文章讨论了Active Directory安全审查的重要性,建议定期检查域管理员组成员及其嵌套组成员。需核实账户合理性、服务账户权限、密码状态及Kerberos设置等,并提供PowerShell脚本链接。 2025-9-13 00:3:0 Author: adsecurity.org(查看原文) 阅读量:5 收藏
Sep 12 2025
A critical part of Active Directory security is regularly reviewing your AD admins. The simplest way to do this is to recursively enumerate the membership of the domain Administrators group (that group’s members and all member group members).
Check the AD Admins output for the following:
- Are all the admin accounts associated with people expected?
- Are there service accounts that shouldn’t require AD admin rights (VMware, Exchange, LDAP, VPN, Sharepoint, etc.)?
- Are the associated passwords current?
- Are they as expected with no outliers (all within 2 years but one has a password that’s 10 years old)?
- Has the default domain Administrator account logged on recently?
- Is that expected/known?
- Are all accounts enabled?
- Disabled accounts should be removed from being an AD Admin.
- Do all accounts require Kerberos preauthentication?
- They must if they are AD admins.
- Do any use Kerberos DES?
- If so fix that.
- Are any set to never expire their password?
- Is that expected?
- Accounts with this set rarely change their password.
- Is that expected?
- Are there any passwords in Active Directory user attributes (commonly description notes/info, Exchange custom attributes, etc.)?
- Practically all of the attributes are visible to users.
PowerShell code (using Active Directory PowerShell modules):
https://github.com/PyroTek3/Misc/blob/main/Get-ADAdmins.ps1
(Visited 14 times, 14 visits today)
Sean Metcalf
I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter.
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8
如有侵权请联系:admin#unsafe.sh