Brand new forest, PingCastle

PingCastle is an audit tool that helps you build a prioritised list of issues that need addressing in Active Directory. See how I’ve used it in a ‘box fresh’ domain.

If you’ve been following my home lab rebuild project, you will know that I have provisioned a brand new forest and domain. If you haven’t heard of PingCastle, I suggest you check it out! It’s very useful. The strap line for PingCastle is “Get Active Directory Security at 80% in 20% of the time”.

What is PingCastle? It’s an audit tool. It will scan your AD environment and look for potential security risks. It will then score each of the findings to help give you a priority list of things to tackle. I’ve just deployed a brand new, Windows Server 2019 environment, nothing has been configured since deploying it, it must be secure …. surely? Lets take a look.

After downloading from the website, you will need to extract the Zip file, then fire up a command prompt. Head to the directory where you extracted PingCastle then run PingCastle.exe. You will be prompted with a menu like below.

Select “1-healthcheck-Score the risk of a domain” by pressing enter. You will then be asked to specify the domain to check. If you press enter it will use the current domain, or you can specify another domain

When it is complete, you will be prompted to press a key to terminate the program

This process generates a report in the directory it’s run from called ad_hc_<domainname>.html. The audit data is written to an XML file of the same name format. If we open the HTML file we will see how are domain is. Given mine is a brand new domain, I’m hoping it’s not too bad, so lets open the HTML file and take a look.

Oh! It’s not green! Green means good … right …. Well, yes it does in this case. At the top of the report you can see that there are 5 gauges with colours from green (good) to red (bad). The big gauge at the top matches the biggest risk in the environment (Privileged accounts in this case). If we scroll down the report a little bit, we get a bit more information on the risks.

Again, to make it easier to look at what to focus on there is a colour scheme used. White is nothing detected, blue is no risk but some things to look at then yellow, orange and red as the risk score increases. From here, you can see that we have 3 Orange alerts to investigate, Account take over, Admin Control and Pass-the-credential. We then have 6 yellow warnings to investigate and one blue improvement to make. Lets scroll down to Privileged Accounts and see what is going on here.

You can see that there are 3 issues to resolve here. The native admin account is being used (yes this is true, I haven’t created and delegated permissions yet), I will leave this for now as I need to post on permission delegation. Next we can see that Admin accounts are not flagged to prevent delegation and the recycle bin is not enabled. I have a previous post about enabling the recycle bin so I will quickly go through and do this. I will admit to cheating a little on this one. I wanted to enable the PAM feature at the same time so I used the following:

Get-ADOptionalFeature -Filter * | Enable-ADOptionalFeature -Scope ForestOrConfigurationSet -Target lab.marklewis.blog

which enabled both the Recycle Bin and the PAM feature. With the Recycle Bin enabled, we will now flag the account as sensitive and prevent delegation use. From within AD Administration Centre, find the account and put a tick in the box

With that ticked, recycle bin enabled, we have finished with this section (excluding the account usage!). Our next biggest issue was around Anomalies. So scrolling down to that section and I find 7 things that need looking at.

OK, so this list isn’t too bad. Top of the list is deploy LAPS, which I would expect. It’s a brand new domain after all. So, it’s over to Deploying LAPS and get this done. Next, our auditing policy isn’t catching enough events. So, we’re off to the previous Auditing post and enable auditing. With the auditing enabled, we will tackle the next item on the list. Editing the default domain policy, we will increase the minimum password length to 8. Passwords are toast so I know that guidance has already changed around things like how often to change. The minimum length should be longer than 8. It will come down to your users as to what you choose to set here. Last on the list is the lack of a secondary domain controller for redundancy. This will be resolved later as the lab gets it’s Hyper-V cluster up and running.

Next, we have some informational rules. These rules are what trigger the Blue option on the report earlier. I will tackle the Service Account Password policy later as I will be using Fine Grained Password Policies for this. The last two informational points are group policy based. We want PowerShell logging enabled globally and we want LLMNR disabled globally. I will create a new Default Domain Policy (with the exception of the password policy you shouldn’t edit the default domain and default domain controllers policies) and apply the setting here. If you click the rule name it will expand and give an explanation of where to make the changes. Once these two policy settings are done, we will scroll up to the last, lowest risk section, Stale Objects.

This doesn’t look too bad, just two things here. After all the domain is ‘box fresh’ so shouldn’t have anything that is stale. First thing on the list is preventing standard users from joining computers to the domain. To do this we will use ADSIEdit. Connect to your default naming context, right click the domain, go to properties and look for the attribute ms-DS-MachineAccountQuota. Set this to a value of 0 (screenshot below shows pre-change).

The last issue to resolve is the missing Subnet specification for our domain. I’ve covered AD Sites and Services a few times. It’s really important that your AD Sites and Services is configured correctly. I will run through and set up the three sites I will be using (physical, ESXi, and Hyper-V) which is why I subnetted everything down! Create the Subnets, set up the site links with Physical being the root. I am then using the Bridge All Site Links Option given that I have connectivity between all sites. The last thing to do is re-run PingCastle and see if what we’ve done above made a difference:

All good! Happy Days. We can see the improvements. We need to do a few things like add a second DC, move off the Admin account to a delegated model, create a FGPP for Service Accounts and configure backups. Remember, this was run in a “box fresh” environment. In an environment where you’ve been running for 20 years there will be a whole lot more to focus on. PingCastle is excellent for helping prioritise your hit list.

1 thought on “Brand new forest, PingCastle

Leave a Reply

Your email address will not be published. Required fields are marked *