5 tools for auditing Active Directory
What's in the box?
Would you like to audit your company's Active Directory, but don't know how? This article will give you some pointers, as it lists 5 essential software packages for auditing your Active Directory. Thanks to these software analyses, you'll be able to boost the security level of your AD directory, because you'll get a list of points to improve!
This article simply presents the software I recommend for auditing Active Directory, and contains links to external resources (official sites, tutorials, etc.) so that you can delve deeper into the subject.
Active Directory is frequently targeted by hackers in computer attacks. When this directory is compromised, hackers can gain access to numerous resources, since it manages access to resources and authentication. Since it's a prime target, it needs to be properly secured!
1. PingCastle
PingCastle is a French software package edited by Vincent Le Toux, which is one of the benchmarks for Active Directory auditing. The latest version also includes the ability to audit Azure Active Directory.
This software is free if you audit your Active Directory yourself. On the other hand, you need to purchase a license if you intend to use it as part of a commercial service for a company. The license also serves to unlock certain functionalities.
In just a few seconds, it analyzes the Active Directory and generates a report containing an overall score: this represents the risk level of your Active Directory. The lower the score, the better! Explanations are given for each security point: essential to help you improve the security of your directory.
Related resources :
2. Purple Knight
Purple Knight is an American software program published by the Semperis company, and is entirely free of charge. and generates comprehensive security reports on Active Directory and Azure Active Directory.
Purple Knight is free to use, and Semperis markets a more comprehensive software package. This free version is already very complete, and what I love is the link between its recommendations and those of the ANSSI guide!
It too analyzes your Active Directory in a matter of seconds, and checks 100 different security points. A report is generated to tell you what's good and what's not so good. The higher the score, the better, unlike PingCastle. It's a tool with a pleasant interface that complements PingCastle (the reverse is also true).
Related resources :
3. BloodHound
BloodHound (yes, yes, which means Saint-Hubert dog is a very popular tool for audit Active Directory and it's a must-have for anyone involved in pentesting. It's an open source tool licensed under GPL-3.0 that aims to graph your Active Directory. An enterprise version, available in SaaS mode, is also available for a fee.
With it, you get mapping of the Active Directory directory with its various objectsThis is a very useful tool when you're planning an attack, for example as part of an intrusion test. When an attack is envisaged, as part of an intrusion test for example, it will be very useful, as it contains predefined queries for guidance. For example, taking the BloodHound machine as our starting point, we can find out shortest path to domain administrator accounts. Thus, we can identify an attack path.
The SharpHound tool (included in BloodHound) is used to analyze your AD, and then BloodHound analyzes the results. BloodHound installs on Linux but also on Windows (although Windows Defender isn't too happy about its presence). As with the previous tools, there is Azure Active Directory support named AzureHound.
Related resources :
4. Netwrix Auditor
Netwrix Auditor is an Active Directory auditing software package that is interesting on a daily basisbecause it will monitor Active Directory changes. It is available as a community edition, free but with few features, and as a paid edition, with many more features.
Unlike PingCastle and Purple Knight, it won't provide a score that reflects the security or risk level of your Active Directory. Instead, it will audit the Active Directory, or rather monitor your directory for changes in configuration, including suspicious changes. For example, has anyone added a new user to the "Domain Admins" group in your Active Directory? This is very interesting information, and could be a sign that an attack is underway. This audit continu is very interesting for privilege management.
Netwrix Auditor supports Active Directory, but can also monitor other services and environments: Azure AD, Microsoft Exchange, SQL Server, SharePoint, SharePoint Online, Microsoft Teams, etc.
Related resources :
5. ORADAD
To conclude this series of useful tools for auditing Active Directory, I wanted to mention this tool more for your personal culture than out of any real interest. Read on, and you'll understand why...
ORADAD for " Outil de Rskimming Automatic Dons fromActive Directory "is a tool developed by ANSSI, the French national agency for information systems security. There is an equivalent for Azure called ORADAZ, also developed by ANSSI and available on GitHub.
ANSSI uses this tool for audits carried out as part of the " Active Directory Security" . Firstly, it collects information on the status of your AD. In addition to this, another tool not publicly available is used. Although it is possible to use this tool to generate a report in MLA format, it is the processing and reading of this report that is not possible without a suitable tool.
Related resources :
6. Conclusion
After reading this article from the IT tutorial box, you'll be able to orient yourself towards the right tools for auditing Active Directory. To go further, I invite you to visit this page of Wavestone (from which the image below is taken) which contains an Active Directory security radar.
