Windows AD Access Risk Heatmap

One of the largest Hungarian automotive parts manufacturers engaged our services to conduct a comprehensive review of their on-premises Windows Active Directory (AD) environment prior to a regulatory audit. This engagement was a one-off assessment, involving a point-in-time vulnerability scan of AD access rights. The primary objective was to gain a clearer understanding of their exposure to user access risks. The client immediately began the remediation effort to demonstrate due diligence towards their regulatory body.

The engagement covered: 

  • 1000 Windows AD users.
  • Folder and file access based on AD group memberships.
  • Numerous external contractors treated as high-risk domain users because of their varied projects.
  • A high rate of remote employees.
  • Client about to introduce an IDM (identity management) solution, which they had not had before.
  • They did utilize a PIM/PAM solution.
  • The task appeared to require a great deal of manual work; however, the client was short on human resources.

The aim of the engagement was to identify the riskiest users, their group memberships, and the riskiest AD groups. 

A PowerShell script was shared with the client to collect the user and access rights data.

To enhance the results of the risk assessment, interviews were conducted with the Chief Information Security Officer (CISO) and the Identity & Access Management team about the access rights and the nature of their current AD groups. The interviews sharpened the assessment, and the results gave the client a better understanding of their threat landscape.

Applying THEFENCE’s unique risk scoring and analyzing mechanism to the shared access data, we generated a comprehensive report. By identifying and ranking the riskiest users and groups, we facilitated the cleanup of AD access issues (by recommending priority items). 

Report elements provided: 

  • AD users that have not logged in for more than 3 months. 
  • AD users that have not logged in for more than 6 months. 
  • AD users that have not logged in for more than 12 months. 
  • AD users that have never logged in. 
  • AD users whose passwords never expire (or who have not changed their initially assigned passwords).
  • AD groups prioritized based on number of users and risk (e.g. high-risk users holding remote connectivity access).
  • AD users risk-rated based on their group membership(s).
  • AD admin users prioritized based on the risk they pose.
  • Active AD users that are no longer aligned with the organization (terminated).
  • TOP 40 AD users with privileged group membership(s).
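The report rows above can be reproduced from standard AD attributes. The script below is an added example written for this page; it is not THEFENCE's collection script and its risk scoring is an illustrative placeholder, not THEFENCE's scoring mechanism. It assumes the RSAT ActiveDirectory module is installed, that it runs under a read-only domain account, and that the privileged-group list, thresholds and output file names are assumptions to be adapted to the environment.

```powershell
# Added example (not THEFENCE's script): collects the inactivity, password and
# privileged-membership signals behind the report rows listed above.
# Assumptions: ActiveDirectory module available, read-only domain account,
# illustrative thresholds, group list and scoring weights.
Import-Module ActiveDirectory

$now = Get-Date
# Privileged groups used for the membership signal; extend with the client's own list (assumed).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Resolve privileged membership once, recursively, so nested group membership is counted too.
$privilegedMembers = @{}
foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                if (-not $privilegedMembers.ContainsKey($_.SamAccountName)) {
                    $privilegedMembers[$_.SamAccountName] = @()
                }
                $privilegedMembers[$_.SamAccountName] += $g
            }
    } catch {
        Write-Warning "Could not enumerate $g : $_"
    }
}

# Pull every enabled user with the attributes needed for the report rows.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet, whenCreated, MemberOf

$report = foreach ($u in $users) {
    $daysInactive = if ($u.LastLogonDate) { [int]($now - $u.LastLogonDate).TotalDays } else { $null }
    $privGroups   = $privilegedMembers[$u.SamAccountName]

    # Illustrative additive score (assumed weights); a real engagement uses its own model.
    $score = 0
    if ($null -eq $daysInactive)   { $score += 3 }   # never logged in
    elseif ($daysInactive -gt 365) { $score += 3 }
    elseif ($daysInactive -gt 180) { $score += 2 }
    elseif ($daysInactive -gt 90)  { $score += 1 }
    if ($u.PasswordNeverExpires)   { $score += 2 }
    # A password last set within minutes of account creation suggests the initial password was never changed.
    $initialPassword = $u.PasswordLastSet -and $u.whenCreated -and
        ([math]::Abs(($u.PasswordLastSet - $u.whenCreated).TotalMinutes) -lt 5)
    if ($initialPassword)          { $score += 2 }
    if ($privGroups)               { $score += 3 * $privGroups.Count }

    [pscustomobject]@{
        SamAccountName           = $u.SamAccountName
        LastLogonDate            = $u.LastLogonDate
        DaysInactive             = $daysInactive
        NeverLoggedIn            = ($null -eq $u.LastLogonDate)
        PasswordNeverExpires     = [bool]$u.PasswordNeverExpires
        InitialPasswordUnchanged = [bool]$initialPassword
        PrivilegedGroups         = ($privGroups -join ';')
        GroupCount               = @($u.MemberOf).Count
        RiskScore                = $score
    }
}

# Report slices matching the list above (output file names are assumed).
$report | Where-Object { $_.DaysInactive -gt 90 }  | Export-Csv inactive_90d.csv    -NoTypeInformation
$report | Where-Object { $_.DaysInactive -gt 180 } | Export-Csv inactive_180d.csv   -NoTypeInformation
$report | Where-Object { $_.DaysInactive -gt 365 } | Export-Csv inactive_365d.csv   -NoTypeInformation
$report | Where-Object { $_.NeverLoggedIn }        | Export-Csv never_logged_in.csv -NoTypeInformation
$report | Where-Object { $_.PasswordNeverExpires -or $_.InitialPasswordUnchanged } |
    Export-Csv password_risk.csv -NoTypeInformation
$report | Where-Object { $_.PrivilegedGroups } | Sort-Object RiskScore -Descending |
    Select-Object -First 40 | Export-Csv top40_privileged.csv -NoTypeInformation

# Group heatmap: member count and summed member risk per group, highest first.
$scoreByUser = @{}
$report | ForEach-Object { $scoreByUser[$_.SamAccountName] = $_.RiskScore }
$membership = foreach ($u in $users) {
    foreach ($dn in $u.MemberOf) {
        [pscustomobject]@{ Group = $dn; User = $u.SamAccountName; Score = $scoreByUser[$u.SamAccountName] }
    }
}
$membership | Group-Object Group | ForEach-Object {
    [pscustomobject]@{
        Group     = $_.Name
        Members   = $_.Count
        TotalRisk = ($_.Group | Measure-Object Score -Sum).Sum
    }
} | Sort-Object TotalRisk -Descending | Export-Csv group_heatmap.csv -NoTypeInformation
```

Two caveats a reviewer of the output should keep in mind: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which can lag the true last logon by up to 14 days by default, so the 3-month bucket in particular should be read as approximate; and `Get-ADGroupMember -Recursive` can fail for groups containing foreign security principals from trusted domains, which the `try`/`catch` only reports rather than resolves.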

Our service is entirely preventive in nature, which means we do not monitor or report on past or current user activity. Instead, our focus lies in proactively identifying and mitigating risks within the Windows Active Directory environment based on assigned group memberships.

Following our assessment, the client received an immediate, actionable set of tasks related to their AD environment. With the intelligence provided on the riskiest users and groups, they promptly initiated the necessary remediation efforts. The entire project spanned three weeks, with a total of 4 hours of consultation.

Highlights – reduced number of users:

  • In high-risk groups (Domain, Enterprise and Schema Admins).
  • With remote access capabilities.
  • With non-expiring passwords, by 37,5%.
  • That had not logged in for more than 6 months, by 64,5%.
  • That had not logged in for more than a year, by 13,5%.
  • That had never logged in, by 28,2%.