Learn about Microsoft Defender for Identity security posture assessments for identity infrastructure.
Note
While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as Completed.
Built-in Active Directory Guest account is enabled
Description
This recommendation indicates whether the built-in Active Directory Guest account is enabled in your environment.
The goal is to ensure that the domain's Guest account is disabled.
User impact
The on-premises Guest account is a built-in, non-nominative account that allows anonymous access to Active Directory. Enabling this account permits access to the ___domain without requiring a password, potentially posing a security threat.
Implementation
Review the list of exposed entities to discover whether the Guest account is enabled.
Take appropriate action on those accounts by disabling them.
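One way to check and remediate this from PowerShell (an added example, not part of the Defender for Identity documentation): the built-in Guest account is located by its well-known RID, 501, rather than by name, so a renamed Guest account is still found. The ActiveDirectory RSAT module and rights to modify the account are assumed.

```powershell
# Added example (not from the Defender for Identity documentation): find the
# built-in Guest account of every domain in the forest by its well-known RID (501)
# and disable it if it's enabled. Assumes the ActiveDirectory module and rights
# to modify the account.
Import-Module ActiveDirectory

function Get-DomainGuestAccount {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Match on the SID, not the name: the Guest account can be renamed, but the
    # RID is always 501.
    $domainSid = (Get-ADDomain -Identity $Domain).DomainSID.Value
    $guestSid  = "$domainSid-501"
    Get-ADUser -Identity $guestSid -Server $Domain -Properties Enabled, PasswordLastSet
}

function Disable-DomainGuestAccount {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [switch]$WhatIf)
    $guest = Get-DomainGuestAccount -Domain $Domain
    if (-not $guest.Enabled) {
        Write-Output "Guest account '$($guest.SamAccountName)' in $Domain is already disabled."
        return
    }
    Write-Warning "Guest account '$($guest.SamAccountName)' in $Domain is ENABLED; disabling."
    Disable-ADAccount -Identity $guest -Server $Domain -WhatIf:$WhatIf
}

# Check every domain in the forest, not only the one you're logged on to.
# Drop -WhatIf once the preview output looks right.
foreach ($d in (Get-ADForest).Domains) {
    Disable-DomainGuestAccount -Domain $d -WhatIf
}
```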
Change Domain Controller computer account old password
Description
This recommendation lists all domain controller computer accounts whose password was last set more than 45 days ago.
A Domain Controller (DC) is a server in an Active Directory (AD) environment that manages user authentication and authorization, enforces security policies, and stores the AD database. It handles logins, verifies permissions, and ensures secure access to network resources. Multiple DCs provide redundancy for high availability.
Domain controllers with old passwords are at heightened risk of compromise and could be more easily taken over. Attackers can exploit outdated passwords, gaining prolonged access to critical resources and weakening network security. An old password can also indicate a domain controller that is no longer functioning in the domain.
Implementation
Verify the registry values on the domain controller:
- HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange is set to 0 or doesn't exist.
- HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge is set to 30.
Reset incorrect values:
- Reset any incorrect values to their default settings.
- Check Group Policy Objects (GPOs) to ensure they don't override these settings.
If these values are correct, check whether the NETLOGON service is started with sc.exe query netlogon.
Validate password synchronization by running nltest /SC_VERIFY:DomainName (with DomainName being the domain NetBIOS name). The command checks the secure channel status and should display 0 0x0 NERR_Success for both verifications.
Tip
For more information about the computer account password process, see the blog post about the machine account password process.
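The procedure above, carried out from PowerShell as an added example (not from the documentation): the script lists domain controllers whose computer account password is older than 45 days, then reads the two Netlogon registry values, the NETLOGON service state and the nltest secure channel check on each of them. It assumes the ActiveDirectory module, WinRM access to the domain controllers and Domain Admin rights.

```powershell
# Added example (not from the documentation): list domain controllers whose
# computer account password was last set more than 45 days ago, then check the
# Netlogon registry values, the NETLOGON service state and the secure channel
# (nltest /SC_VERIFY) on each of them. Assumes the ActiveDirectory module,
# WinRM access to the DCs and Domain Admin rights.
Import-Module ActiveDirectory

$maxAgeDays = 45
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)
$netbios    = (Get-ADDomain).NetBIOSName
$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Computer accounts of every DC in the domain, with the PasswordLastSet timestamp.
$staleDCs = Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADComputer -Identity $_.ComputerObjectDN -Properties PasswordLastSet
} | Where-Object { $_.PasswordLastSet -lt $cutoff }

foreach ($dc in $staleDCs) {
    $ageDays = [int]((Get-Date) - $dc.PasswordLastSet).TotalDays
    Write-Warning ("{0}: computer account password last set {1:yyyy-MM-dd} ({2} days ago)" -f
        $dc.Name, $dc.PasswordLastSet, $ageDays)

    Invoke-Command -ComputerName $dc.DNSHostName -ArgumentList $regPath, $netbios -ScriptBlock {
        param($regPath, $netbios)
        $p = Get-ItemProperty -Path $regPath
        # Expected values: DisablePasswordChange absent or 0, MaximumPasswordAge 30
        # (an absent MaximumPasswordAge means the default of 30 is in effect).
        [pscustomobject]@{
            DC                      = $env:COMPUTERNAME
            DisablePasswordChange   = $p.DisablePasswordChange
            DisablePasswordChangeOk = ($null -eq $p.DisablePasswordChange -or $p.DisablePasswordChange -eq 0)
            MaximumPasswordAge      = $p.MaximumPasswordAge
            MaximumPasswordAgeOk    = ($null -eq $p.MaximumPasswordAge -or $p.MaximumPasswordAge -eq 30)
            NetlogonState           = (Get-Service -Name Netlogon).Status
            # A healthy secure channel prints "0 0x0 NERR_Success" for both verifications.
            SCVerify                = (nltest "/SC_VERIFY:$netbios" 2>&1 | Out-String).Trim()
        }
    } | Format-List
}
```

A DC that reports correct registry values, a running NETLOGON service and a failing SC_VERIFY is the case the text describes as possibly no longer functioning in the domain and deserves a closer look.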
Disable Print spooler service on domain controllers
Description
Print spooler is a software service that manages printing processes. The spooler accepts print jobs from computers and makes sure that printer resources are available. The spooler also schedules the order in which print jobs are sent to the print queue for printing. In the early days of personal computers, users had to wait until files printed before performing other actions. Thanks to modern print spoolers, printing now has minimal impact on overall user productivity.
While seemingly harmless, any authenticated user can remotely connect to a domain controller's print spooler service and request an update on new print jobs. Users can also tell the domain controller to send that notification to a system with unconstrained delegation. These actions test the connection and expose the domain controller computer account credential (the Print spooler service runs as SYSTEM).
Due to the possibility of exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object (GPO).
While this security assessment focuses on domain controllers, any server is potentially at risk from this type of attack.
Implementation
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your domain controllers have the Print spooler service enabled.
Take appropriate action on the at-risk domain controllers by disabling the Print spooler service, either manually, through a GPO, or through other types of remote commands.
Fix this specific issue by disabling the Print Spooler service on all servers that don't require it.
Note
- Make sure to investigate your Print spooler settings, configurations, and dependencies before disabling this service and preventing active printing workflows.
- The domain controller role adds a thread to the spooler service that is responsible for print pruning, that is, removing stale print queue objects from Active Directory. Therefore, the security recommendation to disable the Print spooler service is a trade-off between security and the ability to perform print pruning. To address the issue, you should consider periodically pruning stale print queue objects.
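An added example (not from the documentation) of the assessment and remediation steps above in PowerShell: it reports the Print Spooler state on every domain controller and provides a function that stops the service and sets its startup type to Disabled. A GPO should still enforce the setting afterwards; the ActiveDirectory module and WinRM access to the domain controllers are assumed.

```powershell
# Added example (not from the documentation): report which domain controllers
# still have the Print Spooler service running or enabled and, with
# Disable-DCSpooler, stop it and set its startup type to Disabled. A GPO should
# still enforce the setting; this script is for assessment and quick remediation.
# Assumes the ActiveDirectory module and WinRM access to the DCs.
Import-Module ActiveDirectory

function Get-DCSpoolerState {
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_.HostName
        try {
            $svc = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                Get-Service -Name Spooler | Select-Object Status, StartType
            }
            [pscustomobject]@{ DC = $dc; Reachable = $true;  Status = $svc.Status; StartType = $svc.StartType }
        } catch {
            # Unreachable DCs are reported too, so they aren't silently skipped.
            [pscustomobject]@{ DC = $dc; Reachable = $false; Status = $null;       StartType = $null }
        }
    }
}

function Disable-DCSpooler {
    param([string[]]$ComputerName)
    # Trade-off from the note above: with the spooler disabled, the DC no longer
    # prunes stale print queue objects from Active Directory.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
        Get-Service  -Name Spooler | Select-Object @{ n = 'DC'; e = { $env:COMPUTERNAME } }, Status, StartType
    }
}

$state = Get-DCSpoolerState
$state | Format-Table -AutoSize
$atRisk = $state | Where-Object { $_.Reachable -and "$($_.StartType)" -ne 'Disabled' }
if ($atRisk) {
    Write-Warning "Print Spooler is not disabled on: $($atRisk.DC -join ', ')"
    # Review printing dependencies first (see the note above), then remediate:
    # Disable-DCSpooler -ComputerName $atRisk.DC
}
```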
Remove local admins on identity assets
Description
Accounts with indirect control over an identity system, such as AD FS, AD CS, Active Directory, and so on, have the rights to escalate their privileges within the environment, which can lead to obtaining Domain Admin access or equivalent.
Every local admin on a Tier-0 system is an indirect Domain Admin from an attacker's point of view.
Implementation
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions for Remove local admins on identity assets.
Review this list of exposed entities to discover which of your accounts have local admin rights on your identity assets.
Take appropriate action on those entities by removing their privileged access rights.
To achieve a full score, you must remediate all exposed entities.
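One way to produce and act on such a list yourself, as an added example (not from the documentation): the script enumerates the local Administrators group on each identity server, reports every member that isn't on an approved list, and previews the removal. The server names and the approved principal are placeholders; WinRM access and local admin rights on each server are assumed.

```powershell
# Added example (not from the documentation): list the members of the local
# Administrators group on identity servers (AD FS, AD CS, Entra Connect) that
# are not on an approved list, and preview their removal. Server names and the
# approved list below are placeholders; WinRM access and local admin rights on
# each server are assumed.
$identityServers = @('ADFS01.corp.example', 'ADCS01.corp.example', 'AADC01.corp.example')
# Principals that may legitimately hold local admin rights on tier-0 identity assets.
$approved = @('CORP\Tier0-IdentityAdmins')   # placeholder

function Get-UnapprovedLocalAdmins {
    param([string[]]$ComputerName, [string[]]$Approved)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Get-LocalGroupMember returns local and domain principals, users and groups alike.
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Server      = $env:COMPUTERNAME
                Member      = $_.Name
                ObjectClass = $_.ObjectClass
                Source      = "$($_.PrincipalSource)"
            }
        }
    } | Where-Object {
        # The built-in local Administrator (RID 500) shows up as COMPUTERNAME\Administrator.
        $Approved -notcontains $_.Member -and $_.Member -ne "$($_.Server)\Administrator"
    }
}

function Remove-LocalAdmin {
    param([string]$ComputerName, [string]$Member, [bool]$Preview = $true)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Member, $Preview -ScriptBlock {
        param($Member, $Preview)
        Remove-LocalGroupMember -Group 'Administrators' -Member $Member -WhatIf:$Preview
    }
}

$findings = Get-UnapprovedLocalAdmins -ComputerName $identityServers -Approved $approved
$findings | Format-Table Server, Member, ObjectClass, Source -AutoSize
foreach ($f in $findings) {
    # PSComputerName is added by Invoke-Command and is the name we connected with.
    # Preview only; pass -Preview $false after reviewing each finding.
    Remove-LocalAdmin -ComputerName $f.PSComputerName -Member $f.Member -Preview $true
}
```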
Unmonitored domain controllers
Description
An essential part of the Microsoft Defender for Identity solution requires that its sensors are deployed on all organizational domain controllers, providing a comprehensive view of all user activities from every device.
For this reason, Defender for Identity continuously monitors your environment to identify domain controllers without an installed Defender for Identity sensor, and reports on these unmonitored servers to assist you in managing full coverage of your environment.
In order to operate at maximum efficiency, all domain controllers must be monitored with Defender for Identity sensors. Organizations that fail to remediate unmonitored domain controllers reduce visibility into their environment and potentially expose their assets to malicious actors.
Implementation
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your domain controllers are unmonitored.
Take appropriate action on those domain controllers by installing and configuring monitoring sensors.
Unmonitored ADCS servers
Description
Unmonitored Active Directory Certificate Services (AD CS) servers pose a significant risk to your organization’s identity infrastructure. AD CS, the backbone of certificate issuance and trust, is a high-value target for attackers aiming to escalate privileges or forge credentials. Without proper monitoring, attackers can exploit these servers to issue unauthorized certificates, enabling stealthy lateral movement and persistent access. Deploy Microsoft Defender for Identity version 2.0 sensors on all AD CS servers to mitigate this risk. These sensors provide real-time visibility into suspicious activity, detect advanced threats, and generate actionable alerts based on security events and network behavior.
Implementation
Note
This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADCS servers in the environment. In some cases, servers running ADCS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your AD CS servers are unmonitored.
Go to the Microsoft Defender portal > Settings > Identities > Sensors. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
Take appropriate action on those servers by configuring monitoring sensors.
Unmonitored ADFS servers
This section describes Microsoft Defender for Identity's unmonitored Active Directory Federation Services (ADFS) servers security posture assessment report.
Description
Unmonitored Active Directory Federation Services (ADFS) servers are a significant security risk to organizations. ADFS controls access to both cloud and on-premises resources as the gateway for federated authentication and single sign-on. If attackers compromise an ADFS server, they can issue forged tokens and impersonate any user, including privileged accounts. Such attacks might bypass multi-factor authentication (MFA), conditional access, and other downstream security controls, making them particularly dangerous. Without proper monitoring, suspicious activity on ADFS servers might go undetected for extended periods. Deploying Microsoft Defender for Identity version 2.0 sensors on ADFS servers is essential. These sensors enable real-time detection of suspicious behavior and help prevent token forgery, abuse of trust relationships, and stealthy lateral movement within the environment.
Implementation
Note
This security assessment is only available if Microsoft Defender for Endpoint detects eligible ADFS servers in the environment. In some cases, servers running ADFS might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your ADFS servers are unmonitored.
Go to the Microsoft Defender portal > Settings > Identities > Sensors. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
Take appropriate action on those servers by configuring monitoring sensors.
Unmonitored Microsoft Entra Connect servers
Description
Unmonitored Microsoft Entra Connect servers (formerly Azure AD Connect) pose a significant security risk in hybrid identity environments. These servers synchronize identities between on-premises Active Directory and Entra ID. They can introduce, modify, or remove accounts and attributes that directly affect cloud access.
If an attacker compromises a Microsoft Entra Connect server, they can inject shadow admins, manipulate group memberships, or sync malicious changes into the cloud without triggering traditional alerts.
These servers operate at the intersection of on-premises and cloud identity, making them a prime target for privilege escalation and stealthy persistence. Without monitoring, such attacks can go undetected. Deploying Microsoft Defender for Identity version 2.0 sensors on Microsoft Entra Connect servers is critical. These sensors help detect suspicious activity in real time, protect the integrity of your hybrid identity bridge, and prevent full-domain compromise from a single point of failure.
Implementation
Note
This security assessment is only available if Microsoft Defender for Endpoint detects eligible Microsoft Entra Connect servers in the environment. In some cases, servers running Entra Connect might not be identified with the required role and therefore will not appear in this assessment, even if they exist in the environment.
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your Microsoft Entra Connect servers are unmonitored.
Go to the Microsoft Defender portal > Settings > Identities > Sensors. You can view the already installed sensors in your environment and download the install package to deploy them on your remaining servers.
Take appropriate action on those servers by configuring monitoring sensors.
Resolve unsecure domain configurations
Description
Microsoft Defender for Identity continuously monitors your environment to identify domains with configuration values that expose a security risk, and reports on these domains to assist you in protecting your environment.
Organizations that fail to secure their domain configurations leave the door unlocked for malicious actors.
Malicious actors, much like thieves, often look for the easiest and quietest way into any environment. Domains configured with unsecure configurations are windows of opportunity for attackers and can expose risks.
For example, if LDAP signing isn't enforced, an attacker can compromise domain accounts. This is especially risky if the account has privileged access to other resources, as with the KrbRelayUp attack.
Implementation
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your domains have unsecure configurations.
Take appropriate action on these domains by modifying or removing the relevant configurations.
Use the remediation appropriate to the relevant configuration as described in the following table.
Recommended action: Enforce LDAP Signing policy to "Require signing"
- Remediation: We recommend that you require domain controller level LDAP signing. To learn more about LDAP server signing, see Domain controller LDAP server signing requirements.
- Reason: Unsigned network traffic is susceptible to man-in-the-middle attacks.

Recommended action: Set ms-DS-MachineAccountQuota to "0"
- Remediation: Set the MS-DS-Machine-Account-Quota attribute to "0".
- Reason: Limits the ability of non-privileged users to register devices in the domain. For more information about this particular property and how it affects device registration, see Default limit to number of workstations a user can join to the domain.
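An added example (not from the documentation) that checks both remediations from the table: it reads ms-DS-MachineAccountQuota on the domain head and previews setting it to 0, and it reads the LDAP server signing requirement on each domain controller. The registry value LDAPServerIntegrity under the NTDS Parameters key is where the "Domain controller: LDAP server signing requirements" policy is stored (1 = None, 2 = Require signing); the ActiveDirectory module and WinRM access to the domain controllers are assumed.

```powershell
# Added example (not from the documentation): check and remediate the two
# domain configurations in the table above: ms-DS-MachineAccountQuota on the
# domain head and the LDAP server signing requirement on each DC. Assumes the
# ActiveDirectory module and WinRM access to the DCs.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# --- ms-DS-MachineAccountQuota: default is 10, recommendation is 0 ---
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"
if ($quota -ne 0) {
    Write-Warning "Non-privileged users can still join $quota computers to $($domain.DNSRoot)."
    # The attribute lives on the domain object; drop -WhatIf to apply the change.
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}

# --- LDAP server signing: LDAPServerIntegrity under NTDS\Parameters ---
# The policy "Domain controller: LDAP server signing requirements" is stored here:
# 1 = None, 2 = Require signing. A missing value means the default (None).
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$results = Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ArgumentList $ntdsKey -ScriptBlock {
        param($key)
        $v = (Get-ItemProperty -Path $key -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
        [pscustomobject]@{
            DC                  = $env:COMPUTERNAME
            LDAPServerIntegrity = $v
            RequireSigning      = ($v -eq 2)
        }
    }
}
$results | Format-Table DC, LDAPServerIntegrity, RequireSigning -AutoSize

$unsigned = $results | Where-Object { -not $_.RequireSigning }
if ($unsigned) {
    # Enforce the setting through the Default Domain Controllers Policy GPO rather
    # than by editing the registry, so it applies consistently and survives rebuilds.
    Write-Warning "LDAP signing is not required on: $($unsigned.DC -join ', ')"
}
```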