With version 1.1.0, our tool DirectoryRanger introduces a new feature: informational audit checks. These checks do not have a severity rating because they are just “for your information”: the information they report might or might not point to security issues, depending on other facts. But these checks can help reduce your Active Directory attack surface by pointing you to aspects that need your attention and at least need to be discussed and documented (and they might also imply governance measures such as a risk acceptance).
The first new informational audit check is “Active Directory Trust Relationship Overview”. This check identifies and lists all trusts from or to scanned forests so you get a better overview of your security boundaries. With this information you can check all existing trust relationships for their
- relevance
- need
- approval
and take further action if some of the identified trusts are no longer valid or violate your identified security boundaries. Trusts are often the root cause of successful compromises, because the security level might differ in other environments and, as a result, vulnerabilities there might be easier to exploit. So it is mandatory to keep an eye on your trust relationships, and the new informational audit check will assist you in doing so.
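One way to act on such an overview, as an added example that is not DirectoryRanger's code or output: the PowerShell function below reconciles a list of discovered trusts against a documented approval register. The function name, the register layout and all sample domains and dates are assumptions constructed for illustration.

```powershell
# Added example, not DirectoryRanger code. The register layout (Source, Target,
# Direction, Owner, ApprovedUntil) and all sample values are constructed assumptions.
function Compare-TrustToRegister {
    param(
        [Parameter(Mandatory)] [object[]] $Trust,     # discovered trusts
        [Parameter(Mandatory)] [object[]] $Register,  # documented, approved trusts
        [datetime] $AsOf = (Get-Date)
    )
    # Case-insensitive key: one entry per source, target and direction.
    $keyOf = { param($o) "$($o.Source)|$($o.Target)|$($o.Direction)".ToLowerInvariant() }
    $approved = @{}
    foreach ($r in $Register) { $approved[(& $keyOf $r)] = $r }

    $seen = @{}
    foreach ($t in $Trust) {
        $key = & $keyOf $t
        $seen[$key] = $true
        $entry = $approved[$key]
        if (-not $entry) { $status = 'Undocumented' }            # no approval on record
        elseif ([datetime]$entry.ApprovedUntil -lt $AsOf) { $status = 'ApprovalExpired' }
        else { $status = 'Approved' }
        [pscustomobject]@{ Source = $t.Source; Target = $t.Target; Direction = $t.Direction
                           Status = $status; Owner = $entry.Owner }
    }
    # Register entries with no matching trust: the documentation is stale.
    foreach ($key in $approved.Keys) {
        if (-not $seen.ContainsKey($key)) {
            $r = $approved[$key]
            [pscustomobject]@{ Source = $r.Source; Target = $r.Target; Direction = $r.Direction
                               Status = 'NotInDirectory'; Owner = $r.Owner }
        }
    }
}

# Constructed sample input. On a domain-joined host with the ActiveDirectory module,
# Get-ADTrust -Filter * returns objects that also carry Source, Target and Direction;
# normalise their naming to match the register before comparing.
$discovered = @(
    [pscustomobject]@{ Source = 'corp.example.com'; Target = 'partner.example.net'; Direction = 'Outbound' }
    [pscustomobject]@{ Source = 'corp.example.com'; Target = 'lab.example.org';     Direction = 'BiDirectional' }
    [pscustomobject]@{ Source = 'corp.example.com'; Target = 'legacy.example.org';  Direction = 'Inbound' }
)
$register = @(
    [pscustomobject]@{ Source = 'corp.example.com'; Target = 'partner.example.net'; Direction = 'Outbound'; Owner = 'IAM team'; ApprovedUntil = '2030-01-01' }
    [pscustomobject]@{ Source = 'corp.example.com'; Target = 'legacy.example.org';  Direction = 'Inbound';  Owner = 'Infrastructure'; ApprovedUntil = '2020-12-31' }
    [pscustomobject]@{ Source = 'corp.example.com'; Target = 'merger.example.net';  Direction = 'BiDirectional'; Owner = 'unknown'; ApprovedUntil = '2019-06-30' }
)
Compare-TrustToRegister -Trust $discovered -Register $register -AsOf '2024-01-01' | Format-Table
```

Trusts reported as Undocumented or ApprovalExpired are the candidates for the relevance, need and approval review described above; NotInDirectory rows indicate register entries that should be retired.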
If you would like to get more information regarding DirectoryRanger, just visit its website.
cheers
Michael