What does the Active Directory scan cover?

This article describes what is assessed in your Active Directory (AD) environment. 

Coverage by functional area

The table below lists all functional areas assessed by HolmAD, with a description of what each area covers.

  • Privileged access & delegation: AdminSDHolder integrity, dangerous ACEs, Kerberos delegation (unconstrained, constrained, RBCD, protocol transition), Schema/Domain/Enterprise Admin hygiene, DCSync exposure via Exchange WriteDACL, indirect control paths, Operators groups, Key Admins, recovery console.
  • Kerberos & authentication: krbtgt password age, AES vs RC4 / DES negotiation, FAST / Kerberos armoring, pre-authentication disabled, Protected Users group adoption.
  • ADCS & certificate services: Vulnerable templates (ESC1-ESC4, ESC9/ESC10), HTTP enrollment and channel binding, ROCA-vulnerable keys, weak RSA exponents, deprecated hash algorithms (MD2/MD4/MD5/SHA-0/SHA-1) on root and intermediate CAs.
  • GPO & SYSVOL: GPP cpassword exposure, dangerous Restricted Groups, broad privilege assignments via GPO, logon and login script delegation, deployed-file ACL tampering, NTFRS vs DFS-R, display specifiers.
  • End-of-life operating systems: Domain Controllers and member hosts running unsupported Windows versions (NT, 2000, XP, Vista, 7, 8, Server 2003 / 2008 / 2012, EOL Windows 10/11 builds).
  • LDAP & SMB protocol exposure: LDAP signing enforcement, LDAPS channel binding, anonymous LDAP and NSPI binds, SMB signing, SMBv1, null sessions, NetSessionEnum hardening, deprecated TLS / SSL on LDAPS.
  • Password & account hygiene: Reversible encryption, password-never-expires, PASSWD_NOTREQD, stale Kerberoastable accounts, MachineAccountQuota, LM hash storage, NTLMv1, smart card rotation, LAPS deployment.
  • Domain Controller hardening: Coercion exposure (PetitPotam, PrinterBug, WebClient), Print Spooler on DC, DC RPC exposure, audit policy and PowerShell logging, Defender ASR rules, MS14-068 and MS17-010 (EternalBlue) susceptibility.
  • Domain & forest configuration: Functional level, Recycle Bin, OU protection, conflict objects, site/subnet coverage, schema class hygiene, WSUS hardening, recent backup, single-DC topology.
  • Domain trusts & SID history: SID filtering, SID history (intra-domain, external, unknown), downlevel trusts, TGT delegation, inter-domain Kerberos algorithm negotiation.
  • Anonymous & legacy access: Built-in Guest, Pre-Windows 2000 Compatible Access group composition, anonymous LDAP via dsHeuristics, legacy Domain$$$ artifacts.

The categories above are functional groupings used for prioritization. They do not correspond to any field shown in the report.

What does HolmAD assess?

HolmAD assesses your on-premise Active Directory environment by connecting directly to your Domain Controllers. The assessment covers configuration weaknesses, protocol exposure, privilege hygiene, and attack paths that are specific to on-premise AD and cannot be detected from the cloud side. The categories below describe what the assessment covers. 

Kerberos attack paths

The assessment identifies weaknesses related to Kerberoasting, AS-REP Roasting, unconstrained and constrained delegation abuse, and Golden and Silver Ticket attacks. These risks are native to on-premise AD and require direct access to Domain Controllers to detect.
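The checks below are an added illustration, not HolmAD's own code, of how a defender can enumerate the same Kerberos exposures from a domain-joined workstation with the RSAT ActiveDirectory module. It reads only; nothing is modified. The two age thresholds are assumptions chosen for illustration, and the script assumes the caller has ordinary read access to the directory.

```powershell
# Added example (not HolmAD's code): read-only audit of Kerberos attack-path exposures.
Import-Module ActiveDirectory

$krbtgtMaxAgeDays = 180   # assumption: krbtgt rotated at least twice a year (Golden Ticket hygiene)
$svcPwdMaxAgeDays = 365   # assumption: SPN-bearing account passwords older than this are flagged

# AS-REP Roasting: accounts with Kerberos pre-authentication disabled
$noPreAuth = @(Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
    Select-Object SamAccountName, Enabled, DistinguishedName)

# Kerberoasting: user (not computer) accounts that carry an SPN; krbtgt is handled separately
$spnUsers = @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        $age = $null
        if ($_.PasswordLastSet) { $age = [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordAgeDays = $age
            # 0x1/0x2 = DES, 0x4 = RC4, 0x8 = AES128, 0x10 = AES256; unset or RC4 allowed means
            # a service ticket can still be issued with the weaker cipher
            AesOnly = [bool]$enc -and (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0)
        }
    })

# Unconstrained delegation on anything that is not a Domain Controller
$dcNames = (Get-ADDomainController -Filter *).Name
$unconstrained = @(
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
        Where-Object { $dcNames -notcontains $_.Name }
    Get-ADUser -Filter 'TrustedForDelegation -eq $true'
) | Select-Object SamAccountName, ObjectClass

# Constrained delegation, with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) flagged
$constrained = @(Get-ADObject -Filter 'msDS-AllowedToDelegateTo -like "*"' `
        -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
    Select-Object Name, ObjectClass,
        @{n='Targets';            e={ $_.'msDS-AllowedToDelegateTo' -join ';' }},
        @{n='ProtocolTransition'; e={ [bool]($_.userAccountControl -band 0x1000000) }})

# krbtgt password age: every TGT is signed with this key, so its age bounds Golden Ticket validity
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtAgeDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays

[pscustomobject]@{
    AsRepRoastable                    = $noPreAuth.Count
    KerberoastableUsers               = $spnUsers.Count
    StaleServicePasswords             = @($spnUsers | Where-Object { $_.PasswordAgeDays -gt $svcPwdMaxAgeDays }).Count
    Rc4CapableServiceAccounts         = @($spnUsers | Where-Object { -not $_.AesOnly }).Count
    UnconstrainedNonDC                = $unconstrained.Count
    ConstrainedWithProtocolTransition = @($constrained | Where-Object ProtocolTransition).Count
    KrbtgtPasswordAgeDays             = $krbtgtAgeDays
    KrbtgtRotationOverdue             = ($krbtgtAgeDays -gt $krbtgtMaxAgeDays)
}

# Detail lists for remediation tickets
$noPreAuth     | Format-Table -AutoSize
$spnUsers      | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$unconstrained | Format-Table -AutoSize
$constrained   | Format-Table -AutoSize
```

Each counter maps to a remediation rather than an attack: re-enable pre-authentication, move service accounts to gMSAs or long random passwords with AES-only encryption types, remove unconstrained delegation from member servers (use resource-based constrained delegation instead), and rotate krbtgt twice (with replication time in between) when it is overdue.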

LDAP & SMB exposure

The assessment checks LDAP signing enforcement, anonymous LDAP binds, SMBv1 support, null sessions, and Print Spooler accessibility on Domain Controllers.
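As an added example that is not HolmAD's code, the script below reads the corresponding settings from every Domain Controller over WinRM and reports them side by side. It assumes WinRM is permitted to the DCs and that the caller has local read rights there; the registry value names and meanings are Microsoft's documented ones.

```powershell
# Added example (not HolmAD's code): LDAP, SMB and Print Spooler posture of every DC.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$perDc = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb  = Get-SmbServerConfiguration
    $spooler = Get-Service -Name Spooler

    # Registry values are absent when the default applies, so each read tolerates $null
    $sign = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity       -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $cbt  = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    $nullSess = (Get-ItemProperty -Path $srv -Name RestrictNullSessAccess -ErrorAction SilentlyContinue).RestrictNullSessAccess

    [pscustomobject]@{
        DC                       = $env:COMPUTERNAME
        LdapSigningRequired      = ($sign -eq 2)      # 2 = Require signing; 1 or absent = negotiate only
        LdapChannelBindingAlways = ($cbt -eq 2)       # 2 = Always; 1 = When supported; 0 or absent = Never
        SmbSigningRequired       = $smb.RequireSecuritySignature
        Smb1Enabled              = $smb.EnableSMB1Protocol
        NullSessionsRestricted   = ($nullSess -ne 0)  # an explicit 0 re-opens null sessions; absent keeps the default restriction
        SpoolerRunning           = ($spooler.Status -eq 'Running')
        SpoolerStartType         = $spooler.StartType
    }
}

# Anonymous LDAP is a forest-wide switch: the 7th character of dsHeuristics (fLDAPBlockAnonOps)
# set to '2' permits anonymous operations beyond the rootDSE.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$heur = (Get-ADObject -Identity $dsConfig -Properties dsHeuristics).dsHeuristics
$anonLdapAllowed = [bool]$heur -and $heur.Length -ge 7 -and $heur[6] -eq '2'

$perDc | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName | Format-Table -AutoSize
"Forest permits anonymous LDAP operations (dsHeuristics): $anonLdapAllowed"

# Anything not in this shape is a finding to remediate
$perDc | Where-Object { -not $_.LdapSigningRequired -or -not $_.LdapChannelBindingAlways -or
                        -not $_.SmbSigningRequired -or $_.Smb1Enabled -or
                        -not $_.NullSessionsRestricted -or $_.SpoolerRunning } |
    Select-Object DC | Format-Table -AutoSize
```

The expected hardened state is LDAP signing required, channel binding Always, SMB signing required, SMBv1 removed, null sessions restricted, and the Spooler service disabled on Domain Controllers. Note that LDAPServerIntegrity and LdapEnforceChannelBinding are usually deployed through the Default Domain Controllers Policy, so a value that differs between DCs normally means a policy that has not applied yet.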

AdminSDHolder & ACL abuse

The assessment evaluates the AdminSDHolder mechanism, dangerous DACL entries on privileged objects, and ACL-based privilege escalation paths. These are specific to the on-premise directory structure and have no equivalent in Entra ID.

GPO & SYSVOL

Group Policy Objects (GPOs) can contain password policies, logon scripts, software deployment settings, and occasionally plaintext credentials (GPP cpassword). All of these reside in SYSVOL on Domain Controllers and are assessed as part of this category.
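The following added example, not HolmAD's code, walks the Policies share in SYSVOL and lists every Group Policy Preference item that still carries a cpassword attribute. It reports where the value lives and which account it belongs to; it deliberately does not decrypt anything, because the remediation is to delete the preference item and rotate the account, not to read the password. It assumes the RSAT ActiveDirectory module and, optionally, the GroupPolicy module for resolving GPO display names.

```powershell
# Added example (not HolmAD's code): find GPP files in SYSVOL that still store a cpassword.
Import-Module ActiveDirectory
Import-Module GroupPolicy -ErrorAction SilentlyContinue   # only used to resolve GPO display names

$domain   = (Get-ADDomain).DNSRoot
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Preference types whose XML can embed a cpassword attribute
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppCpassword {
    param([string]$Path = $policies)

    Get-ChildItem -Path $Path -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            [xml]$xml = Get-Content -Path $file.FullName -Raw
            foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
                # An empty cpassword attribute stores nothing and is not a finding
                if (-not $node.GetAttribute('cpassword')) { continue }

                $guid = $null; $gpoName = $null
                if ($file.FullName -match '\{[0-9a-fA-F-]{36}\}') {
                    $guid = $Matches[0]
                    if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
                        $gpoName = (Get-GPO -Guid $guid -ErrorAction SilentlyContinue).DisplayName
                    }
                }
                # Different preference types name the account attribute differently
                $account = @('userName', 'username', 'accountName', 'runAs') |
                    ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ } | Select-Object -First 1

                [pscustomobject]@{
                    GPO      = $gpoName
                    GpoGuid  = $guid
                    Scope    = if ($file.FullName -match '\\Machine\\') { 'Computer' } else { 'User' }
                    ItemType = $node.LocalName        # User, Service, Task, Drive, DataSource, ...
                    Account  = $account
                    File     = $file.FullName
                }
            }
        }
}

$findings = @(Find-GppCpassword)
$findings | Format-Table -AutoSize
"Preference items with a stored cpassword: $($findings.Count)"
```

The reason this is a finding at all is that the key used for cpassword is published by Microsoft, so any account that can read SYSVOL (every domain user) can recover the plaintext. The MS14-025 update stopped the Group Policy editor from creating new items of this kind but left existing ones in place, which is why old GPOs still turn up in scans.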

Functional level & schema debt

The assessment flags domains running at outdated functional levels (such as Server 2008), domains with NTLMv1 permitted, or domains with LM hash storage enabled. These represent configuration drift that can be exploited for lateral movement.

Privileged group hygiene

The assessment reviews membership, password age, and activity for Domain Admins, Enterprise Admins, Schema Admins, and their nested groups. This information is only accessible from on-premise AD.
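As an added example, not HolmAD's code, the script below produces the same kind of review for the privileged groups named in this article: recursive membership through nested groups, password age, last activity and a few hygiene flags per member. The staleness thresholds are assumptions for illustration; the group list and attributes are standard AD ones.

```powershell
# Added example (not HolmAD's code): privileged group membership and hygiene review.
Import-Module ActiveDirectory

$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
          'Account Operators', 'Backup Operators', 'Server Operators',
          'Key Admins', 'Enterprise Key Admins'
$staleLogonDays = 90    # assumption: no logon in this many days counts as stale
$maxPwdAgeDays  = 365   # assumption: privileged passwords older than this are flagged
$shouldBeEmpty  = 'Schema Admins', 'Enterprise Admins'   # standing membership here is rarely justified

$protectedUsersDn = (Get-ADGroup -Identity 'Protected Users').DistinguishedName

$members = foreach ($g in $groups) {
    # Forest-level groups exist only in the root domain, so skip names that do not resolve here
    $grp = Get-ADGroup -Filter "Name -eq '$g'"
    if (-not $grp) { continue }

    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires, ServicePrincipalName, MemberOf |
        ForEach-Object {
            $now = Get-Date
            $issues = @()
            if (-not $_.Enabled)                     { $issues += 'disabled-but-privileged' }
            if ($_.PasswordNeverExpires)             { $issues += 'password-never-expires' }
            if ($_.PasswordLastSet -and ($now - $_.PasswordLastSet).TotalDays -gt $maxPwdAgeDays) { $issues += 'old-password' }
            # LastLogonDate is the replicated lastLogonTimestamp and can lag by up to 14 days
            if (-not $_.LastLogonDate -or ($now - $_.LastLogonDate).TotalDays -gt $staleLogonDays) { $issues += 'stale' }
            if ($_.ServicePrincipalName)             { $issues += 'spn-on-privileged-account' }   # Kerberoastable admin
            if ($_.MemberOf -notcontains $protectedUsersDn) { $issues += 'not-in-protected-users' }

            [pscustomobject]@{
                Group           = $g
                User            = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordLastSet = $_.PasswordLastSet
                LastLogonDate   = $_.LastLogonDate
                Issues          = ($issues -join ',')
            }
        }
}

$members | Sort-Object Group, User | Format-Table -AutoSize

# Headline numbers for the report
$members | Group-Object Group | Select-Object Name, Count | Format-Table -AutoSize
foreach ($g in $shouldBeEmpty) {
    $n = @($members | Where-Object Group -eq $g).Count
    if ($n -gt 0) { "$g has $n standing member(s); membership should normally be empty between schema or forest changes." }
}
```

Running this from a non-root domain in a multi-domain forest only sees the groups that exist in that domain; repeat it in the forest root to cover Enterprise Admins and Schema Admins. Members that are foreign security principals from trusted forests are returned by Get-ADGroupMember but cannot be resolved by Get-ADUser and are skipped here.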

How does on-premise AD differ from Microsoft 365 & Entra ID?

HolmAD assesses your on-premise Active Directory. If your organization also uses Microsoft 365 and Entra ID, some risks exist only in the cloud environment and are not covered by HolmAD.

The table below shows the key differences between the two environments.

  • Authentication plane
    Microsoft 365 & Entra ID: Cloud identity (Entra ID)
    On-premise AD: Kerberos / NTLM (AD DS)
  • Protocols evaluated
    Microsoft 365 & Entra ID: OAuth, OIDC, SAML
    On-premise AD: LDAP, SMB, Kerberos, RPC
  • Representative risks
    Microsoft 365 & Entra ID: MFA gaps, guest exposure, app permissions, cloud role abuse
    On-premise AD: Delegation abuse, Kerberoasting, LDAP signing, SYSVOL, GPP cpassword
  • Infrastructure assessed
    Microsoft 365 & Entra ID: Azure tenant
    On-premise AD: Domain Controllers, SYSVOL, DNS
  • Network access required
    Microsoft 365 & Entra ID: No (API-based)
    On-premise AD: Yes (routed access to DC)
  • Hybrid risk
    Microsoft 365 & Entra ID: Entra Connect service account
    On-premise AD: On-premise DA compromise contaminates cloud

Entra ID coverage
Entra ID (Azure AD) is covered through Cloud Security via API-based assessments. For organizations using a hybrid identity setup, Holm Security recommends running both System & Network Security and Cloud Security. Together they give full coverage of both your on-premise Active Directory and your Azure platform, including Entra ID.

What is the hybrid risk?

Most Microsoft 365 deployments use Entra Connect to synchronize identities from on-premise AD to Entra ID. This synchronization creates a one-way trust with significant security consequences: a compromised on-premise AD can contaminate the cloud directory.

A cybercriminal with Domain Admin access on-premise can:

  • Modify synchronized user attributes to escalate cloud privileges.
  • Manipulate on-premise accounts that hold cloud roles.
  • Abuse the Entra Connect service account, which holds extensive rights in both directories.
  • Use pass-the-hash or pass-the-ticket techniques to impersonate synchronized users.

Hybrid environments require both assessments
These attack paths are not visible from cloud-only assessments because the underlying vulnerability resides on-premise. If your organization synchronizes identities to Microsoft 365, running HolmAD alongside Cloud Security assessments is strongly recommended. 

How do I locate a specific finding?

Every finding in the report carries a HID (e.g. HID-2-1-5320760). HIDs are stable across assessment runs and across customers. To investigate a specific finding:

  1. Search the report for the HID directly.
  2. Read the Result information field for the list of affected objects.
  3. Read the Solution information field for remediation steps.