How to Create an Active Directory Security Assessment report
Microsoft released Active Directory in 1999, and it is still used by around 90% of the world’s major corporations. Because it is so widespread, it is also a constant target for attackers. To dramatically reduce your AD attack surface, run an AD security assessment and remediate the flagged security indicators. In this article, you will learn how to create an Active Directory Security Assessment report.
What is Purple Knight?
Active Directory, Microsoft Entra ID, and Okta vulnerabilities can give attackers virtually unrestricted access to your organization’s network and resources. Semperis built Purple Knight, a free security assessment tool that helps you discover indicators of exposure (IoEs) and indicators of compromise (IoCs) for the following environments:
- Okta
- Microsoft Entra ID
- Active Directory
This free tool checks for and reports on security indicators in each of those environments.
Purple Knight is not open-source software. It’s a wrapper built around PowerShell scripts that run against Active Directory. All the PowerShell scripts that Purple Knight uses are in the extracted folder, and you can open them once you download the software, so you can examine exactly what it does before you run it against your domain.
There is no installer; it is a portable executable, which is convenient.
How to create an Active Directory Security Assessment report
To create an Active Directory Security Assessment report, follow these steps:
Step 1. Download Purple Knight
- Extract the Zip file and save the extracted folder in C:\Install.
Step 2. Unblock files with PowerShell
It’s essential to unblock the extracted Purple Knight files before you start the application. Files downloaded from the internet are marked with the Mark of the Web, and Windows refuses to run them until that mark is removed:
- Start Windows PowerShell
- Run the command below to unblock all the files in the PK Community 4.2 directory
Get-ChildItem -Path "C:\Install\PurpleKnight-Community\PK Community 4.2" -Recurse | Unblock-File
If you skip this step, you will get an error when you start the Purple Knight application.
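As an added example, not part of the original article, the following PowerShell script shows what the unblock step actually changes: it lists the files under the extracted folder that still carry a Zone.Identifier alternate data stream (the Mark of the Web that Windows uses to block downloaded files), unblocks them, and then verifies that none remain. The path is assumed to be the same one used above.

```powershell
# Added example, not part of the original article.
# Assumption: Purple Knight was extracted to the same path the article uses.
$PkRoot = 'C:\Install\PurpleKnight-Community\PK Community 4.2'

# Files downloaded from the internet carry a Zone.Identifier alternate data
# stream (ZoneId=3 means the Internet zone). That stream is the Mark of the Web,
# and it is what makes Windows refuse to run the extracted executable and scripts.
function Get-BlockedFile {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | Where-Object {
        $null -ne (Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
    }
}

$before = @(Get-BlockedFile -Path $PkRoot)
Write-Host "Blocked files before unblocking: $($before.Count)"
foreach ($file in $before) {
    # Show the zone information stored in the stream for each blocked file
    $zone = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw
    '{0}  [{1}]' -f $file.FullName, (($zone -split '\r?\n') -join ' ').Trim()
}

# Unblock only files; directories never carry the stream, so -File avoids
# needless errors from Unblock-File.
Get-ChildItem -Path $PkRoot -Recurse -File | Unblock-File

$after = @(Get-BlockedFile -Path $PkRoot)
if ($after.Count -eq 0) {
    Write-Host "Done: all $($before.Count) previously blocked file(s) are now unblocked."
} else {
    Write-Warning "$($after.Count) file(s) are still blocked (check NTFS permissions on them):"
    $after.FullName
}
```

If the script reports blocked files after the unblock, the usual cause is that the files are read-only or that your account cannot write to them; the Zone.Identifier stream can only be removed by a user who can modify the file.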
Step 3. Run Purple Knight application
- Double-click on PurpleKnight.exe to run the Purple Knight application
- Accept the license agreement
- Click Next
- Click on the three dots at the top
- Select Check for updates
- Click Update
- The security indicator updates download
- Verify that both the PK version and the security indicators are up to date
Note: Ensure that the PK (Purple Knight) version and the security indicators are always up to date before you proceed further.
- The Purple Knight scripts folder updates with the latest security indicators
Now is also a good time to look into the scripts, if you find this interesting, so you can see exactly what they do when you run the report.
- Select the checkbox Active Directory
- Click Select
- Click Next
- Click on the AD Infrastructure Security expand icon
- Find the unchecked checkbox Zerologon vulnerability
Note: By default, only one checkbox is deselected: the Zerologon vulnerability security indicator. That’s because this check takes several hours to execute in a typical production environment. Run the report with it deselected, and once you have gone through the report, return and enable the Zerologon vulnerability indicator for a new scan.
- Click Run Tests
- It shows the progress status, elapsed time, and how many security indicators are processed
- The scan finishes and the summary shows the Active Directory total score, including how many IoEs (Indicators of Exposure) were found
- Click Save As and save a Full PDF report
- Click View Report
- It will automatically save an HTML report and an Excel checklist with all the indicator results to the Purple Knight output folder (in our example, we have run the report twice)
- Open the folder to check the Active Directory Security Assessment report files
Step 4. Examine Active Directory Security Assessment report
The HTML output appears and shows the Active Directory Security Assessment report. Take your time and see what you can improve in your organization.
This is how it looks in our Active Directory environment.
One of the fourteen IoEs found in our Active Directory and shown in the report is: Print spooler service is enabled on a DC.
We immediately took action to remediate this security indicator. Once that was done, we reran Purple Knight to create a new security scan and report.
Read more in the article How to Disable Print Spooler on Domain Controller.
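As an added example that is not part of the original article or of Purple Knight, the following PowerShell script checks every domain controller for the Print Spooler service and, when run with -Remediate, stops and disables it, then reads the state back to confirm. It assumes the ActiveDirectory RSAT module is installed, that WinRM is reachable on the DCs, and that it runs under an account with administrator rights on them.

```powershell
# Added example, not part of the original article or of Purple Knight.
# Assumptions: ActiveDirectory RSAT module installed, WinRM reachable on the
# DCs, and the script runs under an account that is an administrator on them.
param([switch]$Remediate)

Import-Module ActiveDirectory

# Every domain controller in the current domain
$dcs = (Get-ADDomainController -Filter *).HostName

# Query the Print Spooler service on all DCs in one remoting fan-out
$state = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        Status      = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        StartupType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    }
}
$state | Select-Object DC, Status, StartupType | Format-Table -AutoSize

# A DC is exposed if the service is running now or could still be started later
$exposed = @($state | Where-Object {
    $_.Status -eq 'Running' -or $_.StartupType -notin @('Disabled', 'NotInstalled')
})

if ($exposed.Count -eq 0) {
    Write-Host 'Print Spooler is disabled or absent on every DC.'
    return
}

if (-not $Remediate) {
    Write-Warning ("Print Spooler still enabled on: {0}. Re-run with -Remediate to stop and disable it." -f ($exposed.DC -join ', '))
    return
}

# Stop the service and set it to Disabled so it does not come back on reboot,
# then read the state back from each DC to confirm the change.
Invoke-Command -ComputerName $exposed.DC -ScriptBlock {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        Status      = $svc.Status.ToString()
        StartupType = $svc.StartType.ToString()
    }
} | Select-Object DC, Status, StartupType | Format-Table -AutoSize
```

Run it once without -Remediate to get the report only, and check that no DC is also acting as a print server before disabling the service. Setting the startup type to Disabled, rather than only stopping the service, is what makes the Purple Knight indicator stay green after the next reboot.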
That’s it!
Read more: Microsoft 365 security recommendations with PowerShell script »
Conclusion
You learned how to perform an Active Directory Security Assessment. Purple Knight scans the environment and identifies the security indicators quickly. Run the tool on a schedule, every week, month, or quarter, depending on your environment. The tool also receives new security indicators regularly, and you always want the latest checks run against your organization.
It’s interesting that Purple Knight identifies a number of points of risk that paid security products completely miss. I would absolutely recommend this free Active Directory assessment tool.
Did you enjoy this article? You may also like Active Directory health check with PowerShell script. Don’t forget to follow us and share this article.
Just ran it at a customer site, easy to set up, and you get a clear report of what is a potential issue.
Great work PurpleKnight and Ali for getting this on my radar
Hi Sir,
Awesome sharing, great to learn. I have downloaded the file, but after unzipping I am not able to unblock the files using the PowerShell command. I ran the command with the correct path and no errors occur, but I am still unable to open/run the exe.
Could you please guide me? Thanks in advance.
Another method to unblock the files:
1. Download the Zip file
2. Right-click on the Zip file and click Properties
3. Unblock it
4. Extract the Zip file
5. Open the .exe file
Great article!!!
An excellent way to Deep dive!