ANSSI-FR / ORADAD

Outil de récupération automatique des données de l'Active Directory / Automated tool for dumping Active Directory data
GNU General Public License v3.0

Blue case #14

Closed AlphonseBa closed 8 months ago

AlphonseBa commented 8 months ago

Hello, I have a question concerning the "color risk". If I've understood correctly, if the right is red, it's a critical risk, and if it's blue, it's an accepted risk. However, my object still has the "Write_alt_identity" permission, which is in blue and is always detected at level two. Is this a bug? Thank you for your reply. Here is a screenshot:

jbgalet commented 8 months ago

Hello, control paths are ranked by their exploitability: red indicates a trivial and direct exploitation, yellow an indirect one (several actions are needed) and blue one with specific requirements that may not be present on the target AD. They are not related to "accepted risk"; for this you have to implement one of the documented workarounds.

If the workaround you try to implement is the one that uses PSOs, you have to make the data extraction with a privileged account (or grant read access on PSOs for the data collection user) since standard users cannot read their settings.

If you need assistance on a specific control point, or suspect a bug (unlikely), you can use the ANSSI service email address.
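The PSO workaround above boils down to one check and one grant. The script below is an added example (not ORADAD's own code) that verifies whether a collection account can see the same PSOs a privileged reader sees and, if not, grants it read access on the Password Settings Container; the account name `svc-oradad` is a placeholder.

```powershell
# Added example, not part of ORADAD. Run from a privileged session on a
# domain-joined host with the ActiveDirectory module available.
# Placeholder: the data collection account is assumed to be "svc-oradad".
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName
$psoContainer = "CN=Password Settings Container,CN=System,$domainDN"
$collector    = Get-ADUser -Identity "svc-oradad"   # placeholder account

# 1. Check: PSOs are hidden from standard users by default, so compare what
#    the collection account sees against what the privileged session sees.
$cred = Get-Credential -UserName $collector.UserPrincipalName -Message "Collection account password"
$seenByCollector = @(Get-ADFineGrainedPasswordPolicy -Filter * -Credential $cred).Count
$seenByAdmin     = @(Get-ADFineGrainedPasswordPolicy -Filter *).Count
Write-Host "PSOs visible: privileged=$seenByAdmin collector=$seenByCollector"

# 2. Workaround: grant read access on the container and on every PSO below it
#    (inheritance = All), so the collector can read msDS-PasswordSettings objects.
if ($seenByCollector -lt $seenByAdmin) {
    $acl  = Get-Acl -Path "AD:\$psoContainer"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $collector.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$psoContainer" -AclObject $acl
    Write-Host "Granted GenericRead on $psoContainer to $($collector.SamAccountName)"
}
```

Re-run the first step after the grant: the two counts should match before the next ORADAD extraction, otherwise the control point will still be raised.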

AlphonseBa commented 8 months ago

Thank you for the reply, the workaround works fine.