search

AsBuiltReport / AsBuiltReport.Microsoft.AD

Repository for AsBuiltReport Microsoft Active Directory module
https://techmyth.blog/posts/homelab-ad-doc-using-asbuiltreport/
MIT License
63 stars 18 forks source link

HealthCheck - Restrict Anonymous Access #99

Closed rebelinux closed 1 year ago

rebelinux commented 1 year ago

Restrict Anonymous LDAP access by limiting the "Pre-Windows 2000 Compatible Access" group and confirm the dsHeuristic value is not set to 0000002.

When the Pre-Windows 2000 Compatible Access group contains “Everyone” or “Anonymous Logon” unauthenticated users can perform LDAP queries on Active Directory. This enables attackers to perform domain reconnaissance. 

<#PSScriptInfo
    .VERSION 1.0.1
    .GUID cd46c714-bb58-4416-947b-1691b8185859
    .AUTHOR florian.burnel
    .TAGS ActiveDirectory
    .LICENSEURI
    .PROJECTURI https://github.com/florianburnel/PowerShell/tree/master/AD-Get-ADAnonymousAccessStatus
    .ICONURI
    .EXTERNALMODULEDEPENDENCIES
    .REQUIREDSCRIPTS 
    .EXTERNALSCRIPTDEPENDENCIES 
    .RELEASENOTES
    .DESCRIPTION This script query the Active Directory to check the unicode value "dsHeuristics". The 7th value of this settings determine if anonymous access is authorized or not in your environment. So, if the value if "not defined", it's OK because equal 0. But if the value is 2, it's bad !
#>

<#
.DESCRIPTION

         This script query the Active Directory to check the unicode value "dsHeuristics".
         The 7th value of this settings determine if anonymous access is authorized or not in your environment.
         So, if the value if "not defined", it's OK because equal 0. But if the value is 2, it's bad !

        .NOTES
         NAME:  Get-ADAnonymousAccessStatus.ps1
         AUTHOR:    Florian Burnel
         EMAIL: florian.burnel@it-connect.fr
         URL : www.it-connect.fr
         TWITTER: @FlorianBurnel

        .EXAMPLE        
         PS> .\Get-ADAnonymousAccessStatus.ps1

        .PARAMETER
         NO PARAMETER.

        VERSION HISTORY:

        1.0.0   2018.01.25
                Initial Version

        1.0.1   2018.01.25
                Add block "PSScriptInfo" for PowerShell Gallery
#>

$TargetDN = ("CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration," + (Get-ADDomain).DistinguishedName)
$ValuedsHeuristics = (Get-ADObject -Identity $TargetDN -Properties dsHeuristics).dsHeuristics

if(($ValuedsHeuristics -eq "") -or ($ValuedsHeuristics.Length -lt 7)){

    Write-Output "Good ! Anonymous access is already disable !"

}elseif(($ValuedsHeuristics.Length -ge 7) -and ($ValuedsHeuristics[6] -eq "2")){

    Write-Output "Warning ! Anonymous access is enable and authorized on your Active Directory ! Value = $ValuedsHeuristics"

}