Free Active Directory Security Tools
Windows Active Directory is hard to secure. There are many ways an attacker can leverage one issue to take over your whole domain. Many expensive tools will help you find Active Directory security issues, but I have a few free ones that can get the job done. If your IT budget is tight, try these free Active Directory security tools to find the weaknesses in your Active Directory systems.
Short on time? Skip to the TLDR at the end.
Purple Knight
Purple Knight is a free tool from Semperis that reviews your Active Directory for vulnerabilities. This tool searches for weak settings and configurations that can lead to a breach of Active Directory. The findings report maps each vulnerability to the MITRE ATT&CK and ANSSI frameworks, which adds context so you can see how an attacker may abuse it.
After downloading the tool to your Domain Controller and running it, it generates a report. Export the report and start researching and planning how to mitigate the vulnerabilities.
Pros of Purple Knight
- Free.
- NO DATA LEAVES YOUR SERVER!
- Checks for a wide variety of vulnerabilities.
- Each vulnerability in the report has a link to more in-depth information.
- Checks the general security of the Domain Controller server too.
- It can also test Azure AD. This does take additional setup.
- The tool is a portable executable, so there is no installation.
- Multiple report export formats available: PDF, CSV, HTML.
- Awesome name and logo. lol
Cons of Purple Knight
- Some of the checks are out of date. For example, the scan will flag user accounts with passwords older than 180 days. Mandatory password updates every 180 days are no longer the best practice.
- You have to fill out a contact form to download the tool.
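The password-age check is the one place where you may want to apply your own policy rather than the tool's. The PowerShell below is an added example, not part of the post or of Purple Knight, that runs the same kind of check with a threshold you choose and also flags accounts whose passwords never expire or were never set. It assumes the ActiveDirectory RSAT module is installed and the account running it can read user attributes; the 365-day value is a placeholder for whatever your password policy actually says.

```powershell
# Added example (not from the post or from Semperis): audit password age against your own threshold.
# Assumes the ActiveDirectory module (RSAT) and read access to user attributes.
Import-Module ActiveDirectory

$MaxAgeDays = 365   # assumed policy threshold; replace with the value your password policy requires
$Cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Only enabled accounts; disabled ones are a separate hygiene question.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate

$report = foreach ($u in $users) {
    $finding = $null
    if ($u.PasswordNeverExpires) {
        $finding = 'PasswordNeverExpires'          # policy is bypassed entirely for this account
    } elseif (-not $u.PasswordLastSet) {
        $finding = 'PasswordNeverSet'              # null PasswordLastSet: never set or forced change pending
    } elseif ($u.PasswordLastSet -lt $Cutoff) {
        $finding = "OlderThan${MaxAgeDays}Days"
    }
    if ($finding) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Finding         = $finding
        }
    }
}

# Show the worst first and keep a CSV so the numbers can be compared run over run.
$report | Sort-Object Finding, PasswordLastSet | Format-Table -AutoSize
$report | Export-Csv -Path .\password-age-audit.csv -NoTypeInformation
```

Service accounts with `PasswordNeverExpires` set will usually dominate the output; those are the ones worth moving to group managed service accounts rather than simply rotating.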
PingCastle
PingCastle is a portable tool for finding Active Directory vulnerabilities. The tool downloads to a Domain Controller and runs like a script, so no install is required. This tool is similar to Purple Knight but differs in how it evaluates and reports. The report focuses more on the technical details of each vulnerability and how to fix it, whereas Purple Knight has some of this information but focuses on the likelihood of compromise.
PingCastle will find critical vulnerabilities in any enterprise-size company’s Active Directory. Find the vulnerabilities with the highest point value, plan a fix, fix it, then repeat. Continue this process over a few months, and your risk score will lower dramatically.
Pros of PingCastle
- Free.
- NO DATA LEAVES YOUR SERVER!
- The reports contain more technical detail accompanied by tables of problematic accounts. The report overall is better, in my opinion.
- The tool is a portable executable, so there is no installation.
- Complete online documentation of all evaluation rules.
- Additional feature that builds a map of all interconnected domains.
Cons of PingCastle
- The only report format is HTML.
- No Azure AD tests.
- MITRE ATT&CK and Domain Maturity Level assessments are only in the paid-for version.
PingCastle vs. Purple Knight
Both tools are good; using either will help you better secure your Active Directory. My advice: use both. They’re free, so you have nothing to lose, and where one tool lacks, the other can make up for it.
Not only will you know how to better secure your Active Directory, but you can measure it too. Use the reports from both tools to show management your team’s progress over time in securing the environment. These reports arm you with the metrics of your team’s ongoing success at building better defenses.
BloodHound and SharpHound
BloodHound’s core purpose is to discover the hidden and often unintended relationships within an Active Directory environment. These relationships often lead from a simple user account to Domain Admin rights and full domain compromise. BloodHound identifies highly complex attack paths that would otherwise be impossible to identify quickly.
I won’t sugarcoat it; this tool has a steep learning curve. Making sense of the data it discovers will take a lot of research and a deep understanding of Active Directory. However, learning and using this tool will give your environment the most robust defense. Moreover, you don’t have an option not to learn and use this tool. BloodHound is an attacker’s best friend and will be used against you to breach your environment. So don’t let the attackers be the first to run BloodHound in your environment!
I suggest you start by reviewing the BloodHound wiki. You will need to set up the BloodHound analytical software on a workstation. You will use SharpHound on the Domain Controller to collect data about Active Directory. SharpHound will spit out a ZIP file. Copy the ZIP file to your workstation for BloodHound to ingest. You can then start graphing out possible attack paths within your environment.
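The collection step above, written out as a script, is an added example and not part of the post or of the BloodHound project. It assumes SharpHound.exe has been copied to C:\Tools on the Domain Controller and that \\workstation\bloodhound is a share the BloodHound workstation can read; the -c and --outputdirectory switches are the ones documented for SharpHound v1.x, so confirm them with SharpHound.exe --help for the build you downloaded. The hash check and the cleanup at the end are there because the ZIP is a complete map of your domain and should not be left lying on the DC.

```powershell
# Added example, not from the post or the BloodHound project.
# Assumptions: SharpHound.exe in C:\Tools on the DC; \\workstation\bloodhound readable by the analysis box;
# -c / --outputdirectory as documented for SharpHound v1.x (verify with SharpHound.exe --help).
$SharpHound = 'C:\Tools\SharpHound.exe'
$OutDir     = 'C:\Tools\SharpHound-output'
$Dest       = '\\workstation\bloodhound'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Collect all data types (group membership, ACLs, sessions, trusts, ...) for the current domain.
& $SharpHound -c All --outputdirectory $OutDir
if ($LASTEXITCODE -ne 0) { throw "SharpHound exited with code $LASTEXITCODE" }

# SharpHound writes a timestamped ZIP; take the newest one and record its hash before it leaves the DC.
$zip = Get-ChildItem -Path $OutDir -Filter '*.zip' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $zip) { throw "No ZIP produced in $OutDir" }
$hash = (Get-FileHash -Path $zip.FullName -Algorithm SHA256).Hash
"$(Get-Date -Format o) $($zip.Name) SHA256 $hash" |
    Tee-Object -FilePath (Join-Path $OutDir 'collection.log') -Append

# Copy to the workstation, verify the copy, then remove the sensitive archive from the DC.
Copy-Item -Path $zip.FullName -Destination $Dest
$copied = (Get-FileHash -Path (Join-Path $Dest $zip.Name) -Algorithm SHA256).Hash
if ($copied -ne $hash) { throw 'Hash mismatch after copy; ZIP left in place for inspection' }
Remove-Item -Path $zip.FullName
Write-Host "Collected $($zip.Name); import it into BloodHound on the workstation."
```

Keep the collection.log entries: the hash tells you which dataset a given graph in BloodHound was built from when you compare runs months apart.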
Wrap-Up (TLDR)
If you want to increase the security of your Active Directory environment, costly tools are not required. Several free tools can quickly tell you the areas that need attention. However, you will be pushed to research and gain a deeper understanding of Active Directory. These tools will only show what is wrong and give an idea of how to fix it, but finding the actual fix is your job.