ad-security-reviewer


Active Directory Security Reviewer


Purpose


Provides comprehensive Active Directory security posture analysis specializing in identity attack path evaluation, privilege escalation detection, and enterprise domain hardening. Offers actionable recommendations for securing authentication protocols, privileged group configurations, and attack surface reduction across Windows domains.

When to Use


  • Analyzing Active Directory security posture
  • Reviewing privileged group design and delegation models
  • Assessing authentication protocols and legacy configurations
  • Identifying attack surface exposure across enterprise domains
  • Detecting orphaned permissions, ACL drift, or excessive rights
  • Evaluating domain/forest functional levels and security implications
  • Enforcing LDAP signing, channel binding, Kerberos hardening

When to Invoke This Skill


Invoke this skill when:
  • User needs to analyze Active Directory security posture
  • Reviewing privileged group design and delegation models
  • Assessing authentication protocols and legacy configurations
  • Identifying attack surface exposure across enterprise domains
  • Detecting orphaned permissions, ACL drift, or excessive rights
  • Evaluating domain/forest functional levels and security implications
  • Enforcing LDAP signing, channel binding, Kerberos hardening
  • Identifying NTLM fallback, weak encryption, or legacy trust configurations
  • Analyzing GPO security filtering and delegation
  • Validating restricted groups and local admin enforcement
  • Reviewing SYSVOL permissions and replication security
  • Evaluating exposure to common vectors (DCShadow, DCSync, Kerberoasting)
  • Identifying stale SPNs, weak service accounts, or unconstrained delegation

What This Skill Does


AD Security Posture Assessment


Analyzes privileged group configurations:
  • Domain Admins, Enterprise Admins, Schema Admins
  • Tiering models and delegation best practices
  • Detection of orphaned permissions, ACL drift, excessive rights
  • Domain/forest functional levels and security implications
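
The privileged-group audit described above, written out as an added example (it is not one of the skill's bundled scripts): it flattens the AdminSDHolder-protected groups recursively, attaches a justification column to every Tier 0 member, and then lists adminCount=1 orphans, accounts that SDProp once protected and that keep inheritance disabled after they leave the group. Assumptions: the RSAT ActiveDirectory module and read access to the domain; the 90-day idle and 1-year password-age thresholds are reviewer choices, not values the page defines; members from other domains of the forest are skipped rather than resolved.

```powershell
# Added example, not one of the skill's bundled scripts: recursive audit of the
# AdminSDHolder-protected groups with a justification column, plus detection of
# adminCount=1 orphans that SDProp never cleans up.
# Assumptions: RSAT ActiveDirectory module, read access; 90 days idle and 1 year
# password age are the reviewer's thresholds, not values the page defines.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain
$dSid = $domain.DomainSID.Value
$rSid = $forestRoot.DomainSID.Value

# Groups whose members SDProp stamps with adminCount=1. Well-known SIDs survive
# renames; the forest-level groups only exist in the root domain.
$protected = @(
    @{ Sid = "$dSid-512";    Server = $domain.DNSRoot;     Tier0 = $true  }   # Domain Admins
    @{ Sid = "$rSid-519";    Server = $forestRoot.DNSRoot; Tier0 = $true  }   # Enterprise Admins
    @{ Sid = "$rSid-518";    Server = $forestRoot.DNSRoot; Tier0 = $true  }   # Schema Admins
    @{ Sid = 'S-1-5-32-544'; Server = $domain.DNSRoot;     Tier0 = $true  }   # Administrators
    @{ Sid = "$dSid-516";    Server = $domain.DNSRoot;     Tier0 = $true  }   # Domain Controllers
    @{ Sid = "$dSid-521";    Server = $domain.DNSRoot;     Tier0 = $false }   # Read-only Domain Controllers
    @{ Sid = 'S-1-5-32-548'; Server = $domain.DNSRoot;     Tier0 = $false }   # Account Operators
    @{ Sid = 'S-1-5-32-549'; Server = $domain.DNSRoot;     Tier0 = $false }   # Server Operators
    @{ Sid = 'S-1-5-32-550'; Server = $domain.DNSRoot;     Tier0 = $false }   # Print Operators
    @{ Sid = 'S-1-5-32-551'; Server = $domain.DNSRoot;     Tier0 = $false }   # Backup Operators
    @{ Sid = 'S-1-5-32-552'; Server = $domain.DNSRoot;     Tier0 = $false }   # Replicator
)

$idleCutoff    = (Get-Date).AddDays(-90)
$pwdCutoff     = (Get-Date).AddYears(-1)
$protectedSids = [System.Collections.Generic.HashSet[string]]::new()
$findings      = [System.Collections.Generic.List[object]]::new()

foreach ($g in $protected) {
    $group = Get-ADGroup -Identity $g.Sid -Server $g.Server -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # e.g. RODC group absent in an old domain
    # -Recursive flattens nested groups: the real Domain Admin count is the flattened count.
    $members = Get-ADGroupMember -Identity $group -Server $g.Server -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        [void]$protectedSids.Add($m.SID.Value)
        if (-not $g.Tier0 -or $m.objectClass -ne 'user') { continue }
        try {
            $u = Get-ADUser -Identity $m.SID -Server $g.Server -Properties LastLogonDate, PasswordLastSet, Enabled
        } catch { continue }   # member from another domain: review by hand
        $why = @()
        if (-not $u.Enabled)                                                { $why += 'disabled but still privileged' }
        if (-not $u.LastLogonDate  -or $u.LastLogonDate  -lt $idleCutoff)   { $why += 'no logon in 90 days' }
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $pwdCutoff)  { $why += 'password older than 1 year' }
        $findings.Add([pscustomobject]@{
            Group = $group.Name; Account = $u.SamAccountName; Tier0 = $true
            Justification = $(if ($why) { $why -join '; ' } else { 'active; confirm a documented owner' })
        })
    }
}

# adminCount=1 on an account that is in no protected group: SDProp does not reset it,
# so inheritance stays off and the object's ACL drifts away from the OU delegation model.
$orphans = Get-ADUser -Filter 'adminCount -eq 1' -Server $domain.DNSRoot -Properties adminCount |
    Where-Object { -not $protectedSids.Contains($_.SID.Value) -and
                   $_.SID.Value -notin @("$dSid-500", "$dSid-502") }   # built-in Administrator, krbtgt
foreach ($o in $orphans) {
    $findings.Add([pscustomobject]@{
        Group = '(none)'; Account = $o.SamAccountName; Tier0 = $false
        Justification = 'adminCount=1 orphan: not in any protected group, inheritance still disabled'
    })
}

$findings | Sort-Object Tier0, Group -Descending | Format-Table -AutoSize
```

Run it as a low-privilege reader against each domain in scope; the orphan list is a candidate list, because custom groups that an administrator manually marked with adminCount=1 will also appear, which is itself worth a justification. Clearing an orphan means setting adminCount to 0 and re-enabling inheritance on the object, both of which belong in the remediation batch with a rollback note.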

Authentication & Protocol Hardening


Reviews and recommends:
  • LDAP signing, channel binding, Kerberos hardening
  • NTLM fallback mitigation
  • Weak encryption detection
  • Legacy trust configuration risks
  • Conditional access transitions (Entra ID) recommendations

GPO & SYSVOL Security Review


Examines:
  • Security filtering and delegation patterns
  • Restricted groups and local admin enforcement
  • SYSVOL permissions and replication security validation
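
The GPO delegation and SYSVOL permission review above, as an added example rather than one of the skill's own scripts. It flags GPOs that any principal outside the expected administrative set can edit, GPOs whose security filtering removed the read right that computers need to apply them, and SYSVOL policy folders with a write-capable ACE for a non-administrative principal. Assumptions: the RSAT GroupPolicy and ActiveDirectory modules, read access to SYSVOL, and that the list of expected writers matches the environment (a delegated "GPO Editors" group, for instance, must be added there before its members stop showing up as findings).

```powershell
# Added example, not one of the skill's bundled scripts: GPO delegation, security
# filtering and SYSVOL ACL review. Assumes RSAT GroupPolicy + ActiveDirectory modules
# and read access to SYSVOL. $expectedWriters is an assumption to adjust per environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain
$nb         = $domain.NetBIOSName
$expectedWriters = @(
    "$nb\Domain Admins", "$($forestRoot.NetBIOSName)\Enterprise Admins",
    "$nb\Group Policy Creator Owners", 'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'CREATOR OWNER'
)

$findings = @(foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    $perms = Get-GPPermission -Guid $gpo.Id -All -Domain $domain.DNSRoot
    foreach ($p in $perms) {
        $who = "$($p.Trustee.Domain)\$($p.Trustee.Name)"
        # Edit or custom rights for anyone outside the expected set: that principal can
        # change what every linked computer and user will apply at next refresh.
        if ($p.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom' -and
            $who -notin $expectedWriters) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Source = 'GPO delegation'; Principal = $who; Right = $p.Permission }
        }
    }
    # Security filtering that drops Authenticated Users: since MS16-072 the computer
    # account reads the GPO, so without this read (or Domain Computers read) the policy
    # silently stops applying, which is usually not what the filtering intended.
    $readers = $perms | Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } | ForEach-Object { $_.Trustee.Name }
    if ('Authenticated Users' -notin $readers -and 'Domain Computers' -notin $readers) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Source = 'Security filtering'; Principal = '(none)'
                           Right = 'no Authenticated Users / Domain Computers read' }
    }
})

# SYSVOL: a write-capable ACE on a policy folder lets the holder replace scripts,
# registry.pol or preference XML that Tier 0 machines will execute or apply.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$findings += @(foreach ($dir in Get-ChildItem -Path $policies -Directory) {
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0) -and
            $ace.IdentityReference.Value -notin $expectedWriters) {
            [pscustomobject]@{ GPO = $dir.Name; Source = 'SYSVOL ACL'
                               Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights }
        }
    }
})

$findings | Sort-Object Source, GPO | Format-Table -AutoSize -Wrap
```

The SYSVOL pass reads the domain DFS path, so it sees whichever DC the client happens to hit; for a replication-consistency check, run the same loop against each DC's `\\dc\SYSVOL` share and diff the results, and treat any per-DC difference as a replication finding rather than an ACL finding.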

Attack Surface Reduction


Identifies and prioritizes:
  • Exposure to common vectors (DCShadow, DCSync, Kerberoasting)
  • Stale SPNs, weak service accounts, unconstrained delegation
  • Provides prioritization paths (quick wins → structural changes)
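
The three exposure classes named above (Kerberoastable service accounts, unconstrained delegation, DCSync-capable ACEs), enumerated and scored in one added example; it is not one of the skill's scripts, and the same enumeration is what steps 3 to 5 of Scenario 2 below call for. Assumptions: the RSAT ActiveDirectory module and read access; the score weights, the 1-year password-age cut-off and the quick-win/structural wording are reviewer choices; the expected holders of replication rights are the Windows defaults, so a legitimately provisioned Entra Connect sync account will be listed and needs a documented exception.

```powershell
# Added example, not one of the skill's bundled scripts: enumerate Kerberoasting,
# unconstrained delegation and DCSync exposure and rank them quick win -> structural.
# Assumes RSAT ActiveDirectory module and read access. Score weights are assumptions.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain
$nb         = $domain.NetBIOSName
$findings   = [System.Collections.Generic.List[object]]::new()

# 1. Kerberoasting: any authenticated user can request a service ticket for a user
#    account that carries an SPN and crack it offline. RC4 tickets (no AES etype on the
#    account) and old passwords crack fastest; a privileged target raises the impact.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, adminCount, Enabled, 'msDS-SupportedEncryptionTypes'
foreach ($u in $spnUsers) {
    if ($u.SamAccountName -eq 'krbtgt' -or -not $u.Enabled) { continue }
    $etypes = if ($u.'msDS-SupportedEncryptionTypes') { [int]$u.'msDS-SupportedEncryptionTypes' } else { 0 }
    $score = 5; $why = @()
    if (($etypes -band 0x18) -eq 0)                                                  { $score += 2; $why += 'no AES etype, RC4 ticket' }
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddYears(-1))  { $score += 1; $why += 'password older than 1 year' }
    if ($u.adminCount -eq 1)                                                         { $score += 2; $why += 'protected (privileged) account' }
    $findings.Add([pscustomobject]@{
        Vector = 'Kerberoasting'; Object = $u.SamAccountName; Score = $score; Detail = ($why -join '; ')
        QuickWin   = 'rotate to a long random password; set AES-only msDS-SupportedEncryptionTypes'
        Structural = 'move the service to a gMSA or remove the SPN'
    })
}

# 2. Unconstrained delegation: a host flagged TRUSTED_FOR_DELEGATION (userAccountControl
#    0x80000) keeps the TGT of every principal that authenticates to it. Domain
#    controllers need the flag; on anything else it is a Tier 0 exposure.
$uncon = Get-ADObject -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288))' `
    -Properties sAMAccountName, primaryGroupID, objectClass
foreach ($o in $uncon) {
    if ($o.objectClass -eq 'computer' -and $o.primaryGroupID -in 516, 521) { continue }   # DCs and RODCs
    $findings.Add([pscustomobject]@{
        Vector = 'Unconstrained delegation'; Object = $o.sAMAccountName; Score = 9
        Detail = "$($o.objectClass) object trusted for delegation"
        QuickWin   = 'add Tier 0 accounts to Protected Users / mark them "sensitive and cannot be delegated"'
        Structural = 'replace with constrained or resource-based constrained delegation'
    })
}

# 3. DCSync: replication extended rights on the domain naming context let the holder
#    pull every secret over the normal DRS protocol. GenericAll on the domain object
#    implies them; an empty ObjectType GUID means "all extended rights".
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
    '00000000-0000-0000-0000-000000000000'   # all extended rights
) | ForEach-Object { [guid]$_ }
$expectedHolders = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Controllers",
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($forestRoot.NetBIOSName)\Enterprise Read-only Domain Controllers"
)
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights  = $ace.ActiveDirectoryRights
    $isRepl  = ([int]($rights -band $extRight) -ne 0) -and ($ace.ObjectType -in $replGuids)
    $isAll   = ($rights -band $genericAll) -eq $genericAll
    if (-not ($isRepl -or $isAll)) { continue }
    $who = $ace.IdentityReference.Value
    if ($who -in $expectedHolders) { continue }
    $findings.Add([pscustomobject]@{
        Vector = 'DCSync rights'; Object = $who; Score = 10
        Detail = "$rights on $($domain.DistinguishedName), objectType $($ace.ObjectType)"
        QuickWin   = 'remove the ACE unless documented (an Entra Connect sync account is legitimate but then Tier 0)'
        Structural = 'baseline the domain-head ACL and review ACL-based paths forest-wide'
    })
}

$findings | Sort-Object Score -Descending | Format-Table Vector, Object, Score, Detail, QuickWin -AutoSize -Wrap
```

A principal needs both Get-Changes and Get-Changes-All (or GenericAll, or the all-extended-rights ACE) to perform a full DCSync; the script reports every matching ACE separately so that the reviewer can see which half a partially cleaned-up delegation still holds. The Kerberoasting check deliberately skips computer accounts: their machine-generated passwords are not a realistic cracking target.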

Core Capabilities


Security Analysis


  • Privileged groups audit with justification
  • Delegation boundaries review and documentation
  • GPO hardening validation
  • Legacy protocols assessment and mitigation
  • Service account classification and security
  • Attack vector identification and scoring

Risk Assessment


  • Identity attack path mapping
  • Privilege escalation vector detection
  • Domain hardening gap analysis
  • Enterprise domain security posture scoring
  • Functional level impact evaluation

Remediation Planning


  • Executive summary of key risks
  • Technical remediation plan with prioritization
  • PowerShell or GPO-based implementation scripts
  • Validation and rollback procedures

Tool Restrictions


This skill requires:
  • Read access - To analyze AD configurations, GPOs, and security policies
  • Grep access - To search for security patterns and configurations
  • Write access - To create remediation scripts and reports
  • Bash access - To execute validation commands (when authorized)
  • Glob access - To locate configuration files
This skill cannot:
  • Modify production AD without explicit authorization
  • Execute changes without validation procedures
  • Make irreversible changes without rollback plans

Integration with Other Skills


This skill collaborates with:
  • powershell-security-hardening - For implementation of remediation steps
  • windows-infra-admin - For operational safety reviews
  • security-auditor - For compliance cross-mapping
  • powershell-5.1-expert - For AD RSAT automation
  • it-ops-orchestrator - For multi-domain, multi-agent task delegation

Example Interactions


Scenario 1: AD Security Review
User: "Review our Active Directory security posture and identify attack vectors"
1. Analyze privileged groups (Domain Admins, Enterprise Admins, Schema Admins)
2. Review tiering models and delegation best practices
3. Detect orphaned permissions, ACL drift, excessive rights
4. Evaluate domain/forest functional levels and security implications
5. Identify attack surface exposure (DCShadow, DCSync, Kerberoasting)
6. Provide executive summary of key risks
7. Generate technical remediation plan with prioritization
8. Create PowerShell or GPO-based implementation scripts
9. Document validation and rollback procedures
Scenario 2: Privilege Escalation Analysis
User: "Find potential privilege escalation paths in our domain"
1. Query AD for privileged group membership and delegation
2. Map tiering model violations (e.g., Tier 0 access from Tier 2)
3. Identify Kerberoasting opportunities (service accounts with SPNs)
4. Analyze delegation paths (unconstrained, constrained, resource-based)
5. Detect DCShadow or DCSync replication abuse vectors
6. Score risk severity and provide quick wins
7. Recommend structural changes for long-term hardening
8. Document mitigation steps with validation procedures
Scenario 3: Legacy Protocol Assessment
User: "Assess our authentication protocol security and recommend hardening"
1. Review current authentication protocols (Kerberos, NTLM, LDAP)
2. Identify NTLM fallback scenarios and weak encryption
3. Evaluate LDAP signing and channel binding enforcement
4. Assess Kerberos hardening (PAC enforcement, AES encryption)
5. Recommend conditional access transitions to Entra ID
6. Provide GPO-based remediation steps
7. Create validation scripts to test hardening
8. Document rollback procedures for business continuity
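
The protocol assessment that Scenario 3 walks through, and that the Authentication & Protocol Hardening section describes, as one added example (not one of the skill's own scripts). It reads the LDAP signing, LDAP channel binding, NTLM and Kerberos encryption-type settings from every writable domain controller, compares each with the hardened target, and then pulls the events that identify clients still relying on the weak behaviour, which is the evidence needed before enforcement is turned on. Assumptions: the RSAT ActiveDirectory module, WinRM access to the DCs, rights to read the Directory Service and NTLM operational logs, and that the target values are the hardened settings rather than Microsoft's defaults; a value that is absent means the OS default applies and is reported as a failure.

```powershell
# Added example, not one of the skill's bundled scripts: audit writable DCs for the
# LDAP/NTLM/Kerberos hardening settings and surface the clients that enforcement
# would break. Assumes RSAT ActiveDirectory, WinRM to DCs, and event-log read rights.
Import-Module ActiveDirectory

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$krb  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
# Min = minimum acceptable value; MustHave/MustNot = bit masks for flag-style values.
$checks = @(
    @{ Name = 'LDAP signing required';              Path = $ntds; Value = 'LDAPServerIntegrity';          Min = 2 }
    @{ Name = 'LDAP channel binding always';        Path = $ntds; Value = 'LdapEnforceChannelBinding';    Min = 2 }
    @{ Name = 'NTLMv2 only, refuse LM/NTLM';        Path = $lsa;  Value = 'LmCompatibilityLevel';         Min = 5 }
    @{ Name = 'Audit all NTLM auth in the domain';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
                                                    Value = 'AuditNTLMInDomain';                         Min = 7 }
    @{ Name = 'Kerberos etypes: AES on, RC4/DES off'; Path = $krb; Value = 'SupportedEncryptionTypes';    MustHave = 0x18; MustNot = 0x7 }
    @{ Name = 'KDC default etypes for unset accounts: AES'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
                                                    Value = 'DefaultDomainSupportedEncTypes';            MustHave = 0x18; MustNot = 0x7 }
)
# PAC signature enforcement (KB5020805) is no longer a registry switch: since the
# October 2023 enforcement phase the KrbtgtFullPacSignature value is not honoured,
# so the check for "PAC enforcement" is the DCs' patch level, not a key.

$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object HostName

# Read the raw values on each DC; evaluate locally so the pass/fail logic is in one place.
$raw = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ArgumentList (,$checks) -ScriptBlock {
    param($checks)
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{ DC = $env:COMPUTERNAME; Check = $c.Name; Actual = $v }
    }
}

$report = foreach ($r in $raw) {
    $c = $checks | Where-Object { $_.Name -eq $r.Check }
    $v = $r.Actual
    $pass = ($null -ne $v) -and
            (-not $c.Min      -or [int]$v -ge $c.Min) -and
            (-not $c.MustHave -or ([int]$v -band $c.MustHave) -eq $c.MustHave) -and
            (-not $c.MustNot  -or ([int]$v -band $c.MustNot) -eq 0)
    [pscustomobject]@{
        DC = $r.DC; Check = $r.Check; Pass = $pass
        Actual = $(if ($null -eq $v) { '(not set: OS default)' } else { '0x{0:X}' -f [int]$v })
    }
}
$report | Sort-Object Pass, DC | Format-Table -AutoSize

# Who would break on enforcement? Directory Service event 2887 is the DC's 24-hour
# count of unsigned or simple binds; 2889 names each client once the diagnostics
# value "16 LDAP Interface Events" is set to 2. NTLM operational event 8004 on a DC
# records domain-account NTLM authentication once AuditNTLMInDomain is on.
$ldapClients = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Select-Object MachineName, Id, TimeCreated, Message
}
$ntlmClients = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Message
}
"Unsigned/simple LDAP bind events (last 24h): $(@($ldapClients).Count)"
"NTLM domain-auth audit events (last 24h): $(@($ntlmClients).Count)"
$ldapClients | Format-List Id, MachineName, TimeCreated, Message
```

Read the two event counts before deploying any of these as GPO settings: a non-zero 2887/2889 count means an application is still doing simple binds over port 389 and will stop authenticating the moment LDAPServerIntegrity goes to 2, and channel binding at level 2 also breaks LDAPS clients behind TLS-terminating proxies. Ship the settings in a dedicated GPO linked to the Domain Controllers OU, take `Backup-GPO` of that GPO and of the Default Domain Controllers Policy first, and document `Restore-GPO` plus a `gpupdate /force` on the DCs as the rollback; re-run the script after the refresh as the validation step.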

Best Practices


Security Analysis Excellence


  • Always create rollback plans before implementing changes
  • Validate in test environment before production changes
  • Document all security decisions and justifications
  • Prioritize quick wins alongside structural changes
  • Test remediation scripts before deployment
  • Monitor for unintended side effects after changes
  • Use least-privilege principle for all operations
  • Maintain audit trail of all security modifications

Assessment Methodology


  • Follow a systematic approach: enumerate, analyze, prioritize, remediate
  • Use multiple data sources to triangulate findings (LDAP queries, PowerShell, Entra ID)
  • Validate findings against multiple systems to avoid false positives
  • Document evidence for every finding (screenshots, query results)
  • Consider both technical and organizational security factors
  • Assess not just current state but also configuration drift

Remediation Planning


  • Prioritize by risk, not just ease of implementation
  • Group related changes into cohesive remediation batches
  • Provide multiple remediation options with trade-offs
  • Include validation steps for each remediation action
  • Document rollback procedures even if not expected to be needed
  • Consider business impact and schedule changes during maintenance windows
  • Communicate changes to affected teams before implementation

Tool Selection and Usage


  • Use native tools (PowerShell, ADUC) first, third-party tools second
  • Validate tool outputs against multiple data sources
  • Protect assessment tooling and the credentials it runs with; collectors and path-analysis tools are as valuable to an attacker as the findings they produce
  • Consider audit logging requirements for all tools
  • Use automation consistently across all domains
  • Test tools in non-production first to validate behavior

Reporting and Documentation


  • Executive summaries should be actionable and concise
  • Technical details should be reproducible by other analysts
  • Include both finding and evidence in every report
  • Provide clear remediation steps with PowerShell examples
  • Track remediation progress over time
  • Update documentation as environment changes

Examples


Example 1: Large Enterprise AD Security Assessment


Scenario: A Fortune 500 company with 50K users, 200+ domains, and complex trust relationships needs comprehensive security assessment.
Assessment Approach:
  1. Enumeration Phase: Automated discovery of all domains, trusts, and privileged groups
  2. Analysis Phase: Cross-domain analysis of permissions and delegation
  3. Risk Scoring: Prioritized findings based on exploitability and impact
  4. Remediation Planning: Phased approach addressing critical findings first
Key Findings:
  • 847 accounts with Domain Admin privileges (should be <50)
  • 23 domains with weak password policies (no complexity, no lockout)
  • Cross-forest trusts using outdated authentication protocols
  • 156 stale service accounts with excessive privileges
Remediation Delivered:
  • Tiered admin model implementation reducing DA count to 32
  • Password policy standardization across all domains
  • Trust migration to selective authentication
  • Service account lifecycle management automation

Example 2: Privilege Escalation Path Analysis


Scenario: Security team suspects lateral movement paths exist from standard user accounts to Domain Admin.
Investigation Approach:
  1. Account Enumeration: Query all user accounts and their group memberships
  2. Trust Mapping: Map all delegation relationships and ACL permissions
  3. Path Analysis: Use BloodHound-like analysis to find attack paths
  4. Exploit Validation: Test identified paths in controlled environment
Attack Paths Identified:
  • Non-privileged accounts holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object, allowing DCSync
  • Stale user-object service accounts with registered SPNs, usable for Kerberoasting (computer accounts are not realistic targets: their passwords are long and machine-generated)
  • Unconstrained delegation on legacy application servers
  • Overly permissive cross-forest permissions
Remediation:
  • ACL cleanup with explicit justification for each permission
  • Service accounts restricted to required SPNs
  • Migration from unconstrained to constrained delegation
  • Cross-forest permission review and normalization

Example 3: Cloud Hybrid Identity Security Review


Scenario: Organization with hybrid identity (AD Connect sync to Entra ID) needs security review of both environments.
Assessment Scope:
  1. On-Prem AD: Password policies, privileged group membership
  2. Entra ID: Conditional Access policies, PIM configurations, MFA registration, risky sign-ins, consent grants
  3. AD Connect: Sync permissions, filtering rules, device writeback
  4. Integration: Pass-through authentication security, seamless SSO risks
Findings and Remediation:
  • Pass-through Authentication agents not isolated from other workloads
  • Conditional Access policies allowing legacy authentication
  • Global Admins with permanent access (no PIM)
  • Consent grants to unverified publisher applications
Deliverables:
  • Hybrid identity security architecture diagram
  • Entra ID Conditional Access policy recommendations
  • AD Connect hardening checklist
  • Ongoing monitoring and alerting rules
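
Three of the Entra ID findings in this example (legacy authentication not blocked, standing Global Administrator assignments, admin consent to unverified publishers) checked with Microsoft Graph PowerShell, as an added illustration that is not part of the engagement or the skill's scripts. Assumptions: the Microsoft.Graph modules are installed; the reviewer's delegated session carries Policy.Read.All, RoleManagement.Read.Directory and Application.Read.All; the tenant has PIM, so role assignment schedule instances are available; the well-known Microsoft first-party tenant ID is used to skip Microsoft's own service principals, which carry no verified-publisher attribute.

```powershell
# Added example, not part of the skill or the engagement above: three Entra ID checks
# via Microsoft Graph PowerShell. Assumes Microsoft.Graph modules and the listed scopes.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory', 'Application.Read.All'

# 1. Legacy authentication is only closed by a policy that is enabled, targets all
#    users and all cloud apps, covers both legacy client app types, and blocks.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$legacyBlock = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    'block' -in $_.GrantControls.BuiltInControls -and
    'All'   -in $_.Conditions.Users.IncludeUsers -and
    'All'   -in $_.Conditions.Applications.IncludeApplications -and
    (('exchangeActiveSync' -in $_.Conditions.ClientAppTypes -and 'other' -in $_.Conditions.ClientAppTypes) -or
      'all' -in $_.Conditions.ClientAppTypes)
}
if (-not $legacyBlock) {
    'FINDING: no enabled Conditional Access policy blocks legacy authentication tenant-wide'
} else {
    foreach ($p in $legacyBlock) {
        # Every excluded user or group is a standing legacy-auth path that needs a justification.
        $excluded = @($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups)
        "Legacy auth blocked by '$($p.DisplayName)'; exclusions to justify: $($excluded.Count)"
    }
}

# 2. Standing Global Administrators. A PIM activation appears as AssignmentType
#    'Activated' with an end time; a permanent assignment is 'Assigned' with no end.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template
$standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$gaTemplateId'" -ExpandProperty Principal |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }
foreach ($a in $standing) {
    $p = $a.Principal.AdditionalProperties
    "FINDING: permanent Global Administrator: $($p['displayName']) [$($p['@odata.type'])]"
}

# 3. Tenant-wide (admin) consent to applications whose publisher is not verified.
$msFirstParty = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'   # Microsoft's own app tenant
$grants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'AllPrincipals' }
foreach ($g in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -ErrorAction SilentlyContinue
    if (-not $sp -or $sp.AppOwnerOrganizationId -eq $msFirstParty) { continue }
    if (-not $sp.VerifiedPublisher.DisplayName) {
        "FINDING: admin consent to unverified publisher app '$($sp.DisplayName)' with scopes: $($g.Scope)"
    }
}
```

The first check is deliberately strict: a block policy scoped to a pilot group, or one that omits the `other` client type, leaves IMAP, POP and SMTP basic auth open and should be reported as a gap rather than partial credit. The third check reports delegated grants only; application permissions granted to a service principal (app role assignments) are a separate query and a separate finding.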

Automation Scripts and References


The AD security reviewer skill includes comprehensive automation scripts and reference documentation located in:

Scripts (scripts/ directory)


  • analyze_ad_security.ts: TypeScript security analyzer with comprehensive AD security assessment including privileged groups, stale accounts, password policies, MFA enrollment, suspicious sign-ins, conditional access, and risky users
  • audit_privileged_groups.ps1: PowerShell script for auditing privileged group memberships, inactive accounts, excessive members, and delegation issues with HTML report generation
  • review_delegation.ps1: PowerShell delegation review script that analyzes AD delegation permissions, identifies excessive delegation, and generates detailed HTML reports

References (references/ directory)


  • security_quickstart.md: Quick start guide with installation, authentication, common patterns, interpretation of findings, and integration with monitoring
  • remediation_patterns.md: Comprehensive remediation patterns for privileged groups, account security, delegation, conditional access, incident response, compliance, and recovery procedures

Output Format


This skill delivers:
  1. Executive Summary - High-level security posture overview
  2. Technical Analysis - Detailed findings with evidence
  3. Remediation Plan - Prioritized action items
  4. Implementation Scripts - PowerShell/GPO scripts for fixes
  5. Validation Procedures - Steps to verify remediation
  6. Rollback Plans - Recovery procedures if issues occur