PingCastle & Hardening Active Directory

Active Directory is the cornerstone of identity and access management in most Windows environments. Its critical nature also makes it a prime target for attackers. A poorly configured AD can allow privilege escalation, lateral movement, or even total domain compromise.

PingCastle is now one of the benchmark tools for assessing the security posture of an Active Directory. It was developed by Vincent Le Toux, a renowned French expert in offensive security circles whose mastery of Windows and Active Directory internals is widely recognized. He is said to have close ties to ANSSI—a persistent urban legend in the community, fueled by the depth and quality of the tool's detection rules, which reflect a knowledge of attack vectors rarely achieved outside of government circles. Vincent Le Toux is also co-author of mimikatz, the global benchmark tool for extracting Windows credentials.

PingCastle generates a maturity report based on concrete risk indicators, allowing you to quickly identify weaknesses and prioritize corrective actions. Its level of rigor naturally aligns with the recommendations published by ANSSI in its Active Directory security guide, making these two resources an essential complementary pair.

What is PingCastle?

PingCastle is an open-source tool. It allows you to audit the security of an Active Directory without requiring domain administrator privileges, although some analyses are more comprehensive with elevated rights.

Main features

  • AD health score: PingCastle generates a score from 0 to 100 (0 = very secure, 100 = very risky), based on weighted rules.
  • Trust mapping: Visualization of trust relationships between domains.
  • Detection of known vulnerabilities: Kerberoasting, AS-REP Roasting, Pass-the-Hash, dangerous Kerberos delegations, inactive accounts, etc.
  • HTML report: A clear, structured report that can be used by technical and management teams.
  • Consolidated mode: Multi-domain analysis for complex environments.

Installation and use

# Download from https://www.pingcastle.com/download/
# Run the basic audit
.\PingCastle.exe --healthcheck --server <dc_fqdn>

# Audit the current domain
.\PingCastle.exe --healthcheck

# Trust mapping
.\PingCastle.exe --graph

# Consolidated report
.\PingCastle.exe --hc-conso

The report is generated in HTML in the current directory. It contains:

  • A dashboard with the overall score
  • Risk categories: Stale Objects, Privileged Accounts, Trusts, Anomalies
  • Recommendations associated with each finding

Reading the PingCastle report

The 4 risk categories

Category              Description
Stale Objects         Obsolete accounts and objects (inactive accounts, machines that no longer check in, etc.)
Privileged Accounts   Management of high-privilege accounts
Trusts                Trust relationships between domains
Anomalies             Dangerous configurations (Kerberos, NTLM, delegations, etc.)

Interpreting the score

  • 0–30: Correct posture, minor improvements
  • 30–50: Moderate risks to be addressed
  • 50–70: Significant risks, priority actions
  • 70–100: Highly exposed environment, urgent intervention
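The commands and score bands above, turned into one script that runs the audit, reads the XML report PingCastle writes beside the HTML one and orders the findings for remediation. This is an added example, not part of the original post or of PingCastle itself; the XML element names it reads are assumed to follow PingCastle's report schema.

```powershell
# Added example, not part of the original post or of PingCastle itself.
# Runs the health check for the current domain and ranks the findings from
# the XML report PingCastle writes beside the HTML one (ad_hc_<domain>.xml).
# Assumption: the element names used below (HealthcheckData, DomainFQDN,
# GlobalScore, the four *Score elements, RiskRules/HealthcheckRiskRule with
# Points, Category, RiskId, Rationale) follow PingCastle's XML schema.
param([string]$PingCastleExe = ".\PingCastle.exe")

& $PingCastleExe --healthcheck | Out-Null

# Newest ad_hc_*.xml in the current directory is the report just produced
$xmlPath = Get-ChildItem -Path . -Filter "ad_hc_*.xml" |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 -ExpandProperty FullName
[xml]$report = Get-Content -Path $xmlPath -Raw
$hc = $report.HealthcheckData

# Map the global score to the bands used in this post (0 = best, 100 = worst)
$score = [int]$hc.GlobalScore
$band = switch ($score) {
    { $_ -lt 30 } { "Correct posture, minor improvements"; break }
    { $_ -lt 50 } { "Moderate risks to be addressed"; break }
    { $_ -lt 70 } { "Significant risks, priority actions"; break }
    default       { "Highly exposed environment, urgent intervention" }
}
"Domain: {0}  Global score: {1}  ({2})" -f $hc.DomainFQDN, $score, $band

# The global score is the highest of the four category scores, so the worst
# category is where remediation starts
"StaleObjects={0} PrivilegedAccounts={1} Trusts={2} Anomalies={3}" -f `
    $hc.StaleObjectsScore, $hc.PrivilegiedGroupScore, $hc.TrustScore, $hc.AnomalyScore

# Rank findings by the points they cost: this is the remediation order
$hc.RiskRules.HealthcheckRiskRule |
    Sort-Object { [int]$_.Points } -Descending |
    Select-Object @{ n = 'Points'; e = { [int]$_.Points } }, Category, RiskId, Rationale |
    Format-Table -AutoSize -Wrap
```

Run it from the directory that holds PingCastle.exe; a finding's Points value is what to watch when rescanning after a fix.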

Hardening Active Directory: Key points

1. Privileged account management

Tier Model: Separate administration accounts into three tiers to limit lateral movement.

  • Tier 0: Domain controllers, AD DS, PKI
  • Tier 1: Application servers
  • Tier 2: Workstations

Each tier has dedicated accounts that cannot connect to lower tiers.

Protected Users: Add sensitive accounts to the Protected Users group; membership blocks NTLM authentication and Kerberos delegation for those accounts and enforces shorter Kerberos ticket lifetimes.

Add-ADGroupMember -Identity "Protected Users" -Members "Admin_Tier0"

LAPS (Local Administrator Password Solution): Give each machine's local administrator account a unique password that is rotated automatically and stored in AD.

# Verify that LAPS is deployed: only machines whose password attribute has been set are returned,
# and the attribute is readable only by principals granted that right
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | Where-Object { $_."ms-Mcs-AdmPwd" -ne $null }

2. Kerberos hardening

Disable AS-REP Roasting: Ensure that no accounts have "Do not require Kerberos preauthentication" enabled.

Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth

Limit Kerberoasting: Audit accounts with an SPN and reduce the lifetime of service tickets.

# User accounts with at least one SPN ("-like '*'" is the supported presence test in AD filters)
Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName, PasswordLastSet

Disable RC4 for Kerberos: Force AES256.

# Via GPO: Computer Configuration > Windows Settings > Security Settings >
# Local Policies > Security Options >
# "Network security: Configure encryption types allowed for Kerberos"
# Check only AES128_HMAC_SHA1 and AES256_HMAC_SHA1

krbtgt: Renew the krbtgt account password regularly (twice in a row to invalidate old tickets).

# Reset krbtgt (to be done twice, at least 10 hours apart, so tickets issued
# under the previous key expire and the new key has replicated to every DC)
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassw0rd!" -Force)  # placeholder value: use a long random password
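The preauthentication and SPN checks above only list accounts. As an added example (not code from the original post), the script below audits both conditions, also inspects each SPN account's msDS-SupportedEncryptionTypes (the account-level counterpart of the RC4 GPO), and applies the fixes only when -Apply is given. It assumes the ActiveDirectory RSAT module and rights to modify the accounts.

```powershell
# Added example, not from the original post. Reports AS-REP roastable and
# Kerberoastable accounts; changes nothing unless -Apply is passed.
# Assumes the ActiveDirectory RSAT module and write rights on the accounts.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)
Import-Module ActiveDirectory

# 1. AS-REP Roasting: accounts exempt from Kerberos preauthentication
$noPreAuth = Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth
foreach ($u in $noPreAuth) {
    Write-Warning "AS-REP roastable: $($u.SamAccountName)"
    if ($Apply -and $PSCmdlet.ShouldProcess($u.SamAccountName, "Require Kerberos preauthentication")) {
        Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false
    }
}

# 2. Kerberoasting: user accounts with an SPN. An old password or RC4-only
#    tickets make offline cracking cheap, so both conditions are flagged.
$stale = (Get-Date).AddDays(-365)
$spnUsers = Get-ADUser -Filter { ServicePrincipalName -like "*" } `
    -Properties ServicePrincipalName, PasswordLastSet, msDS-SupportedEncryptionTypes
foreach ($u in $spnUsers) {
    # msDS-SupportedEncryptionTypes bits: 0x1/0x2 DES, 0x4 RC4, 0x8 AES128, 0x10 AES256
    # (null/0 means the default, which still permits RC4)
    $enc = [int]($u.'msDS-SupportedEncryptionTypes')
    $aesOnly = (($enc -band 0x18) -ne 0) -and (($enc -band 0x07) -eq 0)
    $msg = "SPN account {0}: PasswordLastSet={1} AES-only={2}" -f $u.SamAccountName, $u.PasswordLastSet, $aesOnly
    if ($u.PasswordLastSet -lt $stale -or -not $aesOnly) { Write-Warning $msg } else { Write-Verbose $msg }
    if ($Apply -and -not $aesOnly -and $PSCmdlet.ShouldProcess($u.SamAccountName, "Restrict to AES")) {
        # Do this only once the account has a password set since AES keys were
        # introduced on the DCs; otherwise the service stops authenticating
        Set-ADUser -Identity $u -KerberosEncryptionType AES128, AES256
    }
}
```

Run without -Apply first (or with -WhatIf) and reset the flagged service passwords before restricting their encryption types.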

3. Reducing the NTLM attack surface

Although NTLM is sometimes necessary, it should be restricted as much as possible.

GPO: Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options
- "Network security: LAN Manager authentication level" → Send NTLMv2 response only. Refuse LM & NTLM
- "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" → Deny all

Audit NTLM usage with:

# Enable domain-wide NTLM auditing on the domain controllers (registry equivalent of the GPO
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain"; 7 = audit all).
# Events are written to Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "AuditNTLMInDomain" -Value 7

4. Hardening Kerberos delegations

Misconfigured delegations are a golden opportunity for attackers.

  • Disable unconstrained delegation on all accounts except DCs.
  • Use resource-based constrained delegation when necessary.

# Find accounts with unconstrained delegation, excluding domain controllers (primary group 516)
Get-ADComputer -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516 } -Properties TrustedForDelegation, Name
Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation
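The two queries above cover unconstrained delegation only. As an added example (not from the original post), the following read-only inventory goes further and covers all three delegation types in one pass, using the userAccountControl bits directly so users and computers are handled by the same LDAP filter. It assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original post: read-only inventory of the three
# delegation types, excluding writable and read-only DCs by primaryGroupID
# (516 and 521). Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$UAC_TRUSTED_FOR_DELEGATION    = 0x80000    # unconstrained delegation
$UAC_TRUSTED_TO_AUTH_FOR_DELEG = 0x1000000  # constrained delegation with protocol transition
$bitAnd = "1.2.840.113556.1.4.803"           # LDAP_MATCHING_RULE_BIT_AND
$notDC  = "(!(primaryGroupID=516))(!(primaryGroupID=521))"

function Get-DelegationFindings {
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo'

    # 1. Unconstrained: the account receives, and can reuse, any caller's TGT
    Get-ADObject -LDAPFilter "(&(userAccountControl:${bitAnd}:=$UAC_TRUSTED_FOR_DELEGATION)$notDC)" -Properties $props |
        ForEach-Object { [pscustomobject]@{ Type = 'Unconstrained'; Object = $_.Name; Class = $_.ObjectClass; Detail = 'any service' } }

    # 2. Constrained with protocol transition: can obtain tickets for any user to
    #    the listed SPNs without that user ever authenticating to it
    Get-ADObject -LDAPFilter "(&(userAccountControl:${bitAnd}:=$UAC_TRUSTED_TO_AUTH_FOR_DELEG)(msDS-AllowedToDelegateTo=*))" -Properties $props |
        ForEach-Object { [pscustomobject]@{ Type = 'Constrained+ProtocolTransition'; Object = $_.Name; Class = $_.ObjectClass; Detail = ($_.'msDS-AllowedToDelegateTo' -join ';') } }

    # 3. Resource-based: configured on the target itself. List who may delegate
    #    to it; anyone able to write this attribute controls the resource.
    foreach ($c in Get-ADComputer -LDAPFilter "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" -Properties PrincipalsAllowedToDelegateToAccount) {
        [pscustomobject]@{ Type = 'RBCD'; Object = $c.Name; Class = $c.ObjectClass; Detail = ($c.PrincipalsAllowedToDelegateToAccount -join ';') }
    }
}
Get-DelegationFindings | Format-Table -AutoSize
```

Anything in the first group that is not a DC is a finding to fix; the other two groups are for review against the documented need.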

5. Securing GPOs and ACLs

Audit dangerous ACLs: WriteDACL, GenericAll, or GenericWrite rights on sensitive objects can enable privilege escalation.

Use BloodHound/SharpHound in addition to PingCastle to visualize attack paths.

AdminSDHolder: Check objects protected by AdminSDHolder and monitor changes.

# List members of protected groups
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADGroupMember -Identity "Schema Admins" -Recursive
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive
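Listing group members does not show who can grant themselves membership through ACLs. As an added example (not from the original post), this read-only check looks for the WriteDACL / GenericAll / GenericWrite class of rights discussed above on AdminSDHolder, whose ACL is re-applied to every protected account, and on the domain head, where the replication extended rights enable DCSync. It assumes the ActiveDirectory RSAT module (which provides the AD: drive); the allowlist of expected principals is a starting point to adapt.

```powershell
# Added example, not from the original post. Read-only: flags write-class rights
# held by anyone outside a starting allowlist on AdminSDHolder and the domain head.
# Assumes the ActiveDirectory RSAT module (AD: drive).
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$targets = @("CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)", $domain.DistinguishedName)

# Principals expected to hold control rights (assumption: extend for your forest)
$allow = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators",
           "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins")

# Rights worth a finding, plus the two replication extended rights behind DCSync
$dangerous = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite', 'WriteProperty'
$replGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
               '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes-All

function Get-DangerousAces {
    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($allow -contains $ace.IdentityReference.Value) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString().Split(',').Trim()
            $hit = @($rights | Where-Object { $dangerous -contains $_ })
            if ($rights -contains 'ExtendedRight' -and $replGuids -contains $ace.ObjectType.ToString()) {
                $hit += 'DCSync'
            }
            if ($hit.Count -eq 0) { continue }
            [pscustomobject]@{
                Object    = $dn
                Principal = $ace.IdentityReference.Value
                Rights    = ($hit -join ',')
                Inherited = $ace.IsInherited
            }
        }
    }
}
Get-DangerousAces | Format-Table -AutoSize

# Ongoing monitoring: enable "Audit Directory Service Changes" on the DCs and a
# SACL on AdminSDHolder, then alert on event ID 5136 for that object.
```

Some built-in groups with narrow property-write rights will appear; review each hit against the object-specific rights rather than deleting ACEs blindly.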

6. Managing obsolete objects

Inactive accounts pose a major risk.

# User accounts inactive for 90 days
$date = (Get-Date).AddDays(-90)
Get-ADUser -Filter { LastLogonDate -lt $date -and Enabled -eq $true } -Properties LastLogonDate

# Inactive machine accounts
Get-ADComputer -Filter { LastLogonDate -lt $date -and Enabled -eq $true } -Properties LastLogonDate

Best practice: Disable and then delete after a grace period; never delete directly.
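The inactive-account queries and the disable-then-delete practice above, combined into one lifecycle script as an added example (not from the original post). It assumes the ActiveDirectory RSAT module, an OU for parked accounts and the description field as the place to record the disable date (all three are assumptions), and changes nothing unless -Apply is given.

```powershell
# Added example, not from the original post: disable-then-delete lifecycle.
# Assumptions: ActiveDirectory RSAT module; a parking OU (default below);
# the description attribute carries the disable-date stamp.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,
    [int]$GraceDays    = 30,
    [string]$ParkOU    = "OU=Disabled,$((Get-ADDomain).DistinguishedName)",
    [switch]$Apply
)
Import-Module ActiveDirectory
$stamp   = "Disabled-Inactive:"
$cutoff  = (Get-Date).AddDays(-$InactiveDays)
$expired = (Get-Date).AddDays(-$GraceDays)

# Phase 1: enabled users and computers with no logon for $InactiveDays.
# LastLogonDate comes from lastLogonTimestamp, which replicates with up to
# 14 days of lag, so keep $InactiveDays well above that. Objects that never
# logged on have no LastLogonDate and do not match "-lt"; review them separately.
$stale = @(Get-ADUser     -Filter { LastLogonDate -lt $cutoff -and Enabled -eq $true } -Properties LastLogonDate, Description) +
         @(Get-ADComputer -Filter { LastLogonDate -lt $cutoff -and Enabled -eq $true } -Properties LastLogonDate, Description)
foreach ($obj in $stale) {
    $target = "$($obj.ObjectClass) $($obj.SamAccountName) (last logon $($obj.LastLogonDate))"
    if (-not ($Apply -and $PSCmdlet.ShouldProcess($target, "Disable and park"))) { Write-Output "Would disable: $target"; continue }
    Set-ADObject -Identity $obj -Description "$stamp $(Get-Date -Format yyyy-MM-dd) | $($obj.Description)"
    Disable-ADAccount -Identity $obj
    Move-ADObject -Identity $obj -TargetPath $ParkOU
}

# Phase 2: delete only what this process disabled more than $GraceDays ago.
# The stamp, not the disabled flag alone, is the evidence that the grace period ran.
Get-ADObject -SearchBase $ParkOU -Filter { Description -like "Disabled-Inactive:*" } -Properties Description |
    Where-Object {
        $_.Description -match 'Disabled-Inactive: (\d{4}-\d{2}-\d{2})' -and
        [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $expired
    } |
    ForEach-Object {
        if ($Apply -and $PSCmdlet.ShouldProcess($_.DistinguishedName, "Delete after grace period")) {
            Remove-ADObject -Identity $_ -Recursive -Confirm:$false   # -Recursive: computers may have child objects
        } else { Write-Output "Would delete: $($_.DistinguishedName)" }
    }
```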

7. Securing domain controllers

  • Limit RDP connections to DCs
  • Enable Windows Defender Credential Guard (protects LSASS) and Device Guard
  • Enable advanced auditing on DCs (connections, object modifications, etc.)
  • Deploy Microsoft Defender for Identity (MDI) for AD attack detection

# Check Credential Guard (CredentialGuard should appear in the returned list)
Get-ComputerInfo | Select-Object DeviceGuardSecurityServicesRunning

8. Patches and updates

Ensure that critical patches are applied, including:

  • MS14-068: Kerberos privilege escalation
  • CVE-2020-1472 (Zerologon): DC compromise via Netlogon
  • CVE-2021-42278 / 42287 (noPac): AD privilege escalation
  • CVE-2022-26923 (Certifried): PKI / AD CS

Remediation workflow

1. Launch PingCastle → identify the score and critical findings
2. Prioritize by risk score (Critical > High > Medium)
3. For each finding:
   a. Understand the impact
   b. Identify the affected objects
   c. Apply the fix
   d. Rescan to validate
4. Schedule regular scans (monthly recommended)
5. Integrate into a vulnerability management process

Additional resources


Regular auditing with PingCastle coupled with a structured hardening plan can significantly reduce the attack surface of an Active Directory. AD security is an ongoing process: configurations evolve, new vulnerabilities appear, and attackers adapt. A proactive approach, based on tools such as PingCastle, BloodHound, and ANSSI/Microsoft recommendations, is essential to maintaining a robust AD environment.

> Reminder: Always perform these analyses within a legal framework, with the appropriate authorizations. An unauthorized AD audit may constitute a criminal offense.