Available Controls

IAP comes with more than 100 off-the-shelf controls. These controls identify problems related to:

Data quality
Security policy violation
Compliance gaps such as access certification
Discrepancies through peer group and predictive analysis

These controls are part of the data model and are presented in each detail pane. They are also used to compute risk scores. You can use them in your own dashboards, reports, reviews and analytics. You can also search for errors through the search pages. (You will have to switch to "free search" and enable "show extended attributes" to do this.)

Sample advanced search using control results

Here is an extract of the available controls in IAP. Please consult "Settings → System → Manage Controls Execution" for an updated list of the controls available in your instance.

Note that the Booster for PAM and Booster for AD functions, now integrated into Identity Analytics, also come with additional predefined controls which are listed at the end of this page. Please go to Booster for AD or PAM Booster Controls sections for the control details.

Standard Controls

Control ID: ACC_01
Entity: Account
Name: Unused account
Description Unused accounts are defined as accounts that have not been used for at least 90 days or those that have never been used at all.
Risk Level: 1
Risk description: Unused accounts are, by definition, no longer monitored by their respective owners. These accounts can be hacked and used by an insider to impersonate an individual while engaging in fraudulent activity. Accounts can be unused if the account owner is no longer using the service, if the account owner is a contractor who no longer works for the company, or if the account is a test/service account that is no longer being used.
Remediation: Monitor the account's last login date. If the last login date is greater than 60 days (or if the account has never been used), notify the manager of the account owner to disable or delete it. The account owner's manager is in charge of enforcing the security policy within his scope of responsibility.

Control ID: ACC_02
Entity: Account
Name: Orphaned account
Description Active accounts identified as orphaned.
Risk Level: 1
Risk description: Orphaned accounts are neither assigned to an individual nor tracked as a service account. Therefore, they can be used by insiders, outliers or hackers to steal data or engage in rogue transactions.
Remediation: Reconcile the account or disable it if it is no longer being used.

Control ID: ACC_03
Entity: Account
Name: Active account whose owner has left the company.
Description An active account belonging to an identity who has left the company.
Risk Level: 4
Risk description: Accounts must be terminated upon the departure of their owner. Otherwise they can be used by a third party (insider, hacker) to compromise data or steal information.
Remediation: Verify that the owner has left the company and disable the account immediately.

Control ID: ACC_04
Entity: Account
Name: Password never expires
Description User account with a password that never expires.
Risk Level: 2
Risk description: User accounts with a password that never expires present a risk because once a password is shared, it can spread rapidly, exposing the assets of the company.
Remediation: Reactivate the password's expiration date.

Control ID: ACC_05
Entity: Account
Name: Password never expires - technical account
Description Technical account with a password that never expires.
Risk Level: 1
Risk description: Technical/service accounts with a password that never expires present a risk because once a password is shared, it can spread rapidly, exposing the assets of the company.
Remediation: Change the password on a regular basis or use a PAM solution to hide the password from users.

Control ID: ACC_06
Entity: Account
Name: Password never expires - orphan account
Description Orphaned account with a password that never expires.
Risk Level: 2
Risk description: Accounts with a password that never expires present a risk because once the password is shared, it can spread rapidly, exposing the assets of the company.
Remediation: Reactivate the password's expiration date.

Control ID: ACC_07
Entity: Account
Name: User password is too old.
Description Active user account with a password that has not been changed in the last 90 days.
Risk Level: 1
Risk description: Passwords must be changed on a regular basis to comply with security policies and mitigate account-hacking risk.
Remediation: For user accounts, verify whether or not the account is still being used. If not, disabled it. Otherwise, check the password policy and reactivate the password expiration policy.

Control ID: ACC_08
Entity: Account
Name: Abnormal login attempts
Description More than 20 unsuccessful login attempts have been detected on this account.
Risk Level: 4
Risk description: A high number of unsuccessful login attempts have been detected on this account. Someone (or a bot) may be attempting to hack into this account.
Remediation: Contact the account owner to investigate. Check account security (password strength) and enable MFA, if needed.

Control ID: ACC_09
Entity: Account
Name: Password not needed
Description Password is not needed to connect.
Risk Level: 2
Risk description: This account can be used without a password which can lead to security problems depending on the type of account.
Remediation: Reactivate authentication for this account.

Control ID: ACC_10
Entity: Account
Name: User password cannot be changed
Description User cannot change their password.
Risk Level: 2
Risk description: User accounts with a password that never expires or cannot be changed present a risk because once the password is shared, it can spread rapidly, exposing the assets of the company.
Remediation: Reactivate the password update capability for this account.

Control ID: ACC_11
Entity: Account
Name: Locked account
Description The account is locked.
Risk Level: 1
Risk description: Locked accounts need to be monitored because they can correspond to former users accounts with unsuccessful login attempts.
Remediation: Disable the account if it is no longer needed.

Control ID: ACC_12
Entity: Account
Name: No user name
Description The account does not have a username, only a login.
Risk Level: 1
Risk description: Accounts should be documented to help with auditing.
Remediation: Enrich the account information.

Control ID: ACC_13
Entity: Account
Name: Username inconsistency
Description The account last name does not match with the account owner's last name.
Risk Level: 1
Risk description: This account could have been reassigned which can lead to security issues if the account permissions have not been updated accordingly.
Remediation: Review account permissions.

Control ID: ACC_14
Entity: Account
Name: Technical account without a manager
Description A technical account without an account manager.
Risk Level: 1
Risk description: These are technical/service accounts that are not associated with an account owner. However, these accounts have sensitive access rights and, as a result, they should be associated with an account manager or business owner who is responsible for reviewing accounts and their permissions on a regular basis.
Remediation: Assign a business owner to this account.

Control ID: ACC_15
Entity: Account
Name: Extremely sensitive permissions
Description An account with a permission sensitivity level that is set to Extreme (4).
Risk Level: 2
Risk description: Accounts granting "extreme sensitivity" access rights should be carefully monitored.
Remediation: Verify that this account is not a standard user account. Review the account on a regular basis. Monitor account access.

Control ID: ACC_16
Entity: Account
Name: Sensitive permissions
Description An account with a permission sensitivity level that is set to High (3).
Risk Level: 1
Risk description: Accounts granting "high sensitivity" access rights should be carefully monitored.
Remediation: Verify that this account is not a standard user account. Review the account on a regular basis. Monitor account access.

Control ID: ACC_17
Entity: Right
Name: Overallocated right
Description The access right is not found in the "granted rights" list.
Risk Level: 2
Risk description: Overallocated rights means that access rights have been given to individuals without following a formal approval process. This can be due to an IT administrative error or direct system update. Because these rights are not approved, they can lead to fraud or data-leakage risk.
Remediation: Review the access right and remove it if it is not necessary. Update the table of granted rights.

Control ID: ACC_18
Entity: Right
Name: Atypical access right
Description Based on the analysis of an organizational peer group, this access right appears to be atypical.
Risk Level: 1
Risk description: Atypical access rights need to be monitored because they can correspond to stale access rights (access rights not removed when an individual moves from one department to another).
Remediation: Review the access right and remove it if it is not necessary.

Control ID: ACC_19
Entity: Right
Name: Atypical new access right
Description Based on the analysis of an organizational peer group, this new access right appears to be atypical.
Risk Level: 3
Risk description: Atypical new access rights need to be monitored because they correspond to new access rights for an individual who appears unusual in the organizational context. It could be an IT error.
Remediation: Review the access right and remove it if it is not necessary.

Control ID: ACC_20
Entity: Right
Name: Atypical access right next to a position update
Description Based on the analysis of an organizational peer group, this access right appears to be atypical.
Risk Level: 2
Risk description: Atypical access rights need to be monitored because they are unusual in the organizational context and the account user position just changed (organization). It could be a leftover access right.
Remediation: Review the access right and remove it if it is not necessary.

Control ID: ACC_21
Entity: Account
Name: Access to extremely sensitive folders
Description An account with folders whose sensitivity level is set to Extreme (4).
Risk Level: 2
Risk description: Accounts granting "extreme sensitivity" access rights should be carefully monitored.
Remediation: Verify that this account is not a standard user account. Review the account on a regular basis. Monitor account access.

Control ID: ACC_22
Entity: Account
Name: Access to sensitive folders
Description An account with folders whose sensitivity level is set to High (3).
Risk Level: 1
Risk description: Accounts granting "high sensitivity" access rights should be carefully monitored.
Remediation: Verify that this account is not a standard user account. Review the account on a regular basis. Monitor account access.

Control ID: ACC_24
Entity: Right
Name: Atypical folder right
Description Based on the analysis of an organizational peer group, this access right appears to be atypical.
Risk Level: 1
Risk description: Atypical access rights need to be monitored because they can correspond to stale access rights (access rights not removed when an individual moves from one department to another).
Remediation: Review the access right and remove it if it is not necessary.

Control ID: ACC_25
Entity: Right
Name: Atypical new folder right
Description Based on the analysis of an organizational peer group, this new access right appears to be atypical.
Risk Level: 3
Risk description: Atypical new access rights need to be monitored because they correspond to new access rights for an individual which seem unusual in the organizational context and the account user's position just changed (organization). It could be an IT error.
Remediation: Review the access right and remove it if it is not necessary.

Control ID: ACC_26
Entity: Right
Name: Atypical folder right next to a position update
Description Based on the analysis of an organizational peer group, this access right appears to be atypical.
Risk Level: 2
Risk description: Atypical access rights need to be monitored because they seem unusual in the organizational context and the account user's position just changed (organization). It could be a leftover access right.
Remediation: Review the access right and remove it if it is not necessary.

Control ID: ACC_27
Entity: Account
Name: Reactivated user account
Description A disabled account has been reactivated and the account is reconciled to an active identity.
Risk Level: 1
Risk description: Reactivated user accounts must be checked because they can be used by an insider to gain control of some systems if these accounts still have permissions.
Remediation: Review the account. Is the account owner returning from a long-term absence? Is he a contractor?

Control ID: ACC_28
Entity: Account
Name: Reactivated user account with inactive identity
Description A disabled account has been reactivated and the account is reconciled to an inactive identity.
Risk Level: 3
Risk description: Reactivated users accounts must be checked because they can be used by an insider to gain control of some systems if these accounts still have permissions. The identity is marked as inactive which means that the account owner is no longer part of the company.
Remediation: Review the account. Is the account owner returning from a long-term absence. Is he a contractor?

Control ID: ACC_29
Entity: Account
Name: Reactivated leaver account
Description A disabled account has been reactivated and the account is marked as being associated with a person who has left the company (leaver).
Risk Level: 3
Risk description: Reactivated user accounts for whom the account owner is marked as no longer being part of the company must be checked because they can be used by an insider to gain control of some systems if these accounts still have permissions.
Remediation: Review the account. Did the account owner return to the company? If this is the case, notify the HR department to update the HR repository.

Control ID: ACC_30
Entity: Account
Name: Reactivated technical account
Description A disabled account has been reactivated and account is marked as a technical account.
Risk Level: 2
Risk description: Reactivated technical accounts must be checked because they provide elevated privileges and can be used by an insider to gain control of some systems.
Remediation: Review the reason for the reactivation of the technical account with the account manager.

Control ID: ACC_31
Entity: Account
Name: Reactivated orphaned account
Description A disabled account has been reactivated and the account is orphaned.
Risk Level: 3
Risk description: Reactivated orphaned accounts have no reason to be reactivated because they can be used by an insider to gain control of some systems.
Remediation: Reconcile the account and review the reason for reactivation with the account owner/manager.

Control ID: ACC_32
Entity: Account
Name: An active leaver account used after the account owner's departure date (inactive user).
Description The account is active, but owner is inactive. The last connection date is more recent than the date of departure.
Risk Level: 4
Risk description: This account should have been revoked because the account owner has left the company. However, it appears that this account is still being used. Either the account password has been shared or the account has been hacked.
Remediation: Investigate by analyzing the account logs and disable the account.

Control ID: ACC_33
Entity: Account
Name: Active leaver account used after the account owner's departure date (leaver)
Description The account is active but the owner has left th company. The last connection date is more recent than the date of departure.
Risk Level: 4
Risk description: This account should have been revoked because the account owner has left the company. However, it appears that the account is still being used. Either the account password has been shared or the account has been hacked.
Remediation: Investigate by analyzing the account logs and disable the account.

Control ID: ACC_34
Entity: Account
Name: Revoked leaver account used after the account owner's departure date (inactive user)
Description The account is disabled and the owner is inactive. The last connection date is more recent than the date of departure.
Risk Level: 2
Risk description: This account has been revoked because the account owner has left the company. However, it appears that this account has been used after the account owner's departure date.
Remediation: Investigate by analyzing the account logs.

Control ID: ACC_35
Entity: Account
Name: Revoked leaver account used after the account owner's departure date (leaver)
Description The account is disabled and the owner has left the company. The last connection date is more recent than the departure date.
Risk Level: 2
Risk description: This account has been revoked because the account owner left the company. However, it appears that this account has been used after account owner's departure date.
Remediation: Investigate by analyzing the account logs.

Control ID: ACC_36
Entity: Account
Name: Account not used since its creation
Description The account creation date is the same as the account's last login date.
Risk Level: 1
Risk description: It seems that this account is not being used. It could be that this account was a test account, used only once, then forgotten.
Remediation: Investigate and disable the account.

Control ID: ACC_37
Entity: Account
Name: User with no department manager
Description The account is reconciled to an identity that belongs to a department with no active manager known.
Risk Level: 0
Risk description: The absence of a known active department manager could be an issue. If a company plans to delegate user account controls to department managers, this account won't be included in the control plan KPIs.
Remediation: Review your organizational tree and assign all departments to active managers.

Control ID: ACC_38
Entity: Account
Name: Identity with multiple active accounts in the same repository
Description Several accounts from the same repository are reconciled with the same identity.
Risk Level: 2
Risk description: Having multiple accounts in the same repository is a bad practice. It can be a way to evade Segregation of Duties (SoD) controls. Unless the user has several accounts for very good reasons (for instance an admin account, and a standard user account), those accounts should be merged.
Remediation: Verify that the user holds these accounts for good reasons. Otherwise consider merging the accounts and their respective permissions.

Control ID: ACC_39
Entity: Account
Name: Identity with multiple accounts in the same application
Description Several accounts from the same application are reconciled with the same identity.
Risk Level: 2
Risk description: Having multiple accounts in the same application is a bad practice. It can be a way to evade Segregation of Duties (SoD) controls. Unless the user has several accounts for very good reasons (for instance an admin account, and a standard user account), those accounts should be merged.
Remediation: Verify that the user holds these accounts for good reasons. Otherwise consider merging the accounts and their respective permissions.

Control ID: ACC_40
Entity: Account
Name: Inactive account whose owner left the company at least 2 years ago
Description This account is inactive, and is reconciled to a user who left the company at least 2 years ago.
Risk Level: 1
Risk description: Repositories should be cleaned up on a regular basis to avoid accounts sprawl on the systems. Inactive users accounts should be deleted after a quarantine period.
Remediation: Delete this account.

Control ID: ACC_41
Entity: Account
Name: AD or Azure account created more than 7 days after the identity's start date
Description This AD or Azure Account was created more than 7 days after the identity's start date.
Risk Level: 1
Risk description: Some repositories, such as AD or Azure, are associated with the identity lifecycle. If the account is created more than 7 days after the identity's start date, it could highlight the fact that the on-boarding process is not efficient.
Remediation: Verify if the account repository is associated with the identity lifecycle. If investigate why it took so long to create the account.

Control ID: GROUP_01
Entity: Group
Name: Group is empty
Description The group does not contain any accounts.
Risk Level: 0
Risk description: Empty groups should be removed if they are no longer being used to improve repository quality.
Remediation: Verify that the group is still being used. If not, delete it.

Control ID: GROUP_02
Entity: Group
Name: Group only contains deactivated accounts
Description All the accounts in the group are deactivated.
Risk Level: 0
Risk description: Legacy groups should be removed if they are no longer being used to improve repository quality.
Remediation: Verify if the group is still being used. If not, delete it.

Control ID: GROUP_03
Entity: Group
Name: Group contains circular references
Description Circular references are detected in the subgroups.
Risk Level: 2
Risk description: Circular references in subgroups can cause application outages (if they manage to retrieve all account subgroups without detecting circular references).
Remediation: Solve the circular reference issue.

Control ID: GROUP_04
Entity: Group
Name: Public group
Description The group contains all (100%) of the active accounts.
Risk Level: 0
Risk description: The public group should be reviewed on a regular basis to ensure that it does not provide access to sensitive information.
Remediation: Review group usage and permissions.

Control ID: GROUP_05
Entity: Group
Name: Group is almost public
Description The group contains 90% of the active accounts.
Risk Level: 0
Risk description: The public group should be reviewed on a regular basis to ensure that it does not provide access to sensitive information.
Remediation: Review group usage and permissions.

Control ID: GROUP_06
Entity: Group
Name: High sensitivity group owner left
Description The manager of a highly sensitive group is inactive.
Risk Level: 1
Risk description: Sensitive groups must have an owner. Otherwise, they are not managed or reviewed.
Remediation: Assign a manager to the group.

Control ID: GROUP_07
Entity: Group
Name: High sensitivity group without owner
Description No manager is found for a highly sensitive group.
Risk Level: 1
Risk description: Sensitive groups must have an owner. Otherwise, they are not managed or reviewed.
Remediation: Assign a manager to the group.

Control ID: GROUP_08
Entity: Group
Name: Extreme sensitivity group owner left
Description The manager of an extremely sensitive group is inactive.
Risk Level: 2
Risk description: Sensitive groups must have a owner. Otherwise, they are not managed or reviewed.
Remediation: Assign a manager to the group.

Control ID: GROUP_09
Entity: Group
Name: Extreme sensitivity group without owner
Description No manager is found for an extremely sensitive group.
Risk Level: 2
Risk description: Sensitive groups must have a owner. Otherwise, they are not managed or reviewed.
Remediation: Assign a manager to the group.

Control ID: GROUP_10
Entity: Group
Name: High sensitivity group owner is a contractor
Description The manager of a highly sensitive group is a contractor.
Risk Level: 0
Risk description: Sensitive resources should not be managed by contractors.
Remediation: Verify that this is a normal situation.

Control ID: GROUP_11
Entity: Group
Name: Extreme sensitivity group owner is a contractor
Description The manager of an extremely sensitive group is a contractor.
Risk Level: 0
Risk description: Sensitive resources should not be managed by contractors.
Remediation: Verify that this is a normal situation.

Control ID: GROUP_12
Entity: Group
Name: Highly sensitive group and new accounts
Description New accounts within a highly sensitive group are found.
Risk Level: 2
Risk description: Sensitive group changes must be reviewed in order to mitigate IT errors and hacking attempts.
Remediation: Review group changes.

Control ID: GROUP_13
Entity: Group
Name: Extremely sensitive group and new accounts
Description New accounts within an extremely sensitive group are found.
Risk Level: 3
Risk description: Sensitive group changes must be reviewed in order to mitigate IT errors and hacking attempts.
Remediation: Review group changes.

Control ID: GROUP_14
Entity: Group
Name: High sensitivity group without description
Description The description field of a highly sensitive group is empty.
Risk Level: 1
Risk description: Sensitive groups must be documented.
Remediation: Update the group description.

Control ID: GROUP_15
Entity: Group
Name: Extreme sensitivity group without description
Description The description field of an extremely sensitive group is empty.
Risk Level: 1
Risk description: Sensitive groups must be documented.
Remediation: Update the group description.

Control ID: GROUP_16
Entity: Group
Name: No group description
Description The description field of a group is empty.
Risk Level: 0
Risk description: Groups should be documented.
Remediation: Update the group description.

Control ID: GROUP_17
Entity: Group
Name: No group sensitivity level
Description The group sensitivity level is empty.
Risk Level: 0
Risk description: Groups should have a sensitivity level set in order to identify the applicable security policy.
Remediation: Update the group sensitivity level.

Control ID: GROUP_18
Entity: Group
Name: Public group grants access to highly sensitive permissions
Description The permission sensitivity level is set at 3.
Risk Level: 2
Risk description: Sensitive information should not be public.
Remediation: Review the group configuration and membership.

Control ID: GROUP_19
Entity: Group
Name: Public group grants access to extremely sensitive permissions
Description The permission sensitivity level is set at 4.
Risk Level: 3
Risk description: Sensitive information should not be public.
Remediation: Review the group configuration and membership.

Control ID: GROUP_20
Entity: Group
Name: Public group grants access to highly sensitive folders
Description A public group grants access to highly sensitive folders and the permission sensitivity level is set at 3.
Risk Level: 2
Risk description: Sensitive information should not be public.
Remediation: Review the group configuration and membership.

Control ID: GROUP_21
Entity: Group
Name: Public group grants access to extremely sensitive folders
Description A public group grants access to extremely sensitive folders and the permission sensitivity level is set a 4.
Risk Level: 3
Risk description: Sensitive information should not be public.
Remediation: Review the group configuration and membership.

Control ID: GROUP_22
Entity: Group
Name: Semi-public group grants access to highly sensitive permissions
Description A semi-public group grants access to highly sensitive permissions and the permission sensitivity level is set at 3.
Risk Level: 2
Risk description: Sensitive information should not be public.
Remediation: Review the group configuration and membership.

Control ID: GROUP_23
Entity: Group
Name: Semi-public group grants access to extremely sensitive permissions
Description A semi-public group grants access to extremely sensitive permissions and the permission sensitivity level is set at 4.
Risk Level: 3
Risk description: Sensitive information should not be public.
Remediation: Review the group configuration and membership.

Control ID: GROUP_24
Entity: Group
Name: Semi-public group grants access to highly sensitive folders
Description A semi-public group grants access to highly sensitive folders and the permission sensitivity level is set at 3.
Risk Level: 2
Risk description: Sensitive information should not be public.
Remediation: Review the group configuration and membership.

Control ID: GROUP_25
Entity: Group
Name: Semi-public group grants access to extremely sensitive folders
Description A semi-public group grants access to extremely sensitive folders and the permission sensitivity level is set at 4.
Risk Level: 3
Risk description: Sensitive information should not be public.
Remediation: Review the group configuration and membership.

Control ID: GROUP_26
Entity: Group
Name: High sensitivity and new accounts
Description A highly sensitive group with new accounts.
Risk Level: 1
Risk description: Highly sensitive groups should be carefully monitored for account changes because these groups can lead to continuity, fraud or data-leakage risk.
Remediation: Perform a review of the changes.

Control ID: GROUP_27
Entity: Group
Name: Extreme sensitivity and new accounts
Description An extremely sensitive group with new accounts
Risk Level: 2
Risk description: Extremely sensitive groups should be carefully monitored for account changes because these groups can lead to continuity, fraud or data-leakage risk.
Remediation: Perform a review of the changes.

Control ID: GROUP_34
Entity: Group
Name: Significant increase in group members
Description The number of group members has increased by more than 1000 since the last analysis.
Risk Level: 1
Risk description: Significant changes regarding access rights can be caused by operational IT errors.
Remediation: Review the change.

Control ID: GROUP_35
Entity: Group
Name: Local server group with direct domain user account
Description A local server group directly includes Active Directory domain active user accounts.
Risk Level: 2
Risk description: Local server groups are difficult to manage because most of the time one must connect to the server to manage the group content. Therefore, as a best practice, it is suggested that Active Directory domain accounts should not be directly added to these groups. This is because there is a high probability that one will forget to remove those memberships when necessary.
Remediation: Create an Active Directory group with the same content and add the Active Directory group in this local server group. As a result, it will be possible to administer the local group content from Active Directory.

Control ID: GROUP_36
Entity: Group
Name: Local server user group contains public access
Description The local user group (sid S-1-5-32-545) contains public Active Directory domain access.
Risk Level: 2
Risk description: The local user group contains all the Active Directory domain accounts meaning that, unless overridden by a GPO, anyone can open a session locally on this server.
Remediation: Verify that a GPO has been configured to prevent login by unauthorized users. As a best practice, create a group on the Active Directory domain and include this group as a subgroup of the local group in order to centrally manage who can open a session on this server.

Control ID: GROUP_37
Entity: Group
Name: Local server remote desktop user group contains public access
Description Local remote desktop user group (sid S-1-5-32-555) contains public Active Directory domain access.
Risk Level: 3
Risk description: The local remote desktop user group contains all the Active Directory domain accounts meaning that, unless overridden by a GPO, anyone can open a session locally on this server.
Remediation: Verify that a GPO has been configured to prevent login by unauthorized users. As a best practice, create a group on the Active Directory domain and include this group as a subgroup of the local group in order to centrally manage who can open a session on this server.

Control ID: GROUP_38
Entity: Group
Name: Local server remote management user group contains public access
Description The local remote management user group (sid S-1-5-32-580) contains public Active Directory domain access.
Risk Level: 3
Risk description: The local remote management user group contains all the Active Directory domain accounts meaning that, unless overridden by a GPO, anyone can remotely execute PowerShell commands on this server.
Remediation: Verify that a GPO has been configured to prevent login by unauthorized users. As a best practice, create a group on the Active Directory domain and include this group as a subgroup of the local group in order to centrally manage who can execute PowerShell commands on this server.

Control ID: GROUP_39
Entity: Group
Name: Local server administrator group contains public access
Description The local administrator group (sid S-1-5-32-544) contains public Active Directory domain access.
Risk Level: 4
Risk description: The local administrator group contains all Active Directory domain accounts meaning that, unless overridden by a GPO, anyone can open a session as a local administrator on this server.
Remediation: Verify that a GPO has been configured to prevent login by unauthorized users. As a best practice, create a group on the Active Directory domain and include this group as a subgroup of the local group in order to centrally manage who can open a session as an administrator on this server.

Control ID: GROUP_40
Entity: Group
Name: Local server power user group contains public access
Description The local power user group (sid S-1-5-32-547) contains public Active Directory domain access.
Risk Level: 3
Risk description: The local power user group contains all the Active Directory domain accounts meaning that, unless overridden by a GPO, anyone can open a session as a power user on this server and create local accounts.
Remediation: Verify that a GPO has been configured to prevent login by unauthorized users. As a best practice, create a group on the Active Directory domain and include this group as a subgroup of the local group in order to centrally manage who can open a session as a power user on this server.

Control ID: HR_01
Entity: Identity
Name: No employee number
Description The HR Code is empty.
Risk Level: 1
Risk description: Having unique employee numbers is a good practice because it helps with audits and account reconciliation processes by avoiding issues with duplicate names.
Remediation: Consider entering an employee number if one exists.

Control ID: HR_02
Entity: Identity
Name: No email found
Description No email is found.
Risk Level: 1
Risk description: No interactions are possible without a valid email address, as in the example of self-certification.
Remediation: Enter a valid email address.

Control ID: HR_03
Entity: Identity
Name: Resource owner without email
Description No email is found and the identity is a resource owner.
Risk Level: 3
Risk description: Resource owners have many security interactions, including approvals, recertification, level 1 control, etc. Without an email, security processes will not be able to reach this resource owner.
Remediation: Enter a valid email address.

Control ID: HR_04
Entity: Identity
Name: Department manager without email
Description No email is found and the identity is a department manager.
Risk Level: 3
Risk description: Department managers have many security interactions, including approvals, recertification, level 1 control, etc. Without an email, security processes will not be able to reach this resource owner.
Remediation: Enter a valid email address.

Control ID: HR_05
Entity: Identity
Name: Team leader without email
Description No email is found and the identity is a team leader.
Risk Level: 3
Risk description: Team leaders have many security interactions, including approvals, recertification, level 1 control, etc. Without an email, security processes will not be able to reach this resource owner.
Remediation: Enter a valid email address.

Control ID: HR_06
Entity: Identity
Name: Inactive identity
Description The identity is active but all its accounts are either inactive or have not been used in the last 90 days.
Risk Level: 1
Risk description: The identity is active but all of its accounts are either inactive or have not been used in the last 90 days. This identity may have left the company.
Remediation: Notify the HR department.

Control ID: HR_07
Entity: Identity
Name: Phantom identity
Description The identity is active but no accounts have been found.
Risk Level: 1
Risk description: The identity is active but no accounts have been found. This identity may have left the company.
Remediation: Notify the HR department.

Control ID: HR_08
Entity: Identity
Name: Contractor without end date
Description An active identity, marked as a contractor, does not have an end date.
Risk Level: 1
Risk description: Contractors should have an end date to help with account revocation.
Remediation: Add an end date.

Control ID: HR_09
Entity: Identity
Name: Contractor with past-due end date and no active accounts
Description An active identity, marked as as a contractor, has an outdated end date.
Risk Level: 1
Risk description: Contractors should be monitored carefully, especially during the off-boarding process.
Remediation: Validate with the contractor manager.

Control ID: HR_10
Entity: Identity
Name: Contractor with past-due end date and active accounts
Description An active identity, marked as as a contractor, has an outdated end date but retains active accounts.
Risk Level: 3
Risk description: Contractors should be monitored carefully, especially during the off-boarding process. It could be that this identity has left the company but still has active accounts.
Remediation: Validate with the contractor manager.

Control ID: HR_11
Entity: Identity
Name: Employee without manager
Description An active, internal identity has no direct manager.
Risk Level: 1
Risk description: All employees must have an assigned manager.
Remediation: Assign this employee to a manager.

Control ID: HR_12
Entity: Identity
Name: Contractor without manager
Description An active, external identity, has no direct manager.
Risk Level: 2
Risk description: All contractors must have an assigned manager.
Remediation: Assign this contractor to a manager.

Control ID: HR_13
Entity: Identity
Name: Employee whose manager left the company
Description An active, internal identity, has an inactive direct manager.
Risk Level: 1
Risk description: Employees must have a manager.
Remediation: Assign this employee to a manager.

Control ID: HR_14
Entity: Identity
Name: Contractor whose manager left the company
Description An active, external identity has an inactive direct manager.
Risk Level: 2
Risk description: Contractors must have a manager.
Remediation: Assign this contractor to a manager.

Control ID: HR_15
Entity: Identity
Name: Employee with a contractor as a manager
Description An active, internal identity has an external direct manager.
Risk Level: 1
Risk description: Employees must not be managed by a contactor, as this is an HR risk.
Remediation: Verify the data quality of the HR source and solve the issue with the HR department.

Control ID: HR_16
Entity: Identity
Name: Identity is its own manager
Description The identity is its own manager
Risk Level: 2
Risk description: This identity is its own manager. When access reviews are launched, this person will be assigned the review for their own entitlements. This should be avoided, and may point to HR data quality issues.
Remediation: Reassign this identity to another manager.

Control ID: HR_17
Entity: Identity
Name: Contractor leaving within the next 30 days
Description This contractor's departure date is coming the next 30 days
Risk Level: 0
Risk description: This contractor will leave the company within the next 30 days. The manager should verify if the contractor's end date is accurate. Upon departure, all the contractor's accesses will be disabled.
Remediation: Verify the contractor's departure date with their manager.

Control ID: HR_18
Entity: Identity
Name: Identity with namesakes
Description Multiple identities have identical first and last names (namesakes)
Risk Level: 1
Risk description: Namesakes must be carefully managed. They may be both a symptom of bad HR data quality, and a trigger for access rights provisioning mistakes.
Remediation: Verify if this is a real namesake or a data quality issue. Identify possible unique identification attributes (employee number, for instance).

Control ID: HR_19
Entity: Identity
Name: Identities with the same email address
Description Multiple identities have the same email address.
Risk Level: 2
Risk description: Several identities have the same email address. This may point to duplicated identities OR data quality issues in the HR system. This must be solved as it breaks all logical access control policies.
Remediation: Investigate and solve the issue (deduplicate identities, or update one email address in the HR system)

Control ID: HR_20
Entity: Identity
Name: Identity with multiple active accounts in the same repository
Description This identity holds several active accounts in a repository.
Risk Level: 2
Risk description: Having multiple accounts in the same repository is a bad practice. It can be a way to evade Segregation of Duties (SoD) controls. Unless the user has several accounts for very good reasons (for instance an admin account, and a standard user account), those accounts should be merged.
Remediation: Verify that the user holds these accounts for good reasons. Otherwise consider merging the accounts and their respective permissions.

Control ID: HR_21
Entity: Identity
Name: Identity with multiple active accounts in the same application
Description This identity holds several active accounts in an application.
Risk Level: 2
Risk description: Having multiple accounts in the same application is a bad practice. It can be a way to evade Segregation of Duties (SoD) controls. Unless the user has several accounts for very good reasons (for instance an admin account, and a standard user account), those accounts should be merged.
Remediation: Verify that the user holds these accounts for good reasons. Otherwise consider merging the accounts and their respective permissions.

Control ID: PERM_01
Entity: Permission
Name: High sensitivity and new rights
Description A highly sensitive permission has new access rights (active accounts added or removed).
Risk Level: 1
Risk description: Highly sensitive permissions should be carefully monitored for access right changes because these permissions can lead to continuity, fraud and data-leakage risk.
Remediation: Perform a review of the changes.

Control ID: PERM_02
Entity: Permission
Name: Extreme sensitivity and new rights
Description An extremely sensitive permission has new access rights (active accounts added or removed).
Risk Level: 2
Risk description: Extremely sensitive permissions should be carefully monitored for access right changes because these permissions can lead to continuity, fraud and data-leakage risk.
Remediation: Perform a review of the changes.

Control ID: PERM_03
Entity: Permission
Name: High sensitivity and new folder rights
Description Highly sensitive folders have new access rights (active accounts added or removed).
Risk Level: 1
Risk description: Highly sensitive folders should be carefully monitored for access right changes because these permissions can lead to continuity, fraud and data-leakage risk.
Remediation: Perform a review of the changes.

Control ID: PERM_04
Entity: Permission
Name: Extreme sensitivity and new folder rights
Description Extremely sensitive folders have new access rights (active accounts added or removed).
Risk Level: 2
Risk description: Extremely sensitive folders should be carefully monitored for access right changes because these permissions can lead to continuity, fraud and data-leakage risk.
Remediation: Perform a review of the changes.

Control ID: PERM_05
Entity: Permission
Name: Highly sensitive permission without owner
Description A highly sensitive permission has no owner.
Risk Level: 1
Risk description: A highly sensitive permission should have an owner and should be reviewed by the owner on a regular basis.
Remediation: Assign an owner and request that he review the rights.

Control ID: PERM_06
Entity: Permission
Name: Extremely sensitive permission without owner
Description An extremely sensitive permission has no owner.
Risk Level: 2
Risk description: An extremely sensitive permission should have an owner and should be reviewed by the owner on a regular basis.
Remediation: Assign an owner and request that he review the rights.

Control ID: PERM_07
Entity: Permission
Name: Highly sensitive folders without owner
Description Highly sensitive folders have no owner.
Risk Level: 1
Risk description: Highly sensitive folders should have an owner and should be reviewed by the owner on a regular basis.
Remediation: Assign an owner and request that he review the rights.

Control ID: PERM_08
Entity: Permission
Name: Extremely sensitive folders without owner
Description Extremely sensitive folders have no owner.
Risk Level: 2
Risk description: Extremely sensitive folders should have an owner and should be reviewed by the owner on a regular basis.
Remediation: Assign an owner and request that he review the rights.

Control ID: PERM_09
Entity: Permission
Name: Highly sensitive permission without description
Description Highly sensitive permission with an empty description field.
Risk Level: 1
Risk description: Highly sensitive permissions must be documented to help with analysis and audits.
Remediation: Fill in the description field.

Control ID: PERM_10
Entity: Permission
Name: Extremely sensitive permission without description
Description Extremely sensitive permission with an empty description field.
Risk Level: 1
Risk description: Extremely sensitive permissions must be documented to help with analysis and audits.
Remediation: Fill in the description field.

Control ID: PERM_11
Entity: Permission
Name: Highly sensitive folders without description
Description Highly sensitive folders with an empty description field.
Risk Level: 1
Risk description: Highly sensitive folders must be documented to help with analysis and audits.
Remediation: Fill in the description field.

Control ID: PERM_12
Entity: Permission
Name: Extremely sensitive folders without description
Description Extremely sensitive folders with an empty description field.
Risk Level: 1
Risk description: Extremely sensitive folders must be documented to help with analysis and audits.
Remediation: Fill in the description field.

Control ID: PERM_13
Entity: Permission
Name: Significant increase in folder rights
Description The increase in folder rights since the last analysis is greater than 100.
Risk Level: 1
Risk description: Significant changes with regards to folder rights can be caused by operational IT errors.
Remediation: Review the change(s).

Control ID: PERM_14
Entity: Permission
Name: Significant increase in access rights
Description The increase in access rights since the last analysis is greater than 100.
Risk Level: 1
Risk description: Significant changes with regards to access rights can be caused by operational IT errors.
Remediation: Review the change(s).

Control ID: PERM_15
Entity: Permission
Name: Local share with AD domain account ACLs
Description Local share permission ('/') contains direct active account access through ACLs.
Risk Level: 2
Risk description: Active Directory domain accounts should not be allowed to directly access local server shares because this is a local, server per server, configuration. There is a high risk of residual access rights.
Remediation: A group in Active Directory should be referenced instead of a shared ACL. Centrally manage the access rights through Active Directory's group membership.

Control ID: QA_01
Entity: Application
Name: Application without owner
Description The application has no assigned owner.
Risk Level: 1
Risk description: Applications without owners are not managed or reviewed which could lead to increased fraud and data leakage risk.
Remediation: Assign an owner to this application.

Control ID: QA_02
Entity: Organization
Name: Organization without owner
Description The organization does not have an assigned owner.
Risk Level: 1
Risk description: Organizations without owners are not managed or reviewed which could lead to increased fraud and data leakage risk.
Remediation: Assign an owner to this organization.

Control ID: QA_03
Entity: Application
Name: Application owner left the company
Description The application owner has left the company.
Risk Level: 1
Risk description: Applications without owners are not managed or reviewed which could lead to increased fraud and data leakage risk.
Remediation: Assign an owner to this application.

Control ID: QA_04
Entity: Organization
Name: Organization owner left the company
Description The organization owner has left the company.
Risk Level: 1
Risk description: Organizations without owners are not managed or reviewed which could lead to increased fraud and data leakage risk.
Remediation: Assign an owner to this organization.

Control ID: QA_05
Entity: Application
Name: Sensitive application owner is a contractor
Description The owner is a contractor and the application sensitivity level is greater than 2.
Risk Level: 0
Risk description: Sensitive applications should not be managed by contractors.
Remediation: Verify that this is a normal situation.

Control ID: QA_06
Entity: Organization
Name: Organization owner is a contractor
Description The organization owner is a contractor.
Risk Level: 0
Risk description: Organizations should not be managed by contractors.
Remediation: Verify that this is a normal situation.

Control ID: QA_07
Entity: Organization
Name: Orphaned organization
Description The organization is orphaned.
Risk Level: 1
Risk description: This can be a data quality problem or a RadiantOne Identity Analytics connector error.
Remediation: Verify that the data has been loaded properly into RadiantOne Identity Analytics. Partial data loading leads to partial analysis. If this is not the case, check with the HR department to correct this organization.

Control ID: QA_08
Entity: Organization
Name: Empty organization
Description The organization is empty.
Risk Level: 1
Risk description: This can be a data quality problem or a RadiantOne Identity Analytics connector error.
Remediation: Verify that the data has been loaded properly into RadiantOne Identity Analytics. Partial data loading leads to partial analysis. If this is not the case, check with the HR department to correct this organization.

Control ID: QA_09
Entity: Application
Name: No application description
Description The application description is empty.
Risk Level: 0
Risk description: An application description should always be provided to help with analysis and audits.
Remediation: Fill in the application description field.

Control ID: QA_10
Entity: Share
Name: No share description
Description The share description is empty.
Risk Level: 0
Risk description: A share application should always be provided to help with analysis and audits.
Remediation: Fill in the share description field.

Control ID: QA_11
Entity: Application
Name: No sensitivity level set for the application
Description The application sensitivity level is empty.
Risk Level: 0
Risk description: The application sensitivity level should always be provided to help with analysis and audits.
Remediation: Fill in the application sensitivity level field.

Control ID: QA_12
Entity: Share
Name: No sensitivity level set for the share
Description The share sensitivity level is empty.
Risk Level: 0
Risk description: The share sensitivity level should always be provided to help with analysis and audits.
Remediation: Fill in the share sensitivity level field.

Control ID: QA_13
Entity: Permission
Name: No sensitivity level set for the permission
Description The permission sensitivity level is empty.
Risk Level: 0
Risk description: The permission sensitivity level should always be provided to help with analysis and audits.
Remediation: Fill in the permissions sensitivity level field.

Control ID: QA_14
Entity: Permission
Name: No sensitivity level set for the folder
Description The folder sensitivity level is empty.
Risk Level: 0
Risk description: The folder sensitivity level should always be provided to help with analysis and audits.
Remediation: Fill in the folder sensitivity level field.

Control ID: QA_15
Entity: Permission
Name: No permission description
Description The permission description field is empty and the sensitivity level is less than 3.
Risk Level: 0
Risk description: A permission description should always be provided to help with analysis and audits.
Remediation: Fill in the permission description field.

Control ID: QA_16
Entity: Permission
Name: No folder description
Description The folder description field is empty, an ACL is associated, and the sensitivity level is less than 3.
Risk Level: 0
Risk description: A folder description should always be provided to help with analysis and audits.
Remediation: Fill in the folder description field.

Control ID: REM_01
Entity: Account
Name: Account not revoked
Description A decision have been made to revoke this account and a remediation process has been implemented. Although the remediation process states that the account has been revoked, the account is still active in the system at the time of data loading.
Risk Level: 3
Risk description: A discrepancy between the remediation process (theoretical view of the situation) and the actual situation in the system can lead to fraud and data-leakage risk.
Remediation: Revoke the account and investigate to understand why this error occurred using the "Decision History" tab on the Account Detail page.

Control ID: REM_02
Entity: Right
Name: Access right not removed
Description A decision has been made to revoke this access right and a remediation process has been implemented. Although the remediation process states that the access right has been revoked, the access right is still active in the system at the time of data loading.
Risk Level: 3
Risk description: A discrepancy between the remediation process (theoretical view of the situation) and the actual situation in the system can lead to fraud and data-leakage risk.
Remediation: Revoke the access right and investigate to understand why this error occurred using the "Decision History" tab on the Application Detail page.

Control ID: REM_03
Entity: Right
Name: Folder right not removed
Description A decision have been made to revoke this folder right and a remediation process has been implemented. Although the remediation process states that the folder right has been revoked, the account is still active in the system at the time of data loading.
Risk Level: 3
Risk description: A discrepancy between the remediation process (theoretical view of the situation) and the actual situation in the system can lead to fraud and data-leakage risk.
Remediation: Revoke the folder right and investigate to understand why this error occurred using the "Decision History" tab on the Share Detail page.

Control ID: REM_04
Entity: Identity
Name: Identity not revoked
Description A decision has been made to revoke this identity and a remediation process has been implemented. Although the remediation process states that the identity has been revoked, the account is still active in the system at the time of data loading.
Risk Level: 3
Risk description: A discrepancy between the remediation process (theoretical view of the situation) and the actual situation in the systems can lead to fraud and data-leakage risk.
Remediation: Revoke the identity and investigate to understand why this error occurred using the Identity Detail page.

Control ID: REV_01
Entity: Account
Name: Account not reviewed in the last 365 days
Description The account has not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Accounts should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_02
Entity: Right
Name: Access rights not reviewed in the last 365 days
Description The access rights have not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Access rights should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_03
Entity: Right
Name: Folder rights not reviewed in the last 365 days
Description Folder fights have not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Folder rights should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_04
Entity: Application
Name: Application not reviewed in the last 365 days
Description The application has not reviewed in the last 365 days.
Risk Level: 1
Risk description: Applications should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_05
Entity: Share
Name: Share not reviewed in the last 365 days
Description The share has not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Shares should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_06
Entity: Identity
Name: Identity not reviewed in the last 365 days
Description The identity has not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Identities should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_07
Entity: Organization
Name: Organization not reviewed in the last 365 days
Description The organization has not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Organizations should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review

Control ID: REV_08
Entity: Permission
Name: Permission not reviewed in the last 365 days
Description The permission has not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Permissions should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_09
Entity: Folder
Name: Folder not reviewed in the last 365 days
Description The folder has not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Folders should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_10
Entity: Group
Name: Group not reviewed in the last 365 days
Description The group has not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Groups should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_11
Entity: Group membership
Name: Group membership not reviewed in the last 365 days
Description Group membership has not been reviewed in the last 365 days.
Risk Level: 1
Risk description: Group membership should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_12
Entity: Right
Name: Highly sensitive access rights not reviewed in the last 90 days
Description Highly sensitive access rights have not been reviewed in the last 90 days and the sensitivity level is set at 3.
Risk Level: 1
Risk description: Highly sensitive access rights should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_13
Entity: Right
Name: Highly sensitive folder rights not reviewed in the last 90 days
Description Highly sensitive folder rights have not been reviewed in the last 90 days and the sensitivity level is set at 3.
Risk Level: 1
Risk description: Highly sensitive folder rights should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_14
Entity: Group membership
Name: Highly sensitive group membership not reviewed in the last 90 days
Description Highly sensitive group membership has not been reviewed in the last 90 days.
Risk Level: 1
Risk description: Group membership should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_15
Entity: Right
Name: Extremely sensitive access rights not reviewed in the last 30 days
Description Extremely sensitive access rights have not been reviewed in the last 30 days and the sensitivity level is set at 4.
Risk Level: 1
Risk description: Extremely sensitive access rights should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

Control ID: REV_16
Entity: Right
Name: Extremely sensitive folder rights not reviewed in the last 30 days
Description Extremely sensitive folder rights have not been reviewed in the last 30 days and the sensitivity level is set at 4.
Risk Level: 1
Risk description: Extremely sensitive folder rights should be reviewed on a regular basis to comply with security policy constraints.
Remediation: Perform a review.

ad booster controls

By installing the AD Booster add-on available on our Marketplace: bw_ad_schema, you can extract information about privilege access rights in AD (DIT ACL) and benefit from additional controls on the accounts that can administer AD itself. These controls are listed in this section.

Control ID: ad_account_editadmin
Control Type: access
Entity: Account
Description: AD privileged accounts that can edit UAC
Risk Description: "Those accounts can change Active Directory User Account control attributes administration scope and therefore grant some accounts the privilege to override default password policies, re-enable accounts, unlock accounts, ...

This privilege should be carefully granted as if this account is compromised, it can be used to create lateral movements for an attacker by, for instance, re-enabling privileged dormant accounts."

Remediation: "Double-check if the account owner attributes are aligned with this privilege. In the case of a service account, double check that this privilege is part of the actions normally performed by this service account. If it is not the case, remove this privilege from this account."

Control ID: ad_account_resetpass
Control Type: access
Entity: Account
Name: AD privileged accounts that can reset password
Risk Level: 3
Risk Description: "Those accounts can reset Active Directory accounts password.

This privilege should be carefully granted as if this account is compromised, it can be used to steal legitimate dormant accounts to perform lateral movements."

Remediation: "Double-check if the account owner attributes are aligned with this privilege. In the case of a service account, double check that this privilege is part of the actions normally performed by this service account. If it is not the case, remove this privilege from this account."

Control ID: ad_account_usercontrol
Control Type: access
Entity: Account
Name: AD privileged accounts that can change UAC
Risk Level: 3
Risk Description: "Those accounts can change Active Directory User Account control attributes and therefore override default password policies, re-enable accounts, unlock accounts, ...

This privilege should be carefully granted as if this account is compromised, it can be used to create lateral movements for an attacker by, for instance, re-enabling privileged dormant accounts."

Remediation: "Double-check if the account owner attributes are aligned with this privilege. In the case of a service account, double check that this privilege is part of the actions normally performed by this service account. If it is not the case, remove this privilege from this account."

Control ID: ad_admin_rights
Control Type: access
Entity: Account
Name: AD privileges accounts
Risk Level: 3
Risk Description: "Those accounts can change Active Directory User Account control attributes administration scope and therefore grant some accounts the privilege to override default password policies, re-enable accounts, unlock accounts, ...

This privilege should be carefully granted as if this account is compromised, it can be used to create lateral movements for an attacker by, for instance, re-enabling privileged dormant accounts."

Remediation: "Double-check if the account owner attributes are aligned with this privilege. In the case of a service account, double check that this privilege is part of the actions normally performed by this service account. If it is not the case, remove this privilege from this account."

Control ID: ad_account_disabled
Control Type: ad quality controls
Entity: Account
Name: AD disabled account
Description: Disabled account
Risk Level: 0
Risk Description: Disabled accounts should be deleted after a given period are they can still pose security problems if Active Directory is compromised: Those accounts, which are no longer monitored, could be reactivated and used by an attacker.
Remediation: Delete those accounts after a given period (12 months)

Control ID: ad_account_inactive
Control Type: ad quality controls
Entity: Account
Name: AD inactive account
Description: Unused accounts are defined as accounts who have not been used since at least 90 days or accounts who have never been used.
Risk Level: 1
Risk Description: "Unused accounts are by definition no longer monitored by their respective owners. Those accounts can hacked and used by an insider to impersonate an individual while doing a fraud. Accounts can be unused if the account owner is no longer using the service, if the account owner is a contractor no longer working for the company, the account is a test/service account no longer used."
Remediation: "Monitor account last login date. If the last login date is longer than 60 days (or if the account has never been used) notify the manager of the account owner for disabling/deleting action. The account owner manager is accountable for the applying the security policy within his perimeter."

Control ID: ad_account_orphan
Control Type: ad quality controls
Entity: Account
Name: AD orphan active accounts
Description: active accounts identified as orphan
Risk Level: 1
Risk Description: "Orphan accounts are nor assigned to an individual, nor tracked as a service account. Therefore, they can be used by insiders, outliers or hackers to steal data or issue rogue transactions"
Remediation: reconcile the account, disable it if it is no longer used.

Control ID: ad_service_account
Control Type: ad quality controls
Entity: Account
Name: AD service account
Description: Service account
Risk Level: 0
Risk Description: Service accounts / No-owners should be carefully managed and revoked when no longer used as most of the time they override default security policies (password, expiration, ...).
Remediation: Review this account on a regular basis

Control ID: ad_account_leaver
Control Type: ad risk controls
Entity: Account
Name: AD leaver's active account
Description: active account belonging to an identity who left the company
Risk Level: 4
Risk Description: Accounts must be terminated upon their owner departure, otherwise they can be used by a third party (insider, hacker) to compromise the data or steal information.
Remediation: Double check if the owner left the company and disable the account immediatly

Control ID: ad_account_passnoexpire
Control Type: ad risk controls
Entity: Account
Name: AD active accounts for which the password cannot expire
Description: User account with never expiring password
Risk Level: 2
Risk Description: "User accounts with password whom never expires present a risk as once the password is shared, it is spread widely and thus, expose the company assets"
Remediation: Re-activate the expiration date on the password.

Control ID: ad_account_passnotchanged
Control Type: ad risk controls
Entity: Account
Name: AD account whose password has not changed
Description: Active user accounts with password not changed in the last 90 days
Risk Level: 1
Risk Description: Passwords must be changed on a regular basis to comply with security policies and mitigate account hacking risks.
Remediation: For user accounts: Check if the account is still used, if not disabled it. Otherwise, check password policy and reactivate password expiration policy.

Control ID: ad_account_passnotrequired
Control Type: ad risk controls
Entity: Account
Name: AD active accounts without a password required
Description: Password is not needed to connect
Risk Level: 2
Risk Description: This account can be used without any password, is can lead to security problem depending on the context of the account.
Remediation: Reactivate authentication for this account

Control ID: gpo_rights_to
Control Type: gpo restricted
Entity: Account
Name: gpo rights to
Risk Level: 4

Control ID: grp_Account_Operators
Control Type: ad security group controls
Entity: Account
Name: Account Operators
Risk Level: 1
Risk Description: "The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights. By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved."

Remediation: Remove all existing members

Control ID: grp_Backup_Operators
Control Type: ad security group controls
Entity: Account
Name: Backup Operators
Risk Level: 1
Risk Description: Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.
Remediation: "Double-check if the account owner attributes are aligned with this privilege. In the case of a service account, double check that this privilege is part of the actions normally performed by this service account. If it is not the case, remove this privilege from this account."

Control ID: grp_Domain_Admins
Control Type: ad security group controls
Entity: Account
Name: Domain Admins
Risk Level: 1
Risk Description: "Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.

The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain."

Remediation: "Double-check if the account owner attributes are aligned with this privilege. In the case of a service account, double check that this privilege is part of the actions normally performed by this service account. If it is not the case, remove this privilege from this account."

Control ID: grp_Server_Operators
Control Type: ad security group controls
Entity: Account
Name: Server Operators
Risk Level: 1
Risk Description: "Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Memebers of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.

By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table."

Remediation: Remove all existing members

Control ID: ad_local_admin
Control Type: gpo restricted
Entity: Account
Name: AD accounts with local administration rights
Risk Level: 4

Control ID: ad_localadm_computers
Control Type: gpo restricted
Entity: Account
Name: AD local admin computers
Risk Level: 0

Control ID: ad_account_disabled_noou
Control Type: quality
Entity: Account
Name: AD disabled accounts not in OU
Risk Level: 2

Control ID: ad_account_reconciled_enabled
Control Type: quality
Entity: Account
Name: AD enabled reconciled accounts
Risk Level: 1

Control ID: ad_acl_id_notfound
Control Type: quality
Entity: Account
Name: ad_acl_id_notfound
Risk Level: 3

Control ID: ad_group_cyclic
Control Type: quality
Entity: Group
Name: AD circular groups
Risk Level: 3

Control ID: ad_group_disabled
Control Type: quality
Entity: Group
Name: AD groups with only disabled accounts
Risk Level: 2

Control ID: ad_group_empty
Control Type: quality
Entity: Group
Name: AD empty groups
Risk Level: 2

Control ID: ad_account_srvpassnotrequired
Control Type: risk
Entity: Account
Name: AD active service accounts whithout a password required
Risk Level: 5

Control ID: ad_group_public
Control Type: risk
Entity: Group
Name: AD public groups
Risk Level: 4

Control ID: ad_group_threshold
Control Type: risk
Entity: Account
Name: AD Group Threshold
Description: Count every accounts in the AD domain
Risk Level: 0
Risk Description: Metrics for other controls to be compared with

Control ID: grp_Access_Control_Assistance_Operators
Control Type: security groups
Entity: Account
Name: Access Control Assistance Operators
Risk Level: 0
Risk Description: Members of this group can remotely query authorization attributes and permissions for resources on the computer.

Control ID: grp_Administrators
Control Type: security groups
Entity: Account
Name: Administrators
Risk Level: 0
Risk Description: Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.
Remediation: The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.

Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.

Control ID: grp_Cert_Publishers
Control Type: security groups
Entity: Account
Name: Cert Publishers
Risk Level: 0
Risk Description: Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.

Control ID: grp_Certificate_Service_DCOM_Access
Control Type: security groups
Entity: Account
Name: Certificate Service DCOM Access
Risk Level: 0
Risk Description: Members of this group are allowed to connect to certification authorities in the enterprise.

Control ID: grp_Cloneable_Domain_Controllers
Control Type: security groups
Entity: Account
Name: Cloneable Domain Controllers
Risk Level: 0
Risk Description: Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).

Control ID: grp_Cryptographic_Operators
Control Type: security groups
Entity: Account
Name: Cryptographic Operators
Risk Level: 0
Risk Description: Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.

Control ID: grp_Denied_RODC_Password_Replication_Group
Control Type: security groups
Entity: Account
Name: Denied RODC Password Replication Group
Risk Level: 0
Risk Description: "Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller.

The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication Group supersedes the Allowed RODC Password Replication Group."

Control ID: grp_Distributed_COM_Users
Control Type: security groups
Entity: Account
Name: Distributed COM Users
Risk Level: 0
Risk Description: Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).

Control ID: grp_DnsAdmins
Control Type: security groups
Entity: Account
Name: DnsAdmins
Risk Level: 0
Risk Description: Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.

Control ID: grp_DnsUpdateProxy
Control Type: security groups
Entity: Account
Name: DnsUpdateProxy
Risk Level: 0
Risk Description: "Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.

However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account."

Control ID: grp_Domain_Computers
Control Type: security groups
Entity: Account
Name: Domain Computers
Risk Level: 0
Risk Description: This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group.

Control ID: grp_Domain_Controllers
Control Type: security groups
Entity: Account
Name: Domain Controllers
Risk Level: 0
Risk Description: The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group.

Control ID: grp_Domain_Guests
Control Type: security groups
Entity: Account
Name: Domain Guests
Risk Level: 0
Risk Description: The Domain Guests group includes the domain�s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.

Control ID: grp_Enterprise_Admins
Control Type: security groups
Entity: Account
Name: Enterprise Admins
Risk Level: 0
Risk Description: "The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains.

By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account."

Control ID: grp_Enterprise_Read_Only_Domain_Controllers
Control Type: security groups
Entity: Account
Name: Enterprise Read-Only Domain Controllers
Risk Level: 0
Risk Description: "Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.

Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it."

Control ID: grp_Event_Log_Readers
Control Type: security groups
Entity: Account
Name: Event Log Readers
Risk Level: 0
Risk Description: Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.

Control ID: grp_Hyper_V_Administrators
Control Type: security groups
Entity: Account
Name: Hyper-V Administrators
Risk Level: 0
Risk Description: Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.

Control ID: grp_IIS_IUSRS
Control Type: security groups
Entity: Account
Name: IIS_IUSRS
Risk Level: 0
Risk Description: IIS_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR_MachineName account and the IIS_WPG group with the IIS_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS_IUSRS.

Control ID: grp_Incoming_Forest_Trust_Builders
Control Type: security groups
Entity: Account
Name: Incoming Forest Trust Builders
Risk Level: 0
Risk Description: "Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account.

To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups."

Control ID: grp_Network_Configuration_Operators
Control Type: security groups
Entity: Account
Name: Network Configuration Operators
Risk Level: 0
Risk Description: "Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features:

Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers. Rename the LAN connections or remote access connections that are available to all the users. Enable or disable a LAN connection. Modify the properties of all of remote access connections of users. Delete all the remote access connections of users. Rename all the remote access connections of users. Issue ipconfig, ipconfig /release, or ipconfig /renew commands. Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card."

Control ID: grp_Performance_Log_Users
Control Type: security groups
Entity: Account
Name: Performance Log Users
Risk Level: 0
Risk Description: "Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group:

Can use all the features that are available to the Performance Monitor Users group. Can create and modify Data Collector Sets after the group is assigned the Log on as a batch job user right. Cannot use the Windows Kernel Trace event provider in Data Collector Sets."

Control ID: grp_Performance_Monitor_Users
Control Type: security groups
Entity: Account
Name: Performance Monitor Users
Risk Level: 0
Risk Description: "Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways.

Specifically, members of this security group: Can use all the features that are available to the Users group. Can view real-time performance data in Performance Monitor. Can change the Performance Monitor display properties while viewing data. Cannot create or modify Data Collector Sets."

Control ID: grp_Pre_Windows_2000_Compatible_Access
Control Type: security groups
Entity: Account
Name: Pre�Windows 2000 Compatible Access
Risk Level: 0
Risk Description: Members of the Pre�Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.

Control ID: grp_Print_Operators
Control Type: security groups
Entity: Account
Name: Print Operators
Risk Level: 0
Risk Description: "Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.

This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved."

Control ID: grp_Protected_Users
Control Type: security groups
Entity: Account
Name: Protected Users
Risk Level: 0
Risk Description: "Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes.

This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer. Depending on the account�s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows. Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1, so the device fails to authenticate to a domain when the account is a member of the Protected User group. The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite. The user�s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group. The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again."

Control ID: grp_RAS_and_IAS_Servers
Control Type: security groups
Entity: Account
Name: RAS and IAS Servers
Risk Level: 0
Risk Description: Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.

Control ID: grp_RDS_Endpoint_Servers
Control Type: security groups
Entity: Account
Name: RDS Endpoint Servers
Risk Level: 0
Risk Description: Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.

Control ID: grp_RDS_Management_Servers
Control Type: security groups
Entity: Account
Name: RDS Management Servers
Risk Level: 0
Risk Description: Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.

Control ID: grp_RDS_Remote_Access_Servers
Control Type: security groups
Entity: Account
Name: RDS Remote Access Servers
Risk Level: 0
Risk Description: Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.

Control ID: grp_Read_Only_Domain_Controllers
Control Type: security groups
Entity: Account
Name: Read-Only Domain Controllers
Risk Level: 0
Risk Description: "This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: Read-only AD DS database Unidirectional replication Credential caching Administrator role separation Read-only Domain Name System (DNS)"

Control ID: grp_Remote_Desktop_Users
Control Type: security groups
Entity: Account
Name: Remote Desktop Users
Risk Level: 0
Risk Description: The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).

Control ID: grp_Remote_Management_Users
Control Type: security groups
Entity: Account
Name: Remote Management Users
Risk Level: 0
Risk Description: "Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the WinRMRemoteWMIUsers_ group is allows remotely running Windows PowerShell commands."

Control ID: grp_Replicator
Control Type: security groups
Entity: Account
Name: Replicator
Risk Level: 0
Risk Description: Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.

Control ID: grp_Schema_Admins
Control Type: security groups
Entity: Account
Name: Schema Admins
Risk Level: 0
Risk Description: "Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode.

The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema. The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory."

Control ID: grp_Terminal_Server_License_Servers
Control Type: security groups
Entity: Account
Name: Terminal Server License Servers
Risk Level: 0
Risk Description: Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).

Control ID: grp_Windows_Authorization_Access_Group
Control Type: security groups
Entity: Account
Name: Windows Authorization Access Group
Risk Level: 0
Risk Description: Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).

Control ID: grp_WinRMRemoteWMIUsers
Control Type: security groups
Entity: Account
Name: WinRMRemoteWMIUsers_
Risk Level: 0
Risk Description: "In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.

The WinRMRemoteWMIUsers_ group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version. If the file share is hosted on a server that is running a supported version of the operating system: You must be a member of the WinRMRemoteWMIUsers__ group or the BUILTIN Administrators group. You must have Read permissions to the file share. If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012: You must be a member of the BUILTIN Administrators group. You must have Read permissions to the file share. In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers__ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions."

Control ID: grpAllowed_RODC_Password_Replication_Group
Control Type: security groups
Entity: Account
Name: Allowed RODC Password Replication Group
Risk Level: 0
Risk Description: The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The Denied RODC Password Replication Group group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.

Control ID: grpDomain_Users
Control Type: security groups
Entity: Account
Name: Domain Users
Risk Level: 0
Risk Description: "The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group.

By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer)."

Control ID: grpGroup_Policy_Creators_Owners
Control Type: security groups
Entity: Account
Name: Group Policy Creators Owners
Risk Level: 0
Risk Description: This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.

pam booster controls

When activating the "Booster for PAM designed for CyberArk" feature in the technical configuration of the Identity Analytics project, the following addition controls are executed:

Control ID: CA_SAFE_ACCOUNT03
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT03_leaver_access
Description: Active user accounts for which the owner has departed and have access to a safe.
Risk Level: 4
Risk Description: User accounts must be terminated upon their owner's departure or risk being used by a third party (insider, hacker) to compromise the data or steal information.
Remediation: Verify that the owner has left the company and immediately disable the account.

Control ID: CA_VAULT_ACCOUNT03
Control Type: risk
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT03_leaver_access
Description: Active user accounts for which the owner has departed and have access to a vault
Risk Level: 4
Risk Description: Accounts must be terminated upon their owner's departure or risk being used by a third party (insider, hacker) to compromise the data or steal information.
Remediation: Verify that the owner left the company and immediately disable the account.

Control ID: CA_SAFE_ACCOUNT06
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT06_contractor_noexp_admin
Description: Contractors with no expiration date that can manage a safe
Risk Level: 4
Risk Description: Contractor user accounts should have an expiration date to facilitate account revocation.
Remediation: Add an expiration date to the contractor user account.

Control ID: CA_SAFE_ACCOUNT02
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT02_contractor_noexp_access
Description: Contractors without an expiration date that can access a safe
Risk Level: 4
Risk Description: Contractor user accounts should have an expiration date to faciliate account revocation.
Remediation: Add an expiration date to the contractor user account.

Control ID: CA_VAULT_ACCOUNT02
Control Type: risk
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT02_contractor_noexp_access
Description: Contractors without an expiration date that can access a vault
Risk Level: 4
Risk Description: Contractor user accounts should have an expiration date to faciliate account revocation.
Remediation: Add an expiration date to the contractor user account.

Control ID: CA_SAFE_ASSET01
Control Type: risk
Entity: Asset
Resource Type: Credential
Name: CA_SAFE_ASSET01_nocpm
Description: CyberArk credentials for which automatic password rotation is disabled
Risk Level: 3
Risk Description: End users can still bypass CyberArk to use these privileged accounts because the password is not automatically changed by the CyberArk CPM.
Remediation: Contact the resource owner and the CyberArk team about activating CPM on these privileged accounts.

Control ID: CA_SAFE_ACCOUNT08
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT08_SOD_accountadmin_accountusage
Description: Users that can both manage the safe and use its contents
Risk Level: 3
Risk Description: User accounts should not be able to both manage and use the contents in order to conform with the principles of segregation of duties.
Remediation: Re-assign the user'a access rights to conform with the principles of segregation of duties.

Control ID: CA_SAFE_ACCOUNT05
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT05_noexp_adminaccess
Description: Users with no expiration date that can manage a safe
Risk Level: 3
Risk Description: User accounts that can manage a CyberArk safe should have an expiration date to facilitate account revocation.
Remediation: Add an expiration date to the user account that can administer a CyberArk safe.

Control ID: CA_SAFE_ACCOUNT09
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT09_SOD_vaultadmin_accountusage
Description: Users with both access to the vault and access to a safe inside the vault
Risk Level: 3
Risk Description: User accounts should not be able to manage a vault, access a safe and use the contents in order to conform with the principles of segregation of duties.
Remediation: Re-assign the user's access rights to conform with the principles of segregation of duties.

Control ID: CA_SAFE_ACCOUNT07
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT07_directrights_access
Description: Users that have at least one direct permission to a safe
Risk Level: 2
Risk Description: All access rights to a safe should be provided to user accounts through groups. Discretionary access should be avoided to ensure proper user access management.
Remediation: Remove the direct rights and use groups to grant access.

Control ID: CA_VAULT_ACCOUNT06
Control Type: risk
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT06_directrights_access
Description: Users that have at least one direct permission to a vault
Risk Level: 2
Risk Description: All access rights to a vault should be provided to user accounts through groups. Discretionary access should be avoided to ensure proper user access management.
Remediation: Remove direct rights and use groups to grant access.

Control ID: CA_VAULT_ACCOUNT05
Control Type: risk
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT05_noexp_access
Description: Users without an expiration date that have access to a vault
Risk Level: 2
Risk Description: Users that can access a CyberArk vault should have an expiration date to facilitate account revocation.
Remediation: Add an expiration date to the account that can access a CyberArk vault.

Control ID: CA_VAULT_ACCOUNT07
Control Type: risk
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT07_SOD_admin_audit
Description: Users that can both audit and administer the same vault
Risk Level: 2
Risk Description: Users should not be able to both audit and manage a vault in order to conform to the principles of segregation of duties.
Remediation: Re-assign the user's access rights to conform with the principles of segregation of duties.

Control ID: CA_VAULT_ACCOUNT08
Control Type: risk
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT08_SOD_backup_restore
Description: Users that can both back up and restore the same vault
Risk Level: 2
Risk Description: Users should not be able to both back up and restore the same vault in order to conform with the principles of segregation of duties.
Remediation: Re-assign the user's access rights to conform with the principles of segregation of duties.

Control ID: CA_SAFE_ACCOUNT04
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT04_orphan_accounts_access
Description: Orphaned accounts with access to a safe
Risk Level: 2
Risk Description: Orphaned accounts are no longer assigned to an individual or tracked as a service or technical account. They can be used by insiders, outliers or hackers to steal data or issue rogue transactions.
Remediation: If relevant, immediately assign the account to an individual, document it as a technical/service account or disable it if it is no longer being used.

Control ID: CA_VAULT_ACCOUNT04
Control Type: risk
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT04_orphan_accounts_access
Description: Orphaned accounts with access to a vault
Risk Level: 2
Risk Description: Orphaned accounts are no longer assigned to an individual or tracked as a service or technical account. They can be used by insiders, outliers or hackers to steal data or issue rogue transactions.
Remediation: If relevant, immediately assign the account to an individual, document it as technical/service account or disable it if it is no longer being used.

Control ID: CA_SAFE_ACCOUNT11
Control Type: quality
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT11_accounts_dormant
Description: Unused user accounts giving access to a safe
Risk Level: 1
Risk Description: Unused user accounts are no longer being monitored by their respective owners. They can be hacked and used by an insider to impersonate an individual and commit fraud. Accounts are considered unused if its owner is no longer using the service, if its owner is a contractor no longer working for the company, or if the account is a test/service account no longer being used.
Remediation: Monitor the last login date of the account. If it is greater than 180 days, or if the account has never been used, notify the manager of the account owner in order to disable or delete it. The account owner manager is accountable for the applying the security policy within his perimeter.

Control ID: CA_SAFE_ACCOUNT13
Control Type: quality
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT13_service
Description: Technical/service accounts giving access to a safe
Risk Level: 1
Risk Description: Service or technical accounts with access to a safe should be identified and reviewed.
Remediation: Review service or technical accounts and check the legitimacy of the access to the vault.

Control ID: CA_VAULT_ACCOUNT11
Control Type: quality
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT11_accounts_dormant
Description: Unused user accounts giving access to a vault
Risk Level: 1
Risk Description: Unused user accounts are no longer being monitored by their respective owners. They can be hacked and used by an insider to impersonate an individual and commit fraud. Accounts are considered unused if its owner is no longer using the service, if its owner is a contractor no longer working for the company, or if the account is a test/service account no longer being used.
Remediation: Monitor the last login date of the account. If it is greater than 180 days, or if the account has never been used, notify the manager of the account owner in order to disable or delete it. The account owner manager is accountable for applying the security policy within his perimeter.

Control ID: CA_VAULT_ACCOUNT13
Control Type: quality
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT13_service
Description: Technical/service accounts giving access to a vault
Risk Level: 1
Risk Description: Service or technical accounts with access to a vault should be identified and reviewed.
Remediation: Review service or technical accounts and check the legitimacy of the access to the vault.

Control ID: CA_SAFE_ACCOUNT01
Control Type: risk
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT01_contractor_access
Description: Contractors that can access a safe
Risk Level: 1
Risk Description: Contractor user accounts with access to a safe should be identified and reviewed.
Remediation: Review contractor user accounts and check the legitimacy of their access to a safe.

Control ID: CA_VAULT_ACCOUNT01
Control Type: risk
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT01_contractor_access
Description: Contractors that can access a vault
Risk Level: 1
Risk Description: Contractor user accounts with access to a vault should be identified and reviewed.
Remediation: Review contractor user accounts and check the legitimacy of the access to a vault.

Control ID: CA_SAFE_ACCOUNT12
Control Type: quality
Entity: Account
Resource Type: Safe
Name: CA_SAFE_ACCOUNT12_disabled_accounts_access
Description: Disabled user accounts giving access to a safe
Risk Level: 1
Risk Description: Legacy user accounts which are very old can be removed to improve repository quality.
Remediation: Remove very old disabled accounts.

Control ID: CA_VAULT_ACCOUNT12
Control Type: quality
Entity: Account
Resource Type: Vault
Name: CA_VAULT_ACCOUNT12_disabled_accounts_access
Description: Disabled user accounts giving access to a vault
Risk Level: 1
Risk Description: Legacy user accounts can be removed if they are very old to improve repository quality.
Remediation: Remove very old disabled accounts.

Control ID: CA_SAFE01
Control Type: quality
Entity: Application
Resource Type: Safe
Name: CA_SAFE01_safe_empty
Description: The safe is empty
Risk Level: 0

Control ID: CA_SAFE_GROUP01
Control Type: quality
Entity: Group
Resource Type: Safe
Name: CA_SAFE_GROUP01_group_empty
Description: Empty groups giving access to a safe
Risk Level: 0
Risk Description: Empty groups should be removed if they are no longer being used to improve repository quality.
Remediation: Verify that the group is still being used, and if not, delete it.

Control ID: CA_SAFE_GROUP04
Control Type: quality
Entity: Group
Resource Type: Safe
Name: CA_SAFE_GROUP04_one_account
Description: Groups with only one account giving access to a safe
Risk Level: 0
Risk Description: Legacy groups should be removed if they are no longer being used to improve repository quality.
Remediation: Verify that the group is still being used, and if not, delete it.

Control ID: CA_SAFE_GROUP03
Control Type: quality
Entity: Group
Resource Type: Safe
Name: CA_SAFE_GROUP03_one_group
Description: Groups with only one group giving access to a safe
Risk Level: 0
Risk Description: Legacy groups should be removed if they are no longer being used to improve repository quality.
Remediation: Verify that the group is still being used, and if not, delete it.

Control ID: CA_VAULT_GROUP01
Control Type: quality
Entity: Group
Resource Type: Vault
Name: CA_VAULT_GROUP01_group_empty
Description: Empty groups giving access to a vault
Risk Level: 0
Risk Description: Empty groups should be removed if they are no longer used to improve repository quality.
Remediation: Verify that the group is still being used, and if not, delete it.

Control ID: CA_SAFE_GROUP02
Control Type: quality
Entity: Group
Resource Type: Safe
Name: CA_SAFE_GROUP02_disabled_accounts
Description: Groups with only disabled accounts giving access to a safe
Risk Level: 0
Risk Description: Legacy groups should be removed if they are no longer being used to improve repository quality.
Remediation: Verify that the group is still being used, and if not, delete it.

Control ID: CA_VAULT_GROUP02
Control Type: quality
Entity: Group
Resource Type: Vault
Name: CA_VAULT_GROUP02_disabled_accounts
Description: Groups with only disabled accounts giving access to a vault
Risk Level: 0
Risk Description: Legacy groups should be removed if they are no longer used to improve repository quality.
Remediation: Verify that the group is still being used, and if not, delete it.

Control ID: CA_VAULT_GROUP04
Control Type: quality
Entity: Group
Resource Type: Vault
Name: CA_VAULT_GROUP04_one_account
Description: Groups with only one account giving access to a vault
Risk Level: 0
Risk Description: Verify that the group is still being used, and if not, delete it.
Remediation: Verify that the group is still being used, and if not, delete it.

Control ID: CA_VAULT_GROUP03
Control Type: quality
Entity: Group
Resource Type: Vault
Name: CA_VAULT_GROUP03_one_group
Description: Groups with only one group giving access to a vault
Risk Level: 0
Risk Description: Verify that the group is still being used, and if not, delete it.
Remediation: Verify that the group is still being used, and if not, delete it.

Control ID: CA_SAFE02
Control Type: quality
Entity: Application
Resource Type: Safe
Name: CA_SAFE02_safe_no_access
Description: Safe accounts and groups giving no access
Risk Level: 0

Available Controls

Standard Controls

ad booster controls

pam booster controls

IN THIS PAGE