Glossary

Terminology of FSProtect

Selected Scan / Current Scan

FSProtect enumerates the Active Directory environment through periodic or on-demand scans. The FSProtect web interface shows only the data of the currently selected scan. The scan is selected through the combo box in the left navbar, so before analyzing results, make sure the correct scan is selected.

Risk / Risk Score

FSProtect calculates risk scores for scans and objects based on different metrics and categories. A score states the risk of the object or scan in its context.

Object / Entity

The terms Object and Entity refer to objects in the Active Directory environment. FSProtect enumerates and analyzes the following objects/entities:

  • Forest

  • Domain

  • Computer

  • User

  • Group

  • Group Policy Object

  • Organizational Unit

  • Managed Service Account

  • Group Managed Service Account

  • Local User

  • Local Group

  • Certificate Authority

  • Certificate Template

  • Certificate Authority Certificate

Tier0

What “Tier 0” Means

Tier 0 objects hold the keys to your entire Active Directory (AD) forest. Anyone who can control a Tier 0 object can ultimately control every other object.

For that reason, Tier 0 assets must be managed only from equally protected Tier 0 workstations by the most-trusted admins.

Which Objects Are Always Tier 0

Type: Group Policy Object (GPO)
Name in Active Directory: Default Domain Policy

Type: Organizational Unit (OU)
Name in Active Directory: Domain Controllers

Type: Container
Name in Active Directory: Users and AdminSDHolder

Type: Built-in or Privileged Groups
Name in Active Directory:

  • DnsAdmins

  • Domain Admins

  • Domain Controllers

  • Cert Publishers

  • Cloneable Domain Controllers

  • Key Admins

  • Enterprise Key Admins

  • Schema Admins

  • Enterprise Admins

  • Built-in Administrators

  • Account Operators

  • Server Operators

  • Print Operators

  • Backup Operators

  • Distributed COM Users

  • Cryptographic Operators

  • Enterprise Domain Controllers

  • Performance Log Users

  • Incoming Forest Trust Builders

Type: Built-in Users
Name in Active Directory:

  • Administrator

  • krbtgt

How Everything Else Gets Its Tier

Groups

  • Group is on the “Tier 0 groups” list.

  • Group is a member (directly or through nesting) of any Tier 0 group.

Computers & Servers

  • Computer is a Domain Controller.

  • Computer hosts an Active Directory Certificate Authority (CA).

  • Computer is a member (directly or through nesting) of any Tier 0 group.

  • Computer is added to a Tier 0 group that lives in another trusted domain.

Users

  • User is on the “Tier 0 users” list.

  • User is a member (directly or through nesting) of any Tier 0 group.

  • User is added to a Tier 0 group that lives in another trusted domain.

Local Users

  • Local User is a local administrator on a Tier 0 computer.

Service Accounts (MSA, gMSA, dMSA)

  • Service Account is a member (directly or through nesting) of any Tier 0 group.

  • Service Account is added to a Tier 0 group that lives in another trusted domain.

Certificate Templates

The template is published in Active Directory Certificate Services.

Organizational Units (OUs)

OU copies the highest-privilege tier of anything stored inside it. If any child object is Tier 0, the OU becomes Tier 0.

Containers

Same rule as OUs: the container takes the highest tier of its contents.

Group Policy Objects (GPOs)

  • GPO is linked directly to the domain root.

  • GPO is linked to any OU or container that is Tier 0.

Logon / Startup Scripts

A script takes the highest tier of every GPO that assigns it. If one GPO is Tier 0, the script is Tier 0.
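The tiering rules above, worked through in code. This is an added example, not FSProtect's own implementation: the directory below (group nesting, OU contents, GPO links, script assignments) is constructed, the names are illustrative, and the cross-domain and local-administrator rules are left out for brevity.

```python
# Constructed sample directory (not FSProtect data); names are illustrative.
TIER0_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
TIER0_USERS = {"Administrator", "krbtgt"}
DOMAIN_CONTROLLERS = {"DC01"}
CA_HOSTS = {"PKI01"}  # computers hosting an AD CS Certificate Authority
# principal -> groups it is a DIRECT member of (users, computers, groups, service accounts)
MEMBER_OF = {
    "Domain Admins": {"Administrators"},
    "ServerOps": {"Domain Admins"},
    "Helpdesk": {"ServerOps"},  # Helpdesk -> ServerOps -> Domain Admins (nesting)
    "alice": {"Helpdesk"},
    "bob": {"Sales"},
    "svc_backup$": {"Domain Admins"},  # gMSA placed directly in a Tier 0 group
}
OU_CHILDREN = {"OU=Admins": {"alice"}, "OU=Sales": {"bob"}, "OU=PKI": {"PKI01"}}
# GPO -> OUs/containers it is linked to; script -> GPOs that assign it
GPO_LINKS = {"GPO-Baseline": {"domain-root"}, "GPO-AdminHardening": {"OU=Admins"},
             "GPO-SalesApps": {"OU=Sales"}}
SCRIPT_GPOS = {"login.bat": {"GPO-SalesApps"},
               "admin-setup.ps1": {"GPO-AdminHardening", "GPO-SalesApps"}}

def nested_groups(principal):
    """Every group `principal` belongs to, directly or through nesting (cycle-safe)."""
    seen, stack = set(), list(MEMBER_OF.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, ()))
    return seen

def is_tier0_principal(name):
    """Users, groups, computers and service accounts: on a Tier 0 list, a DC or CA host,
    or a direct/nested member of any Tier 0 group."""
    return (name in TIER0_GROUPS or name in TIER0_USERS or name in DOMAIN_CONTROLLERS
            or name in CA_HOSTS or bool(nested_groups(name) & TIER0_GROUPS))

def is_tier0_ou(ou):
    """An OU or container takes the highest tier of anything stored inside it."""
    return any(is_tier0_principal(child) for child in OU_CHILDREN.get(ou, ()))

def is_tier0_gpo(gpo):
    """GPO linked directly to the domain root, or to any Tier 0 OU/container."""
    return any(link == "domain-root" or is_tier0_ou(link) for link in GPO_LINKS.get(gpo, ()))

def is_tier0_script(script):
    """A script takes the highest tier of every GPO that assigns it."""
    return any(is_tier0_gpo(gpo) for gpo in SCRIPT_GPOS.get(script, ()))
```

Note how tier flows upward: alice is Tier 0 only through three levels of nesting, which makes OU=Admins, the GPO linked to it, and the script that GPO assigns all Tier 0 as well.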

Relation

The term Relation refers to the connections between Active Directory objects. FSProtect enumerates and analyzes various relations. You can see details of these relations on the page below.

Admin

Objects that have direct privilege over the entire Active Directory environment, or that can lead to total Active Directory compromise. FSProtect marks the following objects as Admin.

  • Direct or nested members of

    • Administrators

    • Domain Admins

    • Enterprise Admins

  • Domain Controller Servers

  • KRBTGT

  • Certificate Authorities

Privileged

Objects that have direct privilege over some Active Directory objects, or that can lead to compromise of Admin objects. FSProtect marks the following objects as Privileged.

  • All Admin objects

  • Direct or nested members of

    • Account Operators

    • Backup Operators

    • Cert Publishers

    • Cryptographic Operators

    • DnsAdmins

    • Enterprise Key Admins

    • Enterprise Read-only Domain Controllers

    • Group Policy Creator Owners

    • Incoming Forest Trust Builders

    • Key Admins

    • Network Configuration Operators

    • Print Operators

    • Read-only Domain Controllers

    • Remote Desktop Users

    • Replicator

    • Schema Admins

Unprivileged

All other objects that are neither Privileged nor Admin.

Everyone-Like

Groups that contain all or most objects in Active Directory. FSProtect marks the following objects as Everyone-Like.

  • Everyone

  • World

  • Anonymous

  • Authenticated Users

  • Users

  • Guests

  • Domain Guests

  • Domain Users

  • Domain Computers

Local Admin

Objects that have direct or nested membership in the local Administrators group on at least one computer.

Service Account

Users with the servicePrincipalName attribute set.

Explicit Local Admin

Objects that have direct membership in a local Administrators group.

Group Delegated Local Admin

Objects that have nested membership (through a group) in a local Administrators group.

Risky

Objects with a risk score greater than 50.

Online

Computers that were reachable on port 445 (SMB) during the network scan.

Stealth Admin

Unprivileged or privileged objects that can compromise admin objects through attack paths.

Issue

Vulnerabilities, misconfigurations, dangerous privileges, and relations that can pose risks to Active Directory.

Tag

Labels attached to issues to categorize and group them and make them easier to understand.

Impact / FSProtect Impact Name

A special tag attached to issues that identifies their effect on Active Directory.

Severity

Risk levels of the issues. Severity can be Info, Low, Medium, High and Critical.

Ease of Mitigation

Indicates the level of effort to mitigate/remediate the issues. Ease of Mitigation can be Easy, Medium, or High.

Ease of Detection

Indicates the level of effort to detect exploitation of the issues. Ease of Detection can be Easy, Medium, or High.

Ease of Deception

Indicates the level of effort of implementing deceptive countermeasures based on issues. Ease of Deception can be Easy, Medium, or High.

Exploitation Privilege

Refers to the level of permission or access an attacker needs to exploit a specific vulnerability, such as administrator rights or access to a specific user account.

Exploitation Certainty

Indicates the likelihood or confidence that a specific vulnerability can be successfully exploited, based on technical feasibility and environmental factors.

Path / Attack Path

FSProtect identifies relationships that allow one object to compromise or control another. The combination of one or more such relationships creates an attack path.

Dangerous Path

A combination of relations through which lower-privileged objects can compromise other objects.
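How the Stealth Admin, Attack Path and Dangerous Path definitions fit together, as an added example rather than FSProtect's own code: a breadth-first search over constructed relation edges (the relation names are illustrative) finds every non-Admin object that can reach an Admin object, and returns the shortest chain so a defender knows which hop to cut.

```python
from collections import deque

# Constructed sample relations (not FSProtect output): (source, relation, target) means
# `source` can control or compromise `target`; relation names here are illustrative.
RELATIONS = [
    ("carol", "MemberOf", "Helpdesk"),
    ("Helpdesk", "CanResetPassword", "svc_sql"),   # group controls the service account
    ("svc_sql", "LocalAdminOn", "APP01"),
    ("APP01", "HasSessionOf", "dave"),             # a Domain Admin is logged on to APP01
    ("dave", "MemberOf", "Domain Admins"),
    ("erin", "MemberOf", "Sales"),
    ("Sales", "ReadsPasswordOf", "gmsa_web$"),     # dead end: gmsa_web$ reaches nothing
]
ADMIN_OBJECTS = {"Administrators", "Domain Admins", "Enterprise Admins", "DC01", "krbtgt"}

def build_graph(relations):
    """Adjacency list: source -> [(relation, target), ...]."""
    graph = {}
    for src, rel, dst in relations:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def attack_path_to_admin(start, graph, admin=ADMIN_OBJECTS):
    """Breadth-first search from `start`; returns the shortest path that ends at an Admin
    object as a list of (source, relation, target) hops, or None if no path exists."""
    queue, visited = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        for rel, nxt in graph.get(node, ()):
            hop = path + [(node, rel, nxt)]
            if nxt in admin:
                return hop
            if nxt not in visited:
                visited.add(nxt)
                queue.append((nxt, hop))
    return None

def stealth_admins(graph, admin=ADMIN_OBJECTS):
    """Objects that are not Admin themselves but reach an Admin object through a path:
    these dangerous paths are the ones to remediate first (e.g. by removing a hop)."""
    found = {}
    for obj in graph:
        if obj not in admin:
            path = attack_path_to_admin(obj, graph, admin)
            if path is not None:
                found[obj] = path
    return found

GRAPH = build_graph(RELATIONS)
```

In the constructed data, carol is an ordinary user yet a Stealth Admin through a five-hop path; erin is not, because her only relation leads to an object with no onward relations.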
