# AD Policies

**Active Directory Policies define security rules and assessment configurations specifically designed for on-premises Active Directory environments.**

These policies focus on identifying misconfigurations, excessive privileges, weak access controls, and risky relationships between Active Directory objects.

By applying Active Directory-specific policies, FSProtect evaluates the security posture of domain controllers, users, groups, computers, and organizational units within the directory structure.

### Edit Scan Policy (Active Directory)

**This section allows users to configure scan settings specific to Active Directory environments.**

Users can enable or disable scan modules, define exclusions, and adjust scan-related options applied during Active Directory assessments.

<figure><img src="https://3408039743-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FObpV44hoVkNmo5bFuVVL%2Fuploads%2Ffq5f8I7ZOBqi0mQ5Hijn%2Fimage.png?alt=media&#x26;token=bbc66db8-094b-496e-9542-bf1ebe73ffd0" alt=""><figcaption><p>Active Directory Scan Policy Settings</p></figcaption></figure>

#### Vulnerability Policies and Tier 0 Assets (Active Directory)

This section defines vulnerability policies and Tier 0 asset configurations specific to Active Directory environments.\
Vulnerability policies control which security checks are applied during the scan, while Tier 0 Assets identify the most critical directory objects that may lead to full domain compromise if exposed.

### **Active Directory Scan Modules**

* **Active Directory Assessment**: This module allows users to check and validate vulnerabilities, misconfigurations, and attack paths on each Active Directory asset and the relations between these assets. Because this module is the core component of the engine, it is mandatory. When it is the only module enabled in the scan policy, the engine communicates only with the domain controllers in the Active Directory environment.
* **Network Security Assessment**: This module allows users to enumerate network-related information such as SMB port status, spooler service status, shared files, contents of GPO and GPP files, etc. The collected information is used to check and validate vulnerabilities, misconfigurations, and attack paths caused by network-related services that are only detectable over network communication, such as sensitive information in files, MS17-010, BlueKeep, Zerologon, and SMB signing enforcement. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.

  `Important Note:` The modules mentioned below require the Network Security Assessment module to be active.
* **Service-Based Security Assessment**: This module allows users to identify deficiencies in the authentication protocols of Active Directory. Deficiencies in the Kerberos and NTLM authentication protocols, such as CVE-based Drop the MIC attacks, can be identified with the help of this module. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.
* **Session Enumeration**: This module allows users to enumerate active sessions on computers. With its help, questions such as which users have sessions on which machines can be answered. In addition, tier model issues caused by sessions between entities that belong to different tiers can be easily identified. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.
* **Local Entity Enumeration**: This module allows users to enumerate local users, local groups, and the membership relations between local or domain entities. In addition, it reveals the privileges of these entities to execute DCOM, PowerShell, or RDP, and it reveals the local admin and group-delegated local admin paths to these computers. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.
* **ADCS Enumeration**: This module allows users to collect Active Directory Certificate Services information such as certificate authorities, subordinate certificate authorities, exposed enrollment services, and certificate templates by enumerating both the Active Directory environment and the computers/servers that hold certificate services roles. It requires network communication with certificate authority servers over HTTP, HTTPS, LDAP, etc., and remote registry read operations to reveal different attack vectors.
* **Coercion Enumeration:** This module allows users to collect data on coercion-related vulnerabilities from online computers in the network. When this module is disabled, coercion-related vulnerabilities are not shown in the issues page.
* **Share Audit Enumeration:** This module allows users to audit publicly accessible SMB shares across all online computers to locate regex-based *secrets*, including clear-text or improperly protected passwords, cryptographic keys, certificates, and configuration files that may contain sensitive credentials. The engine enumerates share listings, recursively samples file contents where permitted, and flags any that Everyone can read or write. The module depends on the **Network Security Assessment** module and communicates with every computer identified in the Active Directory environment.
* **Tier0 Analysis:** This module is an analytics-only component that builds comprehensive graphs showing shortest feasible attack paths from Tier 2 assets to Tier 0 assets. Leveraging data produced by **Active Directory Assessment**, the engine performs graph-theoretical calculations (shortest-path, choke-point, and blast-radius analyses) without generating additional network traffic. Results help defenders visualize privilege-escalation routes, prioritize high-impact remediations, and measure the effectiveness of tier-segmentation strategies.

### **Tier 0 Assets (Active Directory)**

Tier 0 Assets settings allow users to designate specific objects as Admin and Privileged. These selected objects will not be marked as Stealth Admin. When Organizational Units and Groups are chosen as Tier 0 Assets, all objects within them will also be classified as Tier 0 Assets.

<figure><img src="https://3408039743-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FObpV44hoVkNmo5bFuVVL%2Fuploads%2FVrAX58QSX3stvLWwhVD5%2Fpolicygif7.gif?alt=media&#x26;token=dc8e6d79-1ee5-45b2-8e3d-369effb365d6" alt=""><figcaption><p>Adding Tier 0 Assets</p></figcaption></figure>
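As an added illustration (not FSProtect's own code) of the two ideas above, the Tier 0 expansion through OUs and groups and the Tier0 Analysis shortest-path and choke-point calculations, the following Python walks a small constructed relationship graph; all object names and edge labels are hypothetical.

```python
from collections import deque

# Constructed sample graph (hypothetical objects): each edge means "src can reach or control dst".
EDGES = [
    ("ws01$", "HasSession", "helpdesk"),
    ("helpdesk", "MemberOf", "Helpdesk-Ops"),
    ("Helpdesk-Ops", "GenericAll", "srv-admin"),
    ("srv-admin", "MemberOf", "Server-Admins"),
    ("Server-Admins", "AdminTo", "dc01$"),
    ("ws02$", "HasSession", "svc-backup"),
    ("svc-backup", "MemberOf", "Backup-Ops"),
    ("Backup-Ops", "WriteDacl", "Server-Admins"),
]
# Containment used to expand Tier 0 designations: OU -> children, group -> members.
CONTAINS = {"OU=Domain Controllers": ["dc01$"], "Domain Admins": ["administrator"]}
TIER0_SEEDS = {"OU=Domain Controllers", "Domain Admins"}
TIER2 = {"ws01$", "ws02$"}

def expand_tier0(seeds, contains=CONTAINS):
    """An OU or group chosen as Tier 0 makes every object inside it Tier 0 as well."""
    tier0, stack = set(), list(seeds)
    while stack:
        obj = stack.pop()
        if obj not in tier0:
            tier0.add(obj)
            stack.extend(contains.get(obj, []))
    return tier0

def shortest_paths(sources, tier0, edges=EDGES):
    """BFS from each Tier 2 source; keep the first (shortest) path that lands on a Tier 0 object.
    A path alternates node, relation, node, ... so both the hops and the objects stay visible."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    found = {}
    for s in sources:
        seen, queue = {s}, deque([[s]])
        while queue:
            path = queue.popleft()
            if path[-1] in tier0:
                found[s] = path
                break
            for rel, nxt in adj.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [rel, nxt])
    return found

def choke_points(paths, sources, tier0):
    """Intermediate objects shared by every discovered path: remediating one breaks all of them."""
    node_sets = [set(p[::2]) - sources - tier0 for p in paths.values()]
    return set.intersection(*node_sets) if node_sets else set()
```

In the sample both workstations reach `dc01$` only through `Server-Admins`, so that group's admin rights on the domain controller are the single highest-impact remediation.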
