About Active Directory Posture

Attackers who compromise an Active Directory (AD) domain use it to move to other systems and gain high-level privileges, so a compromise of AD undermines the integrity of your entire identity management infrastructure. Active Directory Posture enables you to identify issues and risks in AD, such as AS-REP roasting, kerberoasting, and accounts with weak permissions. You assign a Windows endpoint agent to scan the AD domain for identity misconfigurations.

Zscaler ITDR collects AD object (user and computer) attributes, such as objectSid, description, pwdLastSet, and department. After you configure an AD domain for scanning, you can enable attribute collection; the Windows endpoint agent assigned to scan that domain collects the attributes. ITDR uses these attributes to provide context for the misconfigurations it detects in AD.
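To show how the collected attributes give context to the misconfigurations named above, here is an added example (not Zscaler's code) that evaluates a few constructed AD user records the way a posture check would: it reads the userAccountControl flag bits, checks for a user-held SPN, and converts pwdLastSet from Windows FILETIME to a date to flag stale passwords. The record layout, SIDs and account names are assumptions made for the sample.

```python
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002  # userAccountControl bit flags (Microsoft-documented values)
UAC_DONT_REQ_PREAUTH = 0x400000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet: 100-ns ticks since here

def filetime_to_datetime(ticks):
    """Convert a pwdLastSet value to a UTC datetime; 0 means the password was never set."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def assess_user(obj, now, max_pwd_age_days=365):
    """Return posture findings for one collected AD user object (empty list = clean)."""
    findings = []
    uac = int(obj.get("userAccountControl", 0))
    if uac & UAC_ACCOUNTDISABLE:
        return findings  # a disabled account cannot be roasted; skip it
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("AS-REP roastable: Kerberos pre-authentication not required")
    if obj.get("servicePrincipalName"):
        findings.append("Kerberoastable: user account carries an SPN")
    last_set = filetime_to_datetime(obj.get("pwdLastSet", 0))
    if last_set is None:
        findings.append("pwdLastSet is 0: password never set or must change at next logon")
    elif now - last_set > timedelta(days=max_pwd_age_days):
        findings.append(f"Password older than {max_pwd_age_days} days (set {last_set.date()})")
    return findings

def scan_domain(users, now):
    """Map sAMAccountName -> findings for every account with at least one finding."""
    return {u["sAMAccountName"]: f for u in users if (f := assess_user(u, now))}

# Constructed sample objects (not real AD data); SIDs and names are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "objectSid": "S-1-5-21-0-0-0-1105",
     "description": "Backup service account", "userAccountControl": UAC_DONT_REQ_PREAUTH,
     "servicePrincipalName": ["backup/srv01.corp.example"],
     "pwdLastSet": datetime_to_filetime(datetime(2021, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "servicePrincipalName": [],
     "pwdLastSet": datetime_to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x202,
     "servicePrincipalName": ["MSSQLSvc/db01:1433"], "pwdLastSet": 0},
]
```

Running `scan_domain(SAMPLE_USERS, NOW)` reports only svc_backup, with three findings; the disabled old_admin account is skipped even though it holds an SPN.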

Active Directory Posture enhances your ITDR experience by enabling you to:

  • Scan your AD domains via an endpoint agent to discover identity misconfigurations.
  • Remediate AD security vulnerabilities and disrupt attack paths.

About the Active Directory Posture Page

On the Active Directory Posture page (ITDR > Manage > Active Directory Posture), you can do the following:

  1. View a list of AD domains that are scheduled for scanning. For each AD domain, you can view:
     • Domain Name: The name of the AD domain.
     • Scan Frequency: The scheduled scan frequency (Daily, Weekly, Monthly, or Quarterly).
     • Agents: The endpoint agents that run the scan.
     • Info: The last and upcoming scan dates.
     • Last Scan Status: The last scan status (Scan Completed, Processing scan data, Unable to connect to the domain, Scan Timed Out, Scan Canceled, or Scan Failed).
     • Current State: The current scan status. The statuses are as follows:
       • Active: The scan is enabled.
       • Disabled: The scan is disabled.
       • Waiting: Waiting to connect to the endpoint agent so that the agent can start the AD scan.
       • Scanning: The scan is in progress.
       • Error: The endpoint agent is uninstalled or deleted.
  2. Scan an AD domain.
  3. Disable an ongoing scan.
  4. View the AD Attribute Collection status (Enabled or Disabled), scheduled scan frequency (Weekly or Monthly), last scan status and date, and upcoming scan date.
  5. Enable or disable change detection.
  6. Edit or delete a scan.
  7. Trigger an on-demand scan.
View the Active Directory Posture scan page