Situation regarding Active Directory security has changed
The risk level regarding Active Directory security has changed.
Several vulnerabilities have been made popular with tools like mimikatz or sites likes adsecurity.org. For example, Just for Kerberos, hackers can forge tickets (golden ticket). They can export secrets (dcsync), crack offline tickets to get them (kerberoast) or even act like a Domain Controller with DCShadow. And a local active directory compromise can lead to the compromise of other trusted domains via the exploitation of SID History (golden ticket + external sid).
Our solution: PingCastle
We think that the Active Directory security lies in the processes and not in expensive tools or consulting.
As a consequence, our solution is simple:
Report to your management