An Introduction to PingCastle: Securing Your Active Directory

Encryptorium
12 min readSep 17, 2024

--

PingCastle Official Website

Before diving into how PingCastle enhances Active Directory security, it’s important to understand the foundational elements of AD itself. If you’re unfamiliar with AD or want a quick refresher, we’ve covered the basics of its architecture, security challenges, and role within an organization in our previous post (Active Directory: An Introduction). We’ll focus on how PingCastle can help assess and fortify AD, making it a powerful tool for organizations looking to protect this critical system from emerging threats.

What is PingCastle?

PingCastle is a specialized tool designed to assess the security posture of Active Directory environments quickly and efficiently. The tool helps organizations identify misconfigurations, vulnerabilities, and risks attackers could exploit. PingCastle’ provides a high-level, actionable overview of AD security without requiring extensive configuration or manual effort. As stated on their official site (https://www.pingcastle.com/), “Get Active Directory Security at 80% in 20% of the time” is a direct approach to quickly solving AD security issues.

PingCastle is not just a product; it is rooted in the philosophy that “security based only on technology does not work.” The focus is on “people and process” rather than relying solely on technology to secure the infrastructure. Rather than offering solutions to protect the infrastructure, PingCastle provides tools that help discover what needs protection, assess its security level, and give insights into whether the security budget has been effectively used. (https://www.pingcastle.com/)

One of the key features of PingCastle is the Health Check. This is the default report generated by the tool, which quickly collects the most important information from the Active Directory environment and establishes an overview. Based on a model and a set of rules, it evaluates the security of the AD processes and provides a risk score. The Health Check report gives administrators a clear understanding of AD security, highlighting risks and offering actionable recommendations. (https://www.pingcastle.com/documentation/)

According to PingCastle’s documentation, the tool operates on a risk assessment and maturity framework. The goal is not to provide a perfect evaluation but to offer “an efficiency compromise” by focusing on key security risks that can be resolved quickly. The rising risk of AD-related vulnerabilities — popularized by tools like Mimikatz — makes PingCastle an essential tool for modern organizations looking to protect their AD environments. (https://github.com/netwrix/pingcastle)

PingCastle Focus Methodology Illustration (Methodology Image)

License Model

PingCastle offers free and commercial licenses, each catering to different needs depending on the size of the organization and the complexity of the Active Directory environment being assessed.

PingCastle Service Overview (Services)

Free Version: The Basic free license offers essential functionality for personal use and small-scale environments. It includes features like the Audit Program, Health Check Report, and Map functionality.

  • PingCastle’s website (https://www.pingcastle.com/download/) outlines that “the binary program can be run for free, as long as you do not derive any revenue from it.” Any for-profit organization can use PingCastle to audit its systems without purchasing a license. However, if the organization plans to bundle PingCastle in a commercial package or provide services based on PingCastle, it must acquire a specific license. The tool can run only during its support period, and support can be extended by purchasing additional licenses. The end of support for PingCastle version 3.3.0.0 is January 31, 2026.

Commercial Versions: The commercial offerings are divided into three tiers, each providing progressively more advanced features tailored to audit companies, large organizations, or those requiring professional services.

1. Standard License (formerly Auditor): Priced at €2200/year, this version is aimed at audit companies. It unlocks features such as Unlocked Reports and supports bug fixing, making it suitable for those needing more detailed analysis and reporting capabilities.

2. Professional License: Available for €6600/year, this tier is for organizations requiring additional services. It includes all the features of the Standard version but adds support for a web app and a history feature for managing reports from multiple domains. Professional license holders also receive premium support for bug fixing.

3. Enterprise License: PingCastle offers a custom-priced enterprise license for large organizations or complex environments. It includes features such as an Extended Map, configurable authentication, and support for auditing many domains.

Proprietary and Open Source Licensing: The PingCastle source code is licensed under a proprietary license and the Non-Profit Open Software License (OSL) 3.0. Organizations can run PingCastle without purchasing a license if they only use it internally (i.e., the company or IT Service Management provider is running it). However, if a company plans to build commercial services based on PingCastle or generate revenue from its usage, it must purchase a license.

PingCastle also leverages various open-source components like Bootstrap, JQuery, vis.js, popper.js, and Bootstrap Table, all licensed under the MIT license.

Frequent PingCastle Findings

PingCastle scans often reveal a range of misconfigurations and vulnerabilities in Active Directory environments. Addressing these issues is crucial for securing the network against potential attacks. Here are some of the most frequent findings:

  • Weak Password Policies: User accounts with weak or default passwords or environments lacking enforcement of password complexity requirements. This opens up vulnerabilities to brute-force attacks.
  • Excessive Privileges: Accounts with broader-than-necessary administrative rights increase the risk if such accounts are compromised. It’s essential to adhere to the least privilege principle.
  • Dormant Accounts: Inactive users or computer accounts that remain enabled, providing an entry point for attackers if they go unnoticed and unmonitored.
  • Unconstrained Delegation: Misconfigurations that allow attackers to impersonate other users by capturing Kerberos tickets, leading to potential privilege escalation.
  • Overlapping Group Memberships: Users that belong to multiple groups with conflicting or overly broad permissions, creating complexity in access control and increasing security risks.
  • Unpatched Vulnerabilities: Outdated or unpatched systems, especially domain controllers, that expose the AD environment to known vulnerabilities and exploitation.
  • Open Shares: Shared network resources with overly permissive access control, allowing unintended access to sensitive data or infrastructure.
  • Service Accounts with Administrative Rights: Service accounts that hold administrative privileges, which attackers can target to execute system-wide attacks if compromised.
  • Insufficient Auditing: Lack of proper logging and monitoring, making it difficult to detect suspicious activity or unauthorized changes within the AD environment.

PingCastle Applications and Scans

PingCastle provides a comprehensive suite of modules to assess various aspects of Active Directory security. These modules allow administrators to quickly identify risks, evaluate their AD environment, and prioritize mitigation efforts. Below are the main scanning and reporting features available in PingCastle:

PingCastle after Launch Overview

1. Health Check: This is the core function of PingCastle and provides an overall risk score for an AD domain. It analyzes various security parameters and offers a report highlighting the most critical security risks. This fast and efficient health check gives administrators an overview of the AD environment in minutes.

2. AzureAD Risk Scanning: This module is specifically designed to evaluate the security posture of Azure Active Directory (AzureAD). It works similarly to the health check but focuses on the unique challenges and configurations of Azure environments.

3. Report Aggregation (Conso): This feature aggregates multiple reports, giving administrators a unified view of security risks across interconnected AD domains. This is particularly useful for large organizations managing multiple AD instances.

4. Domain Mapping (Carto): The Carto module builds a map of all interconnected domains, providing a visual overview of trust relationships and interdependencies within an AD environment. This helps administrators quickly identify trust boundaries and potential weak points in cross-domain configurations.

5. Security Scanners: PingCastle offers several security scanners to perform detailed checks on workstations and domain controllers:

  • ACLCheck: Checks the authorization settings related to users and groups. It helps identify excessive permissions or weak access control policies that could lead to privilege escalation.
  • Antivirus Scanner: Checks if antivirus is installed and configured adequately on workstations.
  • Local Admin Scanner: Identifies accounts with local administrative privileges, a common target for attackers seeking to escalate privileges.
  • NullSession & NullSession-Trust Scanners: Detects null sessions, a legacy Windows feature that allows unauthenticated users to connect to the network, posing a significant security risk.
  • ZeroLogon Scanner: Identifies systems vulnerable to the critical ZeroLogon vulnerability (CVE-2020–1472), which allows attackers to escalate privileges to domain admin without valid credentials.
PingCastle Scanner Overview

6. Export Tools: The Export function allows administrators to extract a list of users or computers from the domain. This is useful for large-scale audits or compliance reporting, as it offers a quick way to collect data for analysis or external reporting.

7. Advanced Settings: For administrators who require more in-depth control, the advanced settings menu provides access to additional configuration options, such as adjusting protocols used to query AD (LDAP, ADWS), generating encrypted reports, or removing item limits from health check reports.

PingCastle advanced menu

Rule Set and Risk Assignment

PingCastle employs a detailed rule-based system to evaluate the security of your Active Directory (AD) environment. Each rule is designed to check for specific vulnerabilities, such as stale objects, excessive privileges, and misconfigurations, assigning points based on the severity of the identified risk. Some rules, however, are purely informative and do not contribute points to the overall risk score.

Categories of Rules

PingCastle organizes its rules into four primary categories, each representing an essential aspect of AD security:

  1. Stale Objects: Identifies issues related to inactive users or computers, obsolete operating systems, and replication problems.
    Example: Inactive users that haven’t logged in for an extended period.
  2. Privileged Accounts: Scans accounts with administrative rights to detect excessive privileges or privilege escalation paths.
    Example: Privileged accounts with broad administrative access.
  3. Trusts: Analyzes the relationships between AD domains, ensuring trust links are secure and configured correctly.
    Example: Outdated or inactive trust relationships between domains.
  4. Anomalies: Flags unusual or suspicious activities can indicate misconfigurations or active threats.
    Example: Indicators of Golden Ticket attacks, where attackers forge authentication tickets.
PingCastle Rule Categories (Rule List)

Points Assignment and Informative Rules

Each rule either assigns points based on the severity of the issue it detects or is flagged as an Informative Rule, carrying 0 points. Informative rules provide context or best practice recommendations but don’t affect the overall security score. For example, a rule identifying inactive accounts might assign 5 points if the account poses a risk. Another rule recommending a best practice would assign 0 points if no immediate risk is detected.

The points for each identified issue are tallied and contribute to the cumulative score for each category.

Example PingCastle Rule (Rule List)

Risk Table Overview

Once the individual rules are processed and points are assigned, the total score is mapped into the Risk Model, which categorizes the severity of risks across the four main areas — Stale Objects, Privileged Accounts, Trusts, and Anomalies. The risk table shows the number of rules that match, the points assigned, and their overall impact on AD security:

  • Blue (0 points): No significant risk, but improvements may still be suggested.
  • Yellow (1–10 points): Minor risks that require attention but are not urgent.
  • Orange (10–30 points): Moderate risks that need to be addressed in the short term.
  • Red (30+ points): Major risks that require immediate remediation to avoid compromise.
PingCastle Risk Model (Sample Report)

Risk Indicators

All the points accumulated from each category are then used to generate the Risk Indicators — a visual representation of the overall security posture of the AD domain. Each indicator represents a score between 0 and 100, where 100 is the worst-case scenario, indicating critical vulnerabilities in a given category:

  • Stale Objects
  • Privileged Accounts
  • Trusts
  • Anomalies

The highest score across these categories determines the Domain Risk Level, which ranges from 0 (low risk) to 100 (high risk). A score of 100 indicates significant vulnerabilities that must be prioritized for immediate remediation.

PingCastle Domain Risk Indicators (Sample Report)

For a more detailed list of rules and their points, visit the PingCastle AD Health Check Rules List or explore the sample report.

Example Report

PingCastle generates a comprehensive report that details all findings after each scan. The report provides a high-level security score, detailed issues breakdowns, and actionable remediation steps.

You can explore a sample report here: Example Report.

The structure of the report includes the following sections:

  • Active Directory Indicators (Indicators, Risk Model)
  • Maturity Level
  • MITRE ATT&CK® (Techniques, Mitigations)
  • Stale Objects
  • Privileged Accounts
  • Trusts
  • Anomalies Analysis
  • Domain Information (Azure AD Configuration)
  • User Information (Honey Pot, Account Analysis, Password Age Distribution, SID History)
  • Computer Information (Account Analysis, Operating Systems, Domain Controllers, LAPS Analysis)
  • Admin Groups (Groups, Last Logon Distribution, Password Age Distribution, Delegations)
  • Control Paths Analysis (Foreign Domain Involvement, Indirect Links, Admin Groups, Critical Infrastructure)
  • Trust Details (Discovered Domains, Reachable Domains)
  • PKI (Certificates, Certificate Templates, Domain Controller Certificates)
  • Infrastructure (Azure AD Connect Settings, WSUS Settings, Exchange Settings, SCCM Settings, Service Connections Points, Kerberos Encryption Settings, Service Accounts, GPOs)
  • Anomalies (Backup, LAPS, Windows Event Forwarding (WEF), krbtgt Golden Ticket Attack Indicators, Temporary Elevated Accounts, Smart Cards, Unix Passwords, Logon Scripts)
  • Password Policies (Password Policies, Screensaver Policies)
  • GPO (Obfuscated Passwords, Restricted Groups, Security Settings, Audit Settings, Login Scripts)

This detailed report is a valuable resource for administrators, offering clear guidance on resolving identified issues and enhancing AD security.

Explanation of PingCastle and Usage

PingCastle is designed to be user-friendly, with minimal configuration required to begin assessing your Active Directory (AD) environment. Administrators can initiate scans directly from the tool’s interface, and the results are generated in both HTML and XML formats, making them easy to review and share. Given the straightforward workflow, PingCastle is ideal for ongoing AD health checks, integrating seamlessly into regular security practices to ensure consistent monitoring and quick identification of risks.

Steps for Using PingCastle

1. Launch the Tool: Start PingCastle and select from a list of scan options, including Health Check, AzureAD Risk Scan, Carto (mapping), and more.

2. Run a Scan: Initiate a scan by selecting the relevant module (e.g., Health Check for a domain), and PingCastle will automatically collect the necessary AD data.

3. Review the Report: After the scan is completed, PingCastle generates a report in HTML and XML detailing the security posture of the AD environment. The report includes:

  • Security Score
  • Detailed Findings
  • Recommendations for Remediation

4. Take Action: Use the actionable steps provided in the report to address the identified risks. Administrators can prioritize high-risk issues and take corrective actions based on the severity of each finding.

5. Rerun the Scan: After implementing mitigations and improvements, return to step 1 and rerun the scans. Also, include period scans in your workflows.

Conclusion

Securing Active Directory (AD) is critical for maintaining the integrity of an organization’s IT infrastructure. As a central hub for managing users, permissions, and access to resources, any vulnerability within AD can expose an organization to significant risks, including privilege escalation, data breaches, and lateral movement by attackers.

PingCastle is invaluable in mitigating these risks by offering a clear, actionable view of an AD environment’s security posture. Through its comprehensive scanning modules, rule-based assessments, and easy-to-understand reporting, PingCastle allows administrators to identify and address security gaps quickly. PingCastle can seamlessly integrate into an organization’s regular AD health check process with its low configuration overhead and transparent, risk-based scoring system, ensuring long-term security.

In today’s threat landscape, where attackers continue to evolve their techniques, adopting a proactive approach to AD security is more important than ever. PingCastle’s ability to pinpoint vulnerabilities efficiently and provide practical steps for remediation makes it an essential tool for any organization aiming to protect its AD infrastructure.

Whether managing a small domain or a large enterprise environment, PingCastle lets you focus on the most critical security issues, helping you safeguard your network from potential attacks. By incorporating PingCastle into your security practices, you take a significant step toward strengthening your organization’s overall cybersecurity posture.

References

--

--

Encryptorium
Encryptorium

Written by Encryptorium

Web2 & Web3 Security Researcher | Deep-diving into Cryptography & Cybersecurity | Exploring the edges of digital security | Always learning, always securing.