Last Update: May 23, 2024 | Published: Jun 07, 2022
Purple Knight is a free security assessment tool for Microsoft Active Directory that scans the AD environment for indicators of exposure (IOEs) and indicators of compromise (IOCs), provides an overall security score, and offers remediation guidance from identity security experts.
This article is sponsored by Semperis.
Recently, Petri interviewed several organizations in North America to find out how they are using Purple Knight to secure Active Directory (AD). What follows is a summary of the findings and a link to the full interviews on YouTube for each organization.
IT teams often inherit complex AD environments that have grown, without much thought to security, over a number of years. While Microsoft does include a simple AD best practices scanner as part of Windows Server, it doesn’t provide enough detail or useful reports to enable IT to effectively assess the current state of their AD configuration.
Purple Knight provides IT teams with a security report card, information about pre- and post-attack security indicators, community-driven threat models, prioritized and actionable guidance, and correlation with MITRE ATT&CK and ANSSI frameworks.
Micah Clark, IT Manager for Central Utah Emergency Communications, learned about Purple Knight through a security webinar by Dell Computers and was intrigued enough to try it. Central Utah Emergency Communications has an on-premises Windows Server Active Directory domain that is connected to Azure Active Directory. The stressful nature of dispatch-center work leads to high staff turnover, and therefore to constant churn of accounts in AD.
Because Central Utah Emergency Communications is a public service, it has become a target for cybercrime gangs. There have been breach attempts in which the criminals are thought to have been looking for information connected to criminal justice cases. Active Directory security is therefore hardened, and the organization's criminal justice certification is regularly maintained.
Micah says that Semperis Purple Knight is the first tool he’s used that digs so deeply into Active Directory security and configuration. He was so happy with how it worked, there was no need to look for an alternative tool.
To find out more about how Central Utah Emergency Communications is using Purple Knight to secure and protect their Active Directory environment, check out the full interview here:
Patrick Emerick, Senior Systems Engineer for Bethel School District, Washington State, started looking into Active Directory auditing tools as they were about to take on a project to update their domain controllers. Before the upgrade, Patrick wanted a tool that would give him insight into any issues that might be lurking in the current AD configuration and uncover legacy settings that needed to be corrected.
Bethel School District uses automation to manage and secure AD. There are also a lot of third parties that require external access to AD. With 20,000-plus students and teachers, there are lots of AD changes that the district automates as much as possible.
One worry is that an attacker could abuse those automated functions, and that unwanted changes could go unnoticed among the many legitimate changes that occur every day. The challenge is making sure malicious activity doesn't get lost in the noise generated by genuine activity.
To find out more about how Bethel School District is using Purple Knight to secure and protect its Active Directory environment, check out the full interview here:
Jim Shakespear, Director of IT Security for Southern Utah University, discovered Purple Knight because he's really interested in Active Directory security. While Jim has used other tools, he wanted to see what Purple Knight had to offer. The university has implemented a tiered administration model, a security strategy recommended by Microsoft, which isolates the most sensitive assets, such as domain controllers (Tier 0), from the workstations and servers that are not secured to the same degree, so that privileged credentials are never exposed on lower-tier systems.
One challenge the university faces is cleaning up user accounts when students leave. But Jim's team has managed to automate most of the process. While the university is confident that it has followed best practices and has a secure AD environment, there are still concerns. One example is the continued presence of NTLM authentication: as a legacy protocol it has well-known weaknesses, and the team has seen how a stolen NTLM hash can be used to authenticate as an AD account without ever knowing the account's password (pass-the-hash). The university is hoping to disable NTLM in the future.
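Before NTLM can be disabled, an organization needs to know which accounts and hosts still depend on it. The following PowerShell script is an added example, not code from the Petri article or from Purple Knight. It reads the local "Restrict NTLM" policy values from the registry and summarizes recent NTLM logons from the Security log. It assumes it is run on a domain controller by an account that can read the Security log; the `$MaxEvents` and `$Hours` parameters are arbitrary caps chosen for this example.

```powershell
# Added example (not part of the article or Purple Knight): inventory NTLM use on a
# domain controller before turning NTLM off. Assumes rights to read the Security log.
param(
    [int]$MaxEvents = 20000,   # cap on events scanned (example value, tune to taste)
    [int]$Hours     = 24       # look-back window (example value)
)

# Registry values written by the "Network security: Restrict NTLM: ..." group policies.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$policy = @(
    @{ Path = $lsa; Name = 'LmCompatibilityLevel' },        # 5 = send NTLMv2 only, refuse LM and NTLMv1
    @{ Path = $msv; Name = 'AuditNTLMInDomain' },           # DC only: 7 = audit all NTLM auth in the domain
    @{ Path = $msv; Name = 'RestrictNTLMInDomain' },        # DC only: 7 = deny all NTLM auth in the domain
    @{ Path = $msv; Name = 'AuditReceivingNTLMTraffic' },   # 2 = audit all incoming NTLM on this host
    @{ Path = $msv; Name = 'RestrictReceivingNTLMTraffic' },# 2 = deny all incoming NTLM on this host
    @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic' }   # 2 = deny all outgoing NTLM from this host
)
foreach ($p in $policy) {
    $v = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    '{0,-30} {1}' -f $p.Name, $(if ($null -eq $v) { '<not set>' } else { $v })
}

# Security event 4624 (successful logon) records the authentication package; for NTLM
# logons LmPackageName additionally says which dialect was used (LM, NTLM V1, NTLM V2).
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
$ntlm = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull EventData fields by name from the event XML rather than relying on positional indexes.
        $d = @{}
        foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                Source      = $d.IpAddress
                LogonType   = $d.LogonType
                NtlmVersion = $d.LmPackageName
            }
        }
    }

# Accounts (and dialects) that still authenticate with NTLM: these break when NTLM is disabled.
$ntlm | Group-Object Account, NtlmVersion | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
# Source addresses generating NTLM logons, most active first.
$ntlm | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize
```

Event 4624 on one DC only shows logons that DC processed. For a domain-wide picture, set "Network security: Restrict NTLM: Audit NTLM authentication in this domain" to "Enable all" (AuditNTLMInDomain = 7) and collect event 8004 from the Microsoft-Windows-NTLM/Operational log on every DC. Raising LmCompatibilityLevel to 5 removes LM and NTLMv1 first; switching the policy from "Audit" to "Deny all" comes only once the audit list is empty.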
Jim has used PingCastle and BloodHound to improve security. But Purple Knight stands out because it runs quickly and the report categories make it easy to follow the recommendations on the scorecard.
To find out more about how Southern Utah University is using Purple Knight to secure and protect its Active Directory environment, check out the full interview here:
John Hallenberger, Systems Administrator for Fox C-6 Schools, Arnold, MO, found out about Purple Knight through the school district's Dell representative. He thought it would be good to have another 'set of eyes' on the network to check for security configuration issues. With 12,000 students and 2,200 staff, the district runs a parent/child AD domain structure. Student accounts are added and removed daily, and staff accounts to a lesser extent, as substitute teachers are often brought in to cover for permanent staff.
Keeping track of disabled accounts and accounts that are no longer used is a challenge for the district. Additionally, implementing security best practices, like complex passwords, can be difficult for the younger age groups. Other technologies, such as two-factor authentication, are also tough to roll out in a K-12 school environment. And because funding is limited, it's not easy to secure AD to the level that might be normal in a large business.
Purple Knight has helped John and his colleagues get an insight into the network that wouldn’t have otherwise been possible. The school also uses CIS scanning tools and uses Purple Knight as an additional source of information.
To find out more about how the school is using Purple Knight to secure and protect its Active Directory environment, check out the full interview here:
Kevin Dreyer, CISO at Maple Reinders, Canada, learned about Purple Knight at a security conference. Maple Reinders has a flat AD hierarchy that spreads across the country. The IT team is small, so updating domain controllers to the latest version of Windows Server is both a risk and a challenge for the organization.
The biggest AD security challenge is around account security and some of the related settings. Maple Reinders has used Rapid7, Tenable.io, and Qualys for vulnerability scanning, but never a tool specifically for AD before Dreyer brought in Purple Knight. One of the surprising results from running Purple Knight has been that the account security score was actually getting worse, not better, over time.
Another finding that surprised Kevin and his team was the number of disabled computer and user accounts in AD that still held privileged access to the domain.
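Disabling an account does not remove its group memberships, so a disabled account that sits in a privileged group is one re-enable away from domain-level access. The following PowerShell script is an added example, not Purple Knight's own check or code from the article. It lists disabled user and computer accounts that are still members, directly or through nesting, of the built-in privileged groups, and separately lists disabled accounts that still carry adminCount=1. It assumes the RSAT ActiveDirectory module and is meant to be run once per domain; the group list is an assumption you should extend with your own Tier 0 groups.

```powershell
# Added example (not part of the article or Purple Knight): find disabled accounts that
# still hold privileged access. Requires the RSAT ActiveDirectory module; run in each domain.
Import-Module ActiveDirectory

$domSid = (Get-ADDomain).DomainSID.Value
# Privileged groups by well-known SID so localized group names don't matter.
# Extend this list with your own Tier 0 groups (assumption: these are the ones that matter).
$privGroups = @(
    "$domSid-512",   # Domain Admins
    "$domSid-519",   # Enterprise Admins (resolves only in the forest root domain)
    "$domSid-518",   # Schema Admins (forest root only)
    'S-1-5-32-544',  # Administrators
    'S-1-5-32-548',  # Account Operators
    'S-1-5-32-549',  # Server Operators
    'S-1-5-32-551'   # Backup Operators
)
$ACCOUNTDISABLE = 0x2   # userAccountControl flag set on disabled accounts

$findings = foreach ($sid in $privGroups) {
    # Get-ADGroup -Identity throws if the group does not exist in this domain (e.g. Enterprise
    # Admins in a child domain); skip those rather than abort.
    try { $group = Get-ADGroup -Identity $sid } catch { continue }
    # -Recursive expands nested groups; keep only the user and computer principals.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -in 'user', 'computer' } |
        ForEach-Object {
            $acct = Get-ADObject -Identity $_.distinguishedName -Properties userAccountControl, lastLogonTimestamp
            if ($acct.userAccountControl -band $ACCOUNTDISABLE) {
                [pscustomobject]@{
                    Group     = $group.Name
                    Account   = $_.SamAccountName
                    Type      = $_.objectClass
                    LastLogon = $(if ($acct.lastLogonTimestamp) { [datetime]::FromFileTime($acct.lastLogonTimestamp) } else { $null })
                    DN        = $_.distinguishedName
                }
            }
        }
}

# Second pass: disabled accounts that still carry adminCount=1. AdminSDHolder sets the
# attribute on protected-group members but never clears it, so this also surfaces accounts
# that were removed from a privileged group but whose protected ACL was never reset.
# (objectClass=user also matches computer objects, since computer derives from user.)
$disabledBit = 'userAccountControl:1.2.840.113556.1.4.803:=2'
$staleAdmin = Get-ADObject -LDAPFilter "(&(adminCount=1)(objectClass=user)($disabledBit))" -Properties sAMAccountName |
    Select-Object @{ n = 'Account'; e = { $_.sAMAccountName } }, objectClass, distinguishedName

'Disabled accounts still in privileged groups:'
$findings | Sort-Object Group, Account | Format-Table -AutoSize
'Disabled accounts still marked adminCount=1:'
$staleAdmin | Format-Table -AutoSize
```

The script only reports. Remediation is to remove each disabled account from the privileged group (Remove-ADGroupMember) or delete it once the retention period has passed, and, for stale adminCount=1 objects, to clear the attribute and re-enable ACL inheritance so the account no longer keeps the protected ACL.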
To find out more about how Maple Reinders is using Purple Knight to secure and protect their Active Directory environment, check out the full interview here:
As a free standalone utility, Purple Knight helped these users gain insight into their overall Active Directory security posture and gave them a roadmap for systematically addressing uncovered vulnerabilities.
Try out Semperis Purple Knight in your own environment! You can either get a quick demo or request access to download the Community Edition.