A brief note for anyone concerned with security in Active Directory and Azure AD (now called Entra ID). Vincent Le Toux released PingCastle version 3.1 at the beginning of August 2023. PingCastle performs a security audit of Active Directory and Azure AD within seconds. The project is available as C# source code and, under certain license terms, can be used free of charge (see the notes on licensing below).
I came across the publication in question by Vincent Le Toux the other day via the following tweet. The program generates a security report; an example generated with the basic version is available on this page. The basic version is probably free for non-commercial use, while commercial use cases require an appropriate Auditor license, the page says (but the notes on the license terms below show that there are also ways to use the tool free of charge in companies).
Vincent Le Toux writes that the level of risk with regard to Active Directory security has changed. The background: there were, and still are, several weaknesses that can be abused with tools such as mimikatz to extract credentials and other sensitive information from AD. Websites such as adsecurity.org have made these techniques widely known.
Vincent Le Toux therefore developed PingCastle as a tool to quickly assess the security level of an Active Directory, using a methodology based on a risk assessment and maturity framework. The tool, he says, does not aim for a perfect assessment, but rather strikes a compromise between security and efficiency.
Source code available
Not every administrator will unleash such a tool on their Active Directory without knowing what it does. But Vincent Le Toux has published the source code of the application, written in C#, on GitHub, so in principle the source can be audited before use. The C# project can be built into an executable with Visual Studio 2012 through Visual Studio 2022.
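As an added example (not code from the original post or from the PingCastle project), the following PowerShell script runs the AD health check against a domain and then reads the resulting XML report, so that the scores and the highest-weighted findings can be triaged without opening the HTML report. Assumptions: the install path C:\Tools\PingCastle, the output file name pattern ad_hc_<domain>.xml, and the XML element names (HealthcheckData, the five *Score elements, RiskRules/HealthcheckRiskRule with Points, Category, RiskId and Rationale), which follow the serialized HealthcheckData class as I read it; adjust them if your report differs. The embedded sample report is constructed for the offline demo, and its rule IDs are placeholders, not PingCastle's own.

```powershell
# Added example, not part of the original post or of the PingCastle project.
# ASSUMPTIONS: PingCastle.exe lives in $PingCastleDir (hypothetical path),
# --healthcheck/--server/--level behave as in the project README, and the XML
# report uses the element names of the serialized HealthcheckData class.

function Invoke-PingCastleHealthCheck {
    param(
        [Parameter(Mandatory)] [string] $Domain,           # e.g. corp.example.com
        [string] $PingCastleDir = 'C:\Tools\PingCastle'    # hypothetical install dir
    )
    $exe = Join-Path $PingCastleDir 'PingCastle.exe'
    # --healthcheck selects the AD audit; --level Full keeps all details in the report.
    & $exe --healthcheck --server $Domain --level Full | Out-Null
    # PingCastle writes ad_hc_<domain>.html and ad_hc_<domain>.xml to the working dir.
    return (Join-Path (Get-Location) "ad_hc_$Domain.xml")
}

function Get-PingCastleSummary {
    param(
        [Parameter(Mandatory)] [string] $ReportXmlPath,
        [int] $Top = 5
    )
    [xml] $report = Get-Content -Raw -Path $ReportXmlPath
    $hc = $report.HealthcheckData

    # The global score is the worst of the four pillar scores (0 = best, 100 = worst).
    $scores = [ordered]@{
        Domain       = $hc.DomainFQDN
        Global       = [int] $hc.GlobalScore
        StaleObjects = [int] $hc.StaleObjectsScore
        Privileged   = [int] $hc.PrivilegiedGroupScore   # spelling as in the report
        Trusts       = [int] $hc.TrustScore
        Anomalies    = [int] $hc.AnomalyScore
    }

    # Rank triggered rules by the points they contribute; @() copes with a single rule.
    $rules = @($hc.RiskRules.HealthcheckRiskRule) |
        Sort-Object -Property @{ Expression = { [int] $_.Points }; Descending = $true }, Category |
        Select-Object -First $Top RiskId, Category,
            @{ Name = 'Points'; Expression = { [int] $_.Points } }, Rationale

    [pscustomobject]@{ Scores = $scores; TopRules = $rules }
}

# --- Offline demo with a CONSTRUCTED report (placeholder rule IDs, not real data) ---
$sampleReport = @'
<?xml version="1.0"?>
<HealthcheckData>
  <DomainFQDN>corp.example.com</DomainFQDN>
  <GlobalScore>65</GlobalScore>
  <StaleObjectsScore>30</StaleObjectsScore>
  <PrivilegiedGroupScore>65</PrivilegiedGroupScore>
  <TrustScore>0</TrustScore>
  <AnomalyScore>50</AnomalyScore>
  <RiskRules>
    <HealthcheckRiskRule>
      <Points>50</Points><Category>Anomalies</Category>
      <RiskId>DEMO-A-1</RiskId>
      <Rationale>Placeholder: a domain-wide secret has not been rotated recently</Rationale>
    </HealthcheckRiskRule>
    <HealthcheckRiskRule>
      <Points>30</Points><Category>PrivilegedAccounts</Category>
      <RiskId>DEMO-P-1</RiskId>
      <Rationale>Placeholder: too many members in a highly privileged group</Rationale>
    </HealthcheckRiskRule>
    <HealthcheckRiskRule>
      <Points>10</Points><Category>StaleObjects</Category>
      <RiskId>DEMO-S-1</RiskId>
      <Rationale>Placeholder: inactive computer accounts present</Rationale>
    </HealthcheckRiskRule>
  </RiskRules>
</HealthcheckData>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'ad_hc_demo.xml'
Set-Content -Path $tmp -Value $sampleReport -Encoding UTF8

$summary = Get-PingCastleSummary -ReportXmlPath $tmp -Top 3
$summary.Scores | Format-Table -AutoSize
$summary.TopRules | Format-Table -AutoSize

# Against a real domain, replace the demo with:
#   $xml = Invoke-PingCastleHealthCheck -Domain 'corp.example.com'
#   Get-PingCastleSummary -ReportXmlPath $xml
```

Parsing the XML rather than the HTML makes the result easy to feed into a ticketing system or to diff between two runs; the rules carrying the most points are the ones to fix first, since the global score is driven by the worst pillar.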
The PingCastle source code is licensed under a proprietary license and the Non-Profit Open Software License ("Non-Profit OSL") 3.0. PingCastle may be used without purchasing a license even in for-profit companies, provided the company itself (or its IT service management provider) runs the tool.