Auditing Samba-AD with PingCastle

PingCastle is a tool developed by the French company PingCastle SAS.

PingCastle computes security indicators for an Active Directory domain. It works with both Samba-AD and Microsoft AD.

The tool runs a battery of queries against the domain (over LDAP or the AD web services) to check a set of best practices and known weak configurations.

From these checks it derives an overall health rating for the domain (in PingCastle a lower score is better: 0 means no finding was raised).

The objective of the exercise is to act on the AD configuration and on operational practices so that this rating improves as much as possible.

PingCastle is therefore a good measure of the effectiveness of your Active Directory hardening work: rerun it after each change and compare the scores.

Note

The PingCastle license (version 2.8.1.0) grants you internal use to audit your own systems. If you audit a third party's network in a commercial setting, a license must be purchased. So if you use the tool as part of your services, please support `PingCastle <https://www.pingcastle.com/services/>`_.

The software can be downloaded from the PingCastle site. Unzip the archive and run the command below from cmd.exe, in the directory where you want the reports to be written.

By default, PingCastle tries to reach the domain through the Active Directory Web Services (ADWS). Samba-AD does not implement ADWS, so PingCastle must be told to run its queries in LDAP-only mode. Finally, the command must be pointed at a writable domain controller (RWDC), not a read-only one (RODC).

pingcastle --server dc2 --protocol LDAPOnly --healthcheck

The execution time depends on the size of the domain, the number of GPOs and the access time to the AD. It can range from about one minute to several tens of minutes.

After the run, an HTML report named ad_hc_mydomain.lan.html (mydomain.lan being the FQDN of the audited domain) is written to the directory from which PingCastle was launched. An XML file (ad_hc_mydomain.lan.xml) containing the same data in machine-readable form is created alongside it; it is the file to keep if you want to track the rating from one run to the next.
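The XML file is what makes "improve the rating run after run" measurable. The following script, added here as an illustration and not part of PingCastle or of the original page, parses two such reports, lists the rules that cost the most points (the cheapest way to lower a category score) and diffs the two runs: which rules were fixed, which appeared, and how each score moved. The element names (HealthcheckData, GlobalScore, StaleObjectsScore, PrivilegiedGroupScore, TrustScore, AnomalyScore, RiskRules/HealthcheckRiskRule with Points, Category, RiskId, Rationale) are assumed from PingCastle's XML serialization; check them against a report from your own domain before relying on the script. The two embedded reports and their rule identifiers are constructed sample data, not real PingCastle output.

```python
"""Summarise and diff PingCastle health-check XML reports (ad_hc_<domain>.xml).

Added example, not PingCastle's own code. Element names are assumed from the
PingCastle HealthcheckData XML serialization; verify them against a real report.
"""
import xml.etree.ElementTree as ET

# Category scores are penalty scores: 0 is best, 100 is worst. The global score
# is the highest of the four category scores, which check_scores() verifies.
SCORE_FIELDS = (
    "GlobalScore",
    "StaleObjectsScore",
    "PrivilegiedGroupScore",  # PingCastle's own spelling of the element
    "TrustScore",
    "AnomalyScore",
)
CATEGORY_FIELDS = SCORE_FIELDS[1:]


def parse_report(xml_text):
    """Return domain, date, the five scores and the triggered rules keyed by RiskId."""
    root = ET.fromstring(xml_text)
    report = {
        "domain": root.findtext("DomainFQDN", default=""),
        "date": root.findtext("GenerationDate", default=""),
        "scores": {f: int(root.findtext(f, default="0")) for f in SCORE_FIELDS},
        "rules": {},
    }
    for rule in root.iterfind("RiskRules/HealthcheckRiskRule"):
        report["rules"][rule.findtext("RiskId", default="")] = {
            "points": int(rule.findtext("Points", default="0")),
            "category": rule.findtext("Category", default=""),
            "rationale": rule.findtext("Rationale", default=""),
        }
    return report


def check_scores(report):
    """Sanity check that the parser read the right elements: global == max(category)."""
    return report["scores"]["GlobalScore"] == max(report["scores"][f] for f in CATEGORY_FIELDS)


def top_rules(report, n=5):
    """Rules carrying the most points first (ties broken by RiskId)."""
    return sorted(report["rules"].items(), key=lambda kv: (-kv[1]["points"], kv[0]))[:n]


def diff_reports(before, after):
    """Score deltas, rules fixed since the earlier run and rules newly triggered."""
    return {
        "score_delta": {f: after["scores"][f] - before["scores"][f] for f in SCORE_FIELDS},
        "fixed": sorted(set(before["rules"]) - set(after["rules"])),
        "new": sorted(set(after["rules"]) - set(before["rules"])),
    }


def _rule(risk_id, points, category, rationale):
    # Helper to build the constructed sample reports below.
    return (f"<HealthcheckRiskRule><Points>{points}</Points><Category>{category}</Category>"
            f"<RiskId>{risk_id}</RiskId><Rationale>{rationale}</Rationale></HealthcheckRiskRule>")


def _report(date, scores, rules):
    body = "".join(f"<{k}>{v}</{k}>" for k, v in scores.items())
    return (f'<?xml version="1.0"?><HealthcheckData><DomainFQDN>mydomain.lan</DomainFQDN>'
            f"<GenerationDate>{date}</GenerationDate>{body}<RiskRules>{''.join(rules)}</RiskRules>"
            f"</HealthcheckData>")


# Constructed sample reports (rule identifiers are illustrative, not real findings).
SAMPLE_BEFORE = _report(
    "2024-01-10T09:00:00",
    {"GlobalScore": 65, "StaleObjectsScore": 40, "PrivilegiedGroupScore": 65,
     "TrustScore": 0, "AnomalyScore": 45},
    [_rule("S-PwdNeverExpires", 40, "StaleObjects", "Accounts whose password never expires"),
     _rule("P-AdminNum", 15, "PrivilegedAccounts", "Too many privileged accounts"),
     _rule("P-Delegated", 50, "PrivilegedAccounts", "Privileged accounts allow delegation"),
     _rule("A-Krbtgt", 45, "Anomalies", "krbtgt password not changed recently")],
)
SAMPLE_AFTER = _report(
    "2024-02-10T09:00:00",
    {"GlobalScore": 50, "StaleObjectsScore": 50, "PrivilegiedGroupScore": 15,
     "TrustScore": 0, "AnomalyScore": 0},
    [_rule("S-PwdNeverExpires", 40, "StaleObjects", "Accounts whose password never expires"),
     _rule("S-SIDHistory", 10, "StaleObjects", "Accounts carrying a SID history"),
     _rule("P-AdminNum", 15, "PrivilegedAccounts", "Too many privileged accounts")],
)

if __name__ == "__main__":
    before, after = parse_report(SAMPLE_BEFORE), parse_report(SAMPLE_AFTER)
    for rep in (before, after):
        print(rep["domain"], rep["date"], rep["scores"], "consistent:", check_scores(rep))
        for risk_id, info in top_rules(rep, 3):
            print(f"  {info['points']:>3} pts  {risk_id:<20} {info['rationale']}")
    print(diff_reports(before, after))
```

In day-to-day use, replace the two embedded strings with the contents of successive ad_hc_mydomain.lan.xml files; the diff tells you whether a hardening change actually removed the finding or merely moved points to another category.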