PingCastle vs Purple Knight — Active Directory Security

James Shakespear
Dec 23, 2021



Having managed (and attacked) an on-premises Microsoft Active Directory domain for many years, I want to ensure our domain is secure. Many organizations are looking for a good place to start when reviewing their Active Directory (AD) environment for vulnerabilities. Based on my observations, the longer an AD environment has been around, the more misconfigurations and attack paths it accumulates. Two tools I have used in both offensive and defensive situations with AD are PingCastle and Purple Knight.

PingCastle has been around for quite a few years (since at least 2017) and touts the ability to get 80% of the AD security in 20% of the time. Having used the tool for many years, I agree with the tagline.

The tool is written in C# by a security consultant, Vincent LE TOUX, and runs a default health check pretty quickly in a domain with thousands of objects. One significant note on the program is its software license and agreement. PingCastle source code is licensed under a proprietary license and the Non-Profit Open source License 3.0. The agreement allows companies to run the tool without purchasing a license if the company itself is running it within their own environment. For those who want to run PingCastle on other company environments and build services on it (for example in penetration assessments), PingCastle requires a purchased license.

I have personally used PingCastle for many years for my employer’s Active Directory environment. Running it is as simple as downloading the latest version from https://www.pingcastle.com/download/, extracting the contents, and running the PingCastle.exe program from a computer joined to the Active Directory environment you wish to assess. The text-based program provides multiple options, but I simply use option 1 for a Health Check. After the program runs, it will output an HTML report in a folder in the same directory as the PingCastle.exe file.

After opening the HTML report, it is important to understand the scoring: a high score means high risk. There is an overall Domain Risk Level score, which equals the worst of four sub-scores. Scoring is out of 100, and the four sub-score sections are Privileged Accounts, Trusts, Stale Objects, and Security Anomalies. Each section lists the “rules” that were triggered, with a description and a number of points reflecting the importance of the rule. Over the years, the points assigned to rules have changed as different tactics are seen in the wild; I have typically seen a rule go from informational to being given points after a few new versions of the tool are released. Each rule can be expanded for further details. This is where PingCastle shines and highlights its maturity, because of the many details and references. Together these rules provide a detailed checklist of where to start securing the AD environment, and the ones with the higher points should be given attention first.

Summary thoughts on PingCastle: I have used the tool for many years and am familiar with the output. The HTML report is easy to use and has lots of details. In many cases, it may be overwhelming for some IT administrators at first, but the details and references provided for each rule will save a significant amount of time in researching the mitigating work that needs to be applied. I have recommended and continue to recommend PingCastle to IT administrators.

Purple Knight was released in March of 2021 by Semperis as a free AD Security Assessment tool. Built and managed by a team of Microsoft Identity experts, this tool is packed with great insights into improving the security posture of an AD environment.

In order to obtain a download link, the free tool does require registration and a representative will reach out. I was able to get access to their community version in March and I have had respectful contact from Semperis a couple of times. Since obtaining the download in March, I have been notified of updates with a link to the new download directly.

Running Purple Knight is as easy as downloading and extracting the zip file and running the PurpleKnight.exe application. Purple Knight is a GUI application that first presents the license agreement and then attempts to find AD forests and domains to assess. After selecting a forest and domain(s), Purple Knight provides a list of what it describes as Indicators of Exposure (IOE). This granularity to select which tests to run on a domain is a distinguishing feature, allowing red teams to limit checks to avoid detection or blue teams to apply recommendations and quickly validate controls are in place. For a simple test environment, version 1.3.0 of Purple Knight scanned for 75 IOEs in just over one minute.

After the scan is complete, Purple Knight provides an assessment report. I prefer the scoring method used as it is a report card providing a letter grade and percentage. The overall grade is determined by varying weights for five different categories: AD Delegation, Account Security, AD Infrastructure Security, Group Policy Security, and Kerberos Security. Each category will have various IOEs to review stating whether the IOE check passed or if it was found and needs remediation. In reviewing an IOE, I appreciate that Purple Knight provides a severity score of Informational, Warning, or Critical. Details for the IOE also provide information related to security frameworks, a description, the likelihood of compromise, resulting data, and remediation steps if an IOE is found.

The Purple Knight application saves the report in an HTML format for later review. The top of the report provides a quick checklist of any critical IOEs found to focus on the most important issues. I enjoy the format of the document as it flows quite well and the information provided is efficiently organized and explanations are very direct with links to documentation.

Summary thoughts on Purple Knight: Although Purple Knight has not been on the market very long, it has a polished feel and the expert advice provided is highly valuable. Being an interactive GUI application with configurable Indicators of Exposure to check makes this tool easy to get up and running. This past year, I have recommended the tool to colleagues and will continue to do so. Purple Knight has released multiple versions during the year, so it is actively being developed, and the Semperis team continues to solicit feedback for improvements. I believe the community support behind the tool will increase the value of the application significantly.

Overall Recommendations

For IT professionals who are familiar with Active Directory, PingCastle provides significant insights and details. The tool's maturity gives deep insight into the relationships between objects and settings, helping find and fix risks in all the nooks and crannies of an AD environment. Because of all the details, it may be difficult to review and navigate for large environments with multiple domains.

For smaller IT teams, large environments that haven’t been assessed much before, or those who want a quick, prioritized to-do list, Purple Knight fits the bill. Its overview and scoring are the easiest to pick up, and they quickly give a summary of the risks in an environment.

If you are just getting started in securing an Active Directory environment, I’d suggest starting with Purple Knight. As remediation steps are taken over time, it would then be beneficial to incorporate PingCastle into the AD environment as well. One of the benefits of PingCastle is that it can be run as a scheduled task to output the report at specific intervals. Depending on your environment and the size of your team, it may be beneficial to run and review reports weekly, monthly, quarterly, or whatever interval makes the most sense.
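As an added illustration of the scheduled-run approach (this is example code written for this post, not PingCastle's own tooling), the script below registers a weekly task on a domain-joined machine that runs the health check and files the report under a dated folder. It assumes PingCastle is extracted to the path shown, that the executable accepts `--healthcheck` and `--server` switches, and that it names its output `ad_hc_<domain>.html`/`.xml`; the domain name and service account are placeholders.

```powershell
# Added example, not from the post or from PingCastle itself: register a weekly scheduled
# task that runs a PingCastle health check and archives the report under a dated folder.
# Assumptions (placeholders, adjust for your environment): PingCastle is extracted to
# $PingCastleDir, it accepts the --healthcheck and --server switches, and it names its
# output ad_hc_<domain>.html/.xml; CORP\svc-adaudit is a placeholder service account.
$PingCastleDir = 'C:\Tools\PingCastle'
$Domain        = 'corp.example'
$ArchiveRoot   = 'C:\Reports\PingCastle'
$TaskUser      = 'CORP\svc-adaudit'

# Runner script executed by the task: run the health check from the PingCastle folder,
# then move the generated report files into ArchiveRoot\<yyyy-MM-dd> so each interval's
# report is kept for trend review.
$RunnerPath = Join-Path $PingCastleDir 'Run-PingCastle.ps1'
@"
Set-Location -Path '$PingCastleDir'
& '.\PingCastle.exe' --healthcheck --server '$Domain' | Out-Null
`$target = Join-Path -Path '$ArchiveRoot' -ChildPath (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path `$target -Force | Out-Null
Get-ChildItem -Path '$PingCastleDir' -Filter 'ad_hc_*' -Recurse -File |
    Move-Item -Destination `$target -Force
"@ | Set-Content -Path $RunnerPath -Encoding UTF8

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$RunnerPath`"" `
    -WorkingDirectory $PingCastleDir
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '06:00'

# The health check only reads the directory, so run the task as a standard domain
# account rather than a privileged one, and restrict the archive folder to the team
# that reviews the reports: the report itself is a map of the domain's weaknesses.
$password = Read-Host -Prompt "Password for $TaskUser"
Register-ScheduledTask -TaskName 'PingCastle Weekly Health Check' `
    -Action $action -Trigger $trigger `
    -User $TaskUser -Password $password -RunLevel Limited `
    -Description 'Runs the PingCastle health check and archives the HTML/XML report'
```

Change the trigger to monthly or quarterly to match whatever review cadence the team settles on; the archived folders then give a simple history of how the Domain Risk Level changes as remediation work lands.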

I personally plan to continue to use both tools. Are you willing to try them both out?

Resources

Purple Knight | Evaluate the security of your Active Directory. (purple-knight.com)

PingCastle | Get Active Directory Security at 80% in 20% of the time. (pingcastle.com)

James Shakespear

InfoSec Professional | Active Directory administrator | Windows Administrator