How to configure Attack Surface Analyzer for servers and endpoints

In this article:  

 

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective

To guide users in configuring the Attack Surface Analyzer for servers and endpoints in ADAudit Plus, enabling the identification of security misconfigurations by comparing Group Policy settings with industry-standard benchmarks.

Prerequisites

  1. Group Policy Management Console (GPMC) must be installed on the machine where ADAudit Plus is hosted. [Installation steps here]

  2. The ADAudit Plus user must have domain admin or local admin rights on all scanned computers.

  3. Required ADMX/ADML administrative template files must be installed or updated:

    • AdmPwd.admx/adml

    • SecGuide.admx/adml

    • MSS legacy.admx/adml

    • Other templates listed in the Required ADMX files section.

Steps to follow  

Step 1: Create a profile  

  1. Log in to the ADAudit Plus web console.

  2. Navigate to Server Audit > Attack Surface Analyzer.

  3. Click Profile Management under System Security Misconfigurations, then select + Create Profile.

  4. Provide a profile name and description.

  5. Choose the domain from the drop-down list.

  6. Select a benchmark template (e.g., CIS Windows Server 2019 Benchmark).

  7. Under the DC, Member Server, and Workstation tabs, select the computers you want to scan.

  8. Click Create Profile.

Step 2: View Misconfiguration Reports  

  1. Navigate to Server Audit > Attack Surface Analyzer.

  2. Click Scan Overview under System Misconfigurations.

  3. Choose the domain and scan schedule from the respective drop-down menus.

  4. Click one of the following profile tabs:

    • Scanned Computers

    • Highly Exposed Computers

    • Moderately Exposed Computers

    • Mildly Exposed Computers

    • Scan Failed Computers

  5. Hover over a profile name and click the Export icon to download the full report.

  6. Click on a computer to view its GPO insights, including:

    • Properly vs. misconfigured settings

    • Tree/Table view comparisons

    • Recommended actions under Details

  7. Export a single computer's report using the Export as option at the top.

Step 3: Understand RSoP methodology  

  • Planning Mode: Retrieves GPOs directly from the primary DC. Does not require target systems to be online.

  • Logging Mode: Pulls GPO settings directly from the computers (must be online).

 

Available benchmarks  

Listed below are the available benchmark templates that can be used for comparison:

  • CIS Microsoft Windows Server 2022 Benchmark v2.0.0

  • CIS Microsoft Windows Server 2019 Benchmark v2.0.0

  • CIS Microsoft Windows Server 2016 Benchmark v2.0.0

  • CIS Microsoft Windows Server 2012 R2 Benchmark v2.0.0

  • CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0

  • CIS Microsoft Windows 10 Enterprise Benchmark v2.0.0

 

Required ADMX files  

| Administrative template | ADMX file |
|---|---|
| LAPS | AdmPwd.admx/adml |
| MS Security Guide | SecGuide.admx/adml |
| MSS (Legacy) | MSS legacy.admx/adml |
| Network\DNS Client | DnsClient.admx/adml |
| TCPIP Settings | tcpip.admx/adml |
| Printers | Printing.admx/adml |
| System\Local Security Authority | LocalSecurityAuthority.admx/adml |
| Security Account Manager | SAM.admx/adml |
| Data Collection and Preview Builds | Windows.admx/adml |
| Desktop App Installer | DesktopAppInstaller.admx/adml |
| Microsoft Defender Antivirus | WindowsDefender.admx/adml |
| Remote Desktop Services | TerminalServer.admx/adml |
| Search | Search.admx/adml |
| Windows Ink Workspace | WindowsInkWorkspace.admx/adml |
| Windows Logon Options | WinLogon.admx/adml |
| Explorer | Explorer.admx/adml |
| Passport | Passport.admx/adml |
| Widgets | NewsAndInterests.admx/adml |
| Microsoft Defender Application Guard | AppHVSI.admx/adml |
| Windows Defender SmartScreen | SmartScreen.admx/adml |
| Enhanced Phishing Protection | WebThreatDefense.admx/adml |
| Cloud Content | CloudContent.admx/adml |
| File Explorer | Explorer.admx/adml |
| Windows Game Recording | GameDVR.admx/adml |
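
A pre-scan check for the templates listed above, as an added PowerShell example that is not part of the original article or of ADAudit Plus: it reports which .admx/.adml pairs are missing from the policy-definitions store and whether the GroupPolicy module (installed with GPMC) is available. It assumes the en-US language folder and the standard SYSVOL central-store and local PolicyDefinitions paths; file names are as written in the table, so adjust any that are named differently in your environment.

```powershell
# Added example (not from the article). Save as a .ps1 and run on the ADAudit Plus host.
param(
    [string]$Domain   = $env:USERDNSDOMAIN,   # assumption: host is domain-joined
    [string]$Language = 'en-US'               # assumption: en-US .adml files
)

# Base names copied from the Required ADMX files table on this page.
$required = @(
    'AdmPwd','SecGuide','MSS legacy','DnsClient','tcpip','Printing',
    'LocalSecurityAuthority','SAM','Windows','DesktopAppInstaller',
    'WindowsDefender','TerminalServer','Search','WindowsInkWorkspace',
    'WinLogon','Explorer','Passport','NewsAndInterests','AppHVSI',
    'SmartScreen','WebThreatDefense','CloudContent','GameDVR'
)

# Prerequisite 1: the GroupPolicy module ships with GPMC.
$gpmc = [bool](Get-Module -ListAvailable -Name GroupPolicy)
Write-Host "GPMC (GroupPolicy module) available: $gpmc"

# Group Policy tools read the SYSVOL central store when it exists,
# otherwise the local PolicyDefinitions folder.
$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store   = if ($Domain -and (Test-Path -LiteralPath $central)) { $central } else { $local }
Write-Host "Checked store: $store"

$report = foreach ($name in $required) {
    $admx = Join-Path $store "$name.admx"
    $adml = Join-Path (Join-Path $store $Language) "$name.adml"
    $item = Get-Item -LiteralPath $admx -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Template     = $name
        AdmxPresent  = [bool]$item
        AdmlPresent  = Test-Path -LiteralPath $adml
        # An old timestamp hints that the template may need updating.
        LastModified = if ($item) { $item.LastWriteTime } else { $null }
    }
}

# Missing entries sort first (False before True).
$report | Sort-Object AdmxPresent, AdmlPresent, Template | Format-Table -AutoSize

$missing = @($report | Where-Object { -not ($_.AdmxPresent -and $_.AdmlPresent) })
if ($missing.Count -or -not $gpmc) {
    Write-Warning ("{0} template(s) lack an .admx or .adml file; GPMC present: {1}" -f $missing.Count, $gpmc)
    exit 1
}
```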

 

 

  Validation and confirmation  

  • Confirm the selected domain computers are online and reachable.

  • Check that RSoP data is correctly retrieved under your created profile.

  • Verify benchmark comparison data under Profile Overview.

  • Ensure no ADMX/ADML errors are shown during the analysis.

Tips  

  • Start with critical servers like Domain Controllers and expand coverage gradually.

  • Schedule regular scans to maintain compliance.

  • Use the Export option to archive and review baseline reports periodically.

  • Train IT teams on how to interpret exposure levels (high, moderate, and mild).

  • Ensure all ADMX files are up to date for accurate scanning.

Related topics and articles  

  • How to configure Attack Surface Analyzer for Active Directory
