Merge branch 'WI361499-restructure-and-categorise-secure-posture-docs' of https://github.com/DeCohen/defender-docs-pr into WI361499-restructure-and-categorise-secure-posture-docs

DeCohen · DeCohen · commit 689467023583 · 2025-03-02T18:03:12.000+02:00
diff --git a/ATPDocs/security-assessment.md b/ATPDocs/security-assessment.md
@@ -9,13 +9,13 @@ ms.topic: how-to
 
 Typically, organizations of all sizes have limited visibility into whether or not their on-premises apps and services could introduce a security vulnerability to their organization. The problem of limited visibility is especially true regarding use of unsupported or outdated components.
 
-While your company may invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an on-going project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
+While your company may invest significant time and effort on hardening identities and identity infrastructure (such as Active Directory, Active Directory Connect) as an ongoing project, it's easy to remain unaware of common misconfigurations and use of legacy components that represent one of the greatest threat risks to your organization. 
 
 Microsoft security research reveals that most identity attacks utilize common misconfigurations in Active Directory and continued use of legacy components (such as NTLMv1 protocol) to compromise identities and successfully breach your organization. To combat this effectively, Microsoft Defender for Identity now offers proactive identity security posture assessments to detect and recommend actions across your on-premises Active Directory configurations.
 
 ## What do Defender for Identity security assessments provide?
 
-Defender for Identity's security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
+Defender for Identity security posture assessments are available in [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score), and provide:
 
 - **Detections and contextual data** on known exploitable components and misconfigurations, along with relevant paths for remediation.
 
@@ -25,11 +25,20 @@ Defender for Identity's security posture assessments are available in [Microsoft
 
 Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at <https://security.microsoft.com/securescore> in the [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender).
 
+### Categorization of MDI security posture assessments
+
+For a deeper understanding of identity security risks and how to address them, Defender for Identity security posture assessments are categorized into five key areas:
+- **Hybrid security**: Addresses security considerations in hybrid environments including Entra Connect.
+- **Identity infrastructure**: Focuses on resolving misconfigurations and vulnerabilities in core identity components, such as domain controllers.
+- **Certificates**: Identifies security gaps in Active Directory Certificate Services (AD CS) that could enable unauthorized access due to improper certificate management.
+- **Group policy**: Identifies risky Group Policy configurations that could lead to privilege escalation or lateral movement within the network, ensuring that Group Policy settings are secure and don't introduce other risks.
+- **Accounts**: Covers security issues related to Active Directory (AD) users, devices, and groups such as old passwords, dormant accounts, and other related vulnerabilities.
+
 ## Access Defender for Identity security posture assessments
 
 You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
 
-While *certificate template* assessments are available to all customers that have AD CS installed on their environment, *certificate authority* assessments are available only to customers who've installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
+While *certificate template* assessments are available to all customers that have AD CS installed on their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
 
 **To access identity security posture assessments**:
 
diff --git a/ATPDocs/toc.yml b/ATPDocs/toc.yml
@@ -158,88 +158,92 @@ items:
       href: remediation-actions.md
   - name: Security posture
     items:
-    - name: Accounts with non-default Primary Group ID
-      href: accounts-with-non-default-pgid.md
-    - name: Built-in Active Directory Guest account is enabled
-      href: built-in-active-directory-guest-account-is-enabled.md
-    - name: Ensure privileged accounts are not delegated
-      href: ensure-privileged-accounts-with-sensitive-flag.md
-    - name: Change Domain Controller computer account old password
-      href: domain-controller-account-password-change.md
-    - name: Change password of built-in domain Administrator account
-      href: change-password-domain-administrator-account.md
-    - name: GPO assigns unprivileged identities to local groups with elevated privileges
-      href: gpo-assigns-unprivileged-identities.md
-    - name: Overview
-      href: security-assessment.md
-      displayName: security posture, security assessment
-    - name: Reversible passwords found in GPOs
-      href: reversible-passwords-group-policy.md
-    - name: GPO can be modified by unprivileged accounts
-      href: modified-unprivileged-accounts-gpo.md
-    - name: Change password for krbtgt account
-      href: change-password-krbtgt-account.md
-    - name: Unsafe permissions on the DnsAdmins group
-      href: unsafe-permissions-dns-admins-group.md
-    - name: Change password for Microsoft Entra seamless SSO account
-      href: change-password-microsoft-entra-seamless-single-sign-on.md
-      displayName: Microsoft Entra connect
-    - name: "Rotate password for Microsoft Entra Connect connector account "
-      href: rotate-password-microsoft-entra-connect.md
-      displayName: Microsoft Entra Connect
-    - name: Admin SDHolder permissions
-      href: security-assessment-remove-suspicious-access-rights.md
-    - name: DCSync permissions
-      href: security-assessment-non-admin-accounts-dcsync.md
-    - name: Deploy Defender for Identity
-      href: security-assessment-deploy-defender-for-identity.md
-    - name: Domain controllers with Print spooler service available assessment
-      href: security-assessment-print-spooler.md
-    - name: Dormant entities in sensitive groups assessment
-      href: security-assessment-dormant-entities.md
-    - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
-      href: security-assessment-enforce-encryption-rpc.md
-    - name: Entities exposing credentials in clear text assessment
-      href: security-assessment-clear-text.md
-    - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
-      href: remove-replication-permissions-microsoft-entra-connect.md
-      displayName: Microsoft Entra Connect
-    - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
-      href: security-assessment-insecure-adcs-certificate-enrollment.md
-    - name: LAPS usage assessment
-      href: security-assessment-laps.md
-    - name: Misconfigured Certificate Authority ACL  (ESC7)
-      href: security-assessment-edit-misconfigured-ca-acl.md
-    - name: Misconfigured certificate templates ACL (ESC4)
-      href: security-assessment-edit-misconfigured-acl.md
-    - name: Misconfigured certificate templates owner  (ESC4)
-      href: security-assessment-edit-misconfigured-owner.md
-    - name: Misconfigured enrollment agent certificate template  (ESC3)
-      href: security-assessment-edit-misconfigured-enrollment-agent.md
-    - name: Overly permissive certificate template with privileged EKU (ESC2)
-      href: security-assessment-edit-overly-permissive-template.md
-    - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
-      href: prevent-certificate-enrollment-esc15.md
-    - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
-      href: security-assessment-prevent-users-request-certificate.md
-    - name: Remove local admins on identity assets
-      href: security-assessment-remove-local-admins.md      
-    - name: Riskiest lateral movement paths
-      href: security-assessment-riskiest-lmp.md
-    - name: Unmonitored domain controllers
-      href: security-assessment-unmonitored-domain-controller.md
-    - name: Unsecure account attributes
-      href: security-assessment-unsecure-account-attributes.md
-    - name: Unsecure domain configurations
-      href: security-assessment-unsecure-domain-configurations.md
-    - name: Unsecure Kerberos delegation assessment
-      href: security-assessment-unconstrained-kerberos.md
-    - name: Unsecure SID History attributes
-      href: security-assessment-unsecure-sid-history-attribute.md
-    - name: Vulnerable Certificate Authority setting (ESC6)
-      href: security-assessment-edit-vulnerable-ca-setting.md
-    - name: Weak cipher usage assessment
-      href: security-assessment-weak-cipher.md
+     - name: Overview
+       href: security-assessment.md
+     - name: Hybrid security
+       items:
+       - name: Change password for Microsoft Entra seamless SSO account
+         href: change-password-microsoft-entra-seamless-single-sign-on.md
+         displayName: Microsoft Entra connect
+       - name: Rotate password for Microsoft Entra Connect connector account
+         href: rotate-password-microsoft-entra-connect.md
+         displayName: Microsoft Entra Connect
+       - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
+         href: remove-replication-permissions-microsoft-entra-connect.md
+     - name: Identity infrastructure
+       items:
+       - name: Built-in Active Directory Guest account is enabled
+         href: built-in-active-directory-guest-account-is-enabled.md
+       - name: Change Domain Controller computer account old password
+         href: domain-controller-account-password-change.md
+       - name: Domain controllers with Print spooler service available assessment
+         href: security-assessment-print-spooler.md
+       - name: Remove local admins on identity assets
+         href: security-assessment-remove-local-admins.md   
+       - name: Unmonitored domain controllers
+         href: security-assessment-unmonitored-domain-controller.md
+       - name: Unsecure domain configurations
+         href: security-assessment-unsecure-domain-configurations.md
+     - name: Certificates
+       items: 
+        - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
+          href: security-assessment-enforce-encryption-rpc.md
+        - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
+          href: security-assessment-insecure-adcs-certificate-enrollment.md
+        - name: Misconfigured certificate templates owner  (ESC4)
+          href: security-assessment-edit-misconfigured-owner.md
+        - name: Misconfigured Certificate Authority ACL  (ESC7)
+          href: security-assessment-edit-misconfigured-ca-acl.md
+        - name: Misconfigured certificate templates ACL (ESC4)
+          href: security-assessment-edit-misconfigured-acl.md
+        - name: Misconfigured enrollment agent certificate template  (ESC3)
+          href: security-assessment-edit-misconfigured-enrollment-agent.md    
+        - name: Overly permissive certificate template with privileged EKU (ESC2)
+          href: security-assessment-edit-overly-permissive-template.md
+        - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
+          href: prevent-certificate-enrollment-esc15.md
+        - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
+          href: security-assessment-prevent-users-request-certificate.md
+        - name: Vulnerable Certificate Authority setting (ESC6)
+          href: security-assessment-edit-vulnerable-ca-setting.md
+     - name: Group policy 
+       items: 
+        - name: GPO assigns unprivileged identities to local groups with elevated privileges
+          href: gpo-assigns-unprivileged-identities.md
+        - name: GPO can be modified by unprivileged accounts
+          href: modified-unprivileged-accounts-gpo.md
+        - name: Reversible passwords found in GPOs
+          href: reversible-passwords-group-policy.md
+     - name: Accounts
+       items: 
+         - name: Accounts with non-default Primary Group ID
+           href: accounts-with-non-default-pgid.md 
+         - name: Admin SDHolder permissions
+           href: security-assessment-remove-suspicious-access-rights.md
+         - name: Change password for krbtgt account
+           href: change-password-krbtgt-account.md
+         - name: Change password of built-in domain Administrator account
+           href: change-password-domain-administrator-account.md
+         - name: Dormant entities in sensitive groups assessment
+           href: security-assessment-dormant-entities.md
+         - name: DCSync permissions
+           href: security-assessment-non-admin-accounts-dcsync.md
+         - name: Ensure privileged accounts are not delegated
+           href: ensure-privileged-accounts-with-sensitive-flag.md
+         - name: Entities exposing credentials in clear text assessment
+           href: security-assessment-clear-text.md
+         - name: LAPS usage assessment
+           href: security-assessment-laps.md
+         - name: Riskiest lateral movement paths
+           href: security-assessment-riskiest-lmp.md
+         - name: Unsecure Kerberos delegation assessment
+           href: security-assessment-unconstrained-kerberos.md
+         - name: Unsecure SID History attributes
+           href: security-assessment-unsecure-sid-history-attribute.md
+         - name: Unsecure account attributes
+           href: security-assessment-unsecure-account-attributes.md
+         - name: Weak cipher usage assessment
+           href: security-assessment-weak-cipher.md
 - name: Reference
   items:
   - name: Operations guide
