Internal Pentest vs Active Directory Security Assessment
Understand the differences between a standard internal penetration test and an identity-focused Active Directory Security Assessment, including scope, methodology, deliverables, and when each approach makes sense.
Both internal penetration tests and Active Directory security assessments are valuable, but they address different questions and priorities.
Executive Summary
Many organizations conduct annual internal penetration tests and assume their Active Directory environment is adequately covered. Active Directory is usually reviewed during an internal penetration test, especially if the tester obtains domain credentials or the client provides a standard domain user account. The challenge is that identity compromise often occurs through privilege relationships, delegated administration, certificate services, trust relationships, and attack paths that may receive limited attention during a traditional host-focused penetration test.
An Active Directory Security Assessment focuses specifically on identity security and domain compromise risk. Rather than identifying vulnerabilities one system at a time, the assessment evaluates how misconfigurations combine into attack paths that could allow an attacker to obtain privileged access or full control of the environment.
While both assessments provide value, they answer different questions and are often most effective when used together.
Primary Focus
Internal Penetration Test: Finds exploitable vulnerabilities across internal hosts, applications, and services. Often CVE-driven and host-focused.
AD Security Assessment: Finds and breaks attack chains that lead to domain compromise. Identity-focused and relationship-driven.
What Each Assessment Is Trying to Answer
A standard internal penetration test usually asks: "What can an attacker exploit across the internal network?" That can include exposed services, missing patches, weak credentials, insecure applications, misconfigured network services, Active Directory attack paths, and opportunities for lateral movement across many systems.
Active Directory is commonly included in that work, but the depth depends on the test conditions. Sometimes the tester cannot obtain an initial foothold, and the client chooses not to provide credentials for deeper authenticated review. Other times the client does provide credentials, and the tester can dig into Active Directory. Even then, a full 360-degree AD review is usually not realistic during a broad internal penetration test because there is limited time and much more outside of AD to evaluate.
An Active Directory Security Assessment asks a narrower but deeper question: "How could an attacker abuse identity relationships to compromise the domain?" The assessment focuses on the systems, permissions, trusts, policies, and administrative paths that control access across the Windows environment.
This distinction matters because many domain compromise scenarios do not depend on a single critical vulnerability. They often come from chains of smaller identity issues, such as excessive group membership, weak ACLs, stale privileged accounts, risky delegation, insecure certificate templates, and misconfigured authentication controls.
Typical Output
Internal Pentest: Vulnerabilities by host, often organized by system or application. May include AD enumeration and attacks, but AD is one component among many.
AD Security Assessment: Attack paths, privilege relationships, and identity control failures. AD is the center of the assessment.
What's Included in an AD Security Assessment
A typical Active Directory Security Assessment evaluates:
- Privileged groups and administrative access
- Delegated permissions and ACL abuse opportunities
- Kerberos security controls and attack paths
- Active Directory Certificate Services (AD CS)
- SMB signing and LDAP signing configurations
- Group Policy security settings
- Domain trust relationships
- Tier 0 exposure and privilege escalation paths
- Stale accounts and identity hygiene issues
- File share permission and access review
- File share review for exposed secrets and other sensitive data such as PII/PHI
- Attack chain analysis and domain compromise scenarios
- Credential security analysis
- Users, groups, computers, and OU structure
- Excessive Domain Admin or Enterprise Admin membership
- Sensitive built-in groups that are not empty
- Risky services running on domain controllers
- KRBTGT rotation and other critical account hygiene signals
- Legacy protocols and insecure authentication settings
- Configuration issues visible only from a Domain Admin perspective
The goal is to understand how multiple weaknesses can be combined to achieve domain compromise, while also identifying standalone identity issues that create meaningful exposure. A good AD assessment should give defenders both an attack path view and a practical Active Directory hygiene roadmap.
Testing Perspectives
Active Directory risk looks different depending on where testing begins. A mature assessment usually evaluates the environment from multiple permission levels:
- Unauthenticated: Identify internal exposure and foothold opportunities without credentials.
- Standard domain user: Evaluate what a low-privileged user can access, abuse, or escalate through.
- Domain Admin: Validate high impact configuration and hygiene gaps that may not be visible from lower privilege.
The Domain Admin perspective is not about proving that a Domain Admin can take over the domain. It is about seeing the full configuration, identifying issues that lower-privileged views may miss, and giving the organization a more complete remediation plan.
What Gets Missed
Internal Pentest: Often reviews Active Directory, but may not have time or access for a full identity-focused review. Subtle privilege chains, delegated admin abuse, trust relationships, and identity misconfigurations can be missed, especially when no foothold is obtained or credentials are not provided for deeper testing.
AD Security Assessment: Very little in AD scope, since AD is the focus. May miss host-level vulnerabilities outside of identity systems.
Common AD Issues That Need Deeper Review
Internal penetration tests can identify many Active Directory findings, especially when the tester obtains domain credentials or the client provides a domain user account. The challenge is depth and time. A broad test may need to cover hosts, applications, network services, patching, exposed management interfaces, lateral movement, and reporting across the full internal environment. Because of that, it may not have enough time to fully evaluate complex identity relationships across the forest.
Common issues that benefit from deeper AD assessment include:
- Over-permissive ACLs that allow password resets, group modification, DCSync rights, or object takeover
- Delegated administration paths that unintentionally grant control over privileged users or systems
- AD CS templates that allow certificate-based privilege escalation
- Trust relationships that expose one domain or forest to compromise from another
- Group Policy Objects that grant excessive local admin rights or weaken security controls
- Weak Kerberos settings, including roastable accounts and outdated encryption support
- Inconsistent SMB signing, LDAP signing, and channel binding posture
- File shares that expose credentials, scripts, database connection strings, PII, PHI, or sensitive business data
- Stale privileged accounts, unused service accounts, and excessive standing access
- Tier 0 assets that are administered from lower-trust workstations or broadly accessible systems
Identity Hygiene
Internal Pentest: Usually limited or out of scope. Focus is on exploitable vulnerabilities.
AD Security Assessment: Included. Examples include stale accounts, privilege sprawl, risky DC services, and KRBTGT rotation signals.
Identity hygiene matters because small weaknesses accumulate. A stale account may not be critical by itself. A stale account with group membership, exposed credentials on a file share, and delegated rights over a privileged OU can become part of a domain compromise path.
Methodology
Internal Pentest: Often starts from unauthenticated access and expands via exploitation across multiple systems.
AD Security Assessment: Three-phase approach: unauthenticated, standard user, then Domain Admin for maximum coverage of identity issues.
Deliverables and Remediation
An internal penetration test typically delivers findings grouped by host, vulnerability, affected service, or exploit path. That format is useful when the goal is to fix exposed systems and reduce broad network attack surface.
An Active Directory Security Assessment should deliver identity-focused findings with:
- Evidence showing the affected users, groups, computers, policies, templates, or permissions
- Business impact tied to domain compromise, privilege escalation, or sensitive data exposure
- Clear remediation steps for each finding
- Attack chain diagrams or narratives showing how issues combine
- Prioritized short-term, medium-term, and long-term recommendations
- Guidance for reducing standing privilege and improving AD hygiene over time
- A live debrief so defenders understand the most important attack paths and fixes
- Optional post-remediation validation after changes are applied
Remediation Approach
Internal Pentest: Fix the findings, often one host at a time.
AD Security Assessment: Clear fixes plus a roadmap for short-term, medium-term, and long-term improvements that break attack chains.
Production Safety and Scope
An AD assessment should be designed to be safe for production environments. Collection is usually read-only where possible, and validation should be coordinated carefully with AD and infrastructure owners. If a scenario requires higher-risk testing, it should be discussed before execution and either excluded or scheduled for an approved window.
Scope should also be explicit. Larger environments, multi-domain forests, multiple trusts, AD CS deployments, complex delegation models, and hybrid identity architecture can all change the level of effort required.
Alignment With Security Frameworks
The most useful AD assessments are threat-driven first. The priority is reducing real domain takeover risk, not creating a generic compliance checklist. That said, results can often be mapped to Microsoft security baselines, CIS guidance, NIST controls, and MITRE ATT&CK techniques where that helps with governance, reporting, or remediation planning.
When to Choose Each
Choose an internal pentest when:
- You need broad vulnerability coverage across your network
- You want to test multiple systems and applications
- You need to validate patch management and host security
- You want to understand internal exposure across hosts, services, and applications
Choose an AD security assessment when:
- You need to understand identity takeover risk specifically
- You want to break attack chains before they become incidents
- You already run internal pentests but want deeper identity coverage
- You need a roadmap for AD hardening and hygiene improvements
- You have AD CS, multiple domains, forest trusts, complex delegation, or a large privileged access model
- You need a clearer view of Tier 0 exposure and domain compromise scenarios
Complementary Approaches
If you already run internal pentests, an AD security assessment complements them by covering identity takeover risk that scans and host-driven testing often miss.
For many organizations, the strongest approach is to use both. The internal pentest finds broad technical exposure across the network. The AD assessment focuses deeply on identity control, privilege relationships, and domain compromise risk. Together, they provide a clearer picture of how an attacker could move from initial access to business impact.
Need a Deeper Review of Active Directory?
Looking for a deeper review of your Active Directory environment? Learn more about our Active Directory Security Assessment service.
Need this validated in your environment?
Our Active Directory security assessment identifies these issues and provides prioritized remediation guidance.
Learn About AD Security Assessments