Skillplan AD Checklist
2026-05-20 16:32
AD Security Checklist
Mitigation Controls · Section 13 of 17
Mitigating a Golden SAML
Ensure the AD FS service account is a gMSA.
Ensure the AD FS service account is used only for AD FS and no other purpose.
Ensure passwords for AD FS server local administrator accounts are long (30-character minimum), unique, unpredictable and managed.
Limit access to AD FS servers to only privileged users that require access.
Restrict privileged access pathways to AD FS servers using only the ports and services that are required.
Only use AD FS servers for AD FS and ensure no other non-security-related services or applications are installed.
Centrally log and analyse AD FS server logs in a timely manner to identify malicious activity.
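The port-restriction and logging controls above are settings an engineer applies on the AD FS server itself. The following is an added example (not part of this checklist and not Microsoft's or ASD's code) that applies both on an AD FS server running Windows Server 2016 or later: a default-deny inbound firewall with only the federation ports open to everyone and the admin ports open only to a management subnet, then AD FS auditing turned on so the events can be shipped to central logging. The management subnet and the certificate-authentication port are assumed values and must be replaced.

```powershell
# Added example, not part of the original checklist page: apply the two controls above
# on an AD FS server (Windows Server 2016 or later) and print what was configured.
# Run from an elevated PowerShell session on the AD FS server itself.
# ASSUMPTIONS (replace for your environment): the management subnet and the
# certificate-authentication port below are illustrative values.
#Requires -RunAsAdministrator

$MgmtSubnet   = '10.10.50.0/24'   # assumed PAW / jump-host range allowed to reach RDP and WinRM
$CertAuthPort = 49443             # AD FS certificate-authentication port (default; drop the rule if unused)

# 1. Default-deny inbound on every profile. Outbound stays open because AD FS must reach
#    domain controllers, its farm peers and the Web Application Proxy.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Service ports: HTTPS for federation clients and the Web Application Proxy,
#    plus the certificate-authentication endpoint if it is in use.
New-NetFirewallRule -DisplayName 'AD FS HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'AD FS certificate auth' -Direction Inbound -Protocol TCP -LocalPort $CertAuthPort -Action Allow -Profile Any

# 3. Privileged access pathways: RDP and WinRM only from the management subnet, so a
#    foothold on a general-purpose workstation cannot reach the admin interfaces.
New-NetFirewallRule -DisplayName 'AD FS admin RDP from PAW' -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'AD FS admin WinRM from PAW' -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $MgmtSubnet -Action Allow -Profile Any

# 4. Everything else stays blocked by the default-deny action. Farm-internal traffic
#    (configuration sync between AD FS nodes) needs its own rule scoped to the peer
#    addresses; it is omitted here because it depends on the farm layout.

# 5. AD FS auditing. 'Verbose' makes AD FS write token issuance and request details to the
#    Security log; 'Application Generated' is the audit subcategory those events land in.
#    The AD FS service account also needs the 'Generate security audits' user right
#    (SeAuditPrivilege), normally granted through Group Policy.
Set-AdfsProperties -AuditLevel Verbose
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 6. Show the result so the change can be recorded against the checklist.
Get-NetFirewallRule -DisplayName 'AD FS*' |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
'AD FS AuditLevel: ' + (Get-AdfsProperties).AuditLevel
auditpol.exe /get /subcategory:"Application Generated"
```

Turning auditing on only satisfies half of the logging control: the Security log on each AD FS node still has to be forwarded (Windows Event Forwarding or a SIEM agent) and reviewed centrally, since an attacker who holds the server can clear the local log.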
Encrypt and securely store backups of AD FS servers and limit access to only Backup Administrators.
Rotate AD FS token-signing and encryption certificates every 12 months, or sooner if an AD FS server has been, or is suspected to have been, compromised; the token-signing private key is the material a Golden SAML forgery is built from.
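The service-account controls (gMSA, used only for AD FS) and the certificate-rotation control can be checked from the AD FS server rather than by reading documentation. The script below is an added example (not part of this checklist and not Microsoft's or ASD's code) that reads the account the adfssrv service runs as, checks its object class and whether anything else uses it, and measures the age of the primary token-signing certificate against the 12-month interval. It assumes the ADFS and ActiveDirectory PowerShell modules, an elevated session on a farm node, and that the farm's node names are passed in `-AdfsServers` (a hypothetical parameter of this script).

```powershell
# Added example, not part of the original checklist page: assess the service-account and
# certificate-rotation controls above on an AD FS server (Windows Server 2016 or later).
# Requires the ADFS and ActiveDirectory PowerShell modules and an elevated session.
# The 365-day threshold is the checklist's 12-month rotation interval.
#Requires -Modules ActiveDirectory

function Test-AdfsGoldenSamlControls {
    [CmdletBinding()]
    param(
        [int]$MaxCertificateAgeDays = 365,               # rotate token-signing certs at least every 12 months
        [string[]]$AdfsServers = @($env:COMPUTERNAME)    # hosts (or the group) that may legitimately use the gMSA
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # --- Control: AD FS service account is a gMSA ---------------------------------------
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
    if (-not $svc) { throw 'AD FS service (adfssrv) is not installed on this host.' }
    $samName = ($svc.StartName -split '\\')[-1]          # DOMAIN\name$ for a gMSA, DOMAIN\name for a user
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$samName)" -Properties servicePrincipalName, memberOf
    if (-not $acct) { throw "Could not resolve service account '$($svc.StartName)' in AD." }
    $isGmsa = $acct.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
    Add-Finding 'Service account is a gMSA' $isGmsa "adfssrv runs as $($svc.StartName) (objectClass=$($acct.ObjectClass))"

    # --- Control: service account is used only for AD FS --------------------------------
    # The federation service registers host/<federation service name>; any other SPN means
    # the account also fronts another service. Group memberships, and hosts beyond the farm
    # that may retrieve the gMSA password, are likewise signs of a shared account.
    $extraSpns  = @($acct.servicePrincipalName | Where-Object { $_ -notmatch '^host/' })
    $groups     = @($acct.memberOf)
    $extraHosts = @()
    if ($isGmsa) {
        $gmsa = Get-ADServiceAccount -Identity $samName -Properties PrincipalsAllowedToRetrieveManagedPassword
        $extraHosts = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword |
            ForEach-Object { (Get-ADObject -Identity $_).Name } |
            Where-Object { $_ -notin $AdfsServers })
    }
    $dedicated = ($extraSpns.Count -eq 0) -and ($groups.Count -eq 0) -and ($extraHosts.Count -eq 0)
    Add-Finding 'Service account used only for AD FS' $dedicated `
        ('extra SPNs: [{0}] groups: [{1}] extra password retrievers: [{2}]' -f ($extraSpns -join ', '), ($groups -join ', '), ($extraHosts -join ', '))

    # --- Control: token-signing certificate rotated within 12 months --------------------
    # The age of the primary token-signing certificate is the exposure window of its key;
    # the rollover settings show whether the 12-month cycle happens without human action.
    $props   = Get-AdfsProperties
    $signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    $ageDays = [int](New-TimeSpan -Start $signing.Certificate.NotBefore -End (Get-Date)).TotalDays
    Add-Finding 'Token-signing certificate younger than 12 months' ($ageDays -le $MaxCertificateAgeDays) `
        ('thumbprint {0}, issued {1:yyyy-MM-dd}, age {2} days' -f $signing.Thumbprint, $signing.Certificate.NotBefore, $ageDays)
    Add-Finding 'Automatic rollover at or under 12 months' ($props.AutoCertificateRollover -and $props.CertificateDuration -le $MaxCertificateAgeDays) `
        "AutoCertificateRollover=$($props.AutoCertificateRollover), CertificateDuration=$($props.CertificateDuration) days"

    return $findings
}

# Usage: run on a farm node and pass every node (or the group granted password retrieval)
# so legitimate peers are not flagged, e.g. Test-AdfsGoldenSamlControls -AdfsServers 'ADFS01','ADFS02'
Test-AdfsGoldenSamlControls | Format-Table Control, Pass, Detail -AutoSize -Wrap
```

When the certificate check fails because a compromise is suspected, `Update-AdfsCertificate -CertificateType Token-Signing -Urgent` generates a new certificate and promotes it to primary immediately (this requires AutoCertificateRollover to be enabled); every relying party, including the cloud tenant federated with the farm, then has to be updated with the new certificate, otherwise legitimate tokens stop validating while a forger holding the old key keeps working wherever the old certificate is still trusted.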