Purple Knight and PingCastle: A Quick Comparison

By Semperis Team September 15, 2022 | Active Directory

When it comes to protecting your enterprise from cyberattacks, protecting your identity infrastructure is key. Infiltrations of identity systems not only expose your most important assets and business operations to attack but can go undetected for long periods, causing significant damage. So, strengthening your identity security stance is an important step. For at least 90 percent of enterprises, that means prioritizing Active Directory (AD) and Azure AD security. Fortunately, whether you choose PingCastle or Purple Knight, both tools offer free options to help you assess the condition of your AD security and provide insights on how to improve it.

To determine which option is right for your organization, we examine the strengths and primary focus of both tools’ free editions, as well as how you might want to further bolster your defenses.

PingCastle

Developed by Vincent Le Toux, PingCastle is an AD assessment tool written in C#. A free Basic Edition has been available since 2017; Auditor, Professional, and Enterprise versions include additional capabilities for a price.

You can use PingCastle Basic Edition to run a health check that provides contextual security information about your AD environment. Based on built-in models and rules, PingCastle evaluates AD subprocesses and generates a risk report. This report includes a score for privileged accounts, trust relationships between AD domains, insights on stale objects, and security anomalies. For hybrid environments, it can also provide insights into whether the trust relationship with Azure AD is secure.

PingCastle provides an AD map, which helps you visualize the hierarchy of trust relationships. The tool also provides an associated AD health score wherever available. You can generate maps based on existing health check reports or via an independent collection of information.

In addition to evaluating AD deployments, PingCastle scans workstations to look for issues like local admin privileges, open shares with poor security permissions, WannaCry vulnerabilities, and startup time irregularities. When delegating user or machine-creation rights, human errors can creep in and enable an attacker to gain access. PingCastle can swiftly scan permissions to detect such delegation vulnerabilities.

The tool also provides a report based on anomaly analysis, which offers insights into any undesirable access rights that might exist for critical objects in your AD environment.

Capabilities

  • Deep insights into AD trust relationships and hierarchy
  • Security scoring via reports to quantify the state of your AD security
  • Visibility into privileged access to your AD environment and accounts that have an access path to critical objects
  • Consolidation of multiple reports to facilitate benchmarking
  • Detailed reporting on stale objects, local admin rights, open file shares, and similar security anomalies

Caveats

  • Difficult to navigate reports for complex environments with multiple domains
  • No reporting of indicators of exposures that might have already happened
  • No advanced reporting or bug-fixing support in the free Basic Edition

Purple Knight

Purple Knight is a free security assessment tool released by Semperis in 2021. The tool has quickly become one of the most widely used AD security assessment tools thanks to its comprehensive feature set.

Purple Knight helps identify security gaps in your AD environment that can leave the door open for attackers. The tool also provides assessment reports with grading based on the following categories: AD delegation, AD infrastructure security, account security, Kerberos, and Group Policy security.

Even teams without deep AD expertise can use Purple Knight. The tool can detect risky configurations and security flaws by running a comprehensive series of tests against the most common attack vectors in an AD environment. In addition, it can provide information on indicators of compromise (IOCs) to gain insights on security breaches, such as backdoor accounts and suspicious user activity.

The tool also helps you test your AD security posture, based on a list of indicators of exposure (IOEs), to identify security misconfigurations that can compound over time and compromise AD security if not addressed. IOE and IOC detection capabilities are also available as part of Semperis’ for-pay Directory Services Protector (DSP) identity threat detection and response (ITDR) solution, which provides additional features for notification and remediation of found vulnerabilities.

AD management teams can further use Purple Knight to address security issues that can arise due to legacy configurations, to implement best practices of AD security, and to prepare for pen testing by gaining the insight needed to identify and fix major issues before testing.

Capabilities

  • 100+ security indicators based on known security vulnerabilities and emerging threat vectors
  • Comprehensive reporting across five key categories related to AD security
  • Assistance implementing AD security best practices at scale
  • Assistance proactively mitigating vulnerabilities before attackers can exploit them
  • Detailed remediation guidance to address identified vulnerabilities
  • Assistance reducing the attack surface and staying ahead of the curve in an ever-changing threat landscape
  • Support for hybrid environments, with security indicators for both on-prem AD and Azure AD

Caveats

  • Point-in-time assessment rather than continuous monitoring
  • No specific mitigation capability (such as that provided by Semperis DSP)

PingCastle or Purple Knight: Which tool is right for you?

So when it comes to tightening AD security, which tool is right for you: PingCastle or Purple Knight? The answer is that both tools might have a place in your arsenal. PingCastle provides contextual security information. Purple Knight can help you quantify your security posture and gain in-depth security insights based on IOEs and IOCs.

The 2022 Purple Knight Report highlights what IT and security teams are dealing with when it comes to fixing security flaws in Active Directory. With data collected via an online poll and in-depth interviews, the report reveals a range of security flaws that organizations need to address. With this information, organizations can take steps to close critical security gaps and ensure a healthy security posture.

As one interviewed CISO notes, “The Purple Knight Report helped us take action on items right away, such as shutting down or disabling Active Directory accounts that shouldn’t have been enabled. And then it helped us develop a long-term maintenance plan.”

Download Purple Knight for free to detect AD vulnerabilities and protect your organization from them.

About the author
Semperis Team
Semperis, the pioneer of identity-driven cyber resilience for cross-cloud and hybrid environments, offers educational resources, commentary, and research findings to inform technology leaders who are responsible for securing enterprise directory services.