Best Practices for Active Directory Security
Harden Active Directory: tiered admin model, Kerberos hygiene, privileged access, monitoring, and the controls that defeat real attacker tradecraft.
Active Directory is the heart of most enterprise networks. It authenticates users, authorizes access, distributes policy, and grants the trust relationships that hold complex organizations together. It is also one of the most attacked targets in cybersecurity. Nearly every major ransomware campaign and APT intrusion of the past decade leveraged Active Directory along the path to impact. Compromise AD and you compromise the business. Hardening AD is foundational to every defensive program.
This intermediate guide compiles Active Directory security best practices that defend against modern attacker tradecraft. It is written for IT and security practitioners responsible for designing, operating, or auditing AD environments at scale.
Core Concepts
Active Directory provides directory services for Windows networks. The forest is the security boundary; domains within a forest share trust by default. Domain controllers (DCs) host the directory and authenticate users using Kerberos (primary) and NTLM (legacy). Group Policy distributes configuration. ACLs grant fine-grained permissions on objects.
Modern attacks against AD rarely use traditional memory-corruption exploits. Instead, attackers abuse legitimate protocols and built-in features: Kerberoasting, AS-REP roasting, NTLM relay, DCSync, ACL abuse, Group Policy hijacking, ZeroLogon, and lateral movement via stolen credentials. The attack surface is the protocol and configuration, not just code.
Authoritative references include Microsoft's "Securing Privileged Access" reference and "Active Directory Tiered Administrative Model," the CIS Microsoft Windows Server benchmarks, the NSA/CISA AD guidance, and community resources like Sean Metcalf's ADSecurity.org and SpecterOps research.
Two principles drive almost every recommendation. Least privilege: nobody and no system has more access than necessary. Tiering: high-privilege credentials only touch high-trust systems, never workstations or random servers.
Tiered Administration Model
Microsoft's tiered model separates administration into three tiers. Tier 0 contains domain controllers, AD-integrated PKI, federation infrastructure, and identity systems. Tier 1 contains servers and business applications. Tier 2 contains workstations and end-user devices.
Credentials and admin tools are tier-bound. Tier 0 admin accounts never log on to Tier 1 or Tier 2 systems. Tier 1 admin accounts never log on to workstations. Tier 2 admin accounts never log on to servers or DCs. This prevents the classic kill chain where attackers harvest tier-0 credentials from a compromised workstation.
Implement Privileged Access Workstations (PAWs) for Tier 0 administration. PAWs are dedicated, hardened devices used only for sensitive admin tasks. They have no email, no general web browsing, and limited software. Combined with strong baselines and monitoring, PAWs dramatically reduce the risk of credential theft.
Use separate admin accounts. Each privileged user has at least two accounts: a regular user account for day-to-day work and a tier-bound admin account for elevated tasks. Admin accounts are never used for email, browsing, or productivity apps.
Apply Just-In-Time (JIT) elevation. Tools like Microsoft Identity Manager's PAM module, Azure AD Privileged Identity Management (for hybrid scenarios), and third-party platforms (CyberArk, BeyondTrust, Delinea) provide time-bound, approval-based privilege activation. Standing privilege is eliminated wherever possible.
Authentication Hardening
Disable NTLM where possible. NTLM is decades old and vulnerable to relay, downgrade, and credential reuse attacks. Microsoft now ships features to audit NTLM use, restrict it, and eventually disable it. Move toward Kerberos and modern authentication. Where NTLM cannot be removed (legacy apps, some appliances), audit usage and restrict surface.
Require SMB signing universally. Without SMB signing, NTLM relay against SMB is trivial. Enforce signing on domain controllers (required by default since 2003) and on workstations and servers via Group Policy. Extended Protection for Authentication adds channel binding to mitigate relay against HTTPS-based services.
Disable LLMNR and NetBIOS Name Service. These broadcast protocols are routinely abused by Responder and similar tools to capture NetNTLM hashes. Configure GPO to disable both. Use proper DNS instead.
Disable IPv6 on segments that do not need it, or otherwise constrain mitm6-style attacks. mitm6 abuses IPv6 autoconfiguration to position itself as a DHCPv6 server and respond to WPAD queries, harvesting credentials at scale. Where IPv6 is needed, deploy RA Guard and DHCPv6 Guard.
Use strong passwords for service accounts. Service accounts are the prime target of Kerberoasting: attackers request service tickets and crack them offline. Passwords longer than 25 characters with sufficient entropy resist offline cracking. Better: use Group Managed Service Accounts (gMSAs), whose long, randomly generated passwords are rotated automatically, which makes offline cracking impractical.
Enable AES Kerberos and disable RC4 where possible. RC4 is the algorithm Kerberoasting attacks usually target. AES tickets are vastly harder to crack offline. Auditing tools can identify accounts still issued RC4 tickets.
Enable Kerberos pre-authentication for every account. Accounts with pre-auth disabled are exposed to AS-REP roasting. The setting persists for backward compatibility; audit and remove it.
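The three account-level checks above (crackable service-account passwords, RC4-capable SPN accounts, and pre-authentication disabled) can be audited from a single script. The following is an added example, not code from the article; it assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the directory.

```powershell
# Added example (not from the article): audit Kerberoasting and AS-REP roasting exposure.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

function Get-KerberoastableAccounts {
    # Enabled user accounts carrying an SPN are the population Kerberoasting targets.
    # krbtgt is excluded; gMSAs are a different object class and are not returned by Get-ADUser.
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true -and Name -ne "krbtgt"' `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        # Unset (null/0) means the account has no AES-only restriction, so RC4 service tickets can be issued
        $aesOnly = ($null -ne $enc) -and (($enc -band ($AES128 -bor $AES256)) -ne 0) -and (($enc -band $RC4) -eq 0)
        $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            SPNCount        = @($_.ServicePrincipalName).Count
            PasswordAgeDays = $ageDays
            AESOnly         = [bool]$aesOnly
            Privileged      = ($_.AdminCount -eq 1)
        }
    }
}

function Get-AsRepRoastableAccounts {
    # userAccountControl bit 0x400000 (4194304) is UF_DONT_REQUIRE_PREAUTH; the bitwise-AND OID matches it
    Get-ADUser -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' |
        Select-Object SamAccountName, DistinguishedName
}

# Report highest-risk first: privileged, RC4-capable, oldest password
Get-KerberoastableAccounts |
    Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true },
                          @{ Expression = 'AESOnly'; Descending = $false },
                          @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table -AutoSize

Get-AsRepRoastableAccounts | Format-Table -AutoSize
```

Accounts that show `AESOnly = False` with a years-old password and `Privileged = True` are the ones to convert to a gMSA first, or at minimum to rotate and restrict with `Set-ADUser -KerberosEncryptionType AES128,AES256`; accounts returned by the second query are cleared with `Set-ADAccountControl -DoesNotRequirePreAuth $false` once the dependent application has been confirmed to support pre-authentication.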
Privileged Group Hygiene
Audit and minimize membership of high-privilege groups. Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators, Print Operators, and Server Operators all carry effective tier-0 power, often unintentionally. Document who is in each and why. Remove anyone whose role does not require it.
Empty default admin groups in production. Microsoft recommends keeping Domain Admins and Enterprise Admins empty under normal operations. Use just-in-time elevation to populate them temporarily when needed.
Watch for shadow paths to privilege. ACL abuse is a major class of attack. Write access to a privileged group, GenericAll on a domain controller computer object, GenericWrite on a service account, DCSync rights (Replicating Directory Changes), or Write Owner on sensitive objects all provide paths to escalation. BloodHound surfaces these paths automatically.
Protect built-in administrative accounts. The local Administrator account, the krbtgt account, and break-glass accounts all need extra care. Disable local Administrator accounts where possible or use LAPS (Local Administrator Password Solution, now Windows LAPS) to randomize passwords per device. Rotate krbtgt twice (with the documented procedure) on a schedule and after suspected compromise to invalidate forged Golden Tickets.
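A recurring privileged-group review is easier to keep honest when it is scripted. The block below is an added example, not the article's or Microsoft's code; it assumes the RSAT ActiveDirectory module and domain read access, flattens nested membership of the groups named above, reports the krbtgt password age, and lists accounts that still carry `AdminCount = 1` without being in any of those groups (candidates for review, since AdminSDHolder protects a few further built-in groups too).

```powershell
# Added example (not from the article): tier-0 group membership, krbtgt age, and AdminCount leftovers.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# Groups the article lists as carrying effective tier-0 power (built-in English names)
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'

function Get-Tier0Membership {
    foreach ($g in $Tier0Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain
        $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive flattens nested groups so membership hidden behind nesting is visible
        foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
            $detail = $null
            if ($m.objectClass -eq 'user') {
                $detail = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
            }
            $ageDays = if ($detail -and $detail.PasswordLastSet) { [int]((Get-Date) - $detail.PasswordLastSet).TotalDays } else { $null }
            [PSCustomObject]@{
                Group           = $g
                Member          = $m.SamAccountName
                ObjectClass     = $m.objectClass
                Enabled         = if ($detail) { $detail.Enabled } else { $null }
                LastLogonDate   = if ($detail) { $detail.LastLogonDate } else { $null }
                PasswordAgeDays = $ageDays
            }
        }
    }
}

function Get-KrbtgtPasswordAgeDays {
    # A krbtgt password older than the rotation schedule means old Golden Tickets would still validate
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [int]((Get-Date) - $k.PasswordLastSet).TotalDays
}

function Get-AdminCountCandidates {
    # Accounts removed from a protected group keep AdminCount=1 and a non-inheriting ACL;
    # they are not in the groups above any more but still look privileged and deserve a look.
    $current = @(Get-Tier0Membership | Where-Object { $_.ObjectClass -eq 'user' } |
                 Select-Object -ExpandProperty Member -Unique)
    Get-ADUser -Filter 'AdminCount -eq 1' | Where-Object { $current -notcontains $_.SamAccountName }
}

Get-Tier0Membership | Sort-Object Group, Member | Format-Table -AutoSize
"krbtgt password age: $(Get-KrbtgtPasswordAgeDays) days"
Get-AdminCountCandidates | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run it from the forest root to see Enterprise Admins and Schema Admins as well; a disabled or long-dormant account in the first table, or a krbtgt age in the hundreds of days, is a finding on its own.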
Group Policy and Configuration
Apply secure baselines. Microsoft Security Compliance Toolkit and the CIS Windows Server benchmarks provide tested baselines for DCs, servers, and workstations. Deploy via Group Policy or Intune.
Audit Group Policy permissions. GPO ownership and write permissions on sensitive GPOs (especially those targeting DCs or admin OUs) are common privilege escalation paths. Review who can modify each GPO and restrict to dedicated admin groups.
Restrict where privileged credentials can be used. "Deny logon locally," "Deny logon as a service," and "Deny access to this computer from the network" enforce the tier model. Combined with "Authentication Policies and Silos" introduced in Windows Server 2012 R2, you can hard-bind privileged accounts to designated hosts.
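The hard-binding of tier-0 accounts to designated hosts that the paragraph describes can be expressed as an authentication policy silo. The script below is an added example, not the article's or Microsoft's code; the silo, policy, PAW and account names are placeholders, and it assumes the RSAT ActiveDirectory module, a Windows Server 2012 R2 or later domain functional level, and the "KDC support for claims, compound authentication and Kerberos armoring" policy enabled on the domain controllers (with Kerberos armoring enabled on the clients).

```powershell
# Added example (not from the article): bind tier-0 admin accounts to their PAWs with an
# authentication policy silo, so a tier-0 TGT is issued only to requests from a silo member device.
# Silo, policy, PAW and account names below are placeholders.
Import-Module ActiveDirectory

$SiloName   = 'Tier0Silo'
$PolicyName = 'Tier0Policy'
$Paws       = @('PAW01$', 'PAW02$')            # placeholder PAW computer accounts
$Tier0Users = @('adm-alice-t0', 'adm-bob-t0')  # placeholder tier-0 admin accounts

# Conditional ACE in the form Microsoft documents for silos: authenticate only from devices in this silo
$FromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"

function New-Tier0Silo {
    # Omit -Enforce on first rollout: an unenforced policy/silo runs in audit mode and logs
    # what it would have denied, so legitimate flows can be fixed before enforcement.
    param([switch]$Enforce)

    $policy = New-ADAuthenticationPolicy -Name $PolicyName -UserTGTLifetimeMins 240 `
                  -UserAllowedToAuthenticateFrom $FromSilo -Enforce:$Enforce -PassThru
    $silo = New-ADAuthenticationPolicySilo -Name $SiloName -UserAuthenticationPolicy $policy `
                -ComputerAuthenticationPolicy $policy -Enforce:$Enforce -PassThru

    # Each member must be both granted access to the silo and assigned to it
    foreach ($paw in $Paws) {
        $c = Get-ADComputer -Identity $paw
        Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $c
        Set-ADComputer -Identity $c -AuthenticationPolicySilo $silo
    }
    foreach ($u in $Tier0Users) {
        $usr = Get-ADUser -Identity $u
        Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $usr
        Set-ADUser -Identity $usr -AuthenticationPolicySilo $silo
    }
    $silo
}

function Get-Tier0SiloMembers {
    # Verification: who is actually bound to the silo
    Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members | Select-Object -ExpandProperty Members
}

New-Tier0Silo            # audit mode first
Get-Tier0SiloMembers
# After reviewing the audit events on the DCs: Set-ADAuthenticationPolicy / Set-ADAuthenticationPolicySilo -Enforce $true
```

The silo complements rather than replaces the "Deny logon" user rights: the rights stop an admin credential from being used on the wrong host, while the silo stops the KDC from issuing the TGT in the first place when the request does not originate from a PAW. The shortened TGT lifetime also limits how long a stolen ticket remains usable.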
Configure Credential Guard. Credential Guard isolates LSA secrets in a virtualization-based security (VBS) container, defeating classic Mimikatz hash dumping on compatible hardware. Combine with Device Guard for code integrity.
Enable LSA Protection. LSASS process protection prevents non-protected processes from injecting into LSASS, blocking many credential dumping techniques.
Disable WDigest. Older Windows versions cached plaintext passwords for WDigest authentication. Disable WDigest (UseLogonCredential set to 0) and enforce that setting everywhere.
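The host-level settings in this section and in the authentication section (SMB signing, LLMNR, NTLM level, LSA protection, WDigest, Credential Guard) each have a documented registry or WMI backing, which makes a quick read-only compliance check possible. The following is an added example, not the article's code; it runs elevated on a server or workstation and reports the current value of each setting against the hardened value.

```powershell
# Added example (not from the article): read-only check of host credential-protection settings.
# Registry paths and values are Microsoft's documented backing for the corresponding policies.
$Checks = @(
    @{ Name = 'LSA Protection (RunAsPPL)';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                            Value = 'RunAsPPL';                 Expected = 1 }
    @{ Name = 'WDigest plaintext caching off';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';      Value = 'UseLogonCredential';       Expected = 0 }
    @{ Name = 'SMB server signing required';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'SMB client signing required';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'LLMNR disabled (policy)';          Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';               Value = 'EnableMulticast';          Expected = 0 }
    @{ Name = 'NTLMv2 only (LmCompatibilityLevel)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                          Value = 'LmCompatibilityLevel';     Expected = 5 }
)

function Test-HostHardening {
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        # A missing value means the OS default applies, which differs by build (WDigest and LLMNR
        # default to the insecure behaviour on older ones), so it is reported as a failure to force
        # an explicit setting.
        [PSCustomObject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Pass     = ($null -ne $actual) -and ($actual -eq $c.Expected)
        }
    }
    # Credential Guard reports through the DeviceGuard WMI class: 1 in SecurityServicesRunning means running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    [PSCustomObject]@{ Check = 'Credential Guard running'; Expected = $true; Actual = $cgRunning; Pass = $cgRunning }
}

Test-HostHardening | Format-Table -AutoSize
```

Treat the output as an audit, not a remediation tool: the fixes belong in the baseline GPO (or Intune profile) so that they are enforced and re-applied, and a host that fails the LSA Protection or Credential Guard row usually needs a reboot after the policy lands before it reports green.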
Monitoring and Detection
Enable detailed audit policy. Windows Advanced Audit Policy provides granular categories: account logon, logon/logoff, account management, directory service access, object access, privilege use, system events. Apply consistently across DCs, servers, and workstations.
Forward logs centrally. Windows Event Forwarding, Sysmon, and EDR agents stream events to a SIEM. Specific events worth alerting on include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4768 (Kerberos TGT request, especially with RC4), 4769 (service ticket request), 4738 (user account changed), 5136 (directory service object modified), and Sysmon process and image load events.
Detect Kerberoasting and AS-REP roasting. Unusual volumes of service ticket requests for many distinct SPNs from a single host, especially with RC4 encryption, suggest Kerberoasting. 4768 (AS-REQ) events showing Pre-Authentication Type 0 identify accounts authenticating without pre-authentication, the AS-REP roasting candidates.
Detect DCSync. DCSync abuses the Replicating Directory Changes permission to extract password hashes from DCs. Event 4662 with the specific GUIDs for replication operations, sourced from a host that is not a DC, is a strong indicator.
Watch for Golden Ticket and Silver Ticket abuse. Service ticket use without preceding TGT issuance, tickets with unusually long lifetimes, and tickets for accounts that should not exist all suggest forgery. Detection is difficult but possible with careful baselining.
Monitor privileged group changes in real time. Adds to Domain Admins, Enterprise Admins, or other tier-0 groups should fire immediate alerts and trigger investigation.
Use BloodHound defensively. Run SharpHound on a schedule and analyze attack paths your environment exposes. Close them before adversaries find them.
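The Kerberoasting and DCSync indicators above can be turned into detection logic directly. The block below is an added example, not the article's code, and is written to run offline over a constructed sample of 4769, 4624 and 4662 events (field names match the Windows Security log's EventData; the addresses, account names and sync-account name are constructed placeholders). `ConvertFrom-SecurityEvent` shows how real records from `Get-WinEvent` are flattened into the same shape, and the DCSync check joins 4662 to the 4624 that opened the session to recover the source address the 4662 event itself lacks.

```powershell
# Added example (not from the article): Kerberoasting-burst and DCSync detection over sample events.
# Sample data below is constructed; the event field names match Windows Security log EventData.

# Well-known control-access-right GUIDs for directory replication (rightsGuid of the
# controlAccessRight objects in the Configuration partition)
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function ConvertFrom-SecurityEvent {
    # Flatten an EventLogRecord's <EventData> into one object: EventId, Time, then the named fields
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $o = [ordered]@{ EventId = $Record.Id; Time = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [PSCustomObject]$o
    }
}

function ConvertTo-PlainAddress([string]$a) { $a -replace '^::ffff:', '' }   # 4769 logs IPv4-mapped IPv6

function Find-KerberoastingBursts {
    param($Events, [int]$MinDistinctSpns = 10, [int]$WindowMinutes = 5)
    # Successful RC4 (0x17) service-ticket requests, grouped by requesting address
    $rc4 = $Events | Where-Object { $_.EventId -eq 4769 -and $_.Status -eq '0x0' -and $_.TicketEncryptionType -eq '0x17' }
    foreach ($grp in ($rc4 | Group-Object IpAddress)) {
        $srcAddr = ConvertTo-PlainAddress $grp.Name
        $sorted  = @($grp.Group | Sort-Object Time)
        for ($s = 0; $s -lt $sorted.Count; $s++) {
            # Sliding window: distinct SPNs requested by this address within WindowMinutes
            $end  = $sorted[$s].Time.AddMinutes($WindowMinutes)
            $win  = @($sorted | Where-Object { $_.Time -ge $sorted[$s].Time -and $_.Time -le $end })
            $spns = @($win.ServiceName | Select-Object -Unique)
            if ($spns.Count -ge $MinDistinctSpns) {
                [PSCustomObject]@{ Source = $srcAddr; Requester = $sorted[$s].TargetUserName
                                   DistinctSpns = $spns.Count; WindowStart = $sorted[$s].Time }
                break   # one alert per source address
            }
        }
    }
}

function Find-DCSync {
    param($Events, [string[]]$DcAddresses, [string[]]$AllowedAccounts = @())
    # 4662 carries no source address; join its SubjectLogonId to the 4624 that created the session
    $sessions = @{}
    foreach ($e in ($Events | Where-Object { $_.EventId -eq 4624 })) { $sessions[$e.TargetLogonId] = ConvertTo-PlainAddress $e.IpAddress }
    foreach ($ev in ($Events | Where-Object { $_.EventId -eq 4662 })) {
        $props = $ev.Properties.ToLower()
        $hit = @($ReplicationGuids | Where-Object { $props.Contains($_) })
        if ($hit.Count -eq 0) { continue }
        $src = $sessions[$ev.SubjectLogonId]
        # DCs replicate legitimately, as do approved sync identities (e.g. the Azure AD Connect account)
        if (($DcAddresses -contains $src) -or ($AllowedAccounts -contains $ev.SubjectUserName)) { continue }
        [PSCustomObject]@{ Time = $ev.Time; Account = $ev.SubjectUserName; SourceAddress = $src; Rights = ($hit -join ',') }
    }
}

# Constructed sample: 12 RC4 tickets for 12 SPNs in 12 seconds from one workstation, one normal
# AES ticket, and a replication-rights 4662 whose logon session came from that same workstation.
$t0 = Get-Date '2024-01-15T09:00:00'
$Sample = @(
    foreach ($i in 1..12) {
        [PSCustomObject]@{ EventId = 4769; Time = $t0.AddSeconds($i); TargetUserName = 'alice@CORP.EXAMPLE'
                           ServiceName = "svc$i"; IpAddress = '::ffff:10.1.5.23'; TicketEncryptionType = '0x17'; Status = '0x0' }
    }
    [PSCustomObject]@{ EventId = 4769; Time = $t0.AddMinutes(1); TargetUserName = 'bob@CORP.EXAMPLE'
                       ServiceName = 'FILE01$'; IpAddress = '::ffff:10.1.7.9'; TicketEncryptionType = '0x12'; Status = '0x0' }
    [PSCustomObject]@{ EventId = 4624; Time = $t0.AddMinutes(4); TargetUserName = 'alice'; TargetLogonId = '0x3e7a1'
                       IpAddress = '10.1.5.23' }
    [PSCustomObject]@{ EventId = 4662; Time = $t0.AddMinutes(5); SubjectUserName = 'alice'; SubjectLogonId = '0x3e7a1'
                       Properties = '%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}' }
)

Find-KerberoastingBursts -Events $Sample | Format-Table -AutoSize
# Placeholder DC addresses and sync account; substitute your own
Find-DCSync -Events $Sample -DcAddresses '10.1.0.10', '10.1.0.11' -AllowedAccounts 'MSOL_placeholder' | Format-Table -AutoSize
```

Against the sample, the first function reports 10.1.5.23 requesting 12 distinct SPNs with RC4 and the second reports alice exercising DS-Replication-Get-Changes-All from 10.1.5.23. Two caveats for live use: 4662 replication events only appear when Directory Service Access auditing is enabled and the domain object's SACL audits the replication rights, and the AES ticket filter means the burst detector deliberately ignores an environment that has already moved service accounts to AES, where the remaining signal is the distinct-SPN volume rather than the encryption type.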
Operational Best Practices
Patch DCs aggressively. ZeroLogon (CVE-2020-1472), noPac (CVE-2021-42278/42287), PrintNightmare (CVE-2021-34527), CVE-2022-26925, and many others have provided one-hop paths to domain admin. Stay current; do not let DCs run unpatched for months.
Conduct regular AD security assessments. Tools like PingCastle, Purple Knight, Microsoft Defender for Identity assessments, and BloodHound provide free or low-cost AD posture checks. Run quarterly and remediate findings.
Plan AD-specific incident response. Compromise of a domain controller or krbtgt account requires specific procedures: rotate krbtgt twice, rebuild affected DCs, audit all accounts and tickets, and ideally rebuild the forest if root compromise is suspected. Document these playbooks; they are not the same as standard server compromise response.
For hybrid environments, harden the Entra ID / Azure AD integration. Federation services (ADFS, third-party SAML providers) hold private keys whose theft enables forging tokens across cloud services. Azure AD Connect synchronizes sensitive data; protect the Connect server like a DC.
Consider AD Tier 0 rebuild for legacy estates. Many environments accumulated decades of ACL drift, orphaned trusts, and misplaced admin accounts. A clean rebuild of the tier-0 plane (often called "ESAE" or "Red Forest" historically; now reframed as "Privileged Access Strategy") is sometimes the only path back to a defensible posture.
Real-world Examples
The 2017 NotPetya outbreak weaponized stolen credentials and AD-based lateral movement to reach global impact within hours. Companies like Maersk rebuilt their entire AD forest as part of recovery. The lesson: AD recovery planning is part of business continuity.
ZeroLogon (CVE-2020-1472) allowed unauthenticated attackers with network access to a DC to reset its computer account password and effectively own the domain. Public exploit code appeared within days; widespread exploitation followed.
Ransomware groups including Conti, LockBit, BlackCat, and many others have demonstrated repeatable AD-based playbooks: phishing for initial access, BloodHound for path discovery, Kerberoasting and credential theft for escalation, then mass encryption via Group Policy or SCCM. AD hardening directly disrupts each step.
The 2024 Microsoft "Midnight Blizzard" incident, in which a Russian state actor compromised the company's corporate Microsoft 365 environment, included extensive AD/Entra ID activity. The post-mortem emphasized password spray, missing MFA on legacy test accounts, and limited monitoring.
Active Directory security is among the highest-leverage investments in any enterprise security program. The threats are well documented and the controls well understood. Apply the tiered administration model. Eliminate NTLM where possible and require SMB signing. Use gMSAs and AES for service accounts. Audit privileged groups and ACLs. Deploy LAPS, Credential Guard, and LSA protection. Patch DCs aggressively. Monitor authentication and directory events with discipline. Plan AD-specific incident response and practice it.
For intermediate practitioners, the highest-impact starting points are usually tiering, gMSA conversion, NTLM auditing, LAPS deployment, and BloodHound-driven attack path remediation. Each closes a wide class of real attacker tradecraft. Build from there with monitoring, JIT elevation, and periodic assessment. A well-run AD environment forces attackers to work much harder, and that extra work translates directly into earlier detection and contained impact.