Active Directory Security Guide

Posted: March 27, 2026 to Cybersecurity.

Why Active Directory Is the Top Target for Attackers

Active Directory (AD) is the identity backbone of over 90% of enterprise networks worldwide. It controls who can log in, what resources they can access, and how security policies are enforced across the organization. When an attacker compromises Active Directory, they compromise everything. Domain Admin credentials grant unrestricted access to every server, workstation, file share, email account, and application in the environment.

According to Microsoft's own threat intelligence, 95% of advanced cyberattacks involve Active Directory compromise at some stage. Ransomware operators like Conti, LockBit, and BlackCat specifically target AD during the lateral movement phase because a single compromised domain controller gives them the ability to deploy ransomware to every joined system simultaneously through Group Policy.

Despite its critical importance, Active Directory security is frequently neglected. Many organizations run AD configurations that have accumulated years of misconfigurations, excessive privileges, legacy compatibility settings, and orphaned objects. These security debts compound over time, creating attack surfaces that threat actors readily exploit.

Active Directory Attack Vectors You Need to Understand

Kerberoasting

Kerberoasting exploits the Kerberos authentication protocol to extract service account password hashes that can be cracked offline. Any authenticated domain user can request a Kerberos service ticket (TGS) for any service account with a Service Principal Name (SPN). The ticket is encrypted with the service account's password hash. The attacker extracts this hash and cracks it offline using tools like Hashcat or John the Ripper without generating any authentication failure alerts.

Service accounts are particularly vulnerable because they often have weak passwords that never expire, elevated privileges, and SPNs that make them discoverable. A single Kerberoasted service account with Domain Admin privileges gives the attacker complete control.

Pass-the-Hash and Pass-the-Ticket

When a user authenticates on a Windows system, their NTLM password hash is cached in memory. An attacker who gains local administrator access to a workstation can extract these cached hashes using tools like Mimikatz and use them to authenticate as that user on other systems without knowing the plaintext password. This technique is called Pass-the-Hash.

Similarly, Kerberos Ticket Granting Tickets (TGTs) cached in memory can be extracted and reused on other systems, a technique called Pass-the-Ticket. If a Domain Admin has logged into a workstation that an attacker compromises, their cached credentials provide a direct path to domain dominance.

DCSync Attack

An attacker with the Replicating Directory Changes and Replicating Directory Changes All permissions (typically held by Domain Admins and domain controllers) can impersonate a domain controller and request password hash replication for any account in the domain, including the krbtgt account. Compromising the krbtgt hash enables Golden Ticket attacks that provide persistent, undetectable domain access.

Group Policy Abuse

Group Policy Objects (GPOs) push configuration changes to every computer and user in their scope. An attacker who can modify a GPO linked to the domain or key OUs can deploy malware, create backdoor accounts, disable security controls, or push ransomware to every system in the organization simultaneously. GPO permissions are often overly broad, with legacy delegation settings granting edit rights to groups that should not have them.

LDAP Reconnaissance

Any authenticated domain user can query Active Directory via LDAP and enumerate virtually the entire directory: all users, groups, group memberships, computers, organizational units, trusts, SPNs, and GPO configurations. Attackers use tools like BloodHound to map these relationships and identify the shortest path from their current access to Domain Admin. This reconnaissance generates minimal noise because LDAP queries are normal AD operations.

Active Directory Security Hardening: Essential Controls

Tiered Administration Model

Microsoft's Enterprise Access Model (formerly the Tiered Administration Model) is the foundation of AD security. It establishes three tiers of administrative access:

• Tier 0 (Control Plane): Domain controllers, AD administration tools, PKI infrastructure, and the accounts that manage them. Tier 0 assets must be protected with the highest security controls.
• Tier 1 (Management Plane): Member servers, applications, and the server administrator accounts that manage them. Tier 1 admins must never log into Tier 0 systems.
• Tier 2 (User Access): Workstations, mobile devices, and standard user accounts. Help desk accounts that manage workstations must never log into servers.

The critical principle is that higher-tier credentials must never be exposed on lower-tier systems. If a Domain Admin logs into a workstation, their credentials are cached on that workstation. If the workstation is compromised, the Domain Admin credentials are compromised. Tiered administration prevents this credential exposure.

Privileged Access Workstations (PAWs)

Domain controllers and other Tier 0 systems should only be administered from dedicated Privileged Access Workstations. PAWs are hardened systems with restricted network access, no internet browsing, no email access, application whitelisting, and enhanced monitoring. They provide a clean, controlled environment for performing sensitive administrative tasks.

Service Account Hardening

Service accounts are the most common weak point in Active Directory. Harden them with these measures:

• Replace standard service accounts with Group Managed Service Accounts (gMSAs) wherever possible. gMSAs use 240-character randomly generated passwords that rotate automatically every 30 days, eliminating password management entirely.
• For service accounts that cannot use gMSAs, enforce 25+ character passwords with annual rotation.
• Remove service accounts from privileged groups (Domain Admins, Enterprise Admins, Administrators). Service accounts should have only the specific permissions they need.
• Audit all SPNs and remove any that are no longer needed.
• Enable AES encryption for Kerberos tickets and disable RC4 where compatible to make Kerberoasting significantly harder.

Credential Protection

Protecting credentials in memory and at rest is essential to prevent Pass-the-Hash and credential theft attacks:

• Windows Credential Guard: Uses virtualization-based security to isolate NTLM hashes and Kerberos tickets in a protected memory space that even local administrators cannot access
• Protected Users security group: Members cannot use NTLM authentication, DES or RC4 encryption, be delegated, or have credentials cached on non-domain controllers
• LAPS (Local Administrator Password Solution): Randomizes local administrator passwords on every domain-joined computer, preventing lateral movement through shared local admin credentials
• Disable NTLM where possible: NTLM is inherently vulnerable to relay and Pass-the-Hash attacks. Move to Kerberos-only authentication wherever application compatibility permits

Group Policy Security

Lock down Group Policy to prevent abuse:

• Audit GPO permissions and remove unnecessary edit rights. Only Tier 0 administrators should modify GPOs linked to the domain root or Tier 0 OUs.
• Enable Advanced Audit Policy Configuration to log GPO changes.
• Monitor for GPO modifications using your security monitoring solution.
• Review GPO inheritance regularly to identify unintended policy application.

Domain Controller Hardening

Domain controllers are the crown jewels of your network and require specific hardening:

• Run only the AD DS role and DNS on domain controllers. No other applications or services.
• Disable internet access from domain controllers.
• Enable BitLocker full-disk encryption on all domain controllers.
• Restrict who can log into domain controllers interactively to Tier 0 administrators only.
• Deploy Microsoft Defender for Identity (formerly Azure ATP) for domain controller-specific threat detection.
• Ensure domain controllers run a supported Windows Server version with current patches.

Active Directory Monitoring and Detection

Hardening reduces the attack surface, but you also need to detect attacks in progress. Configure monitoring for these critical events:

• Event ID 4769 (Kerberos Service Ticket Operations): Monitor for unusual volumes of service ticket requests, particularly with RC4 encryption, which indicates Kerberoasting
• Event ID 4672 (Special Privileges Assigned): Track when accounts receive elevated privileges
• Event ID 4728/4732/4756 (Members Added to Security Groups): Alert on additions to Domain Admins, Enterprise Admins, Schema Admins, and other privileged groups
• Event ID 4662 (Directory Service Access): Detect DCSync attacks by monitoring for replication permission usage from non-domain controller sources
• Event ID 5136 (Directory Service Changes): Track modifications to AD objects including GPOs, user attributes, and group memberships
• Event ID 4624 Type 10 (Remote Interactive Logon): Monitor for interactive logons to domain controllers from unexpected sources

Active Directory Security Assessment: Where to Start

If your organization has not conducted an AD security assessment, start with these steps:

1. Run BloodHound or PingCastle: These free tools map AD relationships and identify the most critical attack paths. PingCastle generates a security score and actionable findings report.
2. Audit privileged group membership: List all members of Domain Admins, Enterprise Admins, Schema Admins, Administrators, Backup Operators, Account Operators, and Server Operators. Each membership should be justified and documented.
3. Inventory service accounts: Identify all service accounts with SPNs and evaluate their passwords, permissions, and necessity.
4. Review password policies: Check Default Domain Policy and Fine-Grained Password Policies. Ensure privileged accounts have stronger requirements than standard users.
5. Check domain and forest functional levels: Ensure they are at Windows Server 2016 or higher to enable modern security features.
6. Assess trust relationships: Inventory all domain and forest trusts. External and forest trusts expand your attack surface and should be validated.

Active Directory Security in Hybrid Environments

Most organizations now operate hybrid environments with on-premises AD synchronized to Azure AD (now Entra ID) via Azure AD Connect. This expands the security considerations:

• Azure AD Connect server security: The sync server holds credentials for both on-premises AD and Azure AD. It is a Tier 0 asset that must be protected accordingly.
• Password Hash Synchronization (PHS): When enabled, password hashes are synchronized to the cloud. Ensure conditional access policies and MFA are configured in Azure AD to protect these accounts.
• Seamless SSO: Creates a computer account (AZUREADSSOACC) in AD whose Kerberos key can be used for Silver Ticket attacks. Rotate this key every 30 days.
• Hybrid identity attack paths: Compromising on-premises AD can lead to Azure AD compromise and vice versa. Your security assessment must cover both environments.

Active Directory Disaster Recovery

Active Directory disaster recovery is one of the most critical and most neglected aspects of AD security. When ransomware encrypts your domain controllers or an attacker corrupts the AD database, the ability to recover your identity infrastructure determines whether your organization is down for hours or weeks.

Common AD Disaster Scenarios

The most likely AD disaster scenarios include ransomware encryption of domain controllers (the most common, as ransomware operators specifically target DCs for maximum impact), accidental deletion of critical AD objects (OUs, groups, or GPOs), Active Directory database corruption from hardware failures or improper shutdowns, and a malicious insider or compromised admin account making destructive changes to the directory. Each scenario requires a different recovery approach, and your disaster recovery plan should address all of them.

AD Backup Best Practices

Standard server backups are not sufficient for Active Directory recovery. AD-specific backup considerations include maintaining at least two full system state backups of domain controllers from different replication partners. Store backups offline and disconnected from the network so ransomware cannot encrypt them. Test AD recovery in an isolated environment at least annually. Document the complete forest recovery procedure and ensure multiple team members are trained to execute it. Keep backup retention within the AD tombstone lifetime (default 180 days) to avoid USN rollback issues. Consider dedicated AD recovery tools like Semperis ADFR that automate the complex forest recovery process.

The most dangerous gap in AD disaster recovery is that most organizations have never tested a full forest recovery. The procedure is complex, error-prone, and requires steps that are counter-intuitive (like restoring the PDC emulator role holder first and performing authoritative restores on specific DCs). Without practice, the recovery will take significantly longer than planned and may fail entirely.

Active Directory Security Tools and Resources

Several free and commercial tools can help assess and improve your AD security posture:

Assessment Tools

• PingCastle: Free tool that generates a comprehensive AD security score with detailed findings and remediation guidance. Run it quarterly to track improvement.
• BloodHound: Open-source tool that maps AD relationships and identifies attack paths to Domain Admin. The Community Edition is free; the Enterprise Edition adds continuous monitoring.
• Purple Knight: Free AD security assessment tool from Semperis that checks for over 130 indicators of exposure and compromise aligned with the MITRE ATT&CK framework.
• Microsoft Secure Score: Built into Microsoft 365 and Azure, provides security recommendations for Azure AD (Entra ID) configuration.

Monitoring and Detection Tools

• Microsoft Defender for Identity: Cloud-based service that monitors AD traffic for attack indicators including Kerberoasting, Pass-the-Hash, DCSync, and reconnaissance. Integrates with Microsoft Sentinel for SIEM correlation.
• CrowdStrike Falcon Identity Protection: Real-time identity threat detection and prevention for AD and Azure AD environments.
• Semperis Directory Services Protector: Monitors AD for suspicious changes and provides automatic rollback of unauthorized modifications.

Recovery Tools

• Semperis Active Directory Forest Recovery (ADFR): Automates AD forest recovery after ransomware or destructive attacks, reducing recovery time from days to hours.
• Microsoft AD Forest Recovery guide: Free documentation from Microsoft for manual forest recovery procedures. Every AD administrator should be familiar with this process before an incident occurs.

Active Directory Security Roadmap

Implementing comprehensive AD security is a phased effort. Here is a practical roadmap organized by priority and effort level:

Phase 1: Quick Wins (Week 1-2)

• Run PingCastle or Purple Knight assessment to baseline your security score
• Audit and reduce Domain Admins group membership to the minimum necessary
• Enable Advanced Audit Policy Configuration for critical event categories
• Deploy LAPS for local administrator passwords on all domain-joined workstations
• Identify and inventory all service accounts with SPNs

Phase 2: Foundation Hardening (Month 1-2)

• Implement Fine-Grained Password Policies for privileged and service accounts
• Begin migrating service accounts to Group Managed Service Accounts (gMSAs)
• Enable Windows Credential Guard on all supported workstations via Group Policy
• Restrict domain controller logon rights to Tier 0 administrators only
• Configure GPO permissions to limit edit rights to appropriate administrators
• Deploy Microsoft Defender for Identity or equivalent monitoring

Phase 3: Tiered Administration (Month 2-4)

• Design and implement the tiered administration model with separate admin accounts per tier
• Deploy Privileged Access Workstations (PAWs) for Tier 0 administration
• Configure authentication policy silos and claims to enforce tier boundaries
• Implement just-in-time privileged access using PAM solutions
• Remove unnecessary domain trusts and tighten trust configurations

Phase 4: Advanced Protection (Month 4-6)

• Implement Red Forest (Enhanced Security Admin Environment) for highest-security environments
• Deploy deception technology (honeypots, honey credentials) to detect attacker reconnaissance
• Configure conditional access policies for hybrid Azure AD environments
• Implement automated AD change monitoring with alerting and rollback capabilities
• Conduct internal penetration testing focused on AD attack paths
• Develop and test AD disaster recovery procedures

Frequently Asked Questions