Active Directory Security: Harden Your Domain Before Attackers Do
Posted to Cybersecurity.
Active Directory is the backbone of identity management in nearly every mid-size and enterprise Windows environment. It controls who can log in, what resources they can access, which policies govern their workstations, and how authentication flows across your entire network. It is also, without question, the single most targeted component in modern cyberattacks.
When attackers breach a network, Active Directory is their primary objective. Gaining control of AD means gaining control of everything: every user account, every server, every workstation, every file share, every application that relies on domain authentication. A compromised Active Directory does not just represent a security incident. It represents a total loss of trust in your IT environment.
Over the past 23 years at Petronella Technology Group, we have responded to incidents where attackers moved from a single compromised workstation to full domain administrator access in under four hours. We have also seen organizations where basic AD hygiene would have stopped the attack cold at the first lateral movement attempt. The difference between those outcomes comes down to whether anyone took the time to harden the domain before attackers showed up.
Why Active Directory Is the Number One Target
Active Directory was designed in an era when the primary concern was making authentication and authorization work reliably across large networks. Security was a consideration, but usability and backward compatibility often took priority. Many of the default configurations that ship with Windows Server were designed to ensure things work out of the box, not to resist sophisticated attacks.
Attackers know this. They know that most organizations deploy Active Directory, configure it just enough to support their operations, and then leave it largely untouched for years. They know that default configurations leave numerous attack paths open. They know that service accounts accumulate excessive privileges over time as IT teams grant access to fix immediate problems without ever removing it afterward.
The result is that most Active Directory environments contain dozens or even hundreds of exploitable weaknesses that attackers can chain together to escalate from a low-privilege foothold to complete domain control.
Common Active Directory Attacks Every Administrator Must Understand
Defending Active Directory starts with understanding how attackers exploit it. These are not theoretical attack methods. They are the techniques we see used in real breaches, the same ones Craig Petronella has analyzed and documented as a certified expert witness in cybersecurity litigation. Understanding the attack gives you the context to understand why each defensive measure matters.
Kerberoasting
Kerberoasting exploits the way Kerberos authentication handles service tickets. Any authenticated domain user can request a service ticket for any service account that has a Service Principal Name (SPN) registered in Active Directory. The ticket is encrypted with the service account's password hash. The attacker captures this ticket and takes it offline to crack using GPU-accelerated brute force tools.
If the service account uses a weak or predictable password, the attacker recovers the plaintext password and now controls that service account. Since service accounts frequently have elevated privileges, including local administrator access on multiple servers, this one technique can escalate an attacker from a regular user to near-domain-admin access.
Pass-the-Hash
Windows caches password hashes in memory on any system where a user has authenticated. Pass-the-hash attacks extract these cached hashes, typically using tools like Mimikatz, and use them to authenticate to other systems without ever knowing the actual password. If an administrator logged into a workstation to troubleshoot an issue, their hash remains in memory on that machine. An attacker who compromises that workstation can harvest the hash and use it to authenticate as the administrator on other systems.
Golden Ticket Attacks
A golden ticket attack targets the KRBTGT account, the master key for all Kerberos authentication in the domain. If an attacker obtains the KRBTGT password hash, they can forge authentication tickets for any user in the domain, including accounts that do not exist, with any group membership they choose. A golden ticket provides persistent, virtually undetectable access to the entire domain that survives password resets for individual accounts. The only remediation is resetting the KRBTGT password twice, which requires careful planning to avoid disrupting authentication across the environment.
DCSync
DCSync attacks abuse the domain controller replication protocol. When an attacker holds an account with replication permissions, they can impersonate a domain controller and ask Active Directory to replicate the password hashes for any account, including the KRBTGT account. This is functionally equivalent to stealing the entire AD database without ever touching a domain controller's file system.
AS-REP Roasting
Similar to Kerberoasting, AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled. An attacker can request an authentication response for these accounts and crack it offline. While less common than Kerberoasting, this attack succeeds when legacy accounts are configured without pre-authentication for compatibility reasons.
Conducting an Active Directory Security Assessment
Before you can fix problems, you need to find them. An AD security assessment should be a structured evaluation of your domain's configuration, permissions, trust relationships, and operational practices.
Start by mapping your current state. How many domain admins exist? How many service accounts have elevated privileges? Are there stale accounts that have not logged in for 90 days or more? How many Group Policy Objects are configured, and when were they last reviewed? Are there trusts to other domains, and are those trusts necessary?
Tools like BloodHound, originally built for penetration testers, are invaluable for defenders. BloodHound maps relationships and attack paths within Active Directory, showing you exactly how an attacker could escalate privileges from any given starting point. Running BloodHound against your own environment and reviewing the results is one of the most eye-opening exercises any IT team can perform. You will almost certainly find attack paths you did not know existed.
Purple Knight from Semperis and PingCastle are other assessment tools worth running. They evaluate your AD configuration against known security best practices and produce scored reports with specific remediation recommendations.
Implementing the Tiered Administration Model
The tiered administration model, also called the Enhanced Security Admin Environment (ESAE), is Microsoft's recommended approach for protecting privileged access in Active Directory. The concept is straightforward: separate administrative privileges into tiers so that a compromise at one level cannot cascade to another.
Tier 0 is the crown jewels: domain controllers, the AD database itself, the KRBTGT account, and any system that can directly modify Active Directory. Only dedicated Tier 0 admin accounts should ever touch these systems. These accounts should never log into workstations or member servers.
Tier 1 covers member servers and enterprise applications: file servers, database servers, email servers, application servers. Tier 1 admin accounts manage these systems but never log into Tier 0 systems or end-user workstations.
Tier 2 covers workstations and end-user devices. Helpdesk staff and desktop support use Tier 2 accounts for their daily work. These accounts have no access to servers or domain controllers.
The critical rule is that higher-tier credentials never authenticate to lower-tier systems. A domain admin account never logs into a workstation, period. This single practice eliminates the most common privilege escalation path: harvesting cached admin credentials from compromised workstations.
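The way that rule is enforced in practice is through "Deny log on" user rights on every Tier 1 and Tier 2 system. The following is an added example, not code from the original post: it builds a security template that denies the Tier 0 groups every logon type and applies it to a reference host so the result can be verified before the same settings go into that tier's GPO. It assumes the ActiveDirectory module, an elevated session, and a constructed group name 'Tier0-Admins'.

```powershell
# Added example (not from the original post). Builds a security template that denies
# the Tier 0 groups every logon type, then applies it locally so you can verify it on a
# reference Tier 1 or Tier 2 host before putting the same settings into that tier's GPO.
# Assumes the ActiveDirectory module; run elevated. 'Tier0-Admins' is a constructed name.
Import-Module ActiveDirectory
$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known RIDs: 512 Domain Admins, 519 Enterprise Admins, 518 Schema Admins.
# The leading '*' tells secedit the entry is a SID rather than a name.
$tier0 = @(
    "*$domainSid-512",
    "*$domainSid-519",
    "*$domainSid-518",
    "*$((Get-ADGroup 'Tier0-Admins').SID.Value)"
) -join ','

# Interactive, RDP, network (SMB/WinRM), batch and service logons are all denied,
# so a cached Tier 0 credential is worthless on this host even if it is harvested.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $tier0
SeDenyRemoteInteractiveLogonRight = $tier0
SeDenyNetworkLogonRight = $tier0
SeDenyBatchLogonRight = $tier0
SeDenyServiceLogonRight = $tier0
"@

$inf = Join-Path $env:TEMP 'tier-deny.inf'
$db  = Join-Path $env:TEMP 'tier-deny.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the user-rights area, then export the effective policy to confirm it took.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet
secedit /export /cfg (Join-Path $env:TEMP 'effective.inf') /areas USER_RIGHTS /quiet
Select-String -Path (Join-Path $env:TEMP 'effective.inf') -Pattern '^SeDeny\w+LogonRight'
```

Never link these rights to the Domain Controllers OU, and run the test from a Tier 1 or Tier 2 account: once applied, Tier 0 accounts cannot log on to that host by any path.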
Group Policy Hardening
Group Policy is one of the most powerful tools in your Active Directory security arsenal, yet it remains underutilized in most environments. Proper GPO hardening can prevent entire categories of attacks.
Start with these critical policies:
- Disable LLMNR and NetBIOS Name Resolution: These legacy name resolution protocols are exploited by tools like Responder to capture authentication hashes on the local network. Disable them via GPO unless you have a documented business requirement.
- Enforce SMB signing: Without SMB signing, attackers can perform relay attacks where they intercept SMB authentication and forward it to another system. Enable SMB signing on all systems.
- Restrict NTLM authentication: NTLM is the legacy authentication protocol that enables pass-the-hash attacks. Wherever possible, restrict or audit NTLM usage and migrate to Kerberos-only authentication.
- Configure Windows Defender Credential Guard: Credential Guard uses virtualization-based security to isolate credential hashes in a protected container that standard tools like Mimikatz cannot access. Enable it on all Windows 10 and 11 workstations.
- Restrict PowerShell execution: Constrained Language Mode and script block logging limit what attackers can do with PowerShell while maintaining visibility into any PowerShell activity that does occur.
- Disable WDigest authentication: WDigest stores plaintext passwords in memory. It is disabled by default on modern Windows versions, but verify this setting across your environment.
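A GPO report tells you the policy was linked, not that the setting is in effect on the box. As an added example (not from the original post), the script below reads the registry values those policies write on a domain-joined host and reports each as PASS or FAIL; it assumes an elevated session and that the settings were deployed through the standard policy locations.

```powershell
# Added example (not from the original post): read the registry values that the policies
# listed above write, so you can confirm on a domain-joined host that the hardening
# really applied rather than trusting the GPO report. Run elevated. 'Expected' holds the
# values that count as compliant (for NTLM, 1 = audit and 2 = deny; for Credential
# Guard, 1 = on with UEFI lock and 2 = on without lock).
$checks = @(
    @{ Name='LLMNR disabled';                Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                   Value='EnableMulticast';            Expected=@(0) }
    @{ Name='SMB server signing required';   Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';         Value='RequireSecuritySignature';   Expected=@(1) }
    @{ Name='SMB client signing required';   Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';    Value='RequireSecuritySignature';   Expected=@(1) }
    @{ Name='Outbound NTLM restricted';      Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                     Value='RestrictSendingNTLMTraffic'; Expected=@(1,2) }
    @{ Name='Credential Guard enabled';      Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard';                   Value='LsaCfgFlags';                Expected=@(1,2) }
    @{ Name='Script block logging on';       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Value='EnableScriptBlockLogging';   Expected=@(1) }
    @{ Name='WDigest plaintext caching off'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';       Value='UseLogonCredential';         Expected=@(0); MissingOk=$true }
)

function Test-HardeningSetting {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing value means the policy never landed, except where the secure state
        # is the OS default (WDigest on current builds, as the list above notes).
        $state = if ($Check.MissingOk) { 'PASS (default)' } else { 'FAIL (not set)' }
        return [pscustomobject]@{ Setting=$Check.Name; Actual='<missing>'; Result=$state }
    }
    $actual = $item.($Check.Value)
    [pscustomobject]@{ Setting=$Check.Name; Actual=$actual; Result=$(if ($Check.Expected -contains $actual) {'PASS'} else {'FAIL'}) }
}

$results = @(foreach ($c in $checks) { Test-HardeningSetting -Check $c })

# NetBIOS over TCP/IP is set per interface (NetbiosOptions 2 = disabled), so walk
# every interface key instead of reading a single value.
foreach ($iface in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces') {
    $opt = (Get-ItemProperty $iface.PSPath).NetbiosOptions
    $results += [pscustomobject]@{ Setting="NetBIOS disabled on $($iface.PSChildName)"; Actual=$opt
                                   Result=$(if ($opt -eq 2) {'PASS'} else {'FAIL'}) }
}

# Constrained Language Mode is not a registry value; read the mode of this session.
$mode = $ExecutionContext.SessionState.LanguageMode
$results += [pscustomobject]@{ Setting='PowerShell Constrained Language Mode'; Actual=$mode
                               Result=$(if ($mode -eq 'ConstrainedLanguage') {'PASS'} else {'FAIL'}) }

$results | Format-Table -AutoSize
```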
Implementing LAPS for Local Administrator Passwords
The Local Administrator Password Solution (LAPS) addresses one of the most persistent problems in Windows environments: shared local administrator passwords. In many organizations, every workstation uses the same local admin password, often one that was set during the imaging process and never changed. If an attacker recovers that password from one machine, they have local admin access to every machine in the environment.
LAPS automatically generates unique, random local administrator passwords for each computer in the domain and stores them securely in Active Directory. Passwords are rotated on a configurable schedule, and access to view them is controlled through AD permissions. The newer Windows LAPS, built into Windows 11 and Windows Server 2025, adds support for password encryption and cloud backup through Azure AD.
Deploying LAPS is one of the highest-value, lowest-effort security improvements you can make. It eliminates lateral movement through shared local admin credentials, which is one of the most common techniques we see in real-world attacks.
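As an added example (not code from the original post), here is a Windows LAPS rollout for one OU of workstations that delivers the properties described above: per-machine random passwords, scheduled rotation, encrypted storage in AD, and read access gated by AD permissions. It assumes the LAPS, ActiveDirectory and GroupPolicy modules; the OU, group, GPO and host names are constructed.

```powershell
# Added example (not from the original post): deploy Windows LAPS to an OU of workstations.
# Assumes the LAPS, ActiveDirectory and GroupPolicy modules. OU, group, GPO and host
# names below are constructed; substitute your own.
Import-Module LAPS, GroupPolicy

$ou       = 'OU=Workstations,DC=corp,DC=example'   # constructed
$helpdesk = 'CORP\Tier2-Helpdesk'                  # constructed
$gpoName  = 'Windows LAPS - Workstations'          # constructed

# 1. Extend the schema once per forest (adds the msLAPS-* attributes). Needs Schema Admins.
Update-LapsADSchema -Confirm:$false

# 2. Each computer may write its own password attributes, and nothing else in the OU.
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Only the Tier 2 support group can read or force-reset workstation passwords.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $helpdesk
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $helpdesk

# 4. Policy. These are the registry values behind the Windows LAPS GPO settings.
New-GPO -Name $gpoName | New-GPLink -Target $ou | Out-Null
$key = 'HKLM\SOFTWARE\Microsoft\Policies\LAPS'
$policy = @{
    BackupDirectory              = 2    # 2 = store the password in Active Directory
    PasswordAgeDays              = 30   # rotation schedule
    PasswordLength               = 20
    ADPasswordEncryptionEnabled  = 1    # needs Windows Server 2016 domain functional level
    PostAuthenticationResetDelay = 8    # hours after a helpdesk logon before the password rotates
    PostAuthenticationActions    = 3    # 3 = reset the password and log off the managed account
}
foreach ($name in $policy.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name -Type DWord -Value $policy[$name] | Out-Null
}
# With encryption on, only the encryption principal can decrypt what it reads, so
# point it at the same group that was granted read access in step 3.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ADPasswordEncryptionPrincipal' -Type String -Value $helpdesk | Out-Null

# 5. Verify from a helpdesk session once clients have refreshed policy: the password is
#    returned decrypted only for the principal configured above.
Get-LapsADPassword -Identity 'WS-0001' -AsPlainText   # constructed hostname
```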
Monitoring Active Directory for Signs of Compromise
Hardening reduces your attack surface, but monitoring tells you when someone is testing what remains. Effective AD monitoring requires collecting the right logs and knowing what to look for.
Enable advanced audit policies rather than relying on the basic audit configuration. At minimum, audit these event categories:
- Event ID 4769 (Kerberos Service Ticket Operations): Watch for high volumes of service ticket requests from a single account, which may indicate Kerberoasting.
- Event ID 4768 with failure code 0x12: Indicates AS-REP Roasting attempts against accounts with pre-authentication disabled.
- Event ID 4672 (Special Privileges Assigned): Triggers when an account with admin privileges logs on. Unexpected occurrences warrant investigation.
- Event ID 4724/4738 (Password Resets and Account Changes): Watch for mass password resets or modifications to privileged accounts outside change windows.
- Event ID 4662 (Directory Service Access): Configure this to detect DCSync attacks by monitoring for replication-related access to the domain naming context.
Forward these events to a SIEM or log management platform where they can be correlated and alerted on. The logs are useless if nobody is watching them.
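Two of the detections above, Kerberoasting (a burst of 4769 service ticket requests from one account, especially RC4) and DCSync (4662 access exercising the replication control rights), as an added example that is not part of the original post. It runs over constructed sample events so it works offline; the replication right GUIDs are the standard DS-Replication-Get-Changes values, and the allow-list account name is a constructed placeholder.

```powershell
# Added example (not from the original post): Kerberoasting and DCSync detection logic over
# constructed sample events. Feed it real events by mapping Get-WinEvent output to the same
# five fields (Id, Time, Account, Service, EType, Properties).
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)

function Find-Kerberoasting {
    param([object[]]$Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    $Events | Where-Object Id -eq 4769 | Group-Object Account | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        # Many tickets in a short window is the signal; RC4 (etype 0x17) tickets are the
        # ones an attacker asks for because they crack fastest offline.
        if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{ Account=$_.Name; Tickets=$_.Count; Minutes=[math]::Round($span,1)
                               RC4=@($sorted | Where-Object EType -eq '0x17').Count
                               Services=($sorted.Service | Select-Object -Unique) -join ',' }
        }
    }
}

function Find-DCSync {
    param([object[]]$Events, [string[]]$AllowList = @())
    $pattern = $replGuids -join '|'
    # DCs replicate with each other constantly, so ignore computer accounts; anything else
    # using these rights (other than a known sync/backup account) is a DCSync candidate.
    $Events | Where-Object { $_.Id -eq 4662 -and $_.Properties -match $pattern -and
                             $_.Account -notlike '*$' -and $_.Account -notin $AllowList } |
        Select-Object Time, Account, Properties
}

# Constructed sample: one user pulls 30 RC4 service tickets in two minutes, another user
# behaves normally, a DC replicates legitimately, then a user account asks for the same right.
$t = Get-Date
$sample = @(
    foreach ($i in 1..30) { [pscustomobject]@{ Id=4769; Time=$t.AddSeconds(4*$i); Account='jdoe';   Service="MSSQLSvc/db$i"; EType='0x17'; Properties='' } }
    foreach ($i in 1..3)  { [pscustomobject]@{ Id=4769; Time=$t.AddHours($i);     Account='asmith'; Service='cifs/fs01';     EType='0x12'; Properties='' } }
    [pscustomobject]@{ Id=4662; Time=$t; Account='DC01$'; Service=''; EType=''; Properties='{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id=4662; Time=$t; Account='jdoe';  Service=''; EType=''; Properties='{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
)

Find-Kerberoasting -Events $sample | Format-Table -AutoSize
Find-DCSync -Events $sample -AllowList 'svc-aadconnect' | Format-Table -AutoSize   # constructed sync account
```

Only the first user is flagged by each function; the DC's own replication and the allow-listed sync account are not.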
Credential Hygiene Practices
Beyond technical controls, operational practices around credential management make a substantial difference. Enforce these standards across your organization:
Service accounts should use managed service accounts (gMSAs) wherever the application supports them. Group Managed Service Accounts use automatically rotated, cryptographically complex passwords managed by Active Directory itself, eliminating the risk of Kerberoasting against those accounts entirely.
For service accounts that cannot use gMSAs, enforce minimum 25-character randomly generated passwords and rotate them on a defined schedule. Document every service account, its purpose, its owner, and the systems it accesses. Review this inventory quarterly.
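The service account inventory this section asks for is also the list of Kerberoasting targets from the attacks section, so one audit serves both. As an added example (not code from the original post), the script below lists every user object carrying an SPN, flags RC4-only encryption, stale passwords and privileged group membership, lists accounts with pre-authentication disabled, and shows the gMSA replacement. It assumes the ActiveDirectory module; the rotation interval, group, host and SPN names are constructed.

```powershell
# Added example (not from the original post): audit SPN-bearing accounts for Kerberoasting
# exposure and show the gMSA replacement. Assumes the ActiveDirectory module. gMSAs are a
# separate object class, so the user filter already excludes them; krbtgt is skipped.
Import-Module ActiveDirectory
$maxAgeDays = 90   # constructed rotation schedule for accounts that cannot be gMSAs

# Recursive membership of the groups that turn a cracked service account into a domain takeover.
$privGroups  = 'Domain Admins','Enterprise Admins','Administrators','Account Operators','Backup Operators'
$privMembers = foreach ($g in $privGroups) { (Get-ADGroupMember $g -Recursive).SamAccountName }

Get-ADUser -Filter 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
  ForEach-Object {
    $age   = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { 9999 }
    $etype = [int]$_.'msDS-SupportedEncryptionTypes'
    $flags = @()
    # Bits 0x8/0x10 are AES128/AES256; with neither set the KDC issues RC4 tickets, which crack fastest.
    if (($etype -band 0x18) -eq 0)                                  { $flags += 'RC4' }
    if ($age -gt $maxAgeDays)                                       { $flags += "PasswordAge=$age" }
    if ($_.AdminCount -eq 1 -or $_.SamAccountName -in $privMembers) { $flags += 'Privileged' }
    [pscustomobject]@{ Account=$_.SamAccountName; Enabled=$_.Enabled; SPNs=@($_.ServicePrincipalName).Count
                       Findings=($flags -join ',') }
  } | Sort-Object Findings -Descending | Format-Table -AutoSize

# Accounts with Kerberos pre-authentication disabled are the AS-REP Roasting targets;
# remove the exception unless a documented compatibility need remains.
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' | Select-Object SamAccountName, Enabled

# Replacement for an account that can be a gMSA: AD rotates a long random password on its
# own, and only the listed hosts can retrieve it. Add-KdsRootKey is a one-time forest step.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }
New-ADServiceAccount -Name 'gmsa-web' -DNSHostName 'gmsa-web.corp.example' `
    -ServicePrincipalNames 'HTTP/web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$','WEB02$' `
    -KerberosEncryptionType 'AES128,AES256'
# On each listed host (run locally): Install-ADServiceAccount gmsa-web ; Test-ADServiceAccount gmsa-web
```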
Eliminate standing privileges wherever possible. Just-in-time (JIT) access solutions allow administrators to request elevated access for a defined period, after which the access is automatically revoked. This reduces the window during which compromised admin credentials are useful to an attacker.
Require multi-factor authentication for all privileged access. At the domain level, implement smart card or FIDO2 authentication for Tier 0 and Tier 1 accounts. This makes stolen password hashes useless because the attacker also needs the physical authentication token.
Building a Defensible Active Directory
Active Directory security is not a one-time project. It is an ongoing discipline that requires regular assessment, continuous monitoring, and a commitment to maintaining the hardened configuration even when it creates friction. Every time a team member creates a shortcut, grants excessive permissions to solve an immediate problem, or skips a review cycle, the attack surface grows.
The organizations that defend their AD environments most effectively are the ones that treat Active Directory as critical infrastructure deserving the same attention as firewalls, endpoint protection, and compliance frameworks. They assess regularly, remediate deliberately, and monitor continuously.
At Petronella Technology Group, we have spent over two decades helping Raleigh-area businesses and organizations nationwide secure their Active Directory environments. Our approach starts with a comprehensive assessment using the same tools and techniques that attackers use, then moves into structured hardening aligned with your operational requirements, and continues with ongoing monitoring through our managed IT services.
If your Active Directory has not been assessed recently, or if you suspect it still runs with many of its default configurations intact, contact our team to schedule an AD security assessment. The attackers already know what to look for in your domain. The question is whether you will find those weaknesses first.