Active Directory Security Hardening Guide for Enterprise Environments
Active Directory is present in approximately 90% of enterprise environments and is the target of virtually every major intrusion. Ransomware operators, nation-state actors, and criminal groups all converge on the same goal once inside a network: compromise AD, obtain Domain Admin privileges, and then leverage that to reach every system in the environment.
The good news is that the attack paths to Domain Admin are well-documented and largely consistent across environments. BloodHound's analysis of thousands of enterprise AD deployments reveals that most environments have multiple paths to Domain Admin from a standard user account — paths that exist because of accumulated misconfigurations, not because AD itself is insecure. This guide covers the hardening controls that close the most commonly exploited paths.
Privileged Access Tier Model: The Foundation
Microsoft's Privileged Access Model (formerly the AD Tier Model) organizes assets into three tiers based on the administrative scope they control, and enforces that credentials used to manage one tier never touch systems in a lower tier. The logic: if a Domain Admin's credentials are only ever used to log into domain controllers, compromising a workstation cannot expose Domain Admin credentials.
Tier 0 (control plane): Domain Controllers, certificate authority servers, Azure AD Connect servers, ADFS servers, and any system that can control AD itself. Tier 0 credentials must never log into Tier 1 or Tier 2 systems.
Tier 1 (management plane): Servers hosting business applications, file shares, and databases. Tier 1 credentials must never log into Tier 2 systems.
Tier 2 (user plane): Workstations and end-user devices.
Implementation requires Privileged Access Workstations (PAWs) for Tier 0 and Tier 1 administration — dedicated hardened systems used only for administrative tasks, never for email, web browsing, or general use. This eliminates credential theft via phishing or drive-by compromise of admin workstations. Enforce the tier separation via Authentication Policies and Silos in Windows Server 2012 R2+ or via Kerberos armoring and Protected Users security group membership.
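The Authentication Policy and Silo enforcement mentioned above, as an added example (not code from the original article or from Microsoft): it creates a Tier 0 silo whose members can obtain a TGT only from other silo members. The silo and policy names, the DC/PAW hostnames and the admin account names are assumptions. Silos require the Windows Server 2012 R2 domain functional level and Kerberos armoring (FAST) enabled by GPO on DCs and clients.

```powershell
# Added example, not code from the original article: build a Tier 0
# authentication policy silo so Tier 0 accounts can obtain a TGT only from
# Tier 0 hosts. Assumed names: Tier0Silo, Tier0Policy, the DC/PAW hostnames
# and the admin account names.
Import-Module ActiveDirectory

$siloName   = 'Tier0Silo'
$policyName = 'Tier0Policy'

# Claims-based SDDL: a user under this policy may authenticate only from a
# device whose AuthenticationSilo claim equals the silo name.
$fromTier0Only = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0Silo"))'

# Created WITHOUT -Enforce: audit mode logs would-be denials on the DCs so
# that a forgotten jump host or PAW surfaces before anyone is locked out.
New-ADAuthenticationPolicy -Name $policyName `
    -UserAllowedToAuthenticateFrom $fromTier0Only `
    -UserTGTLifetimeMins 240 `
    -Description 'Tier 0 admins may authenticate only from Tier 0 silo members'

New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy     $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy  $policyName `
    -Description 'Tier 0: domain controllers, PAWs and Tier 0 admin accounts'

# Silo members (assumed names). DCs and the Tier 0 PAWs go in as computers;
# the dedicated Tier 0 admin accounts go in as users.
$tier0Computers = @('DC01', 'DC02', 'PAW-T0-01')
$tier0Users     = @('adm-t0-alice', 'adm-t0-bob')

foreach ($name in $tier0Computers) {
    $obj = Get-ADComputer -Identity $name
    # Two steps: the silo must first permit the object, then the object is assigned.
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $obj
    Set-ADComputer -Identity $obj -AuthenticationPolicySilo $siloName
}
foreach ($name in $tier0Users) {
    $obj = Get-ADUser -Identity $name
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $obj
    Set-ADUser -Identity $obj -AuthenticationPolicySilo $siloName
}

# Verify what ended up in the silo.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object -ExpandProperty Members

# After the audit period shows no legitimate logons being blocked, enforce
# both the policy and the silo.
# Set-ADAuthenticationPolicy     -Identity $policyName -Enforce $true
# Set-ADAuthenticationPolicySilo -Identity $siloName   -Enforce $true
```

Leave the silo in audit mode for at least one full admin cycle (patch windows, backups, certificate renewals) before enforcing; the usual surprise is a Tier 0 account that a scheduled task or monitoring agent uses from a Tier 1 server. Protected Users membership for the same accounts is a separate, complementary control.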
Kerberoasting and AS-REP Roasting Defense
Kerberoasting is one of the most commonly used post-exploitation techniques in enterprise intrusions. Any domain-authenticated user can request a Kerberos service ticket for any service principal name (SPN) registered in AD, and that ticket is encrypted with the service account's password hash — making it crackable offline without any special privileges or triggering lockouts.
Kerberoasting defense: (1) Audit all service accounts with SPNs — query with `Get-ADUser -Filter {ServicePrincipalName -ne $null}` — and identify those using weak or non-rotated passwords. (2) Ensure all service account passwords are at least 25 characters long and randomly generated (Group Managed Service Accounts achieve this automatically). (3) Use AES-only encryption for service accounts by enabling 'This account supports Kerberos AES 256 bit encryption' and disabling RC4 — RC4-encrypted tickets crack significantly faster. (4) Enable Kerberoasting detection in your SIEM — queries for TGS tickets across many SPNs in a short window are a strong signal.
AS-REP Roasting targets accounts with 'Do not require Kerberos preauthentication' enabled — these accounts' hashes can be requested without any credentials at all. Audit for this setting and remove it from all accounts that do not have a documented operational requirement for it.
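The audit and remediation steps in the two paragraphs above, as an added example (not code from the original article): it ranks SPN-bearing accounts by exposure, applies the AES-only and gMSA remediations, and lists AS-REP-roastable accounts. The 365-day rotation threshold, the account and group names, and the SPN/DNS names in the gMSA step are assumptions; the encryption-type bit values and the userAccountControl flag value are Microsoft-documented constants.

```powershell
# Added example, not code from the original article: audit the accounts that
# Kerberoasting and AS-REP roasting target, then apply the remediations
# described above. Assumed: the rotation threshold and all account/SPN names.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 365

# msDS-SupportedEncryptionTypes bit flags (Microsoft-documented values).
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

# (1) Every user object with an SPN can be roasted by any domain user; rank them.
$spnAccounts = Get-ADUser -Filter { ServicePrincipalName -like '*' } `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount, 'msDS-SupportedEncryptionTypes'

$report = foreach ($acct in $spnAccounts) {
    $enc = [int]$acct.'msDS-SupportedEncryptionTypes'
    # Unset (0) means the KDC falls back to RC4 for this account's service tickets.
    $rc4Possible = ($enc -eq 0) -or (($enc -band $RC4) -ne 0)
    $ageDays = if ($acct.PasswordLastSet) { [int]((Get-Date) - $acct.PasswordLastSet).TotalDays } else { $null }

    [PSCustomObject]@{
        SamAccountName  = $acct.SamAccountName
        Enabled         = $acct.Enabled
        Privileged      = ($acct.AdminCount -eq 1)   # protected by AdminSDHolder, i.e. high value
        PasswordAgeDays = $ageDays
        RC4Possible     = $rc4Possible
        SPNs            = ($acct.ServicePrincipalName -join '; ')
        # Crude priority: privileged > RC4-crackable > stale password.
        Priority        = ([int]($acct.AdminCount -eq 1) * 4) + ([int]$rc4Possible * 2) +
                          [int]($ageDays -gt $maxPasswordAgeDays)
    }
}
$report | Sort-Object Priority -Descending | Format-Table -AutoSize

# (3) AES-only for a service account (same effect as ticking the AES boxes and
# leaving RC4 unticked). Rotate the password afterwards if it predates AES
# support in the domain, so the KDC actually holds AES keys for the account.
Set-ADUser -Identity 'svc-sql-reporting' -KerberosEncryptionType 'AES128,AES256'

# (2) Better: move the service to a gMSA. The KDS-managed password is 240 bytes
# and rotates every 30 days by default, which removes the offline-cracking risk.
# Add-KdsRootKey is a one-time forest step that needs ~10 hours to replicate;
# the back-dated EffectiveTime trick is for labs only.
# Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
New-ADServiceAccount -Name 'gmsa-sql-rpt' `
    -DNSHostName 'gmsa-sql-rpt.corp.example' `
    -ServicePrincipalNames 'MSSQLSvc/sql01.corp.example:1433' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Servers' `
    -KerberosEncryptionType 'AES128,AES256'

# AS-REP roasting: UF_DONT_REQUIRE_PREAUTH (0x400000 = 4194304) in userAccountControl.
$noPreAuth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
    -Properties DoesNotRequirePreAuth
$noPreAuth | Select-Object SamAccountName, Enabled, DistinguishedName

# Clear the flag on each account without a documented requirement (assumed name).
Set-ADAccountControl -Identity 'legacy-app-user' -DoesNotRequirePreAuth $false
```

Run the report section first and fix the Privileged + RC4Possible rows before anything else: a Domain Admin-level account with an SPN and an RC4 ticket is the single worst finding this audit can produce. When you move a service to a gMSA, remember to delete the SPN from the old user account, or the old account stays roastable.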
Lateral Movement Prevention: Credential Hygiene
Pass-the-Hash, Pass-the-Ticket, and Overpass-the-Hash attacks allow attackers to authenticate as other users by capturing credential material from memory without knowing the plaintext password. Credential hygiene controls make this harder and limit the blast radius when credential theft occurs.
LSASS protection: Enable Credential Guard on all supported Windows 10/11 and Windows Server 2016+ systems — it virtualizes the LSASS process and prevents credential extraction tools like Mimikatz from reading NTLM hashes and Kerberos tickets from memory. Enable Protected Users security group membership for all privileged accounts — members cannot be delegated, cannot use NTLM authentication, cannot use DES or RC4, and credentials are not cached on non-DCs. Configure LSA protection (`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1`) on systems where Credential Guard is not supported.
Local Administrator Password Solution (LAPS): Every workstation in most enterprise environments has the same local administrator password — compromise one, and you have local admin on all of them. LAPS (or Windows LAPS, now built into Windows and Azure AD) generates unique random passwords for the local Administrator account on each machine, stored in AD and retrievable by authorized administrators. Deploying LAPS eliminates the single most commonly exploited lateral movement vector in enterprise environments.
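A Windows LAPS deployment and permission audit for on-premises AD, as an added example (not code from the original article or from Microsoft): the OU path, the CORP\Tier2-Helpdesk group and the WS-0421 hostname are assumptions, and the block assumes the built-in LAPS PowerShell module (Windows Server 2019/2022 with the April 2023 update or later). Password length, age and the backup target are set by GPO under Administrative Templates > System > LAPS, not by these cmdlets.

```powershell
# Added example, not code from the original article: Windows LAPS set-up for
# one workstation OU, followed by the permission audit that matters most.
# Assumed: the OU path, the helpdesk group name and the hostname.
Import-Module LAPS

$workstationOU = 'OU=Workstations,DC=corp,DC=example'

# One-time, Schema Admins: add the Windows LAPS attributes to the forest schema.
# Update-LapsADSchema -Verbose

# Let each computer in the OU write its own password attributes; without this
# the client rotates locally but cannot store the new password in AD.
Set-LapsADComputerSelfPermission -Identity $workstationOU

# Read and reset rights go to a narrow support group, never to Domain Users.
Set-LapsADReadPasswordPermission  -Identity $workstationOU -AllowedPrincipals 'CORP\Tier2-Helpdesk'
Set-LapsADResetPasswordPermission -Identity $workstationOU -AllowedPrincipals 'CORP\Tier2-Helpdesk'

# Audit: who holds the extended right that allows reading the password on this
# OU? Broad principals here turn LAPS into a password dump for any domain user.
Find-LapsADExtendedRights -Identity $workstationOU |
    Select-Object ObjectDN, ExtendedRightHolders

# Incident use: retrieve one machine's current local admin password ...
$entry = Get-LapsADPassword -Identity 'WS-0421' -AsPlainText
$entry | Select-Object ComputerName, Account, Password, ExpirationTimestamp

# ... and rotate it on the host right after use so the exposed value is short-lived.
Invoke-Command -ComputerName 'WS-0421' -ScriptBlock { Reset-LapsPassword }
```

Re-run the Find-LapsADExtendedRights check on every OU after any delegation change; the common failure mode is a helpdesk OU delegation that inadvertently grants "all extended rights", which includes the LAPS password read.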
BloodHound: Finding and Closing Attack Paths
BloodHound is the most practical tool for identifying AD attack paths before attackers do. It ingests data collected by SharpHound (or AzureHound for Azure AD) and visualizes the graph of trust relationships, group memberships, and delegation settings that create paths from standard user accounts to Domain Admin.
Run BloodHound in your environment and examine the 'Shortest Paths to Domain Admin' query. Most environments will show multiple paths. Common path components: GenericAll or GenericWrite rights on user or computer objects (allowing password resets or shadow credentials attacks), WriteDACL permissions (allowing privilege escalation by modifying ACLs), Kerberos delegation settings (unconstrained delegation on computers other than DCs allows privilege escalation), and nested group memberships that grant unintended access.
Prioritize remediation starting with the shortest and most accessible paths. Each graph edge in a BloodHound attack path represents an AD misconfiguration or design decision that can be remediated — excessive ACL rights removed, group memberships cleaned up, delegation settings restricted. Focus on paths that start from 'Everyone' or 'Domain Users' — these are exploitable by any authenticated user, not just users who have already compromised a privileged account.
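A scripted check for two of the path components named above, unconstrained delegation and dangerous ACEs held by broad principals, as an added example (not code from the original article or from the BloodHound project). It is a narrow sanity check, not a replacement for the graph analysis; the Tier0 OU name is an assumption, and the domain DN is read from the environment.

```powershell
# Added example, not code from the original article: find unconstrained
# delegation on non-DCs and control rights granted to everyone-ish principals
# on high-value objects. Assumed: the Tier0 OU name.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Unconstrained delegation on anything that is not a domain controller
#    (DCs carry the flag by design; primaryGroupID 516 = Domain Controllers).
Get-ADComputer -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516 } `
    -Properties TrustedForDelegation, PrimaryGroupID, OperatingSystem |
    Select-Object Name, OperatingSystem, DistinguishedName

# User accounts with the same flag (UF_TRUSTED_FOR_DELEGATION = 0x80000 = 524288).
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
    Select-Object SamAccountName, DistinguishedName

# Remediation for a non-DC host: clear the flag, and move the service to
# constrained or resource-based delegation if it genuinely needs to delegate.
# Set-ADComputer -Identity 'APP01' -TrustedForDelegation $false

# 2. ACEs granting control rights to broad principals on high-value objects.
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers')
$dangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'
$targets = @(
    $domainDN,
    "CN=AdminSDHolder,CN=System,$domainDN",
    "OU=Tier0,$domainDN"   # assumed OU
)

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $who     = $ace.IdentityReference.Value
        $isBroad = $broadPrincipals | Where-Object { $who -like "*$_" }
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and
            ($ace.ActiveDirectoryRights.ToString() -match $dangerousRights)) {
            [PSCustomObject]@{
                Object     = $dn
                Principal  = $who
                Rights     = $ace.ActiveDirectoryRights
                Inherited  = $ace.IsInherited
                # For WriteProperty/ExtendedRight this GUID says WHICH attribute or
                # right is granted; an all-zero GUID means all of them.
                ObjectType = $ace.ObjectType
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

GenericAll, WriteDacl and WriteOwner hits for a broad principal are always wrong. WriteProperty and ExtendedRight hits need triage by ObjectType, since some attribute-scoped grants are by design; what you are looking for is the all-zero GUID (every attribute/right) or a GUID that maps to a password-related or replication right.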
Domain Controller Hardening and Monitoring
Domain Controllers are Tier 0 assets and should be treated accordingly. Any compromise of a DC is equivalent to a full AD compromise.
DC hardening controls: (1) Restrict who can log into DCs — Domain Admins and DC operators only, via Authentication Policies. (2) Enable Windows Defender Credential Guard on all DCs. (3) Remove all software and roles from DCs that are not required for directory operations — no web servers, no file shares, no antivirus management consoles on domain controllers. (4) Patch DCs on the same cycle as internet-facing systems — DC vulnerabilities like ZeroLogon (CVE-2020-1472) and PrintNightmare (CVE-2021-34527) are exploited within days of publication. (5) Enforce a GPO that prevents DCs from initiating outbound connections to non-whitelisted hosts — if a DC starts talking to an internet IP, something is wrong.
Monitoring: Enable and forward all DC security event logs. Critical events: 4768 (Kerberos TGT requests — baseline and alert on anomalous service account ticket requests), 4769 (TGS requests — Kerberoasting detection), 4624/4625 (logon success and failure), 4720 (user account created), 4728/4732 (members added to privileged groups), 4776 (NTLM authentication — should be rare if Kerberos is enforced), and 7045 (service installed — common malware persistence mechanism).
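The 4769-based Kerberoasting heuristic mentioned above (one account requesting service tickets for many distinct SPNs in a short window, usually with RC4, encryption type 0x17), as an added example that is not code from the original article. The window, threshold and the sample events are constructed; the property names mirror the 4769 EventData fields.

```powershell
# Added example, not code from the original article: Kerberoasting burst
# detection over event 4769. Window, threshold and sample events are assumed.
$windowMinutes = 5
$spnThreshold  = 10

# Constructed sample: 'jdoe' requests 11 different user-account services in 40 s
# (RC4), while 'asmith' makes one normal AES request to a file server's account.
$base = Get-Date '2025-01-15T09:00:00'
$events = @(
    foreach ($i in 0..10) {
        [PSCustomObject]@{ TimeCreated = $base.AddSeconds($i * 4); TargetUserName = 'jdoe@CORP.EXAMPLE'
                           ServiceName = "svc-app$i"; TicketEncryptionType = '0x17'
                           IpAddress = '::ffff:10.1.2.3'; Status = '0x0' }
    }
    [PSCustomObject]@{ TimeCreated = $base.AddSeconds(60); TargetUserName = 'asmith@CORP.EXAMPLE'
                       ServiceName = 'FS01$'; TicketEncryptionType = '0x12'
                       IpAddress = '::ffff:10.1.5.9'; Status = '0x0' }
)

function Find-KerberoastBurst {
    param([object[]]$TgsEvents, [int]$WindowMinutes, [int]$SpnThreshold)
    # Only successful requests for user-account services: computer accounts
    # (name ends in $) and krbtgt are not what an attacker cracks offline.
    $candidates = $TgsEvents | Where-Object {
        $_.Status -eq '0x0' -and $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt'
    }
    foreach ($group in ($candidates | Group-Object TargetUserName)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: from each request, count distinct services within N minutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            $distinct = @($inWindow.ServiceName | Select-Object -Unique)
            if ($distinct.Count -ge $SpnThreshold) {
                [PSCustomObject]@{
                    Account      = $group.Name
                    SourceIp     = $sorted[$i].IpAddress
                    WindowStart  = $start
                    DistinctSPNs = $distinct.Count
                    RC4Requests  = @($inWindow | Where-Object { $_.TicketEncryptionType -eq '0x17' }).Count
                }
                break   # one alert per account per burst is enough
            }
        }
    }
}

Find-KerberoastBurst -TgsEvents $events -WindowMinutes $windowMinutes -SpnThreshold $spnThreshold |
    Format-Table -AutoSize

# Against a live DC or a forwarded-events collector, flatten the XML EventData
# into the same shape first:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{ TimeCreated = $_.TimeCreated }
#         $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [PSCustomObject]$d
#     }
```

On the constructed sample this produces one alert for jdoe (11 distinct services, 11 RC4 requests) and nothing for asmith. Tune the threshold against your baseline; vulnerability scanners and monitoring agents that enumerate SPNs are the usual benign sources. A second, cheaper rule worth adding to the same pipeline is any 0x17 ticket for an account whose msDS-SupportedEncryptionTypes allows AES, which indicates a deliberate downgrade request.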
The bottom line
Active Directory hardening is not a one-time project — it is an ongoing program of privilege hygiene, attack path remediation, and monitoring tuning. The highest-ROI starting points are LAPS deployment (eliminates lateral movement via shared local admin passwords), Credential Guard enablement (blocks in-memory credential theft), and BloodHound-guided attack path remediation (closes the specific paths attackers will use in your specific environment). Every hour spent on AD hardening reduces the effectiveness of the most common enterprise attack techniques.
Frequently asked questions
What is the most commonly exploited AD misconfiguration?
Shared local administrator passwords (no LAPS) is the single most commonly exploited misconfiguration — it enables horizontal movement across all workstations once one is compromised. After that: Kerberoastable service accounts with weak passwords, accounts with excessive ACL rights visible in BloodHound, unconstrained Kerberos delegation on computers other than domain controllers, and domain admin accounts used for day-to-day workstation logon.
Is BloodHound safe to run in production?
Yes, with appropriate caveats. The SharpHound data collector performs LDAP queries that generate events in your DC security logs — notify your SOC before running it so the anomalous LDAP activity does not trigger an incident response. The data collection is read-only and does not modify any AD objects. Run collection during off-hours and use the 'Default' collection method to minimize traffic. The BloodHound analysis runs entirely locally against the collected data.
What is DCSync and how do I detect it?
DCSync is an attack technique that abuses the AD Directory Replication Service protocol to request that a domain controller replicate (i.e., hand over) password hashes for any account in the domain — including krbtgt, which enables Golden Ticket forgery. Any account with DS-Replication-Get-Changes-All permissions can perform DCSync. Detection: Windows Security Event 4662 (object operation performed) with the specific GUID for DS-Replication-Get-Changes-All from a non-DC source is a reliable DCSync indicator. Microsoft Defender for Identity includes DCSync detection out of the box.
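The 4662-based DCSync indicator described above, as an added example that is not code from the original article. The three control access right GUIDs are Microsoft's documented values; the DC names, the MSOL_ allowlist pattern (Azure AD Connect's sync account performs this replication legitimately) and the sample events are constructed assumptions. Note that 4662 is only written if Audit Directory Service Access is enabled and the domain root carries a SACL auditing these extended rights.

```powershell
# Added example, not code from the original article: flag 4662 events that
# exercise a replication control access right from a non-DC principal.
# The GUIDs are Microsoft-documented; everything else is assumed sample data.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$getChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

# Legitimate replicators: DC computer accounts and the Azure AD Connect sync
# account (assumed naming). In production derive the DC list from
# Get-ADDomainController -Filter * rather than hard-coding it.
$knownDCs  = @('DC01$', 'DC02$')
$allowlist = @('MSOL_*')

# Constructed 4662 records. 'Properties' keeps the raw layout: the access
# resource string (%%7688 = Control Access) followed by one GUID per line.
$domainDnsClass = '{19195a5b-6da0-11d0-afd3-00c04fd930c9}'   # domainDNS object class
$events = @(
    [PSCustomObject]@{ TimeCreated = (Get-Date '2025-01-15T10:00:00'); SubjectDomainName = 'CORP'; SubjectUserName = 'DC02$'
                       AccessMask = '0x100'; Properties = "%%7688`n`t{$getChangesAll}`n`t$domainDnsClass" }
    [PSCustomObject]@{ TimeCreated = (Get-Date '2025-01-15T10:07:13'); SubjectDomainName = 'CORP'; SubjectUserName = 'jdoe'
                       AccessMask = '0x100'; Properties = "%%7688`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}`n`t{$getChangesAll}`n`t$domainDnsClass" }
    # Ordinary read of an object; not a control access right, so it must not fire.
    [PSCustomObject]@{ TimeCreated = (Get-Date '2025-01-15T10:07:14'); SubjectDomainName = 'CORP'; SubjectUserName = 'jdoe'
                       AccessMask = '0x10';  Properties = "%%7685`n`t{bf967a86-0de6-11d0-a285-00aa003049e2}" }
)

function Find-DCSync {
    param([object[]]$Events, [string[]]$KnownDCs, [string[]]$Allowlist)
    foreach ($e in $Events) {
        # Replication rights are control access rights, so AccessMask is 0x100.
        if ($e.AccessMask -ne '0x100') { continue }
        $guids = [regex]::Matches($e.Properties, '\{([0-9a-fA-F-]{36})\}') |
                 ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
        $hits = @($guids | Where-Object { $replicationRights.ContainsKey($_) })
        if ($hits.Count -eq 0) { continue }

        $actor = $e.SubjectUserName
        if ($KnownDCs -contains $actor) { continue }
        if ([bool]($Allowlist | Where-Object { $actor -like $_ })) { continue }

        [PSCustomObject]@{
            TimeCreated = $e.TimeCreated
            Actor       = "$($e.SubjectDomainName)\$actor"
            Rights      = ($hits | ForEach-Object { $replicationRights[$_] }) -join ', '
            # Get-Changes-All is the right that returns secrets; Get-Changes alone
            # is lower severity but still unusual from a user account.
            Severity    = if ($hits -contains $getChangesAll) { 'High' } else { 'Medium' }
        }
    }
}

Find-DCSync -Events $events -KnownDCs $knownDCs -Allowlist $allowlist | Format-Table -AutoSize
```

On the constructed sample only the jdoe event at 10:07:13 is reported, with severity High. Keep the allowlist short and reviewed: every principal on it is, by definition, able to dump every password hash in the domain, so Azure AD Connect servers belong in Tier 0 as the guide states. To pull real records, flatten the 4662 EventData from Get-WinEvent into the same property names before calling Find-DCSync.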
What is a Golden Ticket attack and how do I defend against it?
A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created using the krbtgt account password hash. Because all Kerberos tickets in the domain are issued by the KDC using the krbtgt key, possession of the krbtgt hash allows an attacker to forge TGTs for any account — including non-existent accounts — with any group membership and any lifetime. Golden Tickets persist through password resets for non-krbtgt accounts. Defense: after a suspected compromise, reset the krbtgt password twice (because there are two krbtgt keys) using the Microsoft-provided script, then monitor for ticket anomalies. Implement Privileged Identity Management and enforce short-lived admin sessions.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
