Active Directory (AD) is the heart of most organizations' IT infrastructure, and for the same reason it is a prime target for attackers: whoever controls AD controls every system and every credential joined to it. In this article we share best practices drawn from real-world scenarios we have encountered in business environments. From advanced controls and credential protection to defences against the most common attacks, we'll look at concrete strategies to strengthen your Active Directory security and reduce risk.
1. Domain Controller OS Security
Updates & Patches
- Make sure that the operating system is always up-to-date with the latest security patches. Set Windows Update to automatically install critical updates.
- Test critical patches in a staging environment before deploying to a production environment to avoid compatibility issues.
Local Access Protection
- Do not allow remote administrators to log on interactively to the DC (RDP or console) for routine work; use remote management tools from a hardened host instead. Number of admin users with
- Minimize direct access to DCs: any administrative access should go through a jump server (bastion host) that is itself treated as a Tier 0 asset.
Configuring Security Policies
- Rename the built-in Administrator account (RID 500) and, if your recovery procedures allow it, disable it. Renaming alone is a weak control, because the RID is well known and the real name can be looked up.
- Enable Credential Guard and Device Guard code-integrity policies (now Windows Defender Application Control) to make Pass-the-Hash and credential dumping harder. Note that Microsoft does not recommend Credential Guard on domain controllers themselves (it does not protect the AD database); it belongs on the privileged access workstations, jump servers and member servers where administrators actually enter their credentials.
- Disable SMBv1 and other legacy protocols and require SMB signing.
- Configure Windows Firewall to block unnecessary connections. Use segmentation rules to separate administrative traffic from user traffic.
- Implement Just Enough Administration (JEA) so that operators get only the commands their role needs, and Just-In-Time (JIT) administration so that high privileges are granted only when needed and for a limited time.
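As an added example (not code from the original article), here is a minimal JEA endpoint of the kind the last bullet describes: a group of operators gets a remoting endpoint that exposes a few read-only cmdlets, one tightly constrained Restart-Service and repadmin, and runs them under a virtual account so the operators never hold administrative credentials. The group name CONTOSO\DC-Operators, the role/endpoint name DCOperator and the transcript path are assumptions.

```powershell
# Added example: minimal JEA endpoint for DC operators. Run in an elevated PowerShell 5.1+
# session on the server that should host the endpoint.
# Assumed names: CONTOSO\DC-Operators (operator group), DCOperator (role and endpoint), C:\JEA-Transcripts.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DCOperatorJEA'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null

# Role capability files are only discovered inside a module's RoleCapabilities folder,
# so the module needs at least a manifest.
New-ModuleManifest -Path (Join-Path $moduleRoot 'DCOperatorJEA.psd1') -Description 'JEA role capabilities for DC operators'

# The role: what an operator can run. Anything not listed here does not exist inside the session.
# Restart-Service is limited to two service names via ValidateSet; everything else is read-only.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'DCOperator.psrc') `
    -VisibleCmdlets 'Get-Service', 'Get-WinEvent', 'Get-Process',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon' } } `
    -VisibleExternalCommands 'C:\Windows\System32\repadmin.exe'

# The endpoint: RestrictedRemoteServer strips the session down to the allowed commands, the
# virtual account supplies the local rights the commands need without giving them to the
# operator, and every session is transcribed.
$pssc = Join-Path $env:TEMP 'DCOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\DC-Operators' = @{ RoleCapabilities = 'DCOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration file: $pssc" }
Register-PSSessionConfiguration -Name 'DCOperator' -Path $pssc -Force | Out-Null

# Operator side (from the jump server):
#   Enter-PSSession -ComputerName dc01.contoso.com -ConfigurationName DCOperator
#   Get-Command                    # shows only the commands exposed by the role
#   Restart-Service -Name Spooler  # rejected: Spooler is not in the ValidateSet
```

One caveat specific to domain controllers: on a DC a virtual account is a member of Domain Admins, so every command you expose must be reviewed for ways to run arbitrary code (a cmdlet with a script-block parameter, an external command that accepts a file path it then executes); any such hole turns the endpoint into a full domain compromise.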
2. Credential and authentication protocol protection
NTLM and Kerberos
- Move authentication to Kerberos and phase NTLM out in stages: first refuse LM and NTLMv1 ("Network security: LAN Manager authentication level" → "Send NTLMv2 response only. Refuse LM & NTLM"), then audit the remaining NTLM use ("Network security: Restrict NTLM: Audit NTLM authentication in this domain") and block it where Kerberos works. Disabling NTLMv2 outright breaks applications that address servers by IP address or lack SPNs, so it has to be done per system. NTLMv2 has been available since Windows NT 4.0 SP4, and whether to mandate it has been debated for more than a decade.
- Avoid unconstrained delegation entirely; where delegation is needed, use constrained delegation (preferably resource-based) limited to the specific services, and mark privileged accounts as "Account is sensitive and cannot be delegated".
- Use the Protected Users group. Members cannot authenticate with NTLM, DES or RC4, cannot be delegated, get no cached credentials and receive Kerberos TGTs with a 4-hour lifetime, which greatly limits what an attacker can do with a stolen credential.
- Kerberos is the core authentication protocol of Active Directory. Configure accounts (msDS-SupportedEncryptionTypes) to use AES128/AES256 and remove RC4, so that Kerberoasting yields tickets that are slow to crack; keep the DCs in enforcement mode for the Kerberos PAC signature updates so that tampered tickets are rejected.
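The following is an added example, not code from the original article: an audit of the delegation, cipher and NTLM settings the four bullets above ask for. Only built-in group names and well-known registry locations are used; everything else is read from the domain. It needs the ActiveDirectory module and runs with ordinary read rights except for the registry part, which must run on a DC.

```powershell
# Added example: audit delegation, RC4 exposure and NTLM posture. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Unconstrained delegation (userAccountControl bit 0x80000 = 524288): a host with this flag receives
#    a copy of the TGT of every user who authenticates to it. DCs have it by design; nothing else should.
$unconstrained = Get-ADObject -LDAPFilter "(&(|(objectClass=computer)(&(objectCategory=person)(objectClass=user)))(userAccountControl:1.2.840.113556.1.4.803:=524288))" -Properties sAMAccountName |
    Where-Object { $_.DistinguishedName -notlike '*,OU=Domain Controllers,*' }

# 2. Constrained delegation with protocol transition (bit 0x1000000 = 16777216): the service can obtain
#    a ticket for ANY user to the targets in msDS-AllowedToDelegateTo without that user authenticating.
$protocolTransition = Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=16777216)" -Properties sAMAccountName, msDS-AllowedToDelegateTo

# 3. Kerberoastable user accounts that still allow RC4: msDS-SupportedEncryptionTypes bit 0x4, or the
#    attribute unset (which means RC4 for user accounts). krbtgt is excluded; it is handled by the DCs.
$rc4Spn = Get-ADObject -LDAPFilter "(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(|(!(msDS-SupportedEncryptionTypes=*))(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)))" -Properties sAMAccountName, msDS-SupportedEncryptionTypes

# 4. NTLM posture of this DC. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
#    AuditNTLMInDomain / RestrictNTLMInDomain back the "Restrict NTLM ... in this domain" policies
#    (0 or unset = allow everything, 7 = audit/deny all).
$lsa      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue

[pscustomobject]@{
    UnconstrainedDelegationNonDC = @($unconstrained.sAMAccountName)
    ProtocolTransition           = @($protocolTransition.sAMAccountName)
    SpnAccountsAllowingRC4       = @($rc4Spn.sAMAccountName)
    LmCompatibilityLevel         = $lsa.LmCompatibilityLevel
    AuditNtlmInDomain            = $netlogon.AuditNTLMInDomain
    RestrictNtlmInDomain         = $netlogon.RestrictNTLMInDomain
}
```

Anything listed under the first two properties needs a justification or removal; for the third, Set-ADUser with -KerberosEncryptionType "AES128,AES256" on the service account (after a password change, so AES keys exist) closes the RC4 path. An empty RestrictNtlmInDomain with a low LmCompatibilityLevel means the NTLM phase-out has not started.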
Restrict access to privileged accounts
- Don't use highly privileged accounts for everyday tasks; create separate accounts for administration. Create at least two accounts for each admin:
a regular account (without privileges) → for everyday use.
an admin account (no internet or email access) → only for managing the DC.
- Implement the tier model (Tier 0, Tier 1, Tier 2) to segment administrative privileges: Tier 0 identities (domain admins, DCs, PKI) never log on to lower-tier systems, and lower-tier credentials are never used on Tier 0 systems.
- Use group Managed Service Accounts (gMSA) for services that run on or against AD: the password is long, random, rotated automatically by the DCs and never known to a human, so it cannot be phished, reused or left in a script.
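Added example (not from the original article): creating a gMSA for a service that runs on two web servers. The host names web01/web02, the group WebTierHosts, the account gmsa-webapp and the DNS suffix corp.example are assumptions; the procedure itself (KDS root key, host group, account, installation on the host) is the standard one.

```powershell
# Added example: provision a gMSA. Run as a Domain Admin with the ActiveDirectory module.
Import-Module ActiveDirectory

# The KDS root key is the secret the DCs derive every gMSA password from; it is created once per forest.
# Add-KdsRootKey -EffectiveImmediately still waits 10 hours before use so that every DC has replicated it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Only the hosts in this group may retrieve the password (the DC checks the caller's computer identity).
$hostGroup = 'WebTierHosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security -Description 'Hosts allowed to use gmsa-webapp'
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'web01'), (Get-ADComputer 'web02')

# The account: no human ever knows the password; DCs rotate it every 30 days (the default).
# AES-only keys keep its service tickets out of reach of cheap RC4 cracking.
New-ADServiceAccount -Name 'gmsa-webapp' `
    -DNSHostName 'gmsa-webapp.corp.example' `
    -ServicePrincipalNames 'HTTP/app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType 'AES128,AES256' `
    -ManagedPasswordIntervalInDays 30

# On each host (after a reboot or a fresh logon, so the new group membership is in its token):
#   Install-ADServiceAccount -Identity gmsa-webapp
#   Test-ADServiceAccount  -Identity gmsa-webapp   # True when the host can retrieve the password
# Then run the service as CORP\gmsa-webapp$ with an empty password.
```

Two things to keep in mind: the account is only as isolated as the host group, so a host that can read the password is effectively the service identity; and a gMSA still needs least privilege in AD like any other account (no membership in privileged groups, no unneeded delegation).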
Password Protection
- Enable the password complexity policy and set the minimum length to 14 characters; 16 or more is better against offline brute force. Values above 14 in the domain policy require current Windows Server 2019/2022 domain controllers with the "Relax minimum password length limits" setting; older DCs cap the policy at 14. Length matters more than complexity rules, and a banned-password list (Entra Password Protection or an equivalent) stops the predictable "Company2024!" patterns that complexity rules let through.
- Configure Fine-Grained Password Policies (Password Settings Objects) so that administrators and service accounts get stricter settings than ordinary users.
- Enable Windows Defender Credential Guard to protect credentials in memory. It isolates the secrets handled by LSASS (Kerberos tickets, NTLM hashes) in a virtualization-based container so that malware and attackers with administrative rights cannot dump them. It is not recommended on domain controllers themselves; deploy it on administrative workstations and member servers.
Note: Check its compatibility with older applications (anything that depends on NTLMv1, Digest, or unconstrained delegation with saved credentials) before activating!
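Added example (not from the original article): a Fine-Grained Password Policy for Tier 0 administrators, which is how the length and lockout settings above are applied to admins without tightening the whole domain. The PSO name, the precedence and the sample user adm-jdoe are assumptions.

```powershell
# Added example: stricter Password Settings Object (PSO) for privileged accounts.
# Requires domain functional level 2008 or later and the ActiveDirectory module.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0-Admins'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    # Precedence: when several PSOs apply to one user the LOWEST number wins.
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
}

# PSOs apply to users and GLOBAL security groups only. Domain Admins is global; Enterprise Admins and
# Schema Admins are universal, so put their members in a dedicated global group and target that.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verify the effective policy for one admin. A user with no applicable PSO falls back to the
# Default Domain Policy, which is why the check is worth running for every Tier 0 account.
Get-ADUserResultantPasswordPolicy -Identity 'adm-jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Get-ADUserResultantPasswordPolicy returning nothing for an administrator means the stricter policy is not reaching them, usually because the group they sit in is universal or domain-local.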
3. Network and communication security
LDAP Protocol Enhancement
- Enable LDAP signing and LDAP channel binding to prevent man-in-the-middle and relay attacks against LDAP.
Configuring LDAP signing via GPO: set "Domain controller: LDAP server signing requirements" to "Require signing". Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirements → Require signing. Channel binding (for LDAPS) is the separate option "Domain controller: LDAP server channel binding token requirements" → Always. Before enforcing either, raise the NTDS diagnostic "16 LDAP Interface Events" to 2 and review Directory Service events 2887 (24-hour summary) and 2889 (one per client) to find the clients that still bind without signing.
- Disable anonymous LDAP access. Anonymous access to LDAP may allow an attacker to list AD users and objects without authentication.
There is no Group Policy security option for this. Anonymous operations (beyond reading rootDSE) are off by default and are controlled by the seventh character of the dSHeuristics attribute on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... : a value of 2 in that position enables anonymous LDAP operations, so verify it is not set.
Network Connection Protection
- Use IPsec to authenticate and encrypt traffic between domain controllers and from administrative hosts to DCs, with Kerberos or PKI certificates for peer authentication. AD replication is already encrypted RPC, so the main gain is authenticated isolation: only hosts that can authenticate get to talk to the DC at all.
- Disable LLMNR (GPO: Computer Configuration > Policies > Administrative Templates > Network > DNS Client > Turn off multicast name resolution → Enabled) and NetBIOS name resolution over TCP/IP to prevent the poisoning and relay attacks that tools such as Responder rely on.
- Configure firewalls to open only the ports Active Directory needs.
Essential ports for Domain Controllers
Service | Port | Protocol |
---|---|---|
LDAP | 389 | TCP/UDP (UDP carries CLDAP pings) |
LDAPS | 636 | TCP |
Global Catalog | 3268 | TCP |
Global Catalog SSL | 3269 | TCP |
Kerberos | 88 | TCP/UDP |
Kerberos password change (kpasswd) | 464 | TCP/UDP |
SMB (SYSVOL, NETLOGON) | 445 | TCP |
RPC Endpoint Mapper | 135 | TCP |
RPC dynamic range (replication, DCOM, Netlogon) | 49152-65535 | TCP |
DNS | 53 | TCP/UDP |
NTP (W32Time) | 123 | UDP |
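As an added example (not from the original article), the script below checks the LDAP signing, channel binding, anonymous-access and LLMNR settings from this section on every DC and lists the clients that would break once signing is enforced. It assumes PowerShell remoting to the DCs and the ActiveDirectory module; the registry values and the dSHeuristics location are the documented ones.

```powershell
# Added example: verify the LDAP/LLMNR hardening on all DCs. Requires WinRM to the DCs and the AD module.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dns  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    # Event 2889 (Directory Service log) names each client that bound without signing; it is only
    # written when the "16 LDAP Interface Events" diagnostic level is at least 2.
    $unsigned = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique
    [pscustomobject]@{
        DC                  = $env:COMPUTERNAME
        LdapServerIntegrity = $ntds.LDAPServerIntegrity        # 2 = require signing, 1 or unset = not required
        ChannelBinding      = $ntds.LdapEnforceChannelBinding  # 2 = always, 1 = when supported, 0/unset = never
        LlmnrDisabled       = ($dns.EnableMulticast -eq 0)     # "Turn off multicast name resolution" = Enabled
        UnsignedBindClients = @($unsigned)
    }
}
$results | Format-Table DC, LdapServerIntegrity, ChannelBinding, LlmnrDisabled, UnsignedBindClients -AutoSize

# Anonymous LDAP: governed by the 7th character of dSHeuristics; '2' there enables anonymous operations.
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$dsh = (Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics
if ($dsh -and $dsh.Length -ge 7 -and $dsh[6] -eq '2') {
    Write-Warning "Anonymous LDAP operations are ENABLED (dSHeuristics = $dsh)"
} else {
    "Anonymous LDAP operations are blocked (dSHeuristics = '$dsh')"
}
```

Work through UnsignedBindClients before flipping LdapServerIntegrity to 2: the usual offenders are appliances and Java applications doing simple binds over plain LDAP, and each of them will stop authenticating the moment signing is required.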
4. Active Directory Database Protection (NTDS.dit)
- Use BitLocker to encrypt the volumes holding NTDS.dit, its logs and SYSVOL. This protects against offline theft of a disk or a VM image; it does nothing against a logged-on administrator or Backup Operator, who can copy the file through a volume shadow copy (ntdsutil, vssadmin, diskshadow), which is why those rights are Tier 0.
- Enable "Protect object from accidental deletion" on OUs and on the administrative accounts and sensitive groups, such as:
Domain Admins
Enterprise Admins
Schema Admins
Administrators
Backup Operators
- Deploy Read-Only Domain Controllers (RODCs) where physical security cannot be guaranteed (branches and remote locations). An RODC caches only the secrets its password replication policy allows, so its theft does not hand over the whole domain.
5. Monitoring and recording events
Enable advanced event logging
- Configure Windows Event Forwarding (WEF) to centralize the security logs of the domain controllers on a collector that DC credentials cannot reach, so an attacker who owns a DC cannot erase the trail.
- Enable PowerShell script block logging and module logging (and transcription on jump servers) to detect suspicious script execution.
- Audit access to the directory database and to replication: "Audit Directory Service Access" produces Event ID 4662, and a 4662 that requests the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All control access rights from anything that is not a domain controller is the signature of DCSync. Alert as well on shadow-copy creation and on any process reading NTDS.dit.
Monitoring Accesses and Changes
- Monitor changes to privileged groups (Domain Admins, Enterprise Admins, Schema Admins, Administrators, Backup Operators). With "Audit Security Group Management" enabled:
Event ID 4728 → member added to a global security group (e.g. Domain Admins)
Event ID 4729 → member removed from a global security group
Event ID 4732 / 4733 → member added to / removed from a domain local security group (Administrators, Backup Operators)
Event ID 4756 / 4757 → member added to / removed from a universal security group (Enterprise Admins, Schema Admins)
- Use Sysmon and Microsoft Defender for Identity to detect suspicious activity around authentication.
Critical Sysmon events to monitor on DCs:
Event ID 1 → process creation (command line, hashes, parent process)
Event ID 3 → network connections (for example lsass.exe or ntdsutil.exe talking to the network)
Event ID 10 → process access (another process opening lsass.exe with read rights is how credential dumpers work)
Event ID 6 → driver loaded (unsigned or unexpected drivers)
Event ID 21 → WMI event consumer bound to a filter (a common persistence technique)
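The two detections that matter most from the lists above, written out as an added example (not code from the original article): a privileged-group-change alert over 4728/4732/4756 and a DCSync alert over 4662. The Tier 0 group list is the built-in one, the replication right GUIDs are the well-known ones, and the sample event at the end is constructed so the first function can be exercised without a DC.

```powershell
# Added example: Security-log detections for Tier 0 group changes and DCSync.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Backup Operators', 'Account Operators', 'Server Operators'

# Control-access rights that replication uses. A 4662 asking for these from anything that is
# not a domain controller computer account is DCSync.
$replicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2d cd2'.Replace(' ', '')   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'                     # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'                     # DS-Replication-Get-Changes-In-Filtered-Set
)
$dcAccounts = @()
try   { $dcAccounts = @((Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }) }
catch { Write-Verbose 'AD module unavailable: every 4662 subject is treated as a non-DC' }

function Test-PrivilegedGroupChange {
    # 4728 / 4732 / 4756 = member added to a global / domain-local / universal security group.
    # EventData order: MemberName, MemberSid, TargetUserName (the group), TargetDomainName, TargetSid,
    # SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList
    param($Event)
    if ($Event.Id -notin 4728, 4732, 4756) { return }
    $group = $Event.Properties[2].Value
    if ($group -in $tier0Groups) {
        [pscustomobject]@{
            Time   = $Event.TimeCreated
            Alert  = 'Tier0GroupMemberAdded'
            Group  = $group
            Member = $Event.Properties[0].Value
            By     = $Event.Properties[6].Value
        }
    }
}

function Test-DCSync {
    # 4662 = operation performed on a directory object (needs "Audit Directory Service Access").
    # EventData order: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, ObjectServer,
    # ObjectType, ObjectName, OperationType, HandleId, AccessList, AccessMask, Properties, ...
    param($Event)
    if ($Event.Id -ne 4662) { return }
    $subject    = $Event.Properties[1].Value
    $properties = [string]$Event.Properties[11].Value
    $hit = $replicationGuids | Where-Object { $properties -match $_ }
    if ($hit -and $subject -notin $dcAccounts) {
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Alert   = 'PossibleDCSync'
            Subject = $subject
            Rights  = ($hit -join ',')
        }
    }
}

# Constructed sample (not a real log record): svc-backup added to Domain Admins by jdoe.
$sample = [pscustomobject]@{
    Id = 4728; TimeCreated = Get-Date
    Properties = @(
        @{ Value = 'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example' }, @{ Value = 'S-1-5-21-1-2-3-1105' },
        @{ Value = 'Domain Admins' }, @{ Value = 'CORP' }, @{ Value = 'S-1-5-21-1-2-3-512' },
        @{ Value = 'S-1-5-21-1-2-3-1001' }, @{ Value = 'jdoe' }, @{ Value = 'CORP' }
    )
}
Test-PrivilegedGroupChange -Event $sample

# Live use on a DC (last hour):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756, 4662; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { Test-PrivilegedGroupChange $_; Test-DCSync $_ }
```

4662 is noisy once directory service access auditing is on; in a SIEM, filter it to records whose Properties field contains the replication GUIDs before applying the non-DC check, and whitelist legitimate non-DC replicators (Entra Connect's sync account is the usual one) explicitly rather than by turning the rule off.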
6. Protection against malware and ransomware
- Onboard the DCs to Microsoft Defender for Endpoint (onboarding is done with the MDE onboarding package or through Intune/Configuration Manager, not through the antivirus GPO) and make sure Microsoft Defender Antivirus stays on.
Defender Antivirus via GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus
"Turn off Microsoft Defender Antivirus" → Disabled
Real-time Protection > "Turn off real-time protection" → Disabled
Microsoft Defender Exploit Guard > Network Protection > "Prevent users and apps from accessing dangerous websites" → Enabled (Block)
Also enable the attack surface reduction rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
- Use honeytokens to detect suspicious access attempts: fake accounts, credentials, files or service principal names that no legitimate process ever uses, so that any touch is an alert. Defender for Identity lets you tag such accounts as honeytoken accounts.
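Added example (not from the original article) of the honeytoken idea: a decoy service account with an SPN that no real service uses. Every Kerberos service-ticket request for it (Event ID 4769 on a DC) is by definition someone enumerating and roasting SPNs. The account name svc-sqlbackup, the SPN and the host name are assumptions.

```powershell
# Added example: honey SPN account and the matching 4769 detection. Requires the AD module on a DC.
Import-Module ActiveDirectory

$honey = 'svc-sqlbackup'                                # deliberately looks like a real service account
$spn   = 'MSSQLSvc/sqlbk01.corp.example:1433'           # points at a host that does not exist

if (-not (Get-ADUser -Filter "SamAccountName -eq '$honey'")) {
    # Random password nobody records: the account must never be able to log on anywhere.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # RC4 on purpose: attackers prefer RC4 tickets because they crack faster, so the decoy stays attractive.
    # LogonWorkstations restricted to a non-existent host blocks interactive use even if the password leaked.
    New-ADUser -Name $honey -SamAccountName $honey -Description 'SQL backup service (do not modify)' `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
        -ServicePrincipalNames $spn -KerberosEncryptionType RC4 -LogonWorkstations 'NONE-HONEYPOT'
}

function Find-HoneySpnRequest {
    # 4769 EventData order: TargetUserName, TargetDomainName, ServiceName, ServiceSid, TicketOptions,
    # TicketEncryptionType, IpAddress, IpPort, Status, ...   ServiceName is the account's sAMAccountName.
    param([Parameter(ValueFromPipeline)] $Event, [string] $ServiceAccount = $honey)
    process {
        if ($Event.Id -eq 4769 -and $Event.Properties[2].Value -eq $ServiceAccount) {
            [pscustomobject]@{
                Time      = $Event.TimeCreated
                Requester = $Event.Properties[0].Value
                ClientIP  = $Event.Properties[6].Value
                EncType   = $Event.Properties[5].Value   # 0x17 = RC4-HMAC, the classic Kerberoast signature
            }
        }
    }
}

# Any output here is an incident: nothing legitimate ever asks for this SPN.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Find-HoneySpnRequest
```

Give the decoy a plausible description and a creation date that is not yesterday, keep it out of every group, and add a deny-logon GPO for it; then register the same account as a honeytoken in Defender for Identity so that LDAP lookups of it are alerted on as well, not only ticket requests.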
7. Backup and restore in times of crisis
- Configure regular backups of the domain controllers (system state at minimum), keep at least one copy offline or immutable so that ransomware cannot reach it, and rehearse a forest recovery.
Windows Server Backup, Veeam Backup & Replication, Rubrik, Commvault, NetBackup
- Enable the Active Directory Recycle Bin to recover accidentally deleted objects with their attributes and group memberships intact (enabling it is forest-wide and irreversible).
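Added example (not code from the original article) that ties together the Recycle Bin bullet above and the accidental-deletion protection from section 4: it enables the Recycle Bin, protects every OU and the Tier 0 groups, and shows how a deleted object is found and restored. The group list is the built-in one; nothing else is assumed beyond the ActiveDirectory module and Enterprise Admin rights for the forest-wide step.

```powershell
# Added example: Recycle Bin + accidental-deletion protection + recovery check.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Forest-wide and irreversible; also raises the size of NTDS.dit because deleted objects are kept whole.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# OUs: deleting one takes every object underneath with it, so all of them get the deny-delete ACEs.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# Tier 0 groups (Enterprise/Schema Admins exist only in the forest root; errors are ignored elsewhere).
$tier0 = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Backup Operators', 'Account Operators'
foreach ($name in $tier0) {
    $grp = Get-ADGroup -Identity $name -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue
    if ($grp -and -not $grp.ProtectedFromAccidentalDeletion) {
        $grp | Set-ADObject -ProtectedFromAccidentalDeletion $true
    }
}

# Recovery: list the most recently deleted objects; Restore-ADObject puts one back under lastKnownParent.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object -First 10 Name, ObjectGUID, lastKnownParent, whenChanged
# Restore-ADObject -Identity <ObjectGUID from the list above>
```

Deleted objects stay recoverable only for the deleted-object lifetime (by default the same as the tombstone lifetime, 180 days on forests created on 2003 SP1 or later), and the Recycle Bin does nothing against a malicious deletion performed with enough rights to also empty it: that case is what the offline backups are for.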
8. Access Policies and Privileges
- Remove unauthorized users from privileged groups. Many companies forget to remove users from groups such as "Domain Admins", which increases the risk of account breaches. Important groups to monitor and protect:
Group | Description |
---|---|
Domain Admins | Full control of the domain; member of the local Administrators group on every domain-joined machine |
Enterprise Admins | Forest-wide administration (exists in the forest root domain) |
Schema Admins | Can change the AD schema (dangerous!); keep it empty except during schema updates |
Administrators | Administrative access to the domain controllers and to the domain |
Backup Operators | Can back up and restore any file, including NTDS.dit, so effectively Tier 0 |
Remote Desktop Users | RDP access to servers; a risk wherever it includes DCs |
Track changes to privileged groups with GPO:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management > Audit Security Group Management → Success and Failure (events 4728/4732/4756). Add DS Access > Audit Directory Service Changes → Success for attribute-level changes (event 5136); that one also needs a SACL on the objects you want watched.
- Apply the principle of least privilege to reduce access rights.
Never use highly privileged accounts for daily activities (email, browser). Each administrator must have two accounts:
- Regular account → for basic operations (no privileges)
- Administrative account → only for domain management (no internet access)
- Disable inactive and guest accounts. Attackers often use old accounts to gain access to the domain; inactive accounts can be compromised and used for lateral movement.
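Added example (not from the original article): a report over the groups in the table above that surfaces the members most worth fixing (accounts with an SPN, very old passwords, accounts not in Protected Users or not marked non-delegable), followed by a dry run of disabling stale accounts. The 90-day and 365-day thresholds are assumptions; LastLogonDate is the replicated lastLogonTimestamp, so it can be up to 14 days behind.

```powershell
# Added example: privileged-membership report and stale-account cleanup (dry run).
Import-Module ActiveDirectory
$tier0 = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
         'Backup Operators', 'Account Operators', 'Remote Desktop Users'

$report = foreach ($g in $tier0) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in ($members | Where-Object objectClass -eq 'user')) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet,
                servicePrincipalName, memberOf, AccountNotDelegated
        $pwAge = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            Group            = $g
            User             = $u.SamAccountName
            Enabled          = $u.Enabled
            LastLogon        = $u.LastLogonDate
            PasswordAgeDays  = $pwAge
            HasSPN           = [bool]$u.servicePrincipalName                          # Kerberoastable admin: fix first
            NotDelegated     = [bool]$u.AccountNotDelegated                           # "sensitive, cannot be delegated"
            InProtectedUsers = [bool]($u.memberOf -match '^CN=Protected Users,')
        }
    }
}
$report | Sort-Object Group, User | Format-Table -AutoSize

# Findings that need action now
$report | Where-Object { $_.HasSPN -or $_.PasswordAgeDays -gt 365 -or -not $_.NotDelegated -or -not $_.InProtectedUsers } |
    Format-Table Group, User, HasSPN, PasswordAgeDays, NotDelegated, InProtectedUsers -AutoSize

# Stale accounts: no logon for 90 days. Review the list, then rerun without -WhatIf.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Disable-ADAccount -WhatIf
```

Run the report from a scheduled job and diff it against the previous run: a new name in Domain Admins that no change ticket explains is one of the few findings that justifies an immediate incident.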
9. Domain Trust Protection
- Use selective authentication for external and forest trusts. Restrict users from the trusted domain to only the servers and resources they need.
- By default a forest trust uses forest-wide authentication: every authenticated user of the trusted forest is treated as an authenticated user in the trusting forest.
Selective authentication requires that each resource explicitly grants the "Allowed to Authenticate" right to users of the external domain. This limits lateral movement across the trust. Against forged tickets (a Golden Ticket carrying SID history, or Pass-the-Ticket across the trust) the control that matters is SID filtering, which is enabled by default on external and forest trusts: never disable it for a trust you do not fully control, and keep TGT delegation across the trust disabled.
- Monitor changes to trust relationships: Event ID 4706 (trust created), 4707 (trust removed) and 4716 (trusted domain information modified). Advanced attackers (APTs) target trusts to move laterally between domains.
- Protect against AD replication attacks (DCSync, DCShadow). DCSync uses the replication rights to pull password hashes from a DC; DCShadow registers a rogue domain controller and pushes changes through replication. Defender for Identity detects both; natively, alert on 4662 replication requests from non-DC accounts and on new server objects appearing under the Sites container.
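Added example (not from the original article): a review of every trust against the settings discussed above, plus the trust lifecycle events. It assumes only the ActiveDirectory module; the property names are those exposed by Get-ADTrust.

```powershell
# Added example: audit trust settings and recent trust changes.
Import-Module ActiveDirectory

Get-ADTrust -Filter * -Properties * | ForEach-Object {
    [pscustomobject]@{
        Trust                   = $_.Name
        Type                    = $_.TrustType
        Direction               = $_.Direction
        ForestTransitive        = $_.ForestTransitive
        SelectiveAuthentication = $_.SelectiveAuthentication   # $false = forest-/domain-wide authentication
        SIDFilteringQuarantined = $_.SIDFilteringQuarantined   # external trusts: should be $true
        TGTDelegation           = $_.TGTDelegation             # $true lets unconstrained delegation cross the trust
        UsesRC4Encryption       = $_.UsesRC4Encryption         # trust keys should be AES (UsesAESKeys)
        UsesAESKeys             = $_.UsesAESKeys
    }
} | Format-Table -AutoSize

# Trusts that deserve a ticket: forest-wide authentication, delegation across the trust, RC4 trust keys.
Get-ADTrust -Filter * -Properties * |
    Where-Object { -not $_.SelectiveAuthentication -or $_.TGTDelegation -or $_.UsesRC4Encryption } |
    Select-Object Name, SelectiveAuthentication, TGTDelegation, UsesRC4Encryption

# Trust lifecycle events on this DC: 4706 created, 4707 removed, 4716 modified.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4706, 4707, 4716; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

A trust that shows up in 4706 without a matching change record is a finding on its own; so is SIDFilteringQuarantined turning to $false on an external trust, which is exactly the change an attacker makes before using SID history to jump in as a privileged group of your domain.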
10. Automation and Preventive Security
- Use Microsoft Defender for Identity to detect advanced threats: it monitors DC traffic and events to detect lateral movement, Pass-the-Hash and other attempts to compromise Active Directory.
- It detects techniques such as DCSync, DCShadow, Golden Ticket and Kerberoasting.
- It analyzes user behaviour and reports abnormal activity.
- It reduces unauthorized access by alerting early, starting with the reconnaissance phase (account, group and session enumeration) that precedes most intrusions.
- Forward the logs to a SIEM such as Splunk or Microsoft Sentinel and centralize alerting there.
- Conduct periodic red teaming and penetration tests to identify vulnerabilities. Real-world attacks take advantage of flaws that are not evident in logs.
- Simulated attacks validate the effectiveness of defences and monitoring, and surface misconfigurations and unauthorized access paths.
Tools for AD testing:
Tool | Main Usage |
---|---|
BloodHound | Map the relationships between users, groups, sessions and ACLs in AD to find attack paths |
Mimikatz | Credential dumping, Pass-the-Hash, Pass-the-Ticket and ticket forging |
PowerShell Empire | Post-exploitation and command-and-control simulation |
Responder | LLMNR/NBT-NS/mDNS poisoning and NTLM relay attacks |
PingCastle | Assess the security posture of the whole AD domain (risk score and report) |
Note: Running these tools by itself does not give an overview of the possible attack scenarios; only experienced testers who interpret the results can tell you where the infrastructure is actually at risk.
Other Advanced Aspects of Domain Controller Hardening
In addition to the basic best practices, several advanced measures can further improve the security and resilience of the domain controller, from finer privilege management to securing the authentication channels and proactive monitoring. They strengthen the defences against more complex threats.
Let's look at some of them in more detail to make the AD infrastructure safer and more resilient.
- Check and remove dangerous privileges. Some default user rights can be used by attackers to run code with high privileges or manipulate the system. Review and limit the following on domain controllers (User Rights Assignment in the Default Domain Controllers Policy):
- SeDebugPrivilege (Debug programs) → remove it from all users and groups (it is assigned to Administrators by default; SYSTEM holds it inherently and does not need the setting)
This privilege gives access to the memory of any process, which is what Mimikatz and other credential dumpers use to read LSASS. Check whether the current session holds it with:
whoami /priv | findstr SeDebugPrivilege
To remove this privilege from the "Domain Admins" group with ntrights (Windows Server 2003 Resource Kit; the supported way is the GPO setting above), use:
ntrights -r SeDebugPrivilege -u "Domain Admins"
Keep in mind that an administrator can grant the right back to themselves, so this is a speed bump against tooling and mistakes, not a security boundary.
- SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation) → limit to authorized roles only
Whoever holds it can mark any account as trusted for (unconstrained) delegation; an attacker can use that to collect the TGTs of users and computers that authenticate to a host under their control. It is assigned to Administrators by default on DCs and should stay that narrow.
- SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege
These privileges allow a process to impersonate other users' tokens and run code as SYSTEM (token theft and the "Potato" family of local privilege escalations). Limit them to the service accounts and processes that genuinely need them.
- Protection of Group Policy Objects (GPOs)
- Block unauthorized changes to GPOs by restricting GPO permissions (edit, delete, modify security) to a small, audited group; the GPOs linked to the Domain Controllers OU are Tier 0 assets.
- Monitor critical policy changes with Event ID 5136 (directory object modified, with a SACL on the Policies container) and 5141 (object deleted); also watch gPLink changes on OUs.
- Remove write access to policies and to SYSVOL from non-admin users.
- Windows service protection. Disable unnecessary services on domain controllers, but check what the DC role itself depends on before touching anything:
- Fax (not installed by default on Windows Server)
- Print Spooler (target of PrintNightmare; a DC has no reason to print)
- Remote Registry (prevents remote registry changes; some monitoring tools use it, so verify first)
- Windows Remote Management (WinRM), only if you really do not use PowerShell remoting for administration; otherwise restrict it to the jump servers with firewall rules
Do not disable the Server (LanmanServer) and Workstation (LanmanWorkstation) services: a DC publishes SYSVOL and NETLOGON through the Server service, and Group Policy processing and replication depend on both.
To disable the two services that are safe to remove from a DC, use the following commands:
Set-Service Spooler -StartupType Disabled
Set-Service RemoteRegistry -StartupType Disabled
- To check who holds special privileges, use the following command:
Get-ADGroupMember -Identity "Domain Admins" -Recursive
To create an alert for suspicious additions to privileged groups:
- Monitor Event ID 4728 (member added to a global group such as Domain Admins) and 4756 (universal groups such as Enterprise Admins)
- Monitor Event ID 4732 (member added to a domain local group such as Administrators or Backup Operators)
These measures help prevent unauthorized or dangerous privileges and improve the security of your domain.
- Hardening access to the NTDS.dit database
- Prevent NTDS.dit from being read directly: only SYSTEM and Administrators should have access to the NTDS folder, and nobody should be a Backup Operator without a documented reason.
- Protect the NTDS.dit volume with BitLocker (preferred) or EFS; full-volume encryption also covers the logs and the temporary copies that tools leave behind.
- Monitor attempts to extract credentials with Sysmon (process access to LSASS; execution of ntdsutil, vssadmin or diskshadow) and YARA rules on file shares and endpoints.
- Enforce LDAP signing
- The GPO setting "Domain controller: LDAP server signing requirements" corresponds to this registry value on each DC (2 = require signing, 1 = none):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "LDAPServerIntegrity" /t REG_DWORD /d 2 /f
- Note that this does not block anonymous binds: anonymous LDAP is governed by the dSHeuristics attribute described in section 3 and is off by default.
- Remote session protection
- Disable RDP access to domain controllers except for authorized Tier 0 administrators coming from the jump server network, and require Network Level Authentication.
- Use jump servers (bastion hosts) for remote management instead of connecting directly to DCs.
- Do not rely on self-signed certificates, and protect the PKI
- Do not install self-signed or ad-hoc certificates on domain controllers; issue the DC and LDAPS certificates from your Active Directory Certificate Services (AD CS) PKI and treat the CA as a Tier 0 system. Review the certificate templates: a template that lets the enrollee supply the subject name and allows client authentication can be used to obtain a certificate for any user, including domain administrators.
- Monitor certificate activity with Event ID 4886 (request received) and 4887 (certificate issued), plus 4888 (request denied) and 4898 (template loaded).
- Limit queries to the DC
- Regular users cannot be fully prevented from enumerating AD, because LDAP reads are what authenticated users are allowed to do by design, but you can remove what they do not need (restrict who can read sensitive attributes and group memberships, keep secrets out of descriptions) and watch for enumeration commands run by ordinary users, such as:
Get-ADUser -Filter *
- Enable logging of expensive and inefficient LDAP queries with Event ID 1644 (NTDS diagnostics "15 Field Engineering" set to 5, with the search-time and result-count thresholds configured under the NTDS\Parameters registry key).
- Kerberos Ticket Granting Ticket (TGT) protection
- Enable AES for Kerberos on accounts. Set-ADAccountControl has no encryption-type parameter; the supported encryption types are set with Set-ADUser (or Set-ADComputer):
Set-ADUser -Identity Administrator -KerberosEncryptionType "AES128,AES256"
- Reduce the TGT lifetime (Kerberos policy: "Maximum lifetime for user ticket", 10 hours by default) to shorten the window in which a stolen ticket is usable.
- Use the Protected Users group
- Add critical accounts to the "Protected Users" group to prevent NTLM, weak Kerberos ciphers and cached credentials from being used with them:
Add-ADGroupMember -Identity "Protected Users" -Members "Administrator"
Never add service or computer accounts to the group, test with one account first, and keep at least one break-glass administrator outside it, because members cannot authenticate at all where only NTLM or RC4 is available.
- Restrict accounts with reversible passwords
- Check for accounts that store their password with reversible encryption:
Get-ADUser -Filter {AllowReversiblePasswordEncryption -eq $true}
- Disable storage of reversible passwords via GPO. Path:
Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy → Store passwords using reversible encryption → Disabled
Changing the policy does not re-encrypt passwords already stored that way; the affected accounts must change their password once.
- Schedule a KRBTGT account password reset
- Reset the password of the KRBTGT account twice, the second time after the maximum TGT lifetime has elapsed (10 hours by default; this article uses 11 hours), so that tickets forged with the old key (Golden Tickets) become invalid. Two resets are needed because the KDC accepts tickets encrypted with the previous key as well as the current one. Reset-ADServiceAccountPassword only works for managed service accounts; krbtgt is an ordinary (disabled) user account, so use:
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (Read-Host -AsSecureString "New krbtgt password")
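Added example (not from the original article): the double reset as a function that generates a random password, forces replication so no DC keeps issuing tickets under the old key, and reports PasswordLastSet so the timing of the second run can be verified. RODC krbtgt accounts are handled at the end. Assumes the ActiveDirectory module, Domain Admin rights and repadmin on the path.

```powershell
# Added example: krbtgt reset with replication push and verification. Run from a DC or admin host.
Import-Module ActiveDirectory

function Reset-KrbtgtPassword {
    param([string] $Identity = 'krbtgt')

    # The value of the password is irrelevant (nothing ever types it); only its randomness matters.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $pw

    # Push the change to every DC (all partitions, enterprise-wide, push mode).
    $pdc = (Get-ADDomain).PDCEmulator
    & repadmin.exe /syncall $pdc /AdeP | Out-Null

    (Get-ADUser -Identity $Identity -Properties PasswordLastSet).PasswordLastSet
}

$first = Reset-KrbtgtPassword
"First reset at $first. Run the second reset after the maximum TGT lifetime (10 h by default) has passed."

# Second run, at least 10 hours later (11 h in this article). Doing it sooner invalidates every
# outstanding TGT at once and causes a wave of authentication failures.
#   Reset-KrbtgtPassword

# Each RODC has its own krbtgt_<id> account with its own key; reset those separately.
#   Get-ADUser -Filter 'SamAccountName -like "krbtgt_*"' |
#       ForEach-Object { Reset-KrbtgtPassword -Identity $_.SamAccountName }
```

Do the first reset only after replication is healthy (repadmin /replsummary clean): a DC that has not received the new key keeps issuing tickets the others will reject, which looks exactly like an outage.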
These advanced measures go beyond routine hardening and can markedly improve the security of your domain controllers by reducing the attack surface.
The most important are:
- Removing SeDebugPrivilege and other dangerous privileges
- Preventing unauthorized remote access and disabling unnecessary services
- Protecting the NTDS.dit database with BitLocker and advanced monitoring
- Monitoring abnormal activity with event logs and a SIEM
- Limiting LDAP queries, privileged group changes and the use of certificates
Are you familiar with the Microsoft Security Compliance Toolkit? It packages the security baselines Microsoft publishes (GPO backups for Windows Server, including a Domain Controller baseline) together with the tools to compare and apply them: Policy Analyzer to diff a baseline against your current GPOs and LGPO.exe to import it. A baseline is a set of recommended configuration settings chosen for their security impact and, as with many Microsoft products, based on feedback from Microsoft's security engineering teams, product groups, partners and customers.
Is that all you need? Absolutely not. What makes the difference is a thorough knowledge of your own infrastructure: knowing what is in use and what can be disabled because it is not. Culture, awareness and control!
Conclusion
Domain controller hardening is an ongoing and critical process for the security of your company's IT infrastructure. Implementing the best practices described, from rigorous privilege management to credential protection and active monitoring, can significantly reduce the risk of intrusions and targeted attacks.
However, Active Directory security cannot rely on static configuration alone: new approaches must be adopted, security policies updated continuously, suspicious activity monitored and new threats responded to. Investing in domain controller protection means protecting the entire IT environment. Only a strong hardening strategy combined with careful management builds a resilient infrastructure able to face complex cybersecurity challenges. We hope you found this article helpful 😉