
Active Directory Security & Best Practices Guide: Complete Security Hardening [2026]


Active Directory security is critical for enterprise protection: around 90% of Fortune 1000 companies run Active Directory, which makes it a prime target for attackers. This comprehensive guide covers the threat landscape, security hardening, authentication protection, access control, monitoring, and compliance strategies to secure your AD infrastructure.

Whether you’re a security professional hardening AD, a system administrator implementing best practices, or an IT manager ensuring compliance, this guide provides actionable strategies to protect your Active Directory environment from modern threats.

Table of Contents

  1. Active Directory Threat Landscape
  2. Security Fundamentals
  3. Authentication Security
  4. Access Control & Least Privilege
  5. Privileged Access Management (PAM)
  6. Password Policies & Management
  7. Group Policy Security
  8. Monitoring & Auditing
  9. Domain Controller Hardening
  10. Network Security
  11. Zero Trust Implementation
  12. Compliance & Standards
  13. Incident Response
  14. Best Practices Summary
  15. Frequently Asked Questions

Active Directory Threat Landscape

Why Active Directory is Targeted

Active Directory represents the keys to the kingdom in enterprise environments:

  • Single Point of Control: Compromising AD gives attackers access to all domain resources
  • Privileged Accounts: Domain Admins have unrestricted access across the network
  • Trust Relationships: Attackers can pivot between domains and forests
  • Persistence: Attackers establish long-term access through AD backdoors
  • Lateral Movement: AD enables attackers to move freely across the network

Statistics (widely cited industry figures; the detection-time and cost numbers are averages for data breaches in general, not for AD specifically):

  • Roughly 90% of security breaches are reported to involve Active Directory at some stage
  • Time for attackers to reach full AD compromise after initial access: often under 48 hours
  • Average time to identify and contain a breach: 280 days (IBM Cost of a Data Breach, 2020)
  • Average cost of a data breach: $4.35 million (IBM Cost of a Data Breach, 2022)

Common Attack Vectors

1. Credential Theft

Pass-the-Hash (PtH):

  • Attackers steal NTLM hashes from memory
  • Use hashes directly without cracking passwords
  • Tools: Mimikatz, Windows Credential Editor

Pass-the-Ticket (PtT):

  • Steal Kerberos tickets from memory
  • Use tickets to authenticate to services
  • Tools: Rubeus, Mimikatz

Kerberoasting:

  • Request service tickets for accounts with SPNs
  • Crack tickets offline to recover service account passwords
  • Targets accounts with weak passwords

AS-REP Roasting:

  • Send an AS-REQ for an account that has Kerberos preauthentication disabled; the KDC answers with an AS-REP whose encrypted part is derived from the account's password without ever verifying the requester
  • Targets accounts with “Do not require Kerberos preauthentication” set (find them with Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true})
  • Crack the encrypted part offline (Rubeus asreproast, Impacket GetNPUsers)

2. Privilege Escalation

AdminSDHolder Abuse:

  • Modify AdminSDHolder ACL to grant persistent permissions
  • Permissions propagate to protected groups

DCSync Attack:

  • Uses the directory replication protocol (MS-DRSR) to ask a DC for account secrets the way a replication partner would; no code runs on the DC itself
  • Requires the “Replicating Directory Changes” and “Replicating Directory Changes All” rights on the domain object (held by default by Domain Admins, Enterprise Admins, Administrators and DC computer accounts); audit who else holds them
  • Tools: Mimikatz (lsadump::dcsync), Impacket secretsdump

GPO Abuse:

  • Modify Group Policy to execute malicious code
  • Deploy malware through GPO software installation
  • Requires GPO edit rights

3. Persistence Mechanisms

Golden Ticket:

  • Forge Kerberos TGT with stolen KRBTGT hash
  • Unlimited domain access for years (until KRBTGT password reset)

Silver Ticket:

  • Forge service tickets for specific services
  • Harder to detect than Golden Tickets

Skeleton Key:

  • Patch the LSASS process on a domain controller in memory (Mimikatz misc::skeleton) so that an attacker-chosen second password is accepted for every account alongside the real one
  • Requires Domain Admin level access to the DC and does not survive a reboot, but changes no objects in the directory; LSA protection (RunAsPPL) makes the patch considerably harder

DCShadow:

  • Register rogue domain controller
  • Replicate malicious changes to legitimate DCs

4. Reconnaissance and Sensitive Data Discovery

AD Reconnaissance (any authenticated domain user can read most of the directory by default):

  • BloodHound: Maps AD permissions and attack paths
  • PowerView: Enumerates AD objects and relationships
  • ADRecon: Comprehensive AD documentation

Sensitive Data Discovery:

  • Group Policy Preferences passwords: MS14-025 stopped new cpassword values from being created, but existing ones in SYSVOL XML files remain readable and decryptable until they are removed
  • SYSVOL and NETLOGON shares: logon scripts with embedded credentials
  • LDAP queries for user attributes (email, phone, manager, and description fields that sometimes contain passwords)

Attack Kill Chain

Typical AD compromise progression:

  1. Initial Access: Phishing, compromised credentials, vulnerability exploitation
  2. Discovery: Enumerate AD structure, users, groups, computers
  3. Privilege Escalation: Kerberoasting, credential dumping, exploit misconfigurations
  4. Lateral Movement: Pass-the-Hash, RDP, PsExec, WMI
  5. Credential Harvesting: Mimikatz, LSASS dumping, SAM database
  6. Domain Admin Access: Escalate to Domain Admin or Enterprise Admin
  7. Persistence: Golden Ticket, backdoor accounts, malicious GPOs
  8. Exfiltration: Export AD database, sensitive files, intellectual property
  9. Impact: Ransomware, data destruction, business disruption

Security Fundamentals

Defense in Depth

Implement layered security controls:

Layer 1: Perimeter Security (Firewalls, IPS/IDS)
Layer 2: Network Segmentation (VLANs, subnets)
Layer 3: Endpoint Protection (AV, EDR, host firewalls)
Layer 4: Identity & Access (MFA, Conditional Access)
Layer 5: Application Security (Whitelisting, isolation)
Layer 6: Data Security (Encryption, DLP)
Layer 7: Monitoring & Response (SIEM, SOC)

Active Directory Layer:

  • Secure Domain Controllers
  • Harden authentication protocols
  • Implement least privilege
  • Enable comprehensive auditing
  • Monitor for anomalies

Least Privilege Principle

Never use Domain Admin for daily tasks:

❌ BAD: Domain Admin for routine administration
✅ GOOD: Delegated permissions for specific tasks

❌ BAD: Service accounts in Domain Admins
✅ GOOD: gMSA with minimal required permissions

❌ BAD: Developers with production AD access
✅ GOOD: Separate dev/test/prod environments

Tiered Administration Model:

  • Tier 0: Domain Controllers, AD databases, forest-level admins
  • Tier 1: Servers, server administrators
  • Tier 2: Workstations, help desk, end users

Rules:

  • Higher tier accounts NEVER log into lower tier systems
  • Lower tier admins CANNOT manage higher tier assets
  • Prevents credential theft from workstations

Security Baselines

Apply CIS benchmarks and Microsoft security baselines:

Windows Server and Domain Controller Baselines:

Microsoft publishes Member Server and Domain Controller baselines as GPO backups in the Security Compliance Toolkit. Import the DC baseline into its own GPO and link it to the Domain Controllers OU after testing:

# Apply security baseline GPO (-Path is where the toolkit's GPO backups were extracted)
Import-GPO -BackupGpoName "Windows Server 2022 DC Baseline" -Path "C:\Baselines" -TargetName "DC Security Baseline" -CreateIfNeeded

Key settings:

  • Disable SMBv1
  • Enable Credential Guard on member servers and workstations (it is not supported on domain controllers; LSA protection (RunAsPPL) is the DC-side control)
  • Configure Windows Defender
  • Harden RDP settings (require NLA, restrict who can log on through Remote Desktop Services)
  • Enable PowerShell logging
  • Configure Windows Firewall

Authentication Security

Kerberos Hardening

Disable RC4 Encryption:

RC4 is weak and vulnerable to attacks. Require AES:

# Set GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
# "Network security: Configure encryption types allowed for Kerberos"
# ✅ AES256_HMAC_SHA1
# ✅ AES128_HMAC_SHA1
# ✅ Future encryption types (leave checked)
# ❌ RC4_HMAC_MD5
# ❌ DES_CBC_CRC
# ❌ DES_CBC_MD5

Before removing RC4, audit for RC4 use (Event ID 4768/4769 with TicketEncryptionType 0x17) and confirm that every account has AES keys (passwords set after the domain reached the Windows Server 2008 functional level), every trust has AES enabled, and no third-party Kerberos clients or keytabs still require RC4. Per-account encryption types live in msDS-SupportedEncryptionTypes (Set-ADUser -KerberosEncryptionType AES128,AES256); a service account whose password predates AES support must have its password reset to get AES keys.

Configure Kerberos Policies:

Kerberos policy is a domain-wide setting that the KDC reads from the Default Domain Policy GPO; there is no "CN=Kerberos Policy,CN=System" object, so Set-ADObject is not the way to change it:

GPO (Default Domain Policy): Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy
- Enforce user logon restrictions: Enabled (default)
- Maximum lifetime for service ticket: 600 minutes (default)
- Maximum lifetime for user ticket: 10 hours (default)
- Maximum lifetime for user ticket renewal: 7 days (default)
- Maximum tolerance for computer clock synchronization: 5 minutes (default)

The defaults are reasonable: shortening ticket lifetimes mainly limits how long a stolen ticket stays usable at the cost of extra KDC load, and the KRBTGT reset procedure later in this guide assumes the 10-hour user ticket lifetime. Verify the effective values on a DC with:

secedit /export /cfg $env:TEMP\secpol.inf
Select-String -Path $env:TEMP\secpol.inf -Pattern "^Max(TicketAge|RenewAge|ServiceAge|ClockSkew)"

Disable Unconstrained Delegation:

Unconstrained delegation is dangerous: a server with it receives a copy of every connecting user's TGT and can impersonate that user to any service, so compromising that one server yields Domain Admin as soon as an administrator connects to it. Domain controllers have it by design; any other computer or user account with it should be fixed:

# Find computers and users with unconstrained delegation (domain controllers are expected in the first list)
Get-ADComputer -Filter {TrustedForDelegation -eq $true} | Select Name, DNSHostName
Get-ADUser -Filter {TrustedForDelegation -eq $true} | Select SamAccountName

# Remove unconstrained delegation
Set-ADComputer -Identity "COMPUTER01" -TrustedForDelegation $false

Use Constrained Delegation or Resource-Based Constrained Delegation instead.
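As an added example (not code from the original guide), the following PowerShell inventories every form of Kerberos delegation in the domain, not just the unconstrained case shown above: it also reports constrained delegation, the "use any authentication protocol" (protocol transition) variant, and resource-based constrained delegation, and it excludes domain controllers from the high-risk findings. It assumes the ActiveDirectory RSAT module and a domain-joined session; the server name and SPN in the remediation comments are placeholders.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-DelegationReport {
    [CmdletBinding()]
    param()

    # Domain controllers are trusted for delegation by design; flag unconstrained delegation only elsewhere.
    $dcNames = @(Get-ADDomainController -Filter * | ForEach-Object { $_.Name })

    # One LDAP query catches every delegation setting:
    #   userAccountControl bit 0x80000   -> unconstrained (TRUSTED_FOR_DELEGATION)
    #   userAccountControl bit 0x1000000 -> constrained with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION)
    #   msDS-AllowedToDelegateTo         -> constrained delegation target SPNs
    #   msDS-AllowedToActOnBehalfOfOtherIdentity -> resource-based constrained delegation (RBCD)
    $ldapFilter = '(&(|(objectClass=user)(objectClass=computer))' +
                  '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
                  '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
                  '(msDS-AllowedToDelegateTo=*)' +
                  '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)))'
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'

    foreach ($obj in Get-ADObject -LDAPFilter $ldapFilter -Properties $props) {
        $uac           = [int]$obj.userAccountControl
        $unconstrained = ($uac -band 0x80000) -ne 0
        $protoTrans    = ($uac -band 0x1000000) -ne 0
        $targets       = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $rbcd          = $null -ne $obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $isDc          = $dcNames -contains $obj.Name

        $risk = if ($unconstrained -and -not $isDc) { 'High: unconstrained delegation on a non-DC' }
                elseif ($unconstrained)             { 'Expected: domain controller' }
                elseif ($protoTrans)                { 'Medium: constrained delegation with protocol transition' }
                elseif ($targets.Count -gt 0)       { 'Low: constrained delegation, Kerberos only' }
                elseif ($rbcd)                      { 'Review: RBCD configured on this resource' }
                else                                { 'None' }

        [pscustomobject]@{
            Name               = $obj.Name
            ObjectClass        = $obj.ObjectClass
            Unconstrained      = $unconstrained
            ProtocolTransition = $protoTrans
            ConstrainedTo      = ($targets -join '; ')
            RBCD               = $rbcd
            Risk               = $risk
        }
    }
}

# Usage: show what needs action first.
Get-DelegationReport | Sort-Object Risk | Format-Table -AutoSize

# Remediation for a flagged application server (APP01 and the SPN are placeholders): clear the
# unconstrained flag, then, only if the server must delegate, constrain it to the specific SPNs.
# Set-ADComputer -Identity 'APP01' -TrustedForDelegation $false
# Set-ADComputer -Identity 'APP01' -Add @{'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.contoso.com:1433'}
```

Protocol transition is reported separately because a server that holds it can obtain tickets for users who never authenticated to it, which makes it almost as valuable to an attacker as unconstrained delegation. RBCD is listed for review rather than scored, since the risk depends on who is allowed to write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on that resource.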

Enable Kerberos Armoring (FAST):

Flexible Authentication Secure Tunneling (FAST) wraps the AS exchange in an armored channel keyed from the client computer's TGT, which protects preauthentication data from offline cracking and lets the KDC reject unarmored requests. It requires the Windows Server 2012 domain functional level, and both sides must be configured:

GPO (domain controllers): Computer Configuration > Policies > Administrative Templates > System > KDC
"KDC support for claims, compound authentication, and Kerberos armoring"
Set to: Supported (clients may armor) or "Fail unarmored authentication requests" (enforce; only after every client supports it)

GPO (clients and member servers): Computer Configuration > Policies > Administrative Templates > System > Kerberos
"Kerberos client support for claims, compound authentication and Kerberos armoring" = Enabled

NTLM Hardening

Audit NTLM Usage:

GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
"Network security: Restrict NTLM: Audit NTLM authentication in this domain"
Set to: Enable all

Review logs in Event Viewer: Applications and Services Logs > Microsoft > Windows > NTLM > Operational

Gradually Disable NTLM:

  1. Audit phase: Monitor NTLM usage for 30-90 days
  2. Identify dependencies: Update applications to use Kerberos
  3. Block selectively: Block NTLM for specific accounts/computers
  4. Full block: Completely disable NTLM (careful; test thoroughly!)

GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
"Network security: Restrict NTLM: NTLM authentication in this domain"
Options:
  - Deny all (highest security, may break legacy apps)
  - Deny for domain accounts
  - Deny for domain servers
  - Deny for domain accounts to domain servers

Applications that cannot be migrated yet are listed in "Network security: Restrict NTLM: Add server exceptions in this domain" so that the rest of the domain can move on without them.

Multi-Factor Authentication (MFA)

Implement MFA for privileged accounts:

Microsoft Entra ID (formerly Azure AD) with MFA (Hybrid):

  • Sync on-premises AD with Entra ID (Microsoft Entra Connect, formerly Azure AD Connect)
  • Enable Entra multifactor authentication
  • Conditional Access policies require MFA for admins
  • Note: this protects cloud sign-ins; on-premises interactive and RDP logons only get MFA through smart cards, Windows Hello for Business or FIDO2

Smart Cards / PIV:

  • Physical authentication
  • Certificate-based authentication
  • Requires PKI infrastructure

FIDO2 Security Keys:

  • Passwordless authentication
  • Hardware tokens (YubiKey, etc.)

Configuration:

Per account (the strongest option for admin accounts; the account's NT hash then never changes, so toggle the flag off and on periodically, or enable "Allow rolling of expiring NTLM secrets during logon" in the Domain Controllers policy, to rotate it):
Set-ADUser -Identity "admin-john.doe" -SmartcardLogonRequired $true

Per computer, for PAWs and jump hosts:
GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
"Interactive logon: Require Windows Hello for Business or smart card" (older builds: "Interactive logon: Require smart card") = Enabled

Access Control and Least Privilege

Delegation of Control

Delegate specific permissions instead of granting Domain Admin:

Example: Delegate password reset in specific OU:

# Create help desk group
New-ADGroup -Name "HelpDesk-PasswordReset" -GroupScope DomainLocal -GroupCategory Security

# Delegate password reset and unlock on user objects in the OU.
# /I:S applies each ACE to child objects only (user objects below the OU), not to the OU itself.
# "Reset Password" is the control access right; lockoutTime (write 0 to unlock) and pwdLastSet
# (write 0 to force a change at next logon) are the two attributes the help desk needs.
dsacls "OU=Users,DC=contoso,DC=com" /I:S /G "contoso\HelpDesk-PasswordReset:CA;Reset Password;user"
dsacls "OU=Users,DC=contoso,DC=com" /I:S /G "contoso\HelpDesk-PasswordReset:RPWP;lockoutTime;user"
dsacls "OU=Users,DC=contoso,DC=com" /I:S /G "contoso\HelpDesk-PasswordReset:RPWP;pwdLastSet;user"

# Verify: the group should hold exactly these three entries and nothing broader (no GenericAll, WriteDacl, WriteOwner)
dsacls "OU=Users,DC=contoso,DC=com" | findstr /i "HelpDesk-PasswordReset"

For comprehensive delegation examples, see our Dsacls Guide.
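Reading dsacls output by eye is error-prone, because object and inherited-object types appear as GUIDs. The following PowerShell is an added example (not from the original guide or the linked Dsacls Guide): it resolves those GUIDs against the schema and the Extended-Rights container and then lists exactly what a principal has been granted on an OU, so over-delegation shows up as a name such as GenericAll or WriteDacl. It assumes the ActiveDirectory RSAT module and the OU and group names used above.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory RSAT module and the
# OU and group names used in the dsacls commands above.
Import-Module ActiveDirectory

# Build a GUID -> name map from the schema (attributes and classes) and the Extended-Rights
# container (control access rights such as "Reset Password"), so ACEs read as names, not GUIDs.
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{ '00000000-0000-0000-0000-000000000000' = 'All' }
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    $map
}

function Get-DelegatedAces {
    param(
        [Parameter(Mandatory)][string]$OU,          # e.g. 'OU=Users,DC=contoso,DC=com'
        [Parameter(Mandatory)][string]$Principal    # e.g. 'CONTOSO\HelpDesk-PasswordReset'
    )
    $map = Get-AdGuidMap
    $acl = Get-Acl -Path "AD:\$OU"
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Principal } | ForEach-Object {
        $objType = $_.ObjectType.ToString()
        $inhType = $_.InheritedObjectType.ToString()
        [pscustomobject]@{
            Rights      = $_.ActiveDirectoryRights
            Type        = $_.AccessControlType
            ObjectType  = if ($map.ContainsKey($objType)) { $map[$objType] } else { $objType }
            AppliesTo   = if ($map.ContainsKey($inhType)) { $map[$inhType] } else { $inhType }
            Inheritance = $_.InheritanceType
            IsInherited = $_.IsInherited
        }
    }
}

# Expected for the delegation above: ExtendedRight "Reset Password" and ReadProperty, WriteProperty on
# lockoutTime and pwdLastSet, each applying to "user" objects with inheritance Descendents. Anything
# broader (GenericAll, WriteDacl, WriteOwner, or an ObjectType of "All") is over-delegation.
Get-DelegatedAces -OU 'OU=Users,DC=contoso,DC=com' -Principal 'CONTOSO\HelpDesk-PasswordReset' |
    Format-Table -AutoSize
```

Run the same function against every OU with a non-default owner or with known delegations as part of a quarterly review; ACEs that an attacker adds for persistence (typically GenericAll or WriteDacl for an unremarkable account) look exactly like over-generous delegation and are caught by the same check.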

Administrative Account Separation

Never use privileged accounts for email or web browsing:

Naming Convention:

  • Regular account: john.doe@contoso.com
  • Admin account: john.doe-admin@contoso.com or admin-john.doe

Configuration:

  • Admin accounts: No email, no internet access
  • Admin accounts: “User cannot change password” unchecked
  • Admin accounts: “Account is sensitive and cannot be delegated”
  • Admin accounts: Membership in Protected Users group (when applicable)

Protected Users Security Group

Automatically enforces security for member accounts:

Protections:

  • Cannot authenticate with NTLM, Digest or CredSSP; LSASS does not cache the plaintext password or NTLM hash
  • Cannot use DES or RC4 in Kerberos preauthentication; AES keys are required
  • Cannot be delegated with unconstrained or constrained delegation
  • TGTs valid for only 4 hours (instead of 10) and cannot be renewed
  • Cannot log on with cached credentials (no offline logon, so unsuitable for laptop admin accounts)

The domain-side protections require the Windows Server 2012 R2 domain functional level; the client-side ones need Windows 8.1 / Server 2012 R2 or later on the host.

Add privileged accounts:

Add-ADGroupMember -Identity "Protected Users" -Members "admin-john.doe", "admin-jane.smith"

⚠️ Test first: anything that still depends on NTLM, RC4 or delegation will stop working for these accounts. Do not add service or computer accounts, and keep at least one break-glass account outside the group.
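The Protected Users membership, the "Account is sensitive" flag and the admin-account rules in the previous section are easy to configure once and then drift. The following PowerShell is an added example (not from the original guide) that audits every user in the Tier 0 groups against those rules and reports the gaps; it assumes the ActiveDirectory RSAT module, a domain whose PDC emulator supports the Protected Users group, and a group list that you extend with your own admin groups. The account name in the remediation comments is a placeholder.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory RSAT module and a
# domain whose PDC emulator supports the Protected Users group (Windows Server 2012 R2 or later).
Import-Module ActiveDirectory

function Get-Tier0AccountHygiene {
    [CmdletBinding()]
    param(
        # Groups treated as Tier 0; add forest- or organisation-specific admin groups here.
        [string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                   'Administrators', 'Account Operators', 'Backup Operators')
    )

    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   ForEach-Object { $_.distinguishedName })
    $seen = @{}

    foreach ($group in $Tier0Groups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            if ($seen.ContainsKey($m.distinguishedName)) { continue }   # report each account once
            $seen[$m.distinguishedName] = $true

            $u = Get-ADUser -Identity $m.distinguishedName -Properties AccountNotDelegated,
                    DoesNotRequirePreAuth, ServicePrincipalName, PasswordNeverExpires,
                    PasswordLastSet, LastLogonDate

            $findings = @()
            if ($protected -notcontains $u.DistinguishedName) { $findings += 'Not in Protected Users' }
            if (-not $u.AccountNotDelegated)           { $findings += 'Account is sensitive and cannot be delegated: not set' }
            if ($u.DoesNotRequirePreAuth)              { $findings += 'Kerberos preauthentication disabled (AS-REP roastable)' }
            if (@($u.ServicePrincipalName).Count -gt 0) { $findings += 'Has SPN (Kerberoastable privileged account)' }
            if ($u.PasswordNeverExpires)               { $findings += 'Password never expires' }
            if ($u.PasswordLastSet -lt (Get-Date).AddDays(-365)) { $findings += 'Password older than one year' }

            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Group          = $group
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                Findings       = ($findings -join '; ')
            }
        }
    }
}

# Usage: list only accounts with at least one finding.
Get-Tier0AccountHygiene | Where-Object Findings | Format-Table -AutoSize

# Remediation for a flagged account (name is a placeholder). Test first: Protected Users members
# cannot use NTLM, RC4, delegation or cached logons, so a laptop-bound admin account would break.
# Set-ADUser -Identity 'admin-john.doe' -AccountNotDelegated $true
# Add-ADGroupMember -Identity 'Protected Users' -Members 'admin-john.doe'
```

Accounts that show "Has SPN" together with membership in a Tier 0 group are the most urgent finding: a single Kerberoasted service ticket for such an account is a direct path to Domain Admin, so either remove the SPN or move the service to a gMSA.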


Privileged Access Management (PAM)

Just-in-Time (JIT) Administration

Temporary privilege elevation:

Microsoft Identity Manager (MIM) PAM:

  • Request elevated permissions for limited time
  • Approval workflow
  • Automatic revocation after time window

Azure AD Privileged Identity Management (PIM):

  • Cloud-based JIT for Azure and Microsoft 365
  • Requires justification for activation
  • MFA enforced for activation
  • Comprehensive audit logging

Example workflow:

  1. User requests Domain Admin access for 2 hours
  2. Manager approves request
  3. User activated into Domain Admins group
  4. User performs administrative task
  5. After 2 hours, membership automatically removed

Privileged Access Workstations (PAWs)

Dedicated hardened workstations for administrative tasks:

PAW Configuration:

  • Clean Windows installation
  • No email, web browsing, or productivity apps
  • Application whitelisting (only admin tools)
  • Network isolation (dedicated management VLAN)
  • Regular rebuilds (monthly)
  • VPN/Jump server access to production

Software allowed on PAW:

  • ✅ Remote Desktop Connection
  • ✅ Active Directory tools (ADUC, GPMC)
  • ✅ PowerShell ISE
  • ✅ Sysinternals tools
  • ✅ Server management consoles
  • ❌ Microsoft Office
  • ❌ Web browsers (except edge cases)
  • ❌ Email clients
  • ❌ Third-party productivity tools

Password Policies and Management

Fine-Grained Password Policies (FGPP)

Apply different password policies to different user groups:

# Create password policy for privileged accounts.
# Precedence: the lowest number wins when several PSOs apply to the same user.
# LockoutThreshold 3: a low threshold also lets an attacker lock administrators out on purpose,
# so pair it with alerting on Event ID 4740 (account locked out) rather than lowering it further.
New-ADFineGrainedPasswordPolicy -Name "Privileged-Users-PSO" `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge "30.00:00:00" `
    -MinPasswordAge "1.00:00:00" `
    -ComplexityEnabled $true `
    -LockoutThreshold 3 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false

# Apply to groups. PSOs only take effect for users and global security groups; Enterprise Admins
# is a universal group, so assign a global group (Tier0-Admins here is a placeholder) that holds
# those accounts instead.
Add-ADFineGrainedPasswordPolicySubject -Identity "Privileged-Users-PSO" -Subjects "Domain Admins", "Tier0-Admins"

# Verify which policy actually applies to an account (a PSO overrides the Default Domain Policy)
Get-ADUserResultantPasswordPolicy -Identity "admin-john.doe"

Recommended Policies:

User Type             Min Length   Complexity   Max Age   Lockout
Regular Users         12 chars     Enabled      90 days   5 attempts
Privileged Accounts   20 chars     Enabled      30 days   3 attempts
Service Accounts      30+ chars    Enabled      Never     None (use gMSA)

Group Managed Service Accounts (gMSA)

Automatic password management for service accounts:

Benefits:

  • 240-character random passwords
  • Automatic 30-day password rotation
  • No manual password management
  • Works with scheduled tasks, IIS, SQL Server

Create gMSA:

# Create KDS root key (one-time, forest-level). In production use -EffectiveImmediately and then
# wait 10 hours so every DC has replicated the key; backdating with AddHours(-10) is for labs only.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

# Create gMSA. The principals allowed to retrieve the password are normally a group of computer
# accounts ("WebServers"); a single host can be named directly as "WEB01$".
New-ADServiceAccount -Name "svc-WebApp" `
    -DNSHostName "svc-webapp.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebServers"

# On each server: needs the RSAT AD PowerShell module, and the server must already be a member of
# WebServers (reboot after adding it so its computer token carries the group).
Install-ADServiceAccount -Identity "svc-WebApp"
Test-ADServiceAccount -Identity "svc-WebApp"   # returns True when this host can retrieve the password

# Configure service to use gMSA
# Account name: CONTOSO\svc-WebApp$
# Password: <blank>

Monitoring and Auditing

Enable Advanced Audit Policies

Configure comprehensive auditing:

GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies

Critical events to audit:

Category                     Events             Why
Account Logon                Success, Failure   Track authentication attempts (Kerberos 4768/4769/4771, NTLM 4776)
Account Management           Success, Failure   User/group creation, modification, membership changes
Directory Service Access     Failure            Unauthorized AD object access; Success is very noisy and is only worth it on the replication rights (DCSync, 4662)
Directory Service Changes    Success            Before/after values of AD object changes (5136, 5137, 5141)
Logon/Logoff                 Success, Failure   Interactive and remote logons (4624/4625, 4672)
Object Access                Failure            Unauthorized access attempts
Policy Change                Success            GPO and security policy modifications
Privilege Use                Success, Failure   Use of sensitive privileges (4673/4674)
System                       Success, Failure   System startups, shutdowns, security subsystem events

Enable additional logging:

# Enable PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational)
GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
"Turn on PowerShell Script Block Logging" = Enabled

# Enable command line process auditing (adds the command line to Event ID 4688; the event itself
# requires Advanced Audit Policy > Detailed Tracking > Audit Process Creation = Success)
GPO: Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation
"Include command line in process creation events" = Enabled

Monitor for Suspicious Activity

Key indicators of compromise (IoCs):

  1. Unusual logon patterns:

    • Logins from multiple locations simultaneously
    • Off-hours logins for privileged accounts
    • Service accounts with interactive logins
  2. Privileged group changes:

    • Unexpected additions to Domain Admins
    • New Enterprise Admins members
    • Changes to AdminSDHolder
  3. Kerberos anomalies:

    • Kerberos ticket encryption downgrade (RC4 instead of AES)
    • Unusual SPN requests (Kerberoasting)
    • Ticket granting tickets from unexpected sources
  4. LDAP queries:

    • Enumeration of all users/computers
    • BloodHound-style queries
    • Large result sets from single queries

SIEM Integration:

Forward Windows Event Logs to SIEM:

  • Splunk
  • Azure Sentinel
  • Elastic Stack
  • QRadar

Create alerts for:

  • Event ID 4728: Member added to security-enabled global group
  • Event ID 4732: Member added to security-enabled local group
  • Event ID 4756: Member added to security-enabled universal group
  • Event ID 4625: Failed logon attempts
  • Event ID 4672: Special privileges assigned to new logon
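The alerts above are single-event rules. The Kerberos anomalies listed earlier (RC4 ticket requests, bursts of SPN requests) only become a Kerberoasting signal once several 4769 events are correlated by requester. The following PowerShell is an added example (not from the original guide) that parses Security-log XML, flags one requester pulling RC4 service tickets for several distinct non-computer accounts within a short window, and separately lists additions to Tier 0 groups. The events it runs on are constructed samples; the threshold and window are assumed starting points to tune, and the final comment shows how to feed it live events from Get-WinEvent.

```powershell
# Added example, not part of the original guide. The events below are constructed samples in the
# Security-log XML format; the thresholds are assumed starting points, not Microsoft guidance.

function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $e = ([xml]$Xml).Event
    $id = $e.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
    $data = @{}
    foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId  = [int]$id
        Time     = [datetime]$e.System.TimeCreated.SystemTime
        Computer = $e.System.Computer
        Data     = $data
    }
}

function Find-KerberoastingActivity {
    param([Parameter(Mandatory)][object[]]$Events,
          [int]$DistinctServiceThreshold = 3,   # assumed tuning value
          [int]$WindowMinutes = 10)
    # 4769 TGS requests for RC4 tickets (0x17 RC4-HMAC, 0x18 RC4-HMAC-EXP) to non-computer service
    # accounts; computer accounts ('NAME$') and krbtgt are excluded because their keys are not
    # practically crackable.
    $rc4 = '0x17', '0x18'
    $hits = $Events | Where-Object {
        $_.EventId -eq 4769 -and $_.Data['Status'] -eq '0x0' -and
        $rc4 -contains $_.Data['TicketEncryptionType'] -and
        $_.Data['ServiceName'] -notlike '*$' -and $_.Data['ServiceName'] -ne 'krbtgt'
    }
    $hits | Group-Object { $_.Data['TargetUserName'] + ' from ' + $_.Data['IpAddress'] } | ForEach-Object {
        $services = @($_.Group | ForEach-Object { $_.Data['ServiceName'] } | Sort-Object -Unique)
        $times    = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
        if ($services.Count -ge $DistinctServiceThreshold -and
            ($times[-1] - $times[0]).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{ Requester = $_.Name; Services = ($services -join ', ')
                               Requests = $_.Count; First = $times[0]; Last = $times[-1] }
        }
    }
}

function Find-PrivilegedGroupChanges {
    param([Parameter(Mandatory)][object[]]$Events,
          [string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    # 4728 / 4732 / 4756: member added to a global / local / universal security group.
    $Events | Where-Object { ($_.EventId -in @(4728, 4732, 4756)) -and ($Tier0Groups -contains $_.Data['TargetUserName']) } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.Time; EventId = $_.EventId; Group = $_.Data['TargetUserName']
                               Member = $_.Data['MemberName']; AddedBy = $_.Data['SubjectUserName'] }
        }
}

# Constructed sample events: one requester pulling RC4 tickets for three service accounts within
# two minutes, a normal request for a computer account, and an addition to Domain Admins.
function New-SampleEventXml([int]$Id, [datetime]$Time, [hashtable]$Data) {
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name=""$($_.Key)"">$($_.Value)</Data>" }) -join ''
    "<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event""><System>" +
    "<Provider Name=""Microsoft-Windows-Security-Auditing""/><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime=""$($Time.ToString('o'))""/><Computer>DC01.contoso.com</Computer></System>" +
    "<EventData>$fields</EventData></Event>"
}
$t   = [datetime]'2025-01-15T02:10:00Z'
$tgs = @{ TargetUserName = 'john.doe@CONTOSO.COM'; IpAddress = '::ffff:10.0.0.25'; TicketEncryptionType = '0x17'; Status = '0x0' }
$sampleXml = @(
    New-SampleEventXml 4769 $t               ($tgs + @{ ServiceName = 'svc-sql' })
    New-SampleEventXml 4769 $t.AddMinutes(1) ($tgs + @{ ServiceName = 'svc-web' })
    New-SampleEventXml 4769 $t.AddMinutes(2) ($tgs + @{ ServiceName = 'svc-backup' })
    New-SampleEventXml 4769 $t.AddMinutes(3) ($tgs + @{ ServiceName = 'FILE01$' })
    New-SampleEventXml 4728 $t.AddMinutes(5) @{ TargetUserName = 'Domain Admins'; MemberName = 'CN=svc-backup,OU=Service,DC=contoso,DC=com'; SubjectUserName = 'john.doe' }
)
$events = $sampleXml | ForEach-Object { ConvertFrom-SecurityEventXml $_ }
Find-KerberoastingActivity -Events $events | Format-List       # one finding: john.doe, 3 services
Find-PrivilegedGroupChanges -Events $events | Format-Table -AutoSize

# Live use on a DC (last hour); the same two functions then run over real events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769, 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() }
```

The computer-account request (FILE01$) is deliberately left out of the finding: machine accounts have long random passwords, so RC4 tickets for them are not a cracking target, and including them would bury the real signal. Once RC4 has been removed domain-wide, drop the encryption-type filter and alert on the burst pattern alone.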

Domain Controller Hardening

Physical and Network Security

Protect Domain Controllers:

  • Physical: Locked server rooms, restricted access
  • Network: Dedicated management VLAN, firewall rules
  • Backup: Offline backups, tested recovery procedures
  • Monitoring: 24/7 monitoring, alerts for anomalies

Required Firewall Ports (inbound to DC, from clients and other DCs):

  • 88 (TCP/UDP): Kerberos
  • 464 (TCP/UDP): Kerberos password change (kpasswd)
  • 389 (TCP/UDP): LDAP (UDP is used by CLDAP for DC location)
  • 636 (TCP): LDAPS
  • 3268 (TCP): Global Catalog
  • 3269 (TCP): Global Catalog SSL
  • 53 (TCP/UDP): DNS
  • 123 (UDP): NTP (Kerberos fails when clock skew exceeds 5 minutes)
  • 445 (TCP): SMB (SYSVOL/NETLOGON, Group Policy)
  • 135 (TCP): RPC Endpoint Mapper
  • 49152-65535 (TCP): Dynamic RPC (replication, Netlogon, SAM-R); can be pinned to fixed ports in the registry if the firewall needs it
  • 9389 (TCP): Active Directory Web Services (PowerShell AD module, ADAC)

Block unnecessary protocols (outbound from the DC):

  • ❌ 80/443 (HTTP/HTTPS) - No web browsing from DCs (allow only the update/WSUS destinations)
  • ❌ 25 (SMTP) - No email from DCs
  • ❌ 21 (FTP) - No file transfers

Patch Management

Critical: Keep DCs patched:

# Get-WindowsUpdate / Install-WindowsUpdate come from the community PSWindowsUpdate module
# (Install-Module PSWindowsUpdate), not from Windows itself; WSUS, ConfigMgr or sconfig are the alternatives.
# Check pending updates
Get-WindowsUpdate

# Install updates. -AutoReboot restarts the DC unattended; outside a maintenance window omit it
# and restart after confirming replication is healthy.
Install-WindowsUpdate -AcceptAll -AutoReboot

# Schedule a monthly patching window
# Patch DCs one at a time: non-FSMO DCs first, the FSMO role holders (PDC Emulator) last

Patching schedule:

  1. Test updates in lab environment
  2. Apply to secondary DCs
  3. Verify replication and services
  4. Apply to PDC Emulator
  5. Monitor for 24 hours

Zero Trust Implementation

Zero Trust Principles

“Never trust, always verify”:

  1. Verify explicitly: Authenticate and authorize based on all available data points
  2. Least privilege access: Limit user access with Just-In-Time and Just-Enough-Access
  3. Assume breach: Minimize blast radius, segment access, verify end-to-end encryption

Conditional Access Policies

Azure AD Conditional Access:

Policy: Block legacy authentication
- Users: All users
- Cloud apps: All cloud apps
- Conditions: Client apps = Other clients (legacy)
- Grant: Block access

Policy: Require MFA for admins
- Users: Directory role = Global Administrator
- Cloud apps: All cloud apps
- Grant: Require multi-factor authentication

Policy: Require compliant device
- Users: All users
- Cloud apps: Office 365
- Conditions: Device platforms = All
- Grant: Require device to be marked as compliant

Compliance and Standards

Regulatory Requirements

HIPAA (Healthcare):

  • Audit logging of all PHI access
  • Encryption of data at rest and in transit
  • Access controls and authentication
  • Regular security assessments

PCI DSS (Payment Cards):

  • Unique user IDs and strong authentication
  • Track and monitor all access to cardholder data
  • Regularly test security systems
  • Maintain access control lists

SOC 2 (SaaS/Cloud):

  • Logical access controls
  • Multi-factor authentication
  • Audit trail review
  • Change management processes

Best Practices Summary

Top 20 Active Directory Security Best Practices

  1. ✅ Implement tiered administration model (Tier 0/1/2)
  2. ✅ Enable MFA for all privileged accounts
  3. ✅ Use Protected Users group for sensitive accounts
  4. ✅ Deploy Privileged Access Workstations (PAWs)
  5. ✅ Separate admin accounts from regular accounts
  6. ✅ Disable NTLM where possible, require Kerberos
  7. ✅ Remove Domain Admins from daily tasks
  8. ✅ Use Group Managed Service Accounts (gMSA)
  9. ✅ Enable comprehensive audit logging
  10. ✅ Monitor for suspicious activity with SIEM
  11. ✅ Apply security baselines (CIS, Microsoft)
  12. ✅ Disable legacy protocols (SMBv1, LM/NTLMv1)
  13. ✅ Implement Just-in-Time administration
  14. ✅ Regular security assessments (quarterly)
  15. ✅ Patch Domain Controllers monthly
  16. ✅ Backup Active Directory regularly
  17. ✅ Test disaster recovery procedures annually
  18. ✅ Segment network (management VLAN for DCs)
  19. ✅ Enable Windows Defender on all systems
  20. ✅ Document security policies and procedures

Frequently Asked Questions

Q: What’s the most important Active Directory security control?

A: Protecting Domain Admins and privileged accounts. If attackers compromise Domain Admin credentials, they own your entire domain. Implement MFA, separate admin accounts, use tiered administration, and monitor privileged account usage.

Q: Should I disable the built-in Administrator account?

A: No, but treat it as a break-glass account. The built-in Administrator (RID 500) cannot be locked out, which makes it useful for emergency recovery and, for the same reason, a favourite target for password spraying. Renaming it adds little on its own because the RID 500 account can still be enumerated by SID; the controls that matter are a long random passphrase stored in an offline vault, "Account is sensitive and cannot be delegated", smart card or equivalent where your recovery procedure allows it, and alerting on every logon (4624/4625, 4672) for the account, since routine use of it should never occur.

Q: How do I detect if my Active Directory has been compromised?

A: Look for indicators of compromise:

  • Unexpected changes to Domain Admins or other privileged groups (Event ID 4728, 4732, 4756)
  • Unusual Kerberos activity or ticket requests
  • Logins from service accounts to workstations
  • BloodHound or PowerView reconnaissance tools
  • DCSync attack attempts (Event ID 4662 on the domain object with property GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, DS-Replication-Get-Changes, or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, DS-Replication-Get-Changes-All, from an account that is not a domain controller)
  • Golden Ticket usage (TGT requests with unusual encryption or from non-existent accounts)

Use a SIEM to correlate events and detect attack patterns.

Q: What is Kerberoasting and how do I prevent it?

A: Kerberoasting is an attack where attackers request Kerberos service tickets for accounts with Service Principal Names (SPNs), then crack the tickets offline to recover passwords.

Prevention:

  • Use Group Managed Service Accounts (gMSA) with 240-character auto-rotating passwords
  • Set 30+ character complex passwords for service accounts
  • Regularly audit SPNs: setspn -Q */*
  • Monitor for unusual SPN ticket requests (Event ID 4769)
  • Ensure service accounts are NOT members of privileged groups
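The following PowerShell is an added example (not from the original guide) that turns the prevention list above into an exposure report: it lists every user account with an SPN, reads its msDS-SupportedEncryptionTypes to tell whether an attacker can still obtain an RC4 ticket for it, checks password age and whether the account is privileged (adminCount), and lists AS-REP roastable accounts separately. It assumes the ActiveDirectory RSAT module; the 365-day threshold and the account name in the remediation comments are placeholders.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    [CmdletBinding()]
    param([int]$MaxPasswordAgeDays = 365)   # assumed threshold for "password too old"

    $props = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes',
             'adminCount', 'DoesNotRequirePreAuth', 'PasswordNeverExpires'

    # User objects (not computers) that carry an SPN; krbtgt is excluded because its key is the TGT key
    # and gMSAs do not appear because they are computer-class objects with random passwords.
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties $props | ForEach-Object {
        # msDS-SupportedEncryptionTypes bits: 0x1 DES-CRC, 0x2 DES-MD5, 0x4 RC4, 0x8 AES128, 0x10 AES256.
        # Unset (0) means the KDC applies its default, which on older domains is RC4.
        $enc = if ($null -ne $_.'msDS-SupportedEncryptionTypes') { [int]$_.'msDS-SupportedEncryptionTypes' } else { 0 }
        $aesOnly    = (($enc -band 0x18) -ne 0) -and (($enc -band 0x07) -eq 0)
        $pwAge      = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 }
        $privileged = ($_.adminCount -eq 1)

        $risk = if ($privileged -and -not $aesOnly)                      { 'Critical: privileged account, RC4 ticket obtainable' }
                elseif (-not $aesOnly -and $pwAge -gt $MaxPasswordAgeDays) { 'High: RC4 ticket obtainable, old password' }
                elseif (-not $aesOnly)                                   { 'Medium: RC4 ticket obtainable' }
                else                                                     { 'Low: AES only (still crackable if the password is weak)' }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            Privileged      = $privileged
            PasswordAgeDays = $pwAge
            NoPreAuth       = [bool]$_.DoesNotRequirePreAuth
            EncryptionTypes = $enc
            AesOnly         = $aesOnly
            SPNs            = (@($_.ServicePrincipalName) -join ', ')
            Risk            = $risk
        }
    }
}

# AS-REP roastable accounts need no SPN at all, so they are listed separately.
function Get-AsRepRoastable {
    Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true -and Enabled -eq $true } |
        Select-Object SamAccountName, DistinguishedName
}

Get-KerberoastExposure | Sort-Object Risk |
    Format-Table SamAccountName, Privileged, PasswordAgeDays, AesOnly, Risk -AutoSize
Get-AsRepRoastable

# Remediation for a flagged account (name is a placeholder): restrict it to AES and reset the
# password (the reset guarantees AES keys exist; 30+ random characters defeats offline cracking).
# If the account is privileged, remove the SPN or move the service to a gMSA instead.
# Set-ADUser -Identity 'svc-sql' -KerberosEncryptionType AES128, AES256
# Set-ADAccountPassword -Identity 'svc-sql' -Reset -NewPassword (Read-Host -AsSecureString 'New password')
# Set-ADUser -Identity 'svc-sql' -DoesNotRequirePreAuth $false
```

"AES only" lowers the risk rather than removing it: an AES service ticket is still crackable offline, just far more slowly, so the password length in the recommended policy table remains the real control.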

Q: What’s a Golden Ticket attack?

A: A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created using the stolen KRBTGT account hash. With a Golden Ticket, attackers have unlimited domain access for years;until the KRBTGT password is reset twice.

Detection:

  • Monitor for TGTs with unusual encryption types
  • Look for tickets with impossibly long lifetimes
  • Check for TGTs issued from non-existent or retired DCs

Prevention:

  • Protect Domain Controllers (hardening, PAWs)
  • Reset KRBTGT password twice per year (carefully;test first!)
  • Implement zero trust;don’t rely solely on Kerberos tickets

Q: How often should I reset the KRBTGT password?

A: At least twice per year as part of routine maintenance. Immediately if you suspect compromise.

Critical: Reset twice, at least 10 hours apart (one maximum TGT lifetime), to invalidate every ticket issued under the old key:

  1. First reset: the new key becomes current; the KDC still accepts tickets encrypted with the previous key, so nothing breaks
  2. Wait 10+ hours (the maximum user ticket lifetime) and confirm the change has replicated to every DC
  3. Second reset: the original key drops out of the two-key history, so any Golden Ticket forged with it, and any stale TGT issued under it, is rejected

Use Microsoft's New-KrbtgtKeys.ps1 script (published on GitHub), which checks replication between the two resets, rather than a bare Set-ADAccountPassword. Two resets back to back force every user and service to re-authenticate and can break long-running sessions, so do not skip the wait.
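The two conditions that make the second reset safe, elapsed TGT lifetime and completed replication, are checkable. The following PowerShell is an added example (not the Microsoft script and not from the original guide) that reports both, and wraps the reset itself in a confirmation prompt so it cannot run by accident. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the 10-hour figure is the default maximum TGT lifetime and is assumed rather than read from the GPO.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory RSAT module and
# Domain Admin rights; 10 hours is the default maximum TGT lifetime, not read from the GPO.
Import-Module ActiveDirectory

function Test-KrbtgtResetReadiness {
    [CmdletBinding()]
    param([int]$MaxTicketAgeHours = 10)

    $pdc    = (Get-ADDomain).PDCEmulator
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $pdc
    $hours  = ((Get-Date) - $krbtgt.PasswordLastSet).TotalHours

    # The second reset is only safe once every DC has the first key (otherwise a lagging DC would
    # hold neither valid key) and every TGT issued under the original key has expired.
    $lagging = foreach ($dc in Get-ADDomainController -Filter *) {
        $onDc = Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $dc.HostName -ErrorAction SilentlyContinue
        if (-not $onDc -or $onDc.PasswordLastSet -ne $krbtgt.PasswordLastSet) { $dc.HostName }
    }

    [pscustomobject]@{
        PdcEmulator         = $pdc
        PasswordLastSet     = $krbtgt.PasswordLastSet
        HoursSinceReset     = [math]::Round($hours, 1)
        UnreplicatedDCs     = @($lagging)
        ReadyForSecondReset = ($hours -ge $MaxTicketAgeHours) -and (@($lagging).Count -eq 0)
    }
}

function Reset-KrbtgtPassword {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    # Nobody ever logs on with this password, so it is generated randomly and never recorded.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $new = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # Change it on the PDC emulator so the new key is authoritative while replication catches up.
    $pdc = (Get-ADDomain).PDCEmulator
    if ($PSCmdlet.ShouldProcess("krbtgt on $pdc", 'Reset password')) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $new -Server $pdc
        Test-KrbtgtResetReadiness
    }
}

# Procedure:
#   Reset-KrbtgtPassword          # first reset (prompts, because ConfirmImpact is High)
#   Test-KrbtgtResetReadiness     # repeat until ReadyForSecondReset is True (>= 10 h and no UnreplicatedDCs)
#   Reset-KrbtgtPassword          # second reset: TGTs issued under the original key are now rejected
```

If the readiness check keeps reporting a DC under UnreplicatedDCs, fix replication (repadmin /replsummary) before the second reset; forcing the second reset while a DC still holds only the original key makes that DC unable to validate any TGT.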

Q: What’s the difference between authentication and authorization in Active Directory?

A:

  • Authentication: Verifying identity (“Who are you?”) - Handled by Kerberos/NTLM
  • Authorization: Determining permissions (“What can you do?”) - Handled by ACLs, group memberships

Example: Authentication confirms you’re “john.doe@contoso.com”. Authorization determines whether you can access \\fileserver\finance based on group memberships and ACLs.

