
# Active Directory Security & Best Practices Guide: Complete Security Hardening [2026]


Active Directory security is critical for enterprise protection—90% of Fortune 1000 companies use Active Directory, making it a prime target for attackers. This comprehensive guide covers threat landscapes, security hardening, authentication protection, access control, monitoring, and compliance strategies to secure your AD infrastructure.

Whether you’re a security professional hardening AD, a system administrator implementing best practices, or an IT manager ensuring compliance, this guide provides actionable strategies to protect your Active Directory environment from modern threats.

## Table of Contents

  1. Active Directory Threat Landscape
  2. Security Fundamentals
  3. Authentication Security
  4. Access Control & Least Privilege
  5. Privileged Access Management (PAM)
  6. Password Policies & Management
  7. Group Policy Security
  8. Monitoring & Auditing
  9. Domain Controller Hardening
  10. Network Security
  11. Zero Trust Implementation
  12. Compliance & Standards
  13. Incident Response
  14. Best Practices Summary
  15. Frequently Asked Questions

## Active Directory Threat Landscape

### Why Active Directory is Targeted

Active Directory represents the keys to the kingdom in enterprise environments:

- **Single Point of Control**: Compromising AD gives attackers access to all domain resources
- **Privileged Accounts**: Domain Admins have unrestricted access across the network
- **Trust Relationships**: Attackers can pivot between domains and forests
- **Persistence**: Attackers establish long-term access through AD backdoors
- **Lateral Movement**: AD enables attackers to move freely across the network

**Statistics:**

- 90% of security breaches involve Active Directory exploitation
- Average time for attackers to compromise AD: 48 hours
- Average time to detect AD compromise: 280 days
- Cost of AD-related breach: $4.35 million (average)

### Common Attack Vectors

**1. Credential Theft**

**Pass-the-Hash (PtH)**:

- Attackers steal NTLM hashes from memory
- Use hashes directly without cracking passwords
- Tools: Mimikatz, Windows Credential Editor

**Pass-the-Ticket (PtT)**:

- Steal Kerberos tickets from memory
- Use tickets to authenticate to services
- Tools: Rubeus, Mimikatz

**Kerberoasting**:

- Request service tickets for accounts with SPNs
- Crack tickets offline to recover service account passwords
- Targets accounts with weak passwords

**AS-REP Roasting**:

- Request authentication without pre-authentication
- Targets accounts with "Do not require Kerberos preauthentication"
- Offline password cracking

**2. Privilege Escalation**

**AdminSDHolder Abuse**:

- Modify AdminSDHolder ACL to grant persistent permissions
- Permissions propagate to protected groups

**DCSync Attack**:

- Impersonate domain controller to request password hashes
- Requires "Replicating Directory Changes" permissions
- Tool: Mimikatz

**GPO Abuse**:

- Modify Group Policy to execute malicious code
- Deploy malware through GPO software installation
- Requires GPO edit rights

**3. Persistence Mechanisms**

**Golden Ticket**:

- Forge Kerberos TGT with stolen KRBTGT hash
- Unlimited domain access for years (until KRBTGT password reset)

**Silver Ticket**:

- Forge service tickets for specific services
- Harder to detect than Golden Tickets

**Skeleton Key**:

- Inject malicious authentication DLL into Domain Controller
- Allows backdoor password for all accounts

**DCShadow**:

- Register rogue domain controller
- Replicate malicious changes to legitimate DCs

**4. Data Exfiltration**

**AD Reconnaissance**:

- BloodHound: Maps AD permissions and attack paths
- PowerView: Enumerates AD objects and relationships
- ADRecon: Comprehensive AD documentation

**Sensitive Data Discovery**:

- Group Policy Preferences passwords (legacy, now patched)
- SYSVOL file shares with sensitive information
- LDAP queries for user attributes (email, phone, manager)

### Attack Kill Chain

Typical AD compromise progression:

1. **Initial Access**: Phishing, compromised credentials, vulnerability exploitation
2. **Discovery**: Enumerate AD structure, users, groups, computers
3. **Privilege Escalation**: Kerberoasting, credential dumping, exploit misconfigurations
4. **Lateral Movement**: Pass-the-Hash, RDP, PsExec, WMI
5. **Credential Harvesting**: Mimikatz, LSASS dumping, SAM database
6. **Domain Admin Access**: Escalate to Domain Admin or Enterprise Admin
7. **Persistence**: Golden Ticket, backdoor accounts, malicious GPOs
8. **Exfiltration**: Export AD database, sensitive files, intellectual property
9. **Impact**: Ransomware, data destruction, business disruption

## Security Fundamentals

### Defense in Depth

Implement layered security controls:

```text
Layer 1: Perimeter Security (Firewalls, IPS/IDS)
Layer 2: Network Segmentation (VLANs, subnets)
Layer 3: Endpoint Protection (AV, EDR, host firewalls)
Layer 4: Identity & Access (MFA, Conditional Access)
Layer 5: Application Security (Whitelisting, isolation)
Layer 6: Data Security (Encryption, DLP)
Layer 7: Monitoring & Response (SIEM, SOC)
```

**Active Directory Layer**:
- Secure Domain Controllers
- Harden authentication protocols
- Implement least privilege
- Enable comprehensive auditing
- Monitor for anomalies

### Least Privilege Principle

**Never use Domain Admin for daily tasks**:

```text
❌ BAD: Domain Admin for routine administration
✅ GOOD: Delegated permissions for specific tasks

❌ BAD: Service accounts in Domain Admins
✅ GOOD: gMSA with minimal required permissions

❌ BAD: Developers with production AD access
✅ GOOD: Separate dev/test/prod environments
```

**Tiered Administration Model**:
- **Tier 0**: Domain Controllers, AD databases, forest-level admins
- **Tier 1**: Servers, server administrators
- **Tier 2**: Workstations, help desk, end users

**Rules**:
- Higher tier accounts NEVER log into lower tier systems
- Lower tier admins CANNOT manage higher tier assets
- Prevents credential theft from workstations

### Security Baselines

Apply **CIS benchmarks** and **Microsoft security baselines**:

**Windows Server Baseline:**
- [Microsoft Security Compliance Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=55319)
- CIS Microsoft Windows Server Benchmark

**Domain Controller Baseline:**
```powershell
# Apply security baseline GPO (-CreateIfNeeded creates the target GPO if it does not exist yet)
Import-GPO -BackupGpoName "Windows Server 2022 DC Baseline" -Path "C:\Baselines" -TargetName "DC Security Baseline" -CreateIfNeeded

# Link the imported GPO to the Domain Controllers OU so it actually applies
New-GPLink -Name "DC Security Baseline" -Target "OU=Domain Controllers,DC=contoso,DC=com"
```

**Key settings:**
- Disable SMBv1
- Enable credential guard
- Configure Windows Defender
- Harden RDP settings
- Enable PowerShell logging
- Configure Windows Firewall

---

## Authentication Security

### Kerberos Hardening

**Disable RC4 Encryption**:

RC4 is weak and vulnerable to attacks. Require AES:

```text
GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
"Network security: Configure encryption types allowed for Kerberos"
✅ AES256_HMAC_SHA1
✅ AES128_HMAC_SHA1
❌ RC4_HMAC_MD5
❌ DES_CBC_CRC
❌ DES_CBC_MD5
```

**Configure Kerberos Policies**:

Kerberos policy is domain-wide and is read from the GPO linked at the domain root (by default the Default Domain Policy); there is no per-object attribute to set with `Set-ADObject`:

```text
GPO: Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy
Maximum lifetime for service ticket: 600 minutes (10 hours, default)
Maximum lifetime for user ticket: 10 hours (default)
Maximum lifetime for user ticket renewal: 7 days (default)
```

**Disable Unconstrained Delegation**:

Unconstrained delegation is dangerous: a server with this flag caches the TGT of every user who authenticates to it and can impersonate those users to any service in the domain:

```powershell
# Find computers with unconstrained delegation
# (domain controllers carry this flag by design; exclude them before remediating)
Get-ADComputer -Filter {TrustedForDelegation -eq $true} |
    Where-Object { $_.DistinguishedName -notlike "*OU=Domain Controllers,*" } |
    Select-Object Name, DNSHostName

# Remove unconstrained delegation from a specific computer
Set-ADComputer -Identity "COMPUTER01" -TrustedForDelegation $false
```

**Use Constrained Delegation or Resource-Based Constrained Delegation instead**.
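The check a reviewer would want before cleaning up delegation is an inventory of all three delegation types, not only the unconstrained flag. The script below is an added example (not from the original guide); it assumes the ActiveDirectory RSAT module and read access to the domain, and it identifies domain controllers by their `SERVER_TRUST_ACCOUNT` bit so they are never listed for remediation.

```powershell
# Delegation audit (added example, not from the original guide). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# userAccountControl bits used below
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller computer account
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# 1. Unconstrained delegation on any account (user or computer), excluding DCs,
#    which carry the flag by design and must keep it.
$unconstrained = Get-ADObject -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)(!(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT)))" `
    -Properties userAccountControl |
    Select-Object ObjectClass, Name, DistinguishedName

# 2. Constrained delegation: which services may each account impersonate users to?
#    Protocol transition ("use any authentication protocol") lets the service impersonate
#    a user without that user ever authenticating to it, so it deserves extra scrutiny.
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
    Select-Object Name, DistinguishedName,
        @{n='Targets';            e={ $_.'msDS-AllowedToDelegateTo' -join ', ' }},
        @{n='ProtocolTransition'; e={ [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) }}

# 3. Resource-based constrained delegation: which principals may delegate TO this resource?
#    The attribute is a security descriptor whose ACEs name the allowed front-end accounts.
$rbcd = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    ForEach-Object {
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        [PSCustomObject]@{
            Resource    = $_.Name
            AllowedFrom = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }

"Unconstrained delegation (DCs excluded): $(@($unconstrained).Count)"
$unconstrained | Format-Table -AutoSize
"Constrained delegation: $(@($constrained).Count)"
$constrained | Format-Table -AutoSize
"Resource-based constrained delegation: $(@($rbcd).Count)"
$rbcd | Format-Table -AutoSize

# Remediation for a confirmed unconstrained finding, after the owning team has moved the
# workload to constrained or resource-based delegation (review each object first):
# Set-ADComputer -Identity <name> -TrustedForDelegation $false
```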

**Enable Kerberos Armoring (FAST)**:

Flexible Authentication Secure Tunneling protects Kerberos preauthentication:

```text
KDC side (domain controllers):
GPO: Computer Configuration > Policies > Administrative Templates > System > KDC
"KDC support for claims, compound authentication, and Kerberos armoring"
Set to: Supported or Always provide claims

Client side (domain members), or armoring is never requested:
GPO: Computer Configuration > Policies > Administrative Templates > System > Kerberos
"Kerberos client support for claims, compound authentication and Kerberos armoring" = Enabled
```

### NTLM Hardening

**Audit NTLM Usage**:

```text
GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
"Network security: Restrict NTLM: Audit NTLM authentication in this domain"
Set to: Enable all
```

**Review logs** in Event Viewer: Applications and Services Logs > Microsoft > Windows > NTLM > Operational

**Gradually Disable NTLM**:

1. **Audit phase**: Monitor NTLM usage for 30-90 days
2. **Identify dependencies**: Update applications to use Kerberos
3. **Block selectively**: Block NTLM for specific accounts/computers
4. **Full block**: Completely disable NTLM (careful—test thoroughly!)

```text
GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
"Network security: Restrict NTLM: NTLM authentication in this domain"
Options:
- Deny all (highest security, may break legacy apps)
- Deny for domain accounts
- Deny for domain servers
- Deny for domain accounts to domain servers
```

### Multi-Factor Authentication (MFA)

**Implement MFA for privileged accounts**:

**Azure AD with MFA (Hybrid)**:
- Sync on-premises AD with Azure AD (Azure AD Connect)
- Enable Azure AD MFA
- Conditional Access policies require MFA for admins

**Smart Cards / PIV**:
- Physical authentication
- Certificate-based authentication
- Requires PKI infrastructure

**FIDO2 Security Keys**:
- Passwordless authentication
- Hardware tokens (YubiKey, etc.)

**Configuration**:
```text
GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
"Interactive logon: Require smart card" = Enabled
Per account: enable "Smart card is required for interactive logon" on the admin user object
```

---

## Access Control and Least Privilege

### Delegation of Control

**Delegate specific permissions instead of granting Domain Admin**:

**Example: Delegate password reset in specific OU**:

```powershell
# Create help desk group
New-ADGroup -Name "HelpDesk-PasswordReset" -GroupScope DomainLocal -GroupCategory Security

# Delegate password reset permission on user objects below the OU
# (/I:S applies the ACE to child objects of the named type; without it the ACE lands on the OU itself)
dsacls "OU=Users,DC=contoso,DC=com" /I:S /G "contoso\HelpDesk-PasswordReset:CA;Reset Password;user"
dsacls "OU=Users,DC=contoso,DC=com" /I:S /G "contoso\HelpDesk-PasswordReset:RPWP;lockoutTime;user"
dsacls "OU=Users,DC=contoso,DC=com" /I:S /G "contoso\HelpDesk-PasswordReset:RPWP;pwdLastSet;user"
```

For comprehensive delegation examples, see our [Dsacls Guide](/dsacls).

### Administrative Account Separation

**Never use privileged accounts for email or web browsing**:

**Naming Convention**:
- Regular account: `john.doe@contoso.com`
- Admin account: `john.doe-admin@contoso.com` or `admin-john.doe`

**Configuration**:
- Admin accounts: No email, no internet access
- Admin accounts: "User cannot change password" unchecked
- Admin accounts: "Account is sensitive and cannot be delegated"
- Admin accounts: Membership in Protected Users group (when applicable)

### Protected Users Security Group

Automatically enforces security for member accounts:

**Protections:**
- Cannot use NTLM authentication
- Cannot use DES or RC4 in Kerberos preauthentication
- Cannot be delegated with unconstrained or constrained delegation
- TGTs valid for only 4 hours (instead of 10)
- Credentials not cached locally

**Add privileged accounts**:
```powershell
Add-ADGroupMember -Identity "Protected Users" -Members "admin-john.doe", "admin-jane.smith"
```

**⚠️ Test first**: Some legacy applications may break.
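To verify that the admin-account rules above (no mailbox, "sensitive and cannot be delegated", Protected Users membership) actually hold for every privileged account, the following audit is an added example, not part of the original guide. It assumes the ActiveDirectory module; the group list and the 90-day staleness threshold are assumptions you should adjust, and the built-in Administrator (RID 500) is skipped for the Protected Users check because it is the break-glass account.

```powershell
# Privileged account hygiene check (added example, not from the original guide).
# Requires the ActiveDirectory module; run from the forest root domain for the forest-wide groups.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$staleDays = 90

# Members of Protected Users, resolved once for the membership comparison
$protectedUsers = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($group in $privilegedGroups) {
    # Enterprise/Schema Admins exist only in the forest root domain; skip groups that do not resolve
    try { $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop } catch { continue }
    foreach ($m in ($members | Where-Object objectClass -eq 'user')) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
            -Properties AccountNotDelegated, mail, PasswordNeverExpires, ServicePrincipalName, LastLogonDate, Enabled
        $issues = @()
        if (-not $u.AccountNotDelegated) { $issues += 'not marked "sensitive and cannot be delegated"' }
        # The built-in Administrator (RID 500) is the break-glass account and stays out of Protected Users
        if ($u.SID.Value -notlike '*-500' -and $protectedUsers -notcontains $u.DistinguishedName) {
            $issues += 'not in Protected Users'
        }
        if ($u.mail) { $issues += 'has a mail address (admin accounts should have no mailbox)' }
        if ($u.PasswordNeverExpires) { $issues += 'password never expires' }
        if ($u.ServicePrincipalName.Count -gt 0) { $issues += 'has an SPN (Kerberoastable privileged account)' }
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$staleDays)) {
            $issues += "no logon in $staleDays days (disable or remove)"
        }
        if ($issues.Count -gt 0) {
            [PSCustomObject]@{ Group = $group; Account = $u.SamAccountName; Issues = ($issues -join '; ') }
        }
    }
}
$findings | Sort-Object Group, Account | Format-Table -Wrap -AutoSize
```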

---

## Privileged Access Management (PAM)

### Just-in-Time (JIT) Administration

**Temporary privilege elevation**:

**Microsoft Identity Manager (MIM) PAM**:
- Request elevated permissions for limited time
- Approval workflow
- Automatic revocation after time window

**Azure AD Privileged Identity Management (PIM)**:
- Cloud-based JIT for Azure and Microsoft 365
- Requires justification for activation
- MFA enforced for activation
- Comprehensive audit logging

**Example workflow**:
1. User requests Domain Admin access for 2 hours
2. Manager approves request
3. User activated into Domain Admins group
4. User performs administrative task
5. After 2 hours, membership automatically removed

### Privileged Access Workstations (PAWs)

**Dedicated hardened workstations for administrative tasks**:

**PAW Configuration**:
- Clean Windows installation
- No email, web browsing, or productivity apps
- Application whitelisting (only admin tools)
- Network isolation (dedicated management VLAN)
- Regular rebuilds (monthly)
- VPN/Jump server access to production

**Software allowed on PAW**:
- ✅ Remote Desktop Connection
- ✅ Active Directory tools (ADUC, GPMC)
- ✅ PowerShell ISE
- ✅ Sysinternals tools
- ✅ Server management consoles
- ❌ Microsoft Office
- ❌ Web browsers (except edge cases)
- ❌ Email clients
- ❌ Third-party productivity tools

---

## Password Policies and Management

### Fine-Grained Password Policies (FGPP)

Apply different password policies to different user groups:

```powershell
# Create password policy for privileged accounts
# (when several PSOs apply to a user, the one with the LOWEST Precedence wins)
New-ADFineGrainedPasswordPolicy -Name "Privileged-Users-PSO" `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge "30.00:00:00" `
    -MinPasswordAge "1.00:00:00" `
    -ComplexityEnabled $true `
    -LockoutThreshold 3 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false

# Apply to group
Add-ADFineGrainedPasswordPolicySubject -Identity "Privileged-Users-PSO" -Subjects "Domain Admins", "Enterprise Admins"

# Verify which policy an account actually receives: Get-ADUserResultantPasswordPolicy -Identity <account>
```

**Recommended Policies**:

| User Type | Min Length | Complexity | Max Age | Lockout |
|-----------|------------|------------|---------|---------|
| Regular Users | 12 chars | Enabled | 90 days | 5 attempts |
| Privileged Accounts | 20 chars | Enabled | 30 days | 3 attempts |
| Service Accounts | 30+ chars | Enabled | Never | None (use gMSA) |

### Group Managed Service Accounts (gMSA)

**Automatic password management for service accounts**:

**Benefits:**
- 240-character random passwords
- Automatic 30-day password rotation
- No manual password management
- Works with scheduled tasks, IIS, SQL Server

**Create gMSA:**
```powershell
# Create KDS root key (one-time, forest-level). In production use -EffectiveImmediately and wait
# 10 hours for replication; the backdated -EffectiveTime below is a lab shortcut only.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

# Create gMSA. Allow password retrieval to a security group containing the computer accounts
# that run the service ("WebServers" is a group here), rather than to individual hosts.
New-ADServiceAccount -Name "svc-WebApp" `
    -DNSHostName "svc-webapp.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebServers"

# Install and verify on each server in the WebServers group
Install-ADServiceAccount -Identity "svc-WebApp"
Test-ADServiceAccount -Identity "svc-WebApp"   # True when this host can retrieve the password

# Configure service to use gMSA
# Account name: CONTOSO\svc-WebApp$
# Password: <blank>
```

---

## Monitoring and Auditing

### Enable Advanced Audit Policies

**Configure comprehensive auditing**:

```text
GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies
```

**Critical events to audit:**

| Category | Events | Why |
|----------|--------|-----|
| Account Logon | Success, Failure | Track authentication attempts |
| Account Management | Success | User/group creation, modification |
| Directory Service Access | Success, Failure | AD object access |
| Logon/Logoff | Success, Failure | Interactive and remote logins |
| Object Access | Failure | Unauthorized access attempts |
| Policy Change | Success | GPO and security policy modifications |
| Privilege Use | Success, Failure | Use of privileged rights |
| System | Success, Failure | System startups, shutdowns |

**Enable additional logging**:

```text
# Enable PowerShell script block logging
GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
"Turn on PowerShell Script Block Logging" = Enabled

# Enable command line process auditing
GPO: Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation
"Include command line in process creation events" = Enabled
```

### Monitor for Suspicious Activity

**Key indicators of compromise (IoCs)**:

1. **Unusual logon patterns**:
   - Logins from multiple locations simultaneously
   - Off-hours logins for privileged accounts
   - Service accounts with interactive logins

2. **Privileged group changes**:
   - Unexpected additions to Domain Admins
   - New Enterprise Admins members
   - Changes to AdminSDHolder

3. **Kerberos anomalies**:
   - Kerberos ticket encryption downgrade (RC4 instead of AES)
   - Unusual SPN requests (Kerberoasting)
   - Ticket granting tickets from unexpected sources

4. **LDAP queries**:
   - Enumeration of all users/computers
   - BloodHound-style queries
   - Large result sets from single queries

**SIEM Integration**:

Forward Windows Event Logs to SIEM:
- Splunk
- Azure Sentinel
- Elastic Stack
- QRadar

**Create alerts for**:
- Event ID 4728: Member added to security-enabled global group
- Event ID 4732: Member added to security-enabled local group
- Event ID 4756: Member added to security-enabled universal group
- Event ID 4625: Failed logon attempts
- Event ID 4672: Special privileges assigned to new logon
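Before those alerts reach a SIEM, it helps to see what the raw Security-log fields look like for the three highest-value rules on this page: privileged group changes (4728/4732/4756), RC4 service-ticket requests (4769, the Kerberoasting signature), and replication rights exercised by a non-DC account (4662 with the DS-Replication-Get-Changes GUID from the FAQ below). The script is an added example, not from the original guide; it assumes it runs on a domain controller with the audit policy above enabled, and the group list and 24-hour window are assumptions.

```powershell
# Detection pass over the Security log (added example, not from the original guide).
# Run on a DC, or add -ComputerName <dc> to Get-WinEvent. Needs the audit categories configured above.
$since = (Get-Date).AddHours(-24)
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
# GUID of the DS-Replication-Get-Changes control access right exercised by DCSync
$replGetChanges = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Get-EventField {
    # Pull one named <Data> element out of an event's XML rendering
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756, 4769, 4662; StartTime = $since } `
    -ErrorAction SilentlyContinue

$alerts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    switch ($e.Id) {
        { $_ -in 4728, 4732, 4756 } {
            # Group membership change: alert only when the target group is a privileged one
            $target = Get-EventField $x 'TargetUserName'
            if ($privilegedGroups -contains $target) {
                [PSCustomObject]@{ Time = $e.TimeCreated; Rule = 'PrivilegedGroupChange'
                    Subject = (Get-EventField $x 'SubjectUserName')
                    Detail  = "$(Get-EventField $x 'MemberName') added to $target" }
            }
        }
        4769 {
            # 0x17 = RC4-HMAC. A TGS request with RC4 for a user-account SPN (service name without a
            # trailing $ and not krbtgt) is the classic Kerberoasting pattern once AES is the norm.
            $etype = Get-EventField $x 'TicketEncryptionType'
            $svc   = Get-EventField $x 'ServiceName'
            if ($etype -eq '0x17' -and $svc -notlike '*$' -and $svc -ne 'krbtgt') {
                [PSCustomObject]@{ Time = $e.TimeCreated; Rule = 'RC4ServiceTicket'
                    Subject = (Get-EventField $x 'TargetUserName')
                    Detail  = "service=$svc client=$(Get-EventField $x 'IpAddress')" }
            }
        }
        4662 {
            # Replication right used by a subject that is not a computer (DC) account
            $subject = Get-EventField $x 'SubjectUserName'
            $props   = Get-EventField $x 'Properties'
            if ($props -match $replGetChanges -and $subject -notlike '*$') {
                [PSCustomObject]@{ Time = $e.TimeCreated; Rule = 'PossibleDCSync'
                    Subject = $subject
                    Detail  = "object=$(Get-EventField $x 'ObjectName')" }
            }
        }
    }
}
$alerts | Sort-Object Time | Format-Table -AutoSize
```

Each rule produces the same object shape so the output can be forwarded as-is; the 4769 rule will be noisy in a domain that still issues RC4 tickets broadly, which is itself a finding for the Kerberos hardening section.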

---

## Domain Controller Hardening

### Physical and Network Security

**Protect Domain Controllers**:
- **Physical**: Locked server rooms, restricted access
- **Network**: Dedicated management VLAN, firewall rules
- **Backup**: Offline backups, tested recovery procedures
- **Monitoring**: 24/7 monitoring, alerts for anomalies

**Required Firewall Ports** (inbound to DC):
- 88 (TCP/UDP): Kerberos
- 389 (TCP/UDP): LDAP
- 636 (TCP): LDAPS
- 3268 (TCP): Global Catalog
- 3269 (TCP): Global Catalog SSL
- 53 (TCP/UDP): DNS
- 445 (TCP): SMB
- 135 (TCP): RPC Endpoint Mapper
- 49152-65535 (TCP): Dynamic RPC

**Block unnecessary ports/protocols**:
- 80/443 (HTTP/HTTPS) - No web browsing from DCs
- 25 (SMTP) - No email from DCs
- 21 (FTP) - No file transfers

### Patch Management

**Critical: Keep DCs patched**:

```powershell
# Get-WindowsUpdate / Install-WindowsUpdate come from the community PSWindowsUpdate module,
# not from Windows itself: Install-Module PSWindowsUpdate

# Check pending updates
Get-WindowsUpdate

# Install updates (-AutoReboot restarts the DC, so run this only inside the maintenance window)
Install-WindowsUpdate -AcceptAll -AutoReboot

# Schedule monthly patching window
# Test on secondary DC first, then primary
```

**Patching schedule**:
1. Test updates in lab environment
2. Apply to secondary DCs
3. Verify replication and services
4. Apply to PDC Emulator
5. Monitor for 24 hours

---

## Zero Trust Implementation

### Zero Trust Principles

**"Never trust, always verify"**:

1. **Verify explicitly**: Authenticate and authorize based on all available data points
2. **Least privilege access**: Limit user access with Just-In-Time and Just-Enough-Access
3. **Assume breach**: Minimize blast radius, segment access, verify end-to-end encryption

### Conditional Access Policies

**Azure AD Conditional Access**:

```text
Policy: Block legacy authentication
- Users: All users
- Cloud apps: All cloud apps
- Conditions: Client apps = Other clients (legacy)
- Grant: Block access

Policy: Require MFA for admins
- Users: Directory role = Global Administrator
- Cloud apps: All cloud apps
- Grant: Require multi-factor authentication

Policy: Require compliant device
- Users: All users
- Cloud apps: Office 365
- Conditions: Device platforms = All
- Grant: Require device to be marked as compliant
```

---

## Compliance and Standards

### Regulatory Requirements

**HIPAA (Healthcare)**:
- Audit logging of all PHI access
- Encryption of data at rest and in transit
- Access controls and authentication
- Regular security assessments

**PCI DSS (Payment Cards)**:
- Unique user IDs and strong authentication
- Track and monitor all access to cardholder data
- Regularly test security systems
- Maintain access control lists

**SOC 2 (SaaS/Cloud)**:
- Logical access controls
- Multi-factor authentication
- Audit trail review
- Change management processes

---

## Best Practices Summary

### Top 20 Active Directory Security Best Practices

1. ✅ **Implement tiered administration model** (Tier 0/1/2)
2. ✅ **Enable MFA for all privileged accounts**
3. ✅ **Use Protected Users group** for sensitive accounts
4. ✅ **Deploy Privileged Access Workstations** (PAWs)
5. ✅ **Separate admin accounts** from regular accounts
6. ✅ **Disable NTLM where possible**, require Kerberos
7. ✅ **Remove Domain Admins** from daily tasks
8. ✅ **Use Group Managed Service Accounts** (gMSA)
9. ✅ **Enable comprehensive audit logging**
10. ✅ **Monitor for suspicious activity** with SIEM
11. ✅ **Apply security baselines** (CIS, Microsoft)
12. ✅ **Disable legacy protocols** (SMBv1, LM/NTLMv1)
13. ✅ **Implement Just-in-Time administration**
14. ✅ **Regular security assessments** (quarterly)
15. ✅ **Patch Domain Controllers monthly**
16. ✅ **Backup Active Directory regularly**
17. ✅ **Test disaster recovery procedures** annually
18. ✅ **Segment network** (management VLAN for DCs)
19. ✅ **Enable Windows Defender** on all systems
20. ✅ **Document security policies and procedures**

---

## Frequently Asked Questions

**Q: What's the most important Active Directory security control?**

A: **Protecting Domain Admins and privileged accounts**. If attackers compromise Domain Admin credentials, they own your entire domain. Implement MFA, separate admin accounts, use tiered administration, and monitor privileged account usage.

**Q: Should I disable the built-in Administrator account?**

A: **No, but rename it and set a strong password**. The built-in Administrator (RID 500) cannot be locked out, making it useful for emergency recovery. Rename it to prevent targeted attacks, secure it with a complex password, and monitor its usage closely.

**Q: How do I detect if my Active Directory has been compromised?**

A: Look for indicators of compromise:
- Unexpected changes to Domain Admins or other privileged groups (Event ID 4728, 4732, 4756)
- Unusual Kerberos activity or ticket requests
- Logins from service accounts to workstations
- BloodHound or PowerView reconnaissance tools
- DCSync attack attempts (Event ID 4662 with GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
- Golden Ticket usage (TGT requests with unusual encryption or from non-existent accounts)

Use a SIEM to correlate events and detect attack patterns.

**Q: What is Kerberoasting and how do I prevent it?**

A: Kerberoasting is an attack where attackers request Kerberos service tickets for accounts with Service Principal Names (SPNs), then crack the tickets offline to recover passwords.

**Prevention:**
- Use Group Managed Service Accounts (gMSA) with 240-character auto-rotating passwords
- Set 30+ character complex passwords for service accounts
- Regularly audit SPNs: `setspn -Q */*`
- Monitor for unusual SPN ticket requests (Event ID 4769)
- Ensure service accounts are NOT members of privileged groups
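The prevention list above reduces to a recurring audit: which user accounts carry an SPN, how old their passwords are, whether RC4 service tickets can still be issued for them, whether they sit in a privileged group, and which accounts have pre-authentication disabled (the AS-REP roasting case from the threat section). The script is an added example, not from the original guide; it assumes the ActiveDirectory module, and the one-year password age and the group list are assumptions to tune.

```powershell
# Kerberoasting / AS-REP roasting exposure audit (added example, not from the original guide).
# Requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$DONT_REQ_PREAUTH = 0x400000   # userAccountControl: "Do not require Kerberos preauthentication"
$RC4_HMAC         = 0x4        # msDS-SupportedEncryptionTypes bit for RC4-HMAC
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$privilegedDns = foreach ($g in $privilegedGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).DistinguishedName } catch { }
}

# User accounts with an SPN (krbtgt excluded) are the accounts a service-ticket request can target
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', Enabled

$report = foreach ($u in $spnUsers) {
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    $issues = @()
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
        $issues += 'password older than 1 year'
    }
    # Unset/0 lets the KDC fall back to RC4 tickets; 0x18 (AES128|AES256) restricts the account to AES
    if (-not $etypes -or ($etypes -band $RC4_HMAC)) { $issues += 'RC4 service tickets possible' }
    if ($privilegedDns -contains $u.DistinguishedName) { $issues += 'member of a privileged group' }
    $summary = if ($issues.Count -gt 0) { $issues -join '; ' } else { 'none' }
    [PSCustomObject]@{
        Account = $u.SamAccountName
        Enabled = $u.Enabled
        SPNs    = $u.ServicePrincipalName.Count
        Issues  = $summary
    }
}
"Kerberoastable service accounts: $(@($spnUsers).Count)"
$report | Sort-Object Account | Format-Table -Wrap -AutoSize

# Accounts that can be AS-REP roasted (pre-authentication disabled)
$noPreauth = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)"
"AS-REP roastable accounts: $(($noPreauth | ForEach-Object SamAccountName) -join ', ')"

# Remediation per finding: migrate the service to a gMSA, or set a 30+ character password and
# restrict the account to AES:  Set-ADUser -Identity <account> -KerberosEncryptionType AES128,AES256
```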

**Q: What's a Golden Ticket attack?**

A: A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created using the stolen KRBTGT account hash. With a Golden Ticket, attackers have unlimited domain access for years—until the KRBTGT password is reset twice.

**Detection:**
- Monitor for TGTs with unusual encryption types
- Look for tickets with impossibly long lifetimes
- Check for TGTs issued from non-existent or retired DCs

**Prevention:**
- Protect Domain Controllers (hardening, PAWs)
- Reset KRBTGT password twice per year (carefully—test first!)
- Implement zero trust—don't rely solely on Kerberos tickets

**Q: How often should I reset the KRBTGT password?**

A: **At least twice per year** as part of routine maintenance. **Immediately** if you suspect compromise.

**Critical**: Reset twice (10 hours apart) to invalidate all existing tickets:
1. First reset: New password becomes primary
2. Wait 10+ hours (max TGT lifetime)
3. Second reset: Completely invalidates old password

Use Microsoft's [New-KrbtgtKeys.ps1 script](https://github.com/microsoft/New-KrbtgtKeys.ps1) (not a simple Set-ADAccountPassword).

**Q: What's the difference between authentication and authorization in Active Directory?**

A:
- **Authentication**: Verifying identity ("Who are you?") - Handled by Kerberos/NTLM
- **Authorization**: Determining permissions ("What can you do?") - Handled by ACLs, group memberships

Example: Authentication confirms you're "john.doe@contoso.com". Authorization determines if you can access \\fileserver\finance based on group memberships and ACLs.

---

## Additional Resources

### Microsoft Documentation
- [Best Practices for Securing Active Directory](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory)
- [Privileged Access Workstations (PAWs)](https://docs.microsoft.com/en-us/security/compass/privileged-access-devices)
- [Azure AD Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/)

### Security Tools
- [BloodHound](https://github.com/BloodHoundAD/BloodHound) - AD attack path analysis (use for defense!)
- [Purple Knight](https://www.purple-knight.com/) - Free AD security assessment
- [Ping Castle](https://www.pingcastle.com/) - AD security audit tool
- [ADRecon](https://github.com/adrecon/ADRecon) - AD documentation & analysis

### Related Guides
- [Complete Active Directory Guide](/complete-active-directory-guide) - AD fundamentals
- [Dsacls Guide](/dsacls) - Managing AD permissions
- PowerShell Active Directory - AD automation

---

**Last Updated**: February 4, 2026

**About This Guide**: This Active Directory security guide is maintained by ActiveDirectoryTools.net to help IT professionals secure their enterprise infrastructure against modern threats.
