Active Directory Hardening Best Practices for Secure Windows Networks

Active Directory is the backbone of most Windows networks, managing authentication and access for thousands of users and devices. But default configurations leave dangerous security gaps. Attackers specifically target AD because compromising it means owning your entire network. Here's how to harden Active Directory against common attacks.

Why Active Directory is a Prime Target

Active Directory (AD) controls access to nearly everything in your Windows environment:

User authentication and authorization
Group policies that configure workstations and servers
Access to file shares, applications, and databases
Privileged accounts with administrative rights

When attackers compromise AD, they can:

Elevate privileges to Domain Admin
Move laterally across your entire network
Access any system or data
Deploy ransomware organization-wide
Create persistent backdoors

Most ransomware attacks succeed because attackers gained Domain Admin credentials and used Group Policy to deploy malware to every computer simultaneously.

Common Active Directory Vulnerabilities

1. Excessive Domain Admin Accounts

The Problem: Many organizations have 10+ Domain Admin accounts when they should have 2-3. Every additional admin account increases attack surface.

The Risk: If any Domain Admin account is compromised, the attacker owns your entire domain.

2. Stale Accounts and Passwords

The Problem: Old user accounts that haven't logged in for years, service accounts with passwords that never expire, disabled accounts that still have permissions.

The Risk: These accounts are easy targets—no one notices if they're compromised.

3. Weak Kerberos Configurations

The Problem: Default Kerberos settings allow attacks like Kerberoasting, where attackers request service tickets and crack them offline.

The Risk: Attackers can obtain passwords for service accounts without triggering alerts.

4. Unrestricted LDAP Queries

The Problem: Any authenticated user can query AD for user lists, group memberships, and administrator accounts.

The Risk: Attackers map your network structure and identify high-value targets.

5. Insecure Group Policy Objects (GPOs)

The Problem: GPOs with overly permissive settings, passwords stored in SYSVOL, or misconfigured application deployments.

The Risk: Attackers modify GPOs to deploy malware or create backdoor accounts.

Essential Hardening Steps

1. Minimize and Protect Privileged Accounts

Limit Domain Admins

Reduce Domain Admins to absolute minimum (2-3 accounts maximum)
Use separate accounts for administrative tasks (never use admin accounts for email/browsing)
Implement "Admin by Exception" model—temporary elevation only when needed

Use Tiered Administration Model

Tier 0: Domain Controllers, Domain Admins (most privileged)
Tier 1: Server administrators
Tier 2: Workstation administrators

Never allow Tier 0 accounts to log into Tier 1 or 2 systems. This prevents credential theft.

Implement Privileged Access Workstations (PAWs)

Dedicated hardened workstations for administrative tasks only
No internet browsing, no email, restricted application access
Admin accounts can only log in from PAWs

2. Implement Strong Password Policies

Fine-Grained Password Policies

Different password requirements for different user groups
Admins: 25+ character passwords or passphrases, 60-day expiration
Service accounts: 64+ character passwords, monitored for use
Regular users: 14+ characters, 90-day expiration

Disable LM and NTLMv1

Legacy authentication protocols with known vulnerabilities
Require NTLMv2 minimum, prefer Kerberos
Audit for applications still using old protocols before disabling

Enable Password Breach Detection

Use Azure AD Password Protection to block commonly breached passwords
Prevent use of company name, season+year patterns
Check against known breach databases

3. Secure Service Accounts

Use Managed Service Accounts (MSAs)

Group Managed Service Accounts (gMSAs) for most services
Automatic password rotation (120-character passwords)
No manual password management

For Non-MSA Service Accounts:

64+ character passwords
Deny interactive logon rights
Monitor for unusual authentication patterns
Document what each service account is used for

Implement Service Account Tiering

No service accounts with Domain Admin rights
Grant only specific permissions needed
Separate service accounts per application/tier

4. Enable Advanced Auditing

Critical Events to Log:

All logon events (success and failure)
Account management changes (creation, deletion, modifications)
Privilege use and elevation
Group Policy changes
Directory service changes
Logon events from unusual locations
Kerberos ticket requests

Send Logs to SIEM or Log Management

Centralize logs for analysis
Alert on suspicious patterns
Retain logs for at least 90 days (365 for compliance)

5. Protect Domain Controllers

Physical Security

Domain Controllers in locked server room or data center
No physical console access for non-admins
Boot from approved media only (disable USB boot)

Network Isolation

Domain Controllers on separate VLAN
Firewall rules limiting access to DC ports
No internet access from DCs
No browsing or email on Domain Controllers

Backup and Recovery

Separate backups of AD (System State)
Test restoration procedures quarterly
Maintain offline DC backup for disaster recovery
Document AD recovery procedures

6. Implement LAPS (Local Administrator Password Solution)

What is LAPS?

Microsoft's free tool that randomizes local administrator passwords on workstations and servers, storing them in AD.

Why it's critical:

Prevents lateral movement using shared local admin passwords
Automatic password rotation (e.g., every 30 days)
Passwords retrievable only by authorized IT staff
Each computer has unique local admin password

Deployment:

Install LAPS client on all workstations and servers
Configure via Group Policy
Restrict who can read LAPS passwords in AD

7. Disable Unnecessary Protocols and Features

Disable LLMNR and NetBIOS

These protocols are vulnerable to man-in-the-middle attacks
Attackers use them to capture credentials
Modern networks don't need them

Disable SMBv1

Legacy protocol with known vulnerabilities (WannaCry exploited SMBv1)
No modern systems require it
Enable only SMBv2 and SMBv3

Disable Print Spooler on Domain Controllers

Print Spooler has been exploited in privilege escalation attacks
Domain Controllers don't need printing capabilities

8. Regular Security Assessments

Quarterly AD Security Audits

Review privileged group memberships
Identify and remove stale accounts
Check for accounts with password never expires
Review service account permissions
Audit GPO changes

Use Tools to Identify Weaknesses

Bloodhound: Maps AD attack paths
PingCastle: AD security assessment
Purple Knight: AD security posture scanner
ADRecon: AD enumeration tool

Penetration Testing

Annual penetration tests focusing on AD
Simulate real-world attack scenarios
Test ability to detect and respond to compromise

Detection and Response

Indicators of Active Directory Compromise

Unusual admin account activity (logins at odd hours)
Spike in Kerberos ticket requests
Changes to privileged groups (Domain Admins, Enterprise Admins)
New user accounts created in quick succession
GPO modifications from non-admin accounts
LDAP queries for all users from single source
Failed login attempts against service accounts

Response Procedures

If you detect AD compromise:

Isolate Domain Controllers: Limit network access immediately
Reset all privileged passwords: Including service accounts and admin accounts
Review and revert GPO changes: Check for malicious modifications
Hunt for persistence mechanisms: Backdoor accounts, Golden Tickets, scheduled tasks
Engage incident response: Consider bringing in AD forensics experts
Consider forest rebuild: For severe compromises, cleanest solution may be new AD forest

Compliance Considerations

AD hardening aligns with multiple compliance frameworks:

CMMC Level 2 Requirements:

AC.1.001 - Limit system access to authorized users
AC.2.007 - Employ least privilege
AC.2.013 - Monitor and control remote access sessions
IA.2.078 - Use multifactor authentication
AU.2.041 - Ensure audit logs are retained

NIST 800-171 Controls:

3.1.1 - Authorized access control
3.1.5 - Employ least privilege principle
3.3.1 - Create system accounts
3.3.7 - Enforce minimum password complexity

Implementation Roadmap

Month 1: Assessment & Quick Wins

Audit current Domain Admin accounts (remove unnecessary)
Enable advanced auditing
Identify stale accounts
Document service accounts

Month 2: Administrative Controls

Implement admin tiering model
Create separate admin accounts
Deploy LAPS to all workstations
Strengthen password policies

Month 3: Technical Hardening

Disable LLMNR, NetBIOS, SMBv1
Implement service account hardening
Review and secure GPOs
Configure DC network isolation

Month 4: Detection & Response

Deploy SIEM or log aggregation
Configure alerting for suspicious activities
Create incident response playbooks
Conduct tabletop exercise

Ongoing: Monitoring & Maintenance

Quarterly AD security audits
Annual penetration testing
Regular training for IT staff
Stay current with AD security patches

The Bottom Line

Active Directory is too critical to leave with default configurations. Attackers know this and specifically target AD because it's the keys to your kingdom. Hardening AD isn't a one-time project—it's an ongoing process of reducing attack surface, monitoring for threats, and quickly responding to anomalies.

For small and mid-sized manufacturers and aerospace contractors, AD compromise often means business-ending consequences: production shutdown, loss of intellectual property, failed audits, and inability to bid on future contracts.

Start with the basics: reduce privileged accounts, implement LAPS, enable logging. Build from there. Every hardening step makes attackers' jobs harder and gives you better visibility into potential compromises.