Securing an Active Directory: operational checklist


Active Directory security requires strict tiered administration (T0/T1/T2), hardened Domain Controllers, and tightly controlled privileged accounts. Key mitigations include gMSA for service accounts, Kerberos Armoring, removal of Shadow Admins, and disabling weak protocols like NTLM. Continuous auditing and logging are essential to prevent attackers from escalating to Domain Admin through misconfigurations or lateral movement.
This article outlines the minimum technical requirements for securing a modern Active Directory environment.
It is based on Microsoft security guidance, red team offensive techniques, and best practices used in high-security environments.
1. Architecture: Tiering model (T0 / T1 / T2)
The 3-tier administrative model is mandatory to prevent lateral movement and protect AD’s security authority.
Tier 0 (T0)
Resources:
Domain Controllers, ADCS/PKI, ADFS, Azure AD Connect, Kerberos infrastructure, Tier 0 gMSA accounts, Domain Admins.
Technical requirements:
Isolated VLAN + strict ACLs
No RDP from T1/T2
T0 admins operate only from T0 PAWs
NTLM disabled where possible
Kerberos FAST / Armoring enabled
Privileged Access Management (PAM) recommended
Tier 1 (T1)
Application servers, infrastructure systems, hypervisors, business-critical servers.
Requirements:
T1 admin accounts only
Access from T1 PAWs
Deny logon for T0 accounts
No Internet access from T1 PAWs
Tier 2 (T2)
Workstations, laptops, VDI, and user devices.
Requirements:
No T0/T1 accounts allowed
LAPS or gLAPS mandatory
EDR mandatory + Device Guard / AppLocker recommended
2. Accounts & Identity Security
Privileged accounts
No interactive use of Domain Admin accounts
One dedicated admin account per tier
Privileged session expiration (PAM / PIM)
Review and harden AdminSDHolder
Service accounts
gMSA mandatory for supported applications
No DA/EA/SA assignment to services
Automatic rotation of secrets
SPNs only on accounts with AES enabled
Dormant accounts
Automated discovery → disable → delete
Vendor accounts time-bounded
3. Domain Controller Hardening
System security
Remove SMBv1
Enforce LDAP Signing + Channel Binding
Enable LSA Protection
Enable Credential Guard where supported
Kerberos security
AES256 mandatory for sensitive accounts
Disable DES and RC4
Enable FAST/Armoring
No unconstrained delegation
Network exposure
Allow only required DC ports:
TCP 88, 135, 389, 445, 636, 3268, 3269
Strict inbound filtering (RPC lockdown)
No RDP exposure outside Tier 0
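As an added example (not part of the original checklist), a read-only compliance check for the Domain Controller hardening items above. It reads the documented registry values for LSA Protection, LDAP signing, LDAP channel binding and LM/NTLM compatibility, and the SMBv1 state; the expected values are the hardened settings this checklist assumes.

```powershell
# Added example, not from the original article: read-only compliance check for the
# Domain Controller hardening items above. Run in an elevated PowerShell on a DC.
# Registry keys are the documented Windows settings; the expected values are the
# hardened settings this checklist assumes.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$checks = @(
    @{ Name = 'LSA Protection (RunAsPPL)';        Path = $lsa;  Value = 'RunAsPPL';                  Expected = @(1, 2) }
    @{ Name = 'LDAP signing required';            Path = $ntds; Value = 'LDAPServerIntegrity';       Expected = @(2) }
    @{ Name = 'LDAP channel binding: always';     Path = $ntds; Value = 'LdapEnforceChannelBinding'; Expected = @(2) }
    @{ Name = 'NTLMv2 only, refuse LM and NTLM';  Path = $lsa;  Value = 'LmCompatibilityLevel';      Expected = @(5) }
)

$results = foreach ($c in $checks) {
    # A missing value means the OS default applies; none of these defaults is the hardened setting.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    [pscustomobject]@{
        Check  = $c.Name
        Actual = if ($null -eq $actual) { '<not set>' } else { $actual }
        Pass   = ($null -ne $actual) -and ($c.Expected -contains [int]$actual)
    }
}

# SMBv1: the server-side protocol switch must be off and the optional feature removed.
$smb1Enabled   = (Get-SmbServerConfiguration).EnableSMB1Protocol
$smb1Installed = (Get-WindowsFeature -Name FS-SMB1).Installed
$results += [pscustomobject]@{ Check = 'SMBv1 protocol disabled'; Actual = $smb1Enabled;   Pass = -not $smb1Enabled }
$results += [pscustomobject]@{ Check = 'SMBv1 feature removed';   Actual = $smb1Installed; Pass = -not $smb1Installed }

$results | Format-Table Check, Actual, Pass -AutoSize
# Non-zero exit code lets a scheduled task or CI job treat any failed check as a finding.
exit ([int](($results | Where-Object { -not $_.Pass }).Count -gt 0))
```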
4. Privilege reduction & control
Critical groups audit
Mandatory review of:
Domain Admins
Enterprise Admins
Schema Admins
Account Operators
Backup Operators
DNSAdmins (privilege escalation risk)
Shadow admins
Identify via:
BloodHound
ACL analysis (DSACLs, ntdsutil, RPC)
Dangerous ACEs: WriteOwner, WriteDACL, GenericAll, GenericWrite
Remove or isolate accordingly.
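The ACL analysis described above, as an added example that is not part of the original checklist: it enumerates Allow ACEs granting WriteOwner, WriteDACL, GenericAll or write-all-properties on a set of Tier 0 objects and lists every principal that is not on a trusted allow-list. It assumes the RSAT ActiveDirectory module; the Tier 0 object set and the trusted-principal list are assumptions to extend.

```powershell
# Added example, not from the original article: list non-default principals holding dangerous
# rights on Tier 0 objects (shadow-admin candidates). Read-only; requires the RSAT AD module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Tier 0 objects to inspect (assumed set; extend with your own T0 groups and OUs).
$tier0 = @(
    $domain.DistinguishedName                                   # domain head: replication (DCSync) rights live here
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"   # template ACL for all protected groups
    (Get-ADGroup 'Domain Admins').DistinguishedName
    (Get-ADGroup 'Domain Controllers').DistinguishedName
)

# Principals expected to hold full control on these objects; anything else is a candidate.
$trusted = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
             'Domain Admins', 'Enterprise Admins', 'Enterprise Domain Controllers',
             'Domain Controllers', 'Key Admins', 'Enterprise Key Admins')

$R = [System.DirectoryServices.ActiveDirectoryRights]
function Test-DangerousAce([System.DirectoryServices.ActiveDirectoryAccessRule] $ace) {
    if ($ace.AccessControlType -ne 'Allow') { return $false }
    $rights = $ace.ActiveDirectoryRights
    # Full control, DACL/owner takeover, or WriteProperty on *all* attributes (empty ObjectType GUID).
    # Bitwise operators bind weaker than -eq/-ne in PowerShell, hence the explicit parentheses.
    return (($rights -band $R::GenericAll) -eq $R::GenericAll) -or
           (($rights -band $R::WriteDacl) -ne 0) -or
           (($rights -band $R::WriteOwner) -ne 0) -or
           ((($rights -band $R::WriteProperty) -ne 0) -and ($ace.ObjectType -eq [guid]::Empty))
}

$findings = foreach ($dn in $tier0) {
    $sd = (Get-ADObject -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    foreach ($ace in $sd.Access) {
        $who = $ace.IdentityReference.Value
        if ($who -in $trusted -or $who.Split('\')[-1] -in $trusted) { continue }
        if (Test-DangerousAce $ace) {
            [pscustomobject]@{ Object = $dn; Principal = $who; Rights = $ace.ActiveDirectoryRights; Inherited = $ace.IsInherited }
        }
    }
}
$findings | Sort-Object Principal, Object | Format-Table -AutoSize
```

Inherited ACEs point at the parent container where the grant was made, so fix the source object rather than the child.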
5. Kerberos attack surface reduction
Kerberoasting
Mitigations:
AES-only service accounts
Use gMSA for SPN accounts
Password rotation < 90 days
No weak or static passwords
AS-REP Roasting
Mitigations:
Disable “Do not require Kerberos preauthentication”
Identify vulnerable accounts via Rubeus/BloodHound
Delegation control
Disable Unconstrained Delegation
Limit Resource-Based Delegation
Validate SPNs and Kerberos mappings
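As an added example (not part of the original checklist), a read-only audit covering the three exposures in this section: SPN-bearing user accounts that are not AES-only or whose password is past the 90-day rotation target, accounts without Kerberos pre-authentication, and both unconstrained and resource-based delegation. It assumes the RSAT ActiveDirectory module; the flag values are the documented userAccountControl and msDS-SupportedEncryptionTypes bits.

```powershell
# Added example, not from the original article: read-only audit of the Kerberos exposures in
# section 5 using the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$AES_BITS = 0x18   # msDS-SupportedEncryptionTypes: 0x8 AES128, 0x10 AES256 (0x4 is RC4)

# Kerberoasting surface: user accounts (not computers or gMSAs) carrying an SPN. Flag those
# without an AES-only setting or with a password older than the 90-day rotation target.
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties msDS-SupportedEncryptionTypes, PasswordLastSet |
  Select-Object SamAccountName, PasswordLastSet,
    @{ n = 'AESOnly'; e = {
        $etypes = [int]$_.'msDS-SupportedEncryptionTypes'    # unset (null) -> 0 -> OS defaults apply, not AES-only
        (($etypes -band $AES_BITS) -ne 0) -and (($etypes -band 0x7) -eq 0) } },
    @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 } } } |
  Where-Object { -not $_.AESOnly -or $_.PasswordAgeDays -gt 90 -or $_.PasswordAgeDays -lt 0 } |
  Format-Table -AutoSize

# AS-REP roasting surface: UF_DONT_REQUIRE_PREAUTH (0x400000 = 4194304) set in userAccountControl.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
  Format-Table SamAccountName, Enabled -AutoSize

# Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000 = 524288), excluding writable and
# read-only domain controllers (primaryGroupID 516 / 521), which hold the flag by design.
Get-ADObject -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))' `
    -Properties sAMAccountName, objectClass |
  Format-Table sAMAccountName, objectClass -AutoSize

# Resource-based constrained delegation: every resource that lets another identity act on behalf
# of users, with the principals written into its msDS-AllowedToActOnBehalfOfOtherIdentity descriptor.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
  ForEach-Object {
      [pscustomobject]@{
          Resource     = $_.Name
          AllowedToAct = ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access.IdentityReference.Value | Sort-Object -Unique) -join ', '
      }
  } | Format-Table -AutoSize
```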
6. Administrative security controls
PAW (Privileged Access Workstations)
No email
No Internet browsing
Hardening:
AppLocker / WDAC, Device Guard, EDR, restricted PowerShell
Jump Servers / Bastions
Mandatory controlled access
Session recording recommended
MFA required + PAM/PIM integration
7. PKI / ADCS Security
ADCS is Tier 0 and one of the most commonly abused components (ESC1–ESC8 vulnerabilities).
Requirements:
Offline Root CA
Subordinate CAs only in T0
Restrict certificate templates
No user certificate enrollment for authentication by standard users
Review EKUs and template permissions
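The template review above, as an added example that is not part of the original checklist: it reads the certificate templates published on at least one enterprise CA and flags those combining an enrollee-supplied subject, an authentication-capable EKU, enrollment granted to a broad group and no manager approval (the ESC1-style pattern). It assumes the RSAT ActiveDirectory module; the EKU OIDs, flag bits and the Certificate-Enrollment right GUID are the documented values, and the "broad group" list is an assumption to adapt.

```powershell
# Added example, not from the original article: flag published templates that let a standard
# user enroll for an authentication certificate with a subject of their choosing. Read-only.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

# Templates actually published on at least one enrollment service (CA); unpublished ones are inert.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates }

$authEku    = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0', '1.3.6.1.5.2.3.4'  # client auth, smart card logon, any purpose, PKINIT client
$broad      = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users'  # assumed list of "standard user" groups
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$R = [System.DirectoryServices.ActiveDirectoryRights]

Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage, nTSecurityDescriptor |
  Where-Object { $_.Name -in $published } |
  ForEach-Object {
      $t = $_
      $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
      $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS (manager approval)
      $ekus            = @($t.pKIExtendedKeyUsage)
      $authCapable     = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $_ -in $authEku })   # no EKU = any purpose
      # Enrollment for a broad group: full control, or the Certificate-Enrollment extended right
      # (an empty ObjectType on an ExtendedRight ACE means "all extended rights").
      $broadEnroll = $t.nTSecurityDescriptor.Access | Where-Object {
          $_.AccessControlType -eq 'Allow' -and
          ($_.IdentityReference.Value.Split('\')[-1] -in $broad) -and
          ( (($_.ActiveDirectoryRights -band $R::GenericAll) -eq $R::GenericAll) -or
            ((($_.ActiveDirectoryRights -band $R::ExtendedRight) -ne 0) -and ($_.ObjectType -in @($enrollGuid, [guid]::Empty))) )
      }
      if ($suppliesSubject -and $authCapable -and $broadEnroll -and -not $needsApproval) {
          [pscustomobject]@{
              Template     = $t.Name
              EKUs         = ($ekus -join ',')
              EnrollableBy = ($broadEnroll.IdentityReference.Value | Sort-Object -Unique) -join ', '
          }
      }
  } | Format-Table -AutoSize
```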
8. Logging & Detection
Security event logging
Forward and analyze:
4624/4625 – Logons
4672 – Special privileges assigned
4768/4769/4771 – Kerberos operations
4728–4732 – Group membership changes
4662 – ACL changes
1102 – Log clear events
Sysmon:
ID 1: Process creation
ID 3: Network connections
ID 10: LSASS access
ID 6: Driver loading
Offensive detection
Honeytokens / Honeyaccounts
SPN activity monitoring
Kerberos “impossible travel”
Regular BloodHound audits
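As an added example (not part of the original checklist), detection logic over the event IDs listed above: it pulls 4769, 4768 and 1102 from the Security log and surfaces RC4 service-ticket requests to user-type service accounts (Kerberoasting), TGT requests without pre-authentication (AS-REP roasting) and log-clear events. It assumes it runs on a DC, or on a collector holding the forwarded Security log, with read access to that log; the 24-hour window is an assumption to tune.

```powershell
# Added example, not from the original article: hunt in the Security log for the Kerberos
# events section 8 says to forward and analyse. The 24-hour window is an assumption.
$start = (Get-Date).AddHours(-24)

function Get-EventFields($Event) {
    # Flatten <EventData><Data Name="..."> into an object with one property per field.
    $x = [xml]$Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated }
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Get-SecurityEvents([int] $Id) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $start } -ErrorAction SilentlyContinue |
      ForEach-Object { Get-EventFields $_ }
}

# Kerberoasting: successful TGS requests (4769) that returned an RC4 (0x17) service ticket for a
# user-type service account (computer SPNs end in '$'; krbtgt is excluded). With the AES-only policy
# of section 5 in place every hit is a violation; one client requesting many services is a hunt lead.
Get-SecurityEvents 4769 |
  Where-Object { $_.Status -eq '0x0' -and $_.TicketEncryptionType -eq '0x17' -and
                 $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
  Group-Object TargetUserName, IpAddress | Sort-Object Count -Descending |
  Select-Object Count, Name, @{ n = 'Services'; e = { ($_.Group.ServiceName | Sort-Object -Unique) -join ', ' } } |
  Format-Table -AutoSize

# AS-REP roasting: successful TGT requests (4768) with PreAuthType 0 (no pre-authentication);
# only accounts with "Do not require Kerberos preauthentication" produce these.
Get-SecurityEvents 4768 |
  Where-Object { $_.Status -eq '0x0' -and $_.PreAuthType -eq '0' } |
  Format-Table TimeCreated, TargetUserName, IpAddress, TicketEncryptionType -AutoSize

# Log tampering: 1102 (audit log cleared) on a DC should only ever line up with a change record.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $start } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, @{ n = 'ClearedBy'; e = { ([xml]$_.ToXml()).Event.UserData.LogFileCleared.SubjectUserName } } |
  Format-Table -AutoSize
```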
9. Technical checklists
Domain controller checklist
LSA Protection enabled
SMBv1 removed
AES-only on key accounts
Kerberos Armoring enabled
No unconstrained delegation
DC firewall hardened
EDR in audit mode
No RDP from T1/T2
Tiering checklist
Separate accounts for T0/T1/T2
T0 logon forbidden outside PAWs
PAWs deployed per tier
T0 ACLs secured
Shadow Admins removed
Conclusion
Active Directory security depends on three pillars:
Strict privilege isolation through the Tiering Model.
Technical hardening of Domain Controllers, Kerberos, NTLM, and ADCS.
Continuous detection and reduction of implicit privileges (Shadow Admins, ACL abuse, delegation risks).
Without these measures, an attacker with standard user access can escalate to Domain Admin using Kerberoasting, ACL abuse, or lateral movement techniques.