Active Directory Security Checklist for Beginners
A practical, beginner-friendly checklist for hardening Active Directory — from Tier 0 administration to AD CS, delegation, GPOs, NTLM, and continuous attack-path analysis.
Active Directory Security Checklist for Beginners
This checklist is a practical starting point for anyone improving Active Directory security. It is grouped by area, ordered roughly by impact, and based on guidance from Microsoft, CISA, NSA, and major incident responders.
Don't try to do everything at once. Start with high-impact items, build momentum, and re-score regularly.
1. Tiered Administration
- Tier 0 / 1 / 2 model defined and documented.
- Tier 0 admins never log into Tier 1/2 systems.
- PAWs (Privileged Access Workstations) used for Tier 0 work.
- Help desk uses dedicated lower-privilege accounts (no DA for support).
- Cloud admin accounts (Entra Connect, Global Admin) treated as Tier 0.
2. Privileged Groups
- Domain Admins membership in single digits.
- Enterprise Admins / Schema Admins empty by default.
- No service accounts in privileged groups.
- Quarterly review of all protected groups.
- DnsAdmins, Backup Operators, Server Operators treated as near-Tier 0.
3. Authentication
- MFA enforced on all admin accounts (smart cards / FIDO2 preferred).
- MFA on all human accounts where supported.
- NTLMv1 disabled.
- NTLMv2 restricted progressively.
- LLMNR and NBT-NS disabled.
- Kerberos pre-authentication required on all accounts.
- LDAP signing required.
- LDAP channel binding enforced.
- SMB signing required.
4. Service Accounts
- gMSA used wherever supported.
- Static service account passwords ≥ 25 chars and random.
- Service accounts not in Domain Admins.
- Service accounts in Protected Users where compatible.
- Interactive logon restricted for service accounts.
- SPN inventory documented.
- Honeypot SPN account in place for Kerberoasting detection.
5. Delegation
- No unconstrained delegation outside DCs.
- All constrained delegations documented and reviewed.
- All RBCD configurations documented and reviewed.
-
ms-DS-MachineAccountQuotaset to 0 for non-admins. - Sensitive accounts marked "Account is sensitive and cannot be delegated."
- Sensitive accounts in Protected Users group.
6. KRBTGT and Kerberos
- KRBTGT rotated twice in last 6 months.
- Forest recovery procedure tested.
- RC4 disabled / AES enforced where possible.
-
msDS-SupportedEncryptionTypesset on accounts and trusts.
7. AD CS
- All certificate templates audited (ESC1–ESC15).
-
Enrollee Supplies Subjectremoved where not needed. - Manager approval required on sensitive templates.
- CA flag
EDITF_ATTRIBUTESUBJECTALTNAME2disabled (ESC6). - Web enrollment HTTPS-only with EPA, NTLM restricted (ESC8).
- Strong certificate mapping enforced (post-May 2022).
- CA private keys in HSM.
- CAs treated as Tier 0.
- Unused templates removed.
8. ACLs and Shadow Admins
- AdminSDHolder ACL baselined and monitored.
-
adminCount=1accounts inventoried; stale ones cleaned up. - Domain-wide ACL audit (Reset Password, Write Members, WriteDACL, GenericAll on privileged objects).
- DCSync rights audited and minimized.
- OU-level delegations documented.
-
Authenticated Userspermissions audited on sensitive objects.
9. Group Policy
- GPO edit/link rights minimized and audited.
- Tier 0 GPOs isolated.
- GPO links to Tier 0 OUs reviewed.
- GPP cPassword usage eliminated.
- LAPS deployed in place of legacy GPP local admin.
- SYSVOL change monitoring in place.
- Stale GPOs decommissioned.
10. Endpoint Hardening
- LAPS deployed on all Windows endpoints.
- Workstation-to-workstation SMB blocked at host firewall.
- Credential Guard enabled on supported systems.
- RestrictedAdmin / Remote Credential Guard for RDP.
- EDR with credential dumping detections.
- Print Spooler disabled where not needed (especially DCs).
- AppLocker / WDAC for high-value systems.
11. Identity Hygiene
- Stale accounts (90+ days idle) disabled and reviewed.
- Disabled accounts removed after retention period.
- Stale computer objects removed.
- User lifecycle events trigger access review.
- Service accounts documented with owners.
12. Monitoring and Detection (ITDR)
- Identity logs centralized in SIEM.
- Detections for Kerberoasting (4769 anomalies).
- Detections for AS-REP Roasting (4768 without PA-DATA).
- Detections for DCSync (4662 with replication GUIDs from non-DC).
- Detections for Pass-the-Hash / Pass-the-Ticket.
- Detections for Golden / Silver Ticket (long lifetimes, missing AS events, PAC anomalies).
- Detections for AdminSDHolder modifications (5136).
- Detections for protected group membership changes.
- Detections for AD CS abuse (4886, 4887, PetitPotam patterns).
13. Backup and Recovery
- Forest recovery plan documented.
- Forest recovery practiced annually.
- DC backups stored offline, isolated from general infrastructure.
- Backup admins treated as Tier 0.
- NTDS.dit backups protected.
14. Hybrid (Entra Connect)
- Entra Connect server treated as Tier 0.
- MSOL_ account credentials vaulted.
- Sync account replication rights audited.
- Conditional Access aligned with on-premises privilege.
15. Continuous Improvement
- Continuous AD posture monitoring.
- Attack paths to Tier 0 mapped continuously.
- Choke points prioritized for remediation.
- Tabletop exercises for Domain Admin compromise scenarios.
- Quarterly trend reporting to leadership.
How to Use This Checklist
- Score every item as Implemented / Partial / Not Started.
- Identify the worst 5–10 in high-impact sections (Tiered Admin, AD CS, Kerberos, Delegation).
- Make them Q1 goals.
- Re-score quarterly.
- Use trend as your KPI, not the absolute number.
How Forestall Helps
Forestall connects to Active Directory and continuously evaluates posture against the items above (and many more). It surfaces attack paths to Tier 0, identifies choke points, and tracks remediation progress over time — turning this checklist into a measurable, leadership-visible identity security program.
Conclusion
Active Directory security can feel daunting because there's so much to do — and most environments have decades of accumulated configuration. But a small set of high-impact controls (tiered admin, hardened Kerberos, audited AD CS, eliminated unconstrained delegation, LAPS, KRBTGT rotation, attack-path reduction, and identity-focused detection) close most of the risk for most organizations. Use this checklist as your map, fix the highest-impact items first, and watch the path-to-Domain-Admin shrink quarter over quarter.
Turn this checklist into measurable AD risk reduction.
Forestall maps AD misconfigurations and attack paths, then helps you close them in priority order.