← All glossary terms
Active Directory5 min read

What is Active Directory Security?

Active Directory security is the discipline of protecting AD — the identity backbone of most enterprises — from misconfiguration, abuse, and attack. Learn the risks, controls, and a practical roadmap.

What is Active Directory Security?

Definition

Active Directory (AD) security is the practice of protecting Microsoft Active Directory — the identity and access foundation of most enterprise environments — against misconfiguration, abuse, and attack.

Because AD authenticates users, manages group memberships, controls Group Policy, and underpins access to file shares, applications, and infrastructure, compromising AD usually means compromising the entire enterprise. AD security is therefore one of the most consequential disciplines in cybersecurity.

In simple terms:

AD security is what stops a single phished laptop from becoming a Domain Admin takeover.


Why AD Security Matters

  • Most ransomware operators target Domain Admin within hours of initial access.
  • AD compromise allows mass deployment of malware via Group Policy, scheduled tasks, or PsExec.
  • Tier 0 takeover gives attackers persistence that survives most clean-up efforts.
  • AD often federates with Microsoft Entra ID, extending compromise into cloud and SaaS.
  • CISA, NSA, and Microsoft consistently rank AD misconfigurations among the top enterprise risks.

Major incidents involving AD compromise: NotPetya, SolarWinds (Golden SAML via Entra), Colonial Pipeline, MGM, Caesars, and many ransomware events.


Core AD Security Concepts

1. Tiered Administration (Tier 0 / 1 / 2)

Microsoft's Enterprise Access Model:

  • Tier 0 — assets that control identity (DCs, AD CS, ADFS, Entra Connect, PAM, backup of Tier 0).
  • Tier 1 — servers, applications, business systems.
  • Tier 2 — workstations and end-user devices.

Tier 0 admins must never log in to Tier 1/2 systems, and vice versa.

2. Privileged Group Discipline

  • Domain Admins and Enterprise Admins kept tiny.
  • Members reviewed quarterly.
  • All members use dedicated admin accounts and PAW (Privileged Access Workstations).

3. Authentication Protocols

  • Prefer Kerberos over NTLM.
  • Restrict and monitor NTLM.
  • Disable NTLMv1 and SMBv1.
  • Enable LDAP signing/binding.

4. Delegation Hygiene

  • Avoid unconstrained delegation.
  • Review constrained and resource-based constrained delegation (RBCD).
  • Audit msDS-AllowedToActOnBehalfOfOtherIdentity.

5. AD CS Hardening

  • Audit certificate templates against ESC1–ESC15 misconfigurations.
  • Enforce manager approval where appropriate.
  • Restrict enrollment rights.

6. Continuous Monitoring

  • Log AD changes, group changes, GPO changes.
  • Detect Kerberoasting, AS-REP roasting, DCSync, Golden / Silver / Diamond / Sapphire ticket use.
  • Detect ACL backdoors and shadow admins.

Common AD Attack Techniques

  • Kerberoasting — request service tickets, crack offline.
  • AS-REP Roasting — abuse accounts without preauth.
  • DCSync — replicate from a DC to extract password hashes.
  • Pass-the-Hash / Pass-the-Ticket — credential reuse for lateral movement.
  • Golden Ticket — forge TGT with KRBTGT hash.
  • Silver Ticket — forge service ticket with service account hash.
  • Unconstrained Delegation abuse — capture TGTs of users connecting to compromised hosts.
  • AD CS abuse (ESC1–ESC15) — issue certificates as another identity.
  • GPO abuse — modify policies to push payloads or change permissions.
  • AdminSDHolder abuse — backdoor privileged groups via the SDProp process.
  • Shadow admin permissions — direct ACLs that grant control without group membership.

Real-World Examples

1. Ransomware via Domain Admin

Attackers phish a help desk user, escalate via Kerberoasting and weak service account passwords, reach Domain Admin, then deploy ransomware via Group Policy or PsExec to thousands of endpoints.

2. AD CS ESC1 Exploitation

A certificate template allows low-privilege users to request certificates with Enrollee Supplies Subject and Client Authentication EKU. An attacker requests a certificate as Domain Admin and authenticates with it.

3. Shadow Admin via ACL

A help desk group has Reset Password on an OU. Over time, a Domain Admin account is moved into that OU. The help desk now controls Domain Admin without any group membership change.

4. Unconstrained Delegation Abuse

A web server with unconstrained delegation is compromised. Any privileged user who connects has their TGT stored in memory. Attackers extract it and impersonate that user.

5. Golden Ticket Persistence

After getting Domain Admin, attackers extract the KRBTGT hash and forge tickets to maintain access for years until KRBTGT is reset twice.


AD Security Best Practices

  1. Enforce tiered administration strictly.
  2. Use PAWs for Tier 0 work.
  3. Minimize Domain / Enterprise / Schema Admin membership.
  4. Use LAPS for unique local administrator passwords.
  5. Use gMSA for service accounts where possible.
  6. Audit and remove unconstrained delegation.
  7. Audit AD CS templates against ESC1–ESC15.
  8. Restrict NTLM where compatibility allows.
  9. Enable LDAP signing and channel binding.
  10. Rotate KRBTGT twice annually and after suspected compromise.
  11. Backup AD securely, store offline, and test restoration.
  12. Continuously monitor for AD attack patterns and ACL changes.
  13. Map and remediate attack paths to Tier 0 continuously.
  14. Tabletop exercises for Domain Admin compromise scenarios.

Common AD Misconfigurations

  • Domain Admins used as service accounts.
  • Excessive nested group membership.
  • Service accounts with weak passwords and SPNs (Kerberoastable).
  • Pre-authentication disabled (AS-REP roastable).
  • Misconfigured AD CS templates.
  • Privileged accounts logging into Tier 1/2 systems.
  • Group Policy with permissive DACLs.
  • Authenticated Users granted excessive rights on sensitive objects.
  • AdminSDHolder modified.
  • Stale Tier 0 admin accounts not used in 90+ days.

AD Security Checklist

  • Tier 0 / 1 / 2 model defined and enforced?
  • Domain Admin membership reviewed quarterly?
  • PAWs in use for Tier 0?
  • LAPS deployed?
  • gMSA used for service accounts?
  • AD CS templates audited?
  • Unconstrained delegation removed?
  • NTLMv1 / SMBv1 disabled?
  • KRBTGT rotation schedule in place?
  • Continuous detection for AD attacks?
  • Attack paths to Tier 0 mapped and tracked?
  • Backups secured and tested?

How Forestall Helps

Forestall connects to Active Directory and computes effective access and attack paths across your forest:

  • Surfaces misconfigurations (delegation, ACLs, AD CS, group nesting).
  • Maps every path that leads to Tier 0.
  • Highlights choke points where one fix collapses many paths.
  • Detects shadow admins and ACL backdoors invisible to group-based reviews.
  • Tracks AD posture trends as you remediate.

Frequently Asked Questions

Is AD still important if we're moving to the cloud?

For most organizations, yes. AD often syncs to Entra ID via Entra Connect, so AD compromise frequently becomes cloud compromise.

Can I just buy ITDR and be done?

ITDR catches attacks in flight. Posture management prevents many of them in the first place. Most programs need both.

What's the single highest-impact AD control?

Tiered administration. Most catastrophic AD compromises trace back to Tier 0 credentials being reused on Tier 1/2 systems.

How often should KRBTGT be reset?

Twice per year, with two resets back-to-back when there's any suspicion of compromise.

Does disabling NTLM break things?

It can. Inventory NTLM usage first, then restrict progressively. Disabling fully is a long project but worthwhile.


Conclusion

Active Directory security is the identity foundation for most enterprises — and one of the highest-leverage areas to invest in. Tiered administration, disciplined privileged groups, hardened delegation and AD CS, restricted legacy protocols, and continuous attack-path analysis collectively make the difference between a contained incident and a domain-wide catastrophe.

If you do nothing else this quarter, map the paths to your Tier 0 and start cutting them.

Active DirectoryAD SecurityTier 0KerberoastingDCSync

See every AD attack path before adversaries do.

Forestall maps Active Directory misconfigurations and attack paths to Tier 0, then helps you close them.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is Active Directory Security? | Forestall