Active Directory security best practices
Adversaries who take control of Active Directory control the network: every account, Group Policy Object, and authentication decision flows through it. Modern ransomware chains exploit predictable AD misconfigurations, stale privileged accounts, legacy authentication protocols, and overpermissioned service accounts that sit unmonitored for years. Many organizations can't detect a DCSync attack or a Kerberoasting attempt before the credentials are already in the attacker's hands.
Active Directory sits at the center of enterprise identity: every user account, Group Policy Object (GPO), and access decision flows through it.
The Netwrix 2025 Cybersecurity Trends Report found that 28% of organizations experienced a targeted attack on their on-premises infrastructure in 2025, up from 19% in 2023, making Active Directory hardening an urgent priority.
A single misconfigured privileged account or enabled legacy protocol can expand an attacker's access from one endpoint to full domain control.
This guide covers the attack techniques that target AD most frequently, the hardening controls that eliminate the most common footholds, and the monitoring coverage that lets security teams detect abuse before it escalates.
What is Active Directory security?
Active Directory (AD) security covers the practices, controls, and monitoring that protect the directory service responsible for authenticating users, authorizing access, and enforcing policy across Windows environments.
It spans configuration hardening, privilege management, protocol controls, and change monitoring across both on-premises AD DS and hybrid environments that include Entra ID.
Every group membership, delegation assignment, GPO, and service account configuration falls within its scope, because each can create a privilege escalation path when misconfigured.
Why you need to protect Active Directory
AD is simultaneously one of the most targeted systems in the enterprise and one of the easiest to overlook in routine security reviews.
It controls authentication and authorization for the entire network
Every user account, group policy, computer object, and access decision flows through Active Directory. Whoever controls the domain controls the network, not just one system or application, but the authentication layer underneath all of them. A domain compromise exposes every resource that trusts AD for identity decisions.
A single compromise gives attackers broad domain control
A threat actor who reaches Domain Admin level can issue forged Kerberos tickets, push malicious Group Policy to every workstation, extract credentials across the domain, and disable security tooling. Recovery from full AD compromise often requires rebuilding core directory infrastructure, giving identity hardening a direct business impact, not just a technical one.
Privilege debt accumulates silently over years
Service accounts added to Domain Admins for convenience, delegated permissions never revoked, group memberships that survive role changes and departures: most security teams can't produce an accurate list of who holds privileged access. That accumulation persists silently until a review or incident forces it into view.
Legacy protocols and misconfigurations persist across environments
Server Message Block v1 (SMBv1), NTLMv1, unconstrained delegation, and WDigest authentication persist across many enterprise environments as inherited settings.
Microsoft has formally announced the deprecation of NTLM, yet critical vulnerabilities continue to surface, and these configurations rarely trigger alerts before they're exploited.
AD sits at the center of the modern ransomware attack chain
Ransomware operators use Active Directory for lateral movement, privilege escalation, and payload deployment, pushing encryption to every domain-joined endpoint via Group Policy in a single operation.
CISA, Mandiant, and Microsoft DART have all documented GPO modification as a technique used in ransomware and wiper campaigns.
Common Active Directory attack techniques
The techniques below primarily exploit expected AD behavior and common configuration weaknesses rather than software defects. Most require only a valid domain account to initiate, and several produce no useful alerts under default audit settings.
Kerberoasting and AS-REP Roasting
Any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has a registered SPN. The ticket is encrypted with a key derived from the service account's password, so the attacker can take it offline and crack it to recover that password. RC4 tickets (etype 0x17) crack far faster than AES tickets, which is why RC4-only service accounts are the preferred targets.
APT29, Wizard Spider, and FIN7 have all used this technique. AS-REP Roasting applies the same approach to accounts with pre-authentication disabled.
Pass-the-Hash and Pass-the-Ticket
NTLM's challenge-response protocol uses the hash itself as the authentication secret. An attacker who captures it from LSASS memory or NTDS.dit can authenticate without knowing the plaintext password.
"Overpass-the-Hash" converts the hash into a valid TGT, enabling a bridge to Pass-the-Ticket. APT41 has used both techniques in documented campaigns.
DCSync attacks
DCSync abuses the Directory Replication Service protocol: an attacker with replication permissions can impersonate a DC and retrieve NTLM hashes for any account, including krbtgt, without touching NTDS.dit.
Any member of the Domain Admins or Enterprise Admins group has sufficient permissions by default. APT29, Scattered Spider, and LAPSUS$ have all used this technique.
Golden Ticket and Silver Ticket attacks
A Golden Ticket forges a TGT using the krbtgt account hash, granting the ability to generate valid service tickets for any service as any user. It remains valid until krbtgt is reset twice.
A Silver Ticket forges a TGS for a specific service using that service account's hash, and unlike Golden Tickets, never contacts a DC, making it significantly harder to detect.
Active Directory security best practices
The controls below map directly to the attack techniques above. Each one addresses a specific foothold or visibility gap that attackers routinely exploit.
Harden Domain Controller configuration
Deploy domain controllers (DCs) in a dedicated OU with a restrictive GPO based on the Windows Server 2025 Security Baseline. Restrict "Allow log on locally" to Administrators and Enterprise Domain Controllers only.
Disable the print spooler service and RDP where not required. Lock down SYSVOL and NETLOGON share permissions: Authenticated Users need only Read access to SYSVOL and to GPO objects, so scope GPO application with Security Filtering rather than by widening permissions, and don't store passwords or sensitive scripts in Group Policy Preferences. Isolate virtual DCs at the hypervisor layer.
Treat domain controllers and Active Directory Domain Services (AD DS) as Tier 0 assets with an explicit patch SLA, because recent AD privilege-escalation and remote code execution vulnerabilities have shown that unpatched DCs can turn minor footholds into full-domain compromises.
Also remove members from the Group Policy Creator Owners group: members can create GPOs they fully control, creating a path for unauthorized GPO deployment.
Enforce least privilege access
Audit group memberships in Domain Admins, Enterprise Admins, and Schema Admins and reduce to the operational minimum.
Remove users who no longer require elevated access. Use Role-Based Access Control (RBAC) at the OU level.
Don't add service accounts to privileged groups. Even modest privilege reduction improves resilience by removing shared choke points and narrowing the paths that lead to Tier 0 assets.
Identifying and cutting unused privileged accounts is one of the fastest wins available in most AD environments.
Implement a tiered privileged access model
Microsoft now recommends the Enterprise Access Model, which supersedes the legacy three-tier model.
The core principle remains: Tier 0 (Control Plane, covering domain controllers and AD infrastructure) admins must not log on to lower-tier systems, because doing so exposes credentials via LSASS on those machines.
Use separate unprivileged and administrative accounts for each privilege tier: Tier 2 (workstations), Tier 1 (servers), Tier 0 (security infrastructure). Use Privileged Access Workstations (PAWs) for Tier 0 administration, with outbound network restrictions that allow connectivity only to required Microsoft services.
Disable legacy authentication protocols
Disable SMBv1 via Group Policy or PowerShell to eliminate one of the most commonly exploited legacy protocol surfaces:
# Disables the SMB1 server protocol on the local machine; -Force suppresses the confirmation prompt
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Restrict NTLMv1 and enforce NTLMv2-minimum by setting the LAN Manager authentication level to value 5 ("Send NTLMv2 response only. Refuse LM & NTLM") via GPO.
On Windows Server 2025, you can block NTLM on SMB directly with Set-SmbClientConfiguration -BlockNTLM $true.
Audit NTLM usage before restricting to identify application dependencies. Enforce SMB signing on both client and server with RequireSecuritySignature $true on each side.
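The steps above, applied to one member server in the order a practitioner would follow them (audit first, enforce later). This is an added PowerShell example, not code from the original article: it assumes an elevated session on the target host, that the operator chooses when to pass the hypothetical -Enforce switch, and that in production the same registry values are pushed through GPO rather than set by hand. When LmCompatibilityLevel is absent from the registry the OS default applies (3 on current Windows versions).

```powershell
# Added example: audit-then-enforce for SMBv1, the LAN Manager authentication level,
# NTLM auditing and SMB signing on the local host. Run elevated.
param([switch]$Enforce)   # hypothetical switch: without it the script only audits and turns on NTLM logging

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LegacyAuthState {
    $smb = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        Smb1Enabled           = $smb.EnableSMB1Protocol
        ServerSigningRequired = $smb.RequireSecuritySignature
        ClientSigningRequired = $cli.RequireSecuritySignature
        # $null here means "not set", i.e. the OS default (3) is in effect
        LmCompatibilityLevel  = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        NtlmOutboundAudit     = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
        NtlmInboundAudit      = (Get-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
    }
}

'--- before ---'
Get-LegacyAuthState | Format-List

# Step 1: NTLM auditing. Events appear in the Microsoft-Windows-NTLM/Operational log
# (8001 outbound, 8002 inbound); review them for a few weeks to find application dependencies
# before denying NTLM anywhere.
New-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -PropertyType DWord -Force | Out-Null  # 2 = audit all inbound NTLM
New-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = audit all outbound NTLM

if ($Enforce) {
    # Step 2: remove SMBv1 and refuse LM/NTLMv1 responses
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 5 = "Send NTLMv2 response only. Refuse LM & NTLM"
    New-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -PropertyType DWord -Force | Out-Null
    # Step 3: require SMB signing on both sides so relayed NTLM sessions can't be used against this host
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

'--- after ---'
Get-LegacyAuthState | Format-List
```

Run it once without -Enforce, collect the NTLM operational events for the audit period, then run it with -Enforce on a pilot group before changing the domain-wide GPO.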
Configure strong password policies and deploy LAPS
Use Fine-Grained Password Policies (PSOs) for privileged accounts. PSOs can only be assigned to AD users or global security groups, not OUs directly:
New-ADFineGrainedPasswordPolicy -Name "AdminPSO" -Precedence 10 `
-MinPasswordLength 20 -PasswordHistoryCount 24 `
-ComplexityEnabled $true -MaxPasswordAge "30.00:00:00" `
-LockoutThreshold 5 -LockoutDuration "0.12:00:00"
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminPSO" -Subjects "Domain Admins"
Deploy Microsoft Local Administrator Password Solution (LAPS) to rotate local administrator passwords automatically on each endpoint. LAPS eliminates the lateral movement path that comes from shared local admin credentials.
Deployment requires extending the AD schema with the LAPS attributes (Update-LapsADSchema for Windows LAPS) and configuring Group Policy. Clear the "Password never expires" and "Password not required" flags on user accounts, or retire the accounts that depend on them.
Secure service accounts with MSAs and gMSAs
Replace standalone service accounts with Group Managed Service Accounts (gMSAs), whose passwords are generated and rotated by the OS and which can be used by multiple servers:
# Requires a KDS root key in the forest (Add-KdsRootKey) before the first gMSA can be created
New-ADServiceAccount -Name "svc-webapp" -DNSHostName "webapp.domain.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebServers-Group"
Install-ADServiceAccount -Identity "svc-webapp"   # run on each host in WebServers-Group
Windows Server 2025 introduces Delegated MSAs (dMSAs), which further restrict account usage to a specific device. Where standalone accounts remain, apply Fine-Grained Password Policies and restrict logon rights. Audit your SPNs regularly: orphaned SPNs on unused accounts are a direct Kerberoasting surface.
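An SPN audit that does more than list SPNs: it scores each account by the properties that make it a worthwhile Kerberoasting or AS-REP Roasting target. This is an added PowerShell example, not from the original article; it assumes the ActiveDirectory module on a domain-joined host. The remediation lines at the end and the account name svc-legacy in them are illustrative and left commented out so the report stays read-only.

```powershell
# Added example: inventory of Kerberoast- and AS-REP-roastable user accounts, highest risk first.
Import-Module ActiveDirectory

# Bits of msDS-SupportedEncryptionTypes
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10
$props  = @('ServicePrincipalName', 'DoesNotRequirePreAuth', 'PasswordLastSet', 'AdminCount',
            'msDS-SupportedEncryptionTypes', 'Enabled', 'LastLogonDate')

# Server-side filter: any user with an SPN (Kerberoastable) or with pre-authentication disabled (AS-REP roastable)
$candidates = Get-ADUser -Filter 'ServicePrincipalName -like "*" -or DoesNotRequirePreAuth -eq $true' -Properties $props

$report = foreach ($u in $candidates) {
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    # Unset (null/0) means the KDC falls back to RC4 for this account's service tickets;
    # RC4 set without any AES bit is the same exposure.
    $rc4Only   = (-not $etypes) -or ((($etypes -band $RC4) -ne 0) -and (($etypes -band ($AES128 -bor $AES256)) -eq 0))
    $pwAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
    $privileged = ($u.AdminCount -eq 1)
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        SpnCount        = @($u.ServicePrincipalName).Count
        AsRepRoastable  = [bool]$u.DoesNotRequirePreAuth
        Rc4Only         = $rc4Only
        PasswordAgeDays = $pwAgeDays
        Privileged      = $privileged
        # A privileged, RC4-only account with a years-old password is the ideal offline-cracking target
        Risk = [int]$rc4Only + [int]$privileged + [int]($pwAgeDays -gt 365) + [int][bool]$u.DoesNotRequirePreAuth
    }
}

$report | Sort-Object Risk -Descending | Format-Table -AutoSize

# Remediation for a finding (illustrative account name, commented out to keep the script read-only):
# Set-ADUser -Identity svc-legacy -KerberosEncryptionType AES128,AES256   # drop RC4 for the account
# Set-ADAccountControl -Identity svc-legacy -DoesNotRequirePreAuth $false  # re-enable pre-authentication
# Set-ADAccountPassword -Identity svc-legacy -Reset                         # a new long password makes old tickets useless
```

Disabled accounts still appear in the list deliberately: an attacker can't roast a disabled account, but re-enabling one is a single attribute change, so an orphaned SPN on a disabled account should be removed rather than ignored.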
Audit and restrict AD delegation
Audit accounts configured with unconstrained delegation, which allows any machine with the attribute set to impersonate any user who authenticates to it:
# Computers with unconstrained delegation (excludes DCs)
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} `
-Properties trustedfordelegation, serviceprincipalname, description
# Users with unconstrained delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} `
-Properties TrustedForDelegation, ServicePrincipalName, Description
Reconfigure any discovered objects for constrained or resource-based constrained delegation (RBCD). Mark sensitive privileged accounts as "Account is sensitive and cannot be delegated." Monitor Event 5136 for changes to msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD abuse) and msDS-AllowedToDelegateTo (constrained delegation abuse).
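The query above finds unconstrained delegation; the delegation paths that survive a migration (constrained delegation with protocol transition, and RBCD) need their own inventory, and the privileged accounts that remain delegatable are the impersonation targets. This is an added PowerShell example, not from the original article; it assumes the ActiveDirectory module, and the hypothetical -Fix switch is the operator's choice, since the queries themselves are read-only.

```powershell
# Added example: constrained/RBCD delegation inventory plus protection of privileged accounts.
param([switch]$Fix)   # hypothetical switch: apply "Account is sensitive and cannot be delegated"
Import-Module ActiveDirectory

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl bit: "Use any authentication protocol"

# 1. Classic constrained delegation lives on the front-end account (msDS-AllowedToDelegateTo).
#    Protocol transition lets that front end obtain tickets for users who never authenticated to it.
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
$findings = foreach ($o in $constrained) {
    [pscustomobject]@{
        Object             = $o.Name
        Type               = 'Constrained'
        ProtocolTransition = (($o.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        Principals         = ($o.'msDS-AllowedToDelegateTo' -join '; ')
    }
}

# 2. RBCD lives on the back-end (target) object; the AD module exposes the allowed principals directly.
$rbcd = @(Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties PrincipalsAllowedToDelegateToAccount) +
        @(Get-ADUser     -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties PrincipalsAllowedToDelegateToAccount)
$findings += foreach ($o in $rbcd) {
    [pscustomobject]@{
        Object             = $o.Name
        Type               = 'RBCD target'
        ProtocolTransition = $false
        Principals         = ($o.PrincipalsAllowedToDelegateToAccount -join '; ')   # who may act on behalf of others to this object
    }
}
$findings | Sort-Object Type, Object | Format-Table -AutoSize

# 3. Privileged accounts (adminCount=1) without NOT_DELEGATED (0x100000) can be impersonated through any of the above.
$exposed = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=1048576)))' `
                      -Properties AccountNotDelegated
$exposed | Select-Object SamAccountName, AccountNotDelegated

if ($Fix) {
    # "Account is sensitive and cannot be delegated"
    $exposed | Set-ADAccountControl -AccountNotDelegated $true
    # Protected Users also blocks delegation of members' credentials (and NTLM and RC4) on 2012 R2+ DCs:
    # Add-ADGroupMember -Identity 'Protected Users' -Members $exposed
}
```

Every "Constrained" row with ProtocolTransition = True deserves the same scrutiny as unconstrained delegation: compromise of that front-end account yields tickets as any non-protected user to the listed services.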
Protect LSASS from credential dumping
Apply layered protection against credential extraction from LSASS:
- LSA Protection (RunAsPPL): Set LSASS to run as Protected Process Light via registry. This prevents non-protected processes from reading LSASS memory or injecting code. Apply a UEFI lock to the RunAsPPL setting via Secure Boot variables, which binds the protection to the firmware and requires physical access to disable.
- Windows Defender Credential Guard: Enable on Windows 10/Server 2016+ member workstations and servers via GPO. Credential Guard isolates NTLM hashes and Kerberos TGTs in Virtualization-based Security (VBS). Note: Credential Guard explicitly excludes domain controllers.
- ASR rules: Enable the LSASS Attack Surface Reduction rule to block user-mode credential dumping. If LSA Protection is already enabled, the ASR rule provides no additional protection, but use it as a fallback layer when RunAsPPL can't be deployed.
- Disable WDigest: Set the REG_DWORD value UseLogonCredential to 0 under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to prevent LSASS from caching plaintext credentials. Threat actor Storm-1175 was observed enabling WDigest as a credential theft step in Medusa ransomware operations.
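A read-back check for the four LSASS controls above, so a host can be verified rather than assumed compliant after the GPO applies. This is an added PowerShell example, not from the original article; it is read-only, assumes an elevated session on the host being checked, and relies on the documented meanings of RunAsPPL, the Win32_DeviceGuard class, the LSASS ASR rule GUID and the WDigest value.

```powershell
# Added example: report which LSASS credential-protection controls are actually in force on this host.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$lsassAsr = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # ASR rule: block credential stealing from LSASS

function Get-RegDword($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# RunAsPPL: 1 = LSA protection with UEFI lock, 2 = without UEFI lock (Windows 11 22H2 / Server 2025)
$runAsPpl = Get-RegDword $lsaKey 'RunAsPPL'
# The registry value is intent; System log Event 12 from Wininit ("LSASS.exe was started as a
# protected process") is proof that it took effect at the last boot.
$pplBooted = [bool](Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                                 -MaxEvents 1 -ErrorAction SilentlyContinue)

# Credential Guard: SecurityServicesRunning contains 1 when it is running (2 = HVCI)
$dg        = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

# ASR rule state: Actions[i] pairs with Ids[i]; 1 = Block, 2 = Audit, 6 = Warn, 0 = Off
$mp     = Get-MpPreference -ErrorAction SilentlyContinue
$asrIds = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
$asrIdx = [array]::IndexOf($asrIds, $lsassAsr)
$asrBlocking = ($asrIdx -ge 0) -and ($mp.AttackSurfaceReductionRules_Actions[$asrIdx] -eq 1)

$wdigestValue = Get-RegDword $wdigest 'UseLogonCredential'

[pscustomobject]@{
    LsaProtectionConfigured = ($runAsPpl -in 1, 2)
    LsaProtectionActive     = $pplBooted
    UefiLocked              = ($runAsPpl -eq 1)
    CredentialGuardRunning  = $cgRunning
    LsassAsrRuleBlocking    = $asrBlocking
    # 0 is the explicit safe value; an absent value means the OS default (caching off on 8.1/2012 R2 and later)
    WDigestExplicitlyOff    = ($wdigestValue -eq 0)
} | Format-List
```

A host that reports LsaProtectionConfigured = True but LsaProtectionActive = False has not been rebooted since the policy applied, which is the gap an attacker with local admin can still exploit.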
Remove stale objects and review group memberships
Review accounts inactive for 90 or more days and disable before deleting:
$cutoff = (Get-Date).AddDays(-90)   # LastLogonDate comes from lastLogonTimestamp, which replicates with up to 14 days of lag
Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -lt $cutoff} -Properties LastLogonDate
Review nested group memberships: deeply nested groups obscure effective permissions and create privilege escalation paths that routine audits miss. Stale accounts with privileged group membership never trigger activity-based alerts. Flagler Bank reached value with Netwrix Auditor in 30 minutes and cut AD investigations from hours to 10 minutes, demonstrating how faster review cycles make regular AD hygiene sustainable.
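The privileged-group review from the "Enforce least privilege access" section and the stale-account and nesting review above are one job when done well: expand each Tier 0 group to its effective membership and flag every member that fails a hygiene check. This is an added PowerShell example, not from the original article; it assumes the ActiveDirectory module and treats a 90-day inactivity window as the policy. The disable step is left commented out so the script is read-only until an owner has confirmed each finding.

```powershell
# Added example: effective Tier 0 membership with hygiene flags (stale, never-expires, SPN, nested).
Import-Module ActiveDirectory

$tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                 'Account Operators', 'Backup Operators', 'Group Policy Creator Owners')
$staleAfter  = (Get-Date).AddDays(-90)
$props       = @('LastLogonDate', 'PasswordNeverExpires', 'PasswordNotRequired', 'PasswordLastSet',
                 'ServicePrincipalName', 'Enabled', 'MemberOf')

$findings = foreach ($g in $tier0Groups) {
    $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # Enterprise Admins / Schema Admins exist only in the forest root domain

    # -Recursive flattens nested groups, so this is the effective membership rather than the direct one
    foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
        if ($m.objectClass -ne 'user') { continue }
        $u = Get-ADUser -Identity $m.distinguishedName -Properties $props
        $direct = ($u.MemberOf -contains $group.DistinguishedName)
        [pscustomobject]@{
            Group               = $g
            Account             = $u.SamAccountName
            ViaNesting          = (-not $direct)                    # invisible in a flat membership view
            Enabled             = $u.Enabled
            Stale               = ($u.LastLogonDate -lt $staleAfter) # a null LastLogonDate (never logged on) also counts
            NeverExpires        = $u.PasswordNeverExpires
            PasswordNotRequired = $u.PasswordNotRequired
            HasSpn              = [bool]$u.ServicePrincipalName      # a service account inside a Tier 0 group
            PasswordAgeDays     = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        }
    }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize

# Disable before delete: stamp the reason so the change is attributable in the audit trail.
# Commented out to keep the script read-only; run per finding once the account owner confirms.
# $findings | Where-Object { $_.Stale -and $_.Enabled } | ForEach-Object {
#     Set-ADUser -Identity $_.Account -Enabled $false `
#                -Description "Disabled $(Get-Date -Format u): inactive >90d, Tier 0 review"
# }
```

Any row with ViaNesting = True is a membership that a simple "Domain Admins" listing would not have shown; those are the paths that survive routine reviews.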
Enable MFA for privileged and remote access
Require MFA for all Domain Admin logins and any remote access path (VPN, RDP gateway, Entra ID-joined devices).
Microsoft began enforcing mandatory MFA for Azure portal and admin center access in October 2024, and extended it to the Microsoft 365 admin center in February 2025.
Phase 2 (October 2025) extended enforcement to the Azure CLI, PowerShell, mobile apps, and infrastructure-as-code (IaC) tools.
For hybrid environments, configure Entra ID Conditional Access policies to enforce phishing-resistant MFA based on directory role, location, or device state. Always exclude emergency access accounts to prevent administrative lockout.
MFA doesn't prevent credential theft, but it breaks the attacker's ability to reuse stolen credentials for follow-on access.
Active Directory security monitoring
Whether Windows generates the events needed to detect the attacks above depends on which audit policy subcategories are enabled on your domain controllers and member servers. Logon, account-logon, and group-management events are produced by the default domain controller audit settings; the directory-access and directory-changes events are not.
Those signals, including the one that reveals DCSync, require explicit configuration of the advanced audit policy and of the System Access Control List (SACL) on the domain root object before any events appear.
Critical event IDs to monitor
| Event ID | Attack signal | Key discriminating fields | Audit policy subcategory | DC only |
|---|---|---|---|---|
| 4624 | Pass-the-Hash | LogonType=3, KeyLength=0, AuthPackage=NtLmSsp | Logon/Logoff: Audit Logon | No |
| 4625 | Brute force / password spray | SubStatus (bad password vs. bad username) | Logon/Logoff: Audit Logon | No |
| 4648 | Lateral movement / explicit credential use | Explicit credentials from a non-interactive session | Logon/Logoff: Audit Logon | No |
| 4662 | DCSync | AccessMask=0x100 + replication GUIDs | DS Access: Audit Directory Service Access + SACL | Yes |
| 4672 | Privileged logon | SeDebugPrivilege, SeTcbPrivilege in the Privileges field | Logon/Logoff: Audit Special Logon | No |
| 4768 | AS-REP Roasting | PreAuthType=0, TicketEncryptionType=0x17 | Account Logon: Audit Kerberos Authentication Service | Yes |
| 4769 | Kerberoasting | TicketEncryptionType=0x17, TicketOptions=0x40810000 | Account Logon: Audit Kerberos Service Ticket Operations | Yes |
| 4771 | AS-REP Roasting (failure) | Pre-auth failure for pre-auth-disabled accounts | Account Logon: Audit Kerberos Authentication Service | Yes |
| 4776 | Pass-the-Hash (NTLM validation) | Correlate with 4624 LogonType 3/9 | Account Logon: Audit Credential Validation | Yes for domain accounts (local accounts validate on the member) |
| 5136 | RBCD abuse, Shadow Credentials, targeted Kerberoasting | AttributeLDAPDisplayName specific values | DS Access: Audit Directory Service Changes | Yes |
| 5137 | GPO creation, AD object creation | ObjectClass, ObjectDN | DS Access: Audit Directory Service Changes | Yes |
| 5141 | AD object deletion | ObjectDN | DS Access: Audit Directory Service Changes | Yes |
| 4728 | Domain Admin escalation | Member added to a global security group | Account Management: Audit Security Group Management | No |
| 4732 | Local Admin escalation | Member added to a domain local or local security group | Account Management: Audit Security Group Management | No |
| 4756 | Universal group escalation (Schema/Enterprise Admins) | Member added to a universal security group | Account Management: Audit Security Group Management | No |
Volume note: Event 4769 is high-volume on domain controllers. Filter on TicketEncryptionType=0x17 (RC4) to control noise. Enable only Success auditing for Directory Service Access; Failure auditing can generate millions of 4662 events from a single misbehaving application or query and will drown the DCSync signal.
Detect DCSync and Kerberos abuse
DCSync detection requires both advanced audit policy and SACL configuration on the domain root object. Add a Success audit entry on the domain root for Everyone covering Replicating Directory Changes, Replicating Directory Changes All, and Replicating Directory Changes In Filtered Set. Don't enable Failure auditing.
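The configuration the table above and the DCSync paragraph both depend on, as one script: the audit subcategories per event ID, then the domain-root SACL entries. This is an added PowerShell example, not from the original article; it assumes an elevated session on a domain controller with the ActiveDirectory module (the AD: drive), and the auditpol calls are the local equivalent of the Default Domain Controllers Policy settings that would normally carry them.

```powershell
# Added example: enable the audit subcategories behind the event table and add the DCSync SACL.
Import-Module ActiveDirectory

$subcategories = @(
    'Logon', 'Special Logon',                 # 4624/4625/4648, 4672
    'Credential Validation',                  # 4776
    'Kerberos Authentication Service',        # 4768/4771
    'Kerberos Service Ticket Operations',     # 4769
    'Security Group Management',              # 4728/4732/4756
    'Directory Service Changes',              # 5136/5137/5141
    'Directory Service Access'                # 4662 (success only: failure auditing floods)
)
foreach ($s in $subcategories) {
    $failure = if ($s -eq 'Directory Service Access') { 'disable' } else { 'enable' }
    auditpol /set /subcategory:"$s" /success:enable /failure:$failure | Out-Null
}

# Replication control-access rights. A non-DC principal exercising these against the domain head is a DCSync.
$replicationRights = @{
    'DS-Replication-Get-Changes'                 = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All'             = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-In-Filtered-Set' = '89e95b76-444d-4c62-991a-0facbeda640c'
}
$domainDN = (Get-ADRootDSE).defaultNamingContext
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$acl      = Get-Acl -Path "AD:\$domainDN" -Audit   # -Audit reads the SACL, which needs SeSecurityPrivilege

foreach ($entry in $replicationRights.GetEnumerator()) {
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.ObjectType -eq [guid]$entry.Value -and $_.IdentityReference -eq $everyone }
    if ($existing) { continue }   # idempotent: don't stack duplicate ACEs on repeated runs
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AuditFlags]::Success,   # Success only, never Failure
        [guid]$entry.Value,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAuditRule($rule)
    "Added success audit ACE for $($entry.Key)"
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verify: three Everyone / ExtendedRight / Success entries should now be present
(Get-Acl -Path "AD:\$domainDN" -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -in $replicationRights.Values } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, ObjectType
```

After this runs, a test DCSync from an account that legitimately holds the replication rights (a break-glass exercise, not a production account) should produce a 4662 with AccessMask 0x100 and the Get-Changes-All GUID in Properties; if it doesn't, the audit policy is being overridden by a GPO that sets the legacy top-level categories.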
Alert on Event 4662 where AccessMask = 0x100 and Properties contain any of the following replication GUIDs from a non-DC source:
- 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
- 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
- 9923a32a-3607-11d2-b9be-0000f87a36b2 (DS-Replication-Synchronize)
- 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set)
Exclude domain controller computer accounts (names ending in $, which perform legitimate replication) and the Entra Connect synchronization account (MSOL_*). Event 4662 carries no source address, so correlate it with Event 4624 via LogonId to recover the source IP.
Monitor for Event ID 4769 as the primary indicator of Kerberoasting. TicketOptions = 0x40810000 is the most common value pattern, but sophisticated attackers vary ticket option flags specifically to evade this signature. Treat it as a high-confidence starting signal, not a complete detection ruleset.
Alert immediately on single occurrences for high-value service accounts and on 5 or more unique ServiceNames in 10 minutes from the same Account_Name for bulk enumeration.
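The two rules above expressed as code and run over constructed sample events, so the exclusions and the burst threshold can be tested before they reach the SIEM. This is an added PowerShell example, not from the original article; the events, account names and service names are constructed, and the field names mirror the XML fields of Events 4662 and 4769 (on a DC the real input is Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662,4769}).

```powershell
# Added example: DCSync (4662) and Kerberoasting-burst (4769) detection logic over constructed events.
$replicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c',   # DS-Replication-Get-Changes-In-Filtered-Set
    '9923a32a-3607-11d2-b9be-0000f87a36b2'    # DS-Replication-Synchronize
)

function Test-DcSyncEvent {
    param($Event)   # expects Id, SubjectUserName, AccessMask, Properties (as in the 4662 XML)
    if ($Event.Id -ne 4662 -or $Event.AccessMask -ne '0x100') { return $false }
    if ($Event.SubjectUserName -like '*$')     { return $false }   # computer accounts: DC-to-DC replication
    if ($Event.SubjectUserName -like 'MSOL_*') { return $false }   # Entra Connect sync account
    foreach ($g in $replicationGuids) {
        if ($Event.Properties -match $g) { return $true }
    }
    return $false
}

function Find-KerberoastBursts {
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    # RC4 service-ticket requests for user SPNs (computer SPNs and krbtgt are noise here)
    $rc4 = $Events | Where-Object {
        $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt'
    }
    foreach ($group in ($rc4 | Group-Object TargetUserName)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: distinct services requested within WindowMinutes of each event
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowStart = $sorted[$i].TimeCreated
            $windowEnd   = $windowStart.AddMinutes($WindowMinutes)
            $inWindow    = $sorted | Where-Object { $_.TimeCreated -ge $windowStart -and $_.TimeCreated -le $windowEnd }
            $services    = @($inWindow.ServiceName | Sort-Object -Unique)
            if ($services.Count -ge $Threshold) {
                [pscustomobject]@{ Requester = $group.Name; Start = $windowStart; UniqueServices = $services.Count; Services = ($services -join ',') }
                break   # one alert per requester per run is enough
            }
        }
    }
}

# Constructed sample events (not real log data)
$t0 = Get-Date '2025-01-15T10:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'DC01$';  AccessMask = '0x100'; Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }  # legitimate replication
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'jsmith'; AccessMask = '0x100'; Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }  # DCSync
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'jsmith'; AccessMask = '0x20';  Properties = '{bf967aba-0de6-11d0-a285-00aa003049e2}' }  # ordinary write, ignore
)
$sample += 1..6 | ForEach-Object {   # six RC4 TGS requests in 30 seconds from one user = bulk enumeration
    [pscustomobject]@{ Id = 4769; TargetUserName = 'jsmith@CORP.LOCAL'; ServiceName = "svc-app$_"; TicketEncryptionType = '0x17'; TimeCreated = $t0.AddSeconds($_ * 5) }
}
$sample += [pscustomobject]@{ Id = 4769; TargetUserName = 'WS01$@CORP.LOCAL'; ServiceName = 'DC01$'; TicketEncryptionType = '0x12'; TimeCreated = $t0 }  # AES, computer SPN: benign

'DCSync candidates:'
$sample | Where-Object { Test-DcSyncEvent $_ } | Select-Object SubjectUserName, Properties
'Kerberoasting bursts:'
Find-KerberoastBursts -Events $sample
```

With the sample data only jsmith surfaces in both outputs: the DC01$ replication and the AES computer-SPN request are filtered out, which is the behaviour to confirm before the rule goes live, since the exclusion list is also where a legitimate-looking account name (an MSOL_ prefix on an attacker-created user, for instance) would hide.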
Insight Credit Union cut ransomware detection time from hours to minutes by using real-time alerts for behavioral anomalies, showing how tuned alerting changes the practical outcome of these detections.
Monitor privileged group and object changes
Alert on modifications to Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators, and Backup Operators via Events 4728, 4732, and 4756 for member additions.
Alert on GPO-related directory object creation, modification, or deletion via Events 5136, 5137, and 5141. Monitor Event 5136 for changes to the following attack-relevant attributes:
- msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD abuse)
- msDS-AllowedToDelegateTo (constrained delegation abuse)
- servicePrincipalName on user objects (targeted Kerberoasting setup)
- msDS-KeyCredentialLink (Shadow Credentials attack)
Track changes to the AdminSDHolder object: modifications here can silently grant persistent elevated permissions. All AD object changes should capture before-and-after values, not just the change event, to support forensic reconstruction and determine whether a modification was authorized.
Active Directory security checklist
- Restrict Domain Admins, Enterprise Admins, and Schema Admins to operational minimum
- Implement a tiered access model; use PAWs for Tier 0 administration
- Deploy LAPS for local administrator password rotation
- Replace standalone service accounts with MSAs or gMSAs
- Disable SMBv1; restrict NTLM; enforce NTLMv2-minimum LAN Manager authentication level
- Audit accounts with unconstrained delegation; migrate to constrained delegation
- Enable Credential Guard on member machines and RunAsPPL on LSASS
- Review inactive accounts regularly; disable before deleting
- Configure SACL auditing on the domain root object and enable advanced audit policy
- Monitor Event IDs 4662, 4769 (RC4 tickets), and 4728/4732/4756 via SIEM
- Require MFA for all privileged logins and remote access paths
- Test backup and FSMO recovery procedures regularly
Secure Active Directory at scale with Netwrix
AD is the highest-stakes system in your environment. The hardening practices above remove many common exposure points, but configuration drift and privilege accumulation are continuous processes.
A service account added to Domain Admins today, a delegation setting changed during an emergency and never reverted, an inactive account left enabled after an employee departure: each one reopens an attack surface that earlier work closed. Sustained AD security requires persistent visibility into every change.
Netwrix Auditor records before-and-after values for access and change events across hybrid Microsoft environments, giving teams the audit trail needed for forensic reconstruction and compliance reporting.
Netwrix PingCastle provides a free AD security assessment that scores risks against MITRE ATT&CK and ANSSI framework checks, generating prioritized findings with no internet connection required.
Netwrix Threat Prevention blocks attack activity at the protocol layer before lateral movement begins.
Request a demo to see how Netwrix can help you detect unauthorized AD changes, monitor privileged account activity, and maintain audit coverage across your Active Directory environment.