In 2024, over 90% of Fortune 1000 companies still rely on Active Directory as their core identity backbone—and attackers know it. A single misconfigured delegation, a forgotten service account with Domain Admin privileges, or an unmonitored Group Policy change can unravel years of security investment. Let's break down the practical steps that separate a hardened AD environment from one that's a lateral movement playground.
Why Active Directory Is Still the Crown Jewel
Active Directory (AD) isn't just an authentication directory—it's the centralized trust authority for access decisions across your entire Windows ecosystem. Compromise AD, and an attacker owns your file servers, databases, applications, and cloud-synced identities. The challenge is that AD was designed in an era where the perimeter was the primary defense. Today, we need defense-in-depth inside the directory itself.
Tier Model: Segmenting Administrative Privilege
Microsoft's Enterprise Access Model (formerly the Tier Model) remains foundational. The principle is simple: never allow credentials from a higher-privilege tier to be exposed on lower-trust systems.
- Tier 0 — Domain Controllers, AD CS, Azure AD Connect
- Tier 1 — Member servers, applications, databases
- Tier 2 — Workstations, end-user devices
Practically, this means a Domain Admin should never log into a workstation. Enforce this with Authentication Policies and Silos in Server 2012 R2+:
```powershell
# Policy: short TGT lifetime for Tier 0 accounts
New-ADAuthenticationPolicy -Name "Tier0-Restriction" -Enforce `
    -UserTGTLifetimeMins 60 `
    -Description "Restricts Tier 0 accounts to Tier 0 assets"

# Silo: binds the policy to the accounts and computers placed in it
New-ADAuthenticationPolicySilo -Name "Tier0-Silo" -Enforce `
    -UserAuthenticationPolicy "Tier0-Restriction" `
    -ComputerAuthenticationPolicy "Tier0-Restriction"

# The silo has no effect until Tier 0 users and hosts are granted access to it
# (Grant-ADAuthenticationPolicySiloAccess) and assigned to it
# (Set-ADAccountAuthenticationPolicySilo).
```

This constrains where high-privilege TGTs can be used, dramatically reducing credential theft exposure.
Auditing and Detecting Dangerous Configurations
Misconfigurations silently accumulate. Use tools like PingCastle or Purple Knight for continuous assessment, but also build your own detection baseline. Here's a quick PowerShell check for accounts with unconstrained delegation—a critical attack vector for Kerberos abuse:
```powershell
# Exclude every Domain Controller dynamically instead of one hard-coded name
$dcNames = (Get-ADDomainController -Filter *).Name

Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation |
    Where-Object { $dcNames -notcontains $_.Name } |
    Select-Object Name, DNSHostName
```

Any non-Domain Controller appearing in this list should be immediately investigated and migrated to constrained or resource-based constrained delegation.
Securing Service Accounts with gMSAs
Legacy service accounts with static passwords are a persistent liability. Group Managed Service Accounts (gMSAs) eliminate password management entirely—AD rotates the 240-character password automatically every 30 days:
```powershell
New-ADServiceAccount -Name "svc_SQLProd" `
    -DNSHostName "svc_sqlprod.corp.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "SQLServers_Group" `
    -KerberosEncryptionType AES256
```

Every service account that supports gMSA should be migrated. No exceptions.
Monitoring: The Non-Negotiable Event IDs
Forward these critical Security Event IDs to your SIEM and build alerting rules:
| Event ID | Description | Why It Matters |
|---|---|---|
| 4728/4756 | Member added to security/universal group | Privilege escalation detection |
| 4768 | TGT requested (with RC4 encryption) | Kerberoasting indicator |
| 5136 | Directory object modified | Tracks ACL and GPO tampering |
| 4662 | Operation performed on AD object | DCSync detection (Replication-Get-Changes) |
A 4662 event referencing the DS-Replication-Get-Changes-All extended right from a non-DC source? That's an active DCSync attack—respond immediately.
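The DCSync check described above, as an added example that is not part of the original post: it parses 4662 events, looks for the replication control access rights by their schema GUIDs, and flags any requester that is not a Domain Controller computer account. The sample event and the `DC01$` account name are constructed; the live query at the end assumes the ActiveDirectory module.

```powershell
# Well-known schema GUIDs of the replication control access rights
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Test-DCSyncEvent {
    param(
        [Parameter(Mandatory)] [xml]$EventXml,                      # 4662 event, from .ToXml()
        [Parameter(Mandatory)] [string[]]$DomainControllerAccounts  # e.g. 'DC01$','DC02$'
    )
    # Flatten <Data Name="..."> elements into a lookup table
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The Properties field lists the access mask and the GUIDs of the rights used
    $rights = foreach ($guid in $ReplicationRights.Keys) {
        if ($data['Properties'] -match $guid) { $ReplicationRights[$guid] }
    }
    if (-not $rights) { return $null }   # not a replication request at all

    # DCs replicate legitimately; anything else asking for these rights is suspect.
    # Add known replicators (e.g. the Entra/Azure AD Connect account) to the allow-list.
    $isDC = $DomainControllerAccounts -contains $data['SubjectUserName']
    [pscustomobject]@{
        Time       = $EventXml.Event.System.TimeCreated.SystemTime
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Rights     = ($rights -join ', ')
        Suspicious = -not $isDC
    }
}

# Constructed sample: a regular user requesting Get-Changes-All (classic DCSync)
$sampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2024-05-01T10:15:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
'@
Test-DCSyncEvent -EventXml $sampleEvent -DomainControllerAccounts 'DC01$'   # Suspicious = True

# Live query against the Security log of a DC (requires the ActiveDirectory module)
$dcs = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} |
    ForEach-Object { Test-DCSyncEvent -EventXml ([xml]$_.ToXml()) -DomainControllerAccounts $dcs } |
    Where-Object { $_ -and $_.Suspicious }
```

The 4662 event is only written when the "Directory Service Access" audit subcategory is enabled and the domain object's SACL audits control access, so confirm both before relying on this rule.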
Governance: Making Security Sustainable
Technical controls fail without governance. Implement these practices:
- Quarterly access reviews of all Tier 0 group memberships using `Get-ADGroupMember -Recursive`
- Privileged Access Workstations (PAWs) for all administrative tasks
- Just-In-Time (JIT) access via Microsoft Identity Manager or third-party PAM solutions
- Change control for all GPO modifications with pre/post snapshots
Final Thoughts
Active Directory security isn't a project—it's a continuous discipline. Start with privilege segmentation, eliminate legacy service accounts, monitor ruthlessly, and build governance into your operational rhythm. The attackers automating AD exploitation aren't waiting, and your defenses shouldn't be static either.
Have questions about Active Directory security and governance? I'm always happy to talk shop — reach out or connect with me on LinkedIn.