Active Directory Security Checks

By: manishp
September 7, 2016
This is again a recreation, with minor modifications, of material Sean Metcalf (@Pyrotek3) presented at a recent Black Hat talk, which walks through the Active Directory security checks to perform in order to raise the security level of the whole environment. I have only collated all the points in one place to make them easier to implement.

General Recommendations

  • Manage local Administrator passwords (LAPS), so that no two machines share the same one.
  • Implement RDP Restricted Admin mode (as needed).
  • Remove unsupported OSs from the network.
  • Monitor scheduled tasks on sensitive systems (DCs, etc.).
  • Ensure that out-of-band management passwords (e.g. the Directory Services Restore Mode (DSRM) password on each DC) are changed regularly & securely stored.
  • Use SMB v2/v3+ and disable SMBv1.
  • The default domain Administrator & KRBTGT passwords should be changed every year & whenever an AD admin leaves. (Change KRBTGT twice, letting replication complete in between, so that tickets signed with the old key, including forged ones, stop being accepted.)
  • Remove trusts that are no longer necessary & enable SID filtering as appropriate.
  • All domain authentications should be set (when possible) to: “Send NTLMv2 response only. Refuse LM & NTLM.”
  • Block internet access for DCs, servers, & all administration systems.
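The following script is an added example, not part of the original post or of Sean Metcalf's material. It checks several of the general recommendations above from a domain-joined host using the RSAT ActiveDirectory module: KRBTGT and built-in Administrator password age, SID filtering on trusts, unsupported operating systems still in the domain, and this host's NTLM and SMBv1 settings. The 365-day threshold and the list of legacy OS name patterns are assumptions; the registry and SMB checks only describe the machine the script runs on.

```powershell
# Added example, not from the original post: audit several of the general
# recommendations above. Needs the RSAT ActiveDirectory module; a domain user
# can run the AD queries, the registry/SMB checks describe this host only.
Import-Module ActiveDirectory

$maxPwdAgeDays = 365          # assumption: "changed every year" from the checklist
$legacyOs      = 'Windows 2000*', 'Windows XP*', 'Windows Server 2003*'   # assumption: unsupported in 2016
$domain        = Get-ADDomain
$findings      = New-Object System.Collections.Generic.List[string]

# KRBTGT and the built-in Administrator (always RID 500, whatever it was renamed to)
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$admin  = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties PasswordLastSet
foreach ($acct in @($krbtgt, $admin)) {
    $age = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    if ($age -gt $maxPwdAgeDays) {
        $findings.Add("$($acct.SamAccountName): password is $age days old (> $maxPwdAgeDays)")
    }
}

# Trusts: SID filtering should be on for every trust that leaves the forest.
# Quarantine applies to external trusts, ForestAware to forest trusts; intra-forest
# trusts never have SID filtering, so they are skipped.
Get-ADTrust -Filter * | ForEach-Object {
    if ($_.IntraForest) { return }
    if (-not ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)) {
        $findings.Add("Trust with $($_.Name) ($($_.Direction)): SID filtering disabled")
    }
}

# Unsupported operating systems still joined (and enabled) in the domain
foreach ($pattern in $legacyOs) {
    Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like $pattern } -Properties OperatingSystem |
        ForEach-Object { $findings.Add("Legacy OS: $($_.Name) runs $($_.OperatingSystem)") }
}

# NTLM on this host: LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
# A missing value means the OS default applies (3 on Vista/2008 and later), which still accepts NTLMv1.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.LmCompatibilityLevel -ne 5) {
    $findings.Add("LmCompatibilityLevel on this host is '$($lsa.LmCompatibilityLevel)', expected 5")
}

# SMBv1 on this host (Get-SmbServerConfiguration exists on Windows 8/2012 and later)
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is enabled on this host')
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it from a management workstation rather than a DC; the LmCompatibilityLevel and SMBv1 results for servers are best gathered through the GPO that sets them, or by looping this over an inventory with Invoke-Command.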

Protect Admin Credentials

  • No standard user accounts (or computer accounts) in admin groups; administrators use separate, dedicated admin accounts.
  • Ensure all admin accounts are marked “Account is sensitive and cannot be delegated”.
  • Add admin accounts to the “Protected Users” group (requires Windows Server 2012 R2 Domain Controllers; the 2012 R2 domain functional level is needed for domain-side protection).
  • Disable all inactive admin accounts and remove them from privileged groups.

Protect AD Admin Credentials

  • Limit AD admin group membership (DA, EA, Schema Admins, etc.) & use custom delegation groups for everything that does not truly require those rights.
  • Implement ‘tiered’ administration to contain the impact of credential theft.
  • Ensure admins only log on to approved admin workstations & servers.
  • Leverage time-based, temporary group membership for all admin accounts.

Protect Service Account Credentials

  • Limit each service account to systems of the same security level (tier).
  • Leverage (Group) Managed Service Accounts (or passwords longer than 20 characters) to mitigate credential theft via Kerberoast.
  • Implement Fine-Grained Password Policies (FGPP, requires DFL 2008 or higher) to increase password requirements for service accounts and administrators.
  • Logon restrictions: prevent interactive logon & limit logon capability to specific computers.
  • Disable inactive service accounts & remove them from privileged groups.
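The script below is an added example, not part of the original post or of Sean Metcalf's material. It lists every user account that carries a Service Principal Name (the population an attacker can Kerberoast) and reports it against the service-account recommendations above: password age, password-never-expires, whether the account can still receive RC4 tickets, whether it is or was in a protected admin group, whether a fine-grained password policy (or the default domain policy) enforces a long password, and whether logon is restricted to specific computers. Group Managed Service Accounts are a different object class and are not returned by Get-ADUser, so they are only counted. The 365-day and 20-character thresholds are assumptions taken from the checklist wording; the RSAT ActiveDirectory module is required.

```powershell
# Added example, not from the original post: review every user account that carries an
# SPN (the set an attacker can Kerberoast) against the service-account recommendations above.
Import-Module ActiveDirectory

$maxPwdAgeDays = 365    # assumption: rotation interval for service account passwords
$minPwdLength  = 20     # assumption: from "PW >20 characters" above

# gMSAs/sMSAs have their own object class; they are the preferred fix for the accounts below
$gmsaCount = @(Get-ADServiceAccount -Filter *).Count
"Managed service accounts (sMSA/gMSA) in domain: $gmsaCount"

$defaultPolicy = Get-ADDefaultDomainPasswordPolicy
$props = 'ServicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires', 'AdminCount',
         'LogonWorkstations', 'msDS-SupportedEncryptionTypes'

Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        # Unset (null) means the KDC falls back to RC4 for this account; 0x8 = AES128, 0x10 = AES256
        $enc = $_.'msDS-SupportedEncryptionTypes'
        $aes = $enc -and (($enc -band 0x18) -ne 0)
        $age = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
        # Fine-grained policy actually applied to this account; null means only the default domain policy applies
        $pso    = Get-ADUserResultantPasswordPolicy -Identity $_ -ErrorAction SilentlyContinue
        $minLen = if ($pso) { $pso.MinPasswordLength } else { $defaultPolicy.MinPasswordLength }

        $issues = @()
        if ($null -eq $age -or $age -gt $maxPwdAgeDays) { $issues += "password age $age days" }
        if ($_.PasswordNeverExpires)                    { $issues += 'password never expires' }
        if (-not $aes)                                  { $issues += 'RC4 tickets only (no AES in msDS-SupportedEncryptionTypes)' }
        if ($_.AdminCount -eq 1)                        { $issues += 'adminCount=1: is or was in a protected admin group' }
        if ($minLen -lt $minPwdLength)                  { $issues += "effective MinPasswordLength $minLen < $minPwdLength" }
        if (-not $_.LogonWorkstations)                  { $issues += 'may log on from any computer (no LogonWorkstations restriction)' }

        [pscustomobject]@{
            Account    = $_.SamAccountName
            Enabled    = $_.Enabled
            SPNs       = $_.ServicePrincipalName.Count
            PwdAgeDays = $age
            Issues     = ($issues -join '; ')
        }
    } | Sort-Object Account | Format-Table -AutoSize
```

An account that shows both "adminCount=1" and "RC4 tickets only" is the worst case on the list: a TGS for it can be requested by any domain user and cracked offline, and the recovered password carries admin rights.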

Protect Resources

  • Segment network to protect admin & critical systems.
  • Deploy IDS to monitor the internal corporate network.
  • Network device & OOB management on separate network.

Protect Domain Controllers

  • Only run the software & services needed to support AD.
  • Keep the groups (& users) with DC admin/logon rights to a minimum.
  • Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
  • Validate scheduled tasks & scripts on every DC.

Protect Workstations (& Servers)

  • Patch quickly, especially privilege escalation vulnerabilities.
  • Deploy the security back-port patch KB2871997 (Windows 7/2008 R2/8/2012).
  • Set the WDigest UseLogonCredential registry value to 0 so plaintext credentials are no longer kept in LSASS (the value is added by KB2871997 on older systems and is built in on Windows 8.1/2012 R2+): HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (DWORD) = 0
  • Deploy workstation whitelisting (Microsoft AppLocker) to block code execution from user-writable folders: home directory & profile path.
  • Deploy workstation exploit mitigation technology (EMET) to mitigate application memory-corruption exploits (0-days).
  • Enable enhanced auditing: “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”.
  • Enable PowerShell module logging (for “*”, i.e. all modules) & forward logs to a central log server (WEF or another method).
  • Enable command-line process auditing (Event ID 4688 including the command line; KB3004375 back-ports this to Windows 7/2008 R2/8/2012) and forward logs to a central log server.
  • Use a SIEM or equivalent to centralize as much log data as possible.
  • Use a User Behaviour Analytics system for enhanced knowledge of user activity (such as Microsoft ATA).
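As an added example (not from the original post or from Sean Metcalf's material), the read-only script below verifies the registry-backed hardening settings from the list above on the local host: the WDigest value, the audit subcategory override, PowerShell module logging for all modules, and command-line inclusion in process creation events. It also checks that the two back-port updates are installed on systems older than Windows 8.1/2012 R2 and shows the effective audit policy for Process Creation. The registry paths and value names are the documented Microsoft ones; the table layout and the "MISSING/FAIL/OK" labels are this script's own. Run it in an elevated PowerShell so HKLM and auditpol are fully readable.

```powershell
# Added example, not from the original post: verify the workstation/server hardening
# settings listed above on the local host. Read-only; the expected values are the ones
# the checklist calls for.
$checks = @(
    @{ Name = 'WDigest: UseLogonCredential = 0 (no plaintext creds in LSASS)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Expected = 0 }
    @{ Name = 'Audit: force subcategory settings to override category settings'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'SCENoApplyLegacyAuditPolicy'; Expected = 1 }
    @{ Name = 'PowerShell module logging enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging'; Expected = 1 }
    @{ Name = 'PowerShell module logging covers all modules ("*")'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
       Value = '*'; Expected = '*' }
    @{ Name = 'Process creation events (4688) include the command line'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 }
)

function Get-RegistryValue([string]$Path, [string]$Name) {
    # RegistryKey.GetValue is used because Get-ItemProperty -Name '*' would treat '*' as a wildcard
    try { (Get-Item -Path $Path -ErrorAction Stop).GetValue($Name) } catch { $null }
}

foreach ($c in $checks) {
    $actual = Get-RegistryValue $c.Path $c.Value
    $status = if ($null -eq $actual) { 'MISSING' } elseif ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'FAIL' }
    '{0,-8} {1}  [found: {2}]' -f $status, $c.Name, $actual
}

# On Windows 7 / 2008 R2 / 8 / 2012 the WDigest value and the 4688 command-line field only
# exist once the back-port updates are installed; 8.1 / 2012 R2 (6.3) and later have them built in.
$osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
if ($osVersion -lt [Version]'6.3') {
    foreach ($kb in 'KB2871997', 'KB3004375') {
        $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
        '{0,-8} {1} installed' -f $(if ($installed) { 'OK' } else { 'FAIL' }), $kb
    }
}

# Effective audit policy for the subcategory that produces event 4688 (needs elevation)
auditpol /get /subcategory:"Process Creation"

# Remediation for the first check, left commented so the script stays read-only:
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name UseLogonCredential -Type DWord -Value 0
```

A MISSING result for UseLogonCredential is acceptable on Windows 8.1/2012 R2 and later, where the absent value defaults to 0, but on the older systems it means WDigest is still caching plaintext passwords; setting the value explicitly everywhere through GPO avoids having to reason about the OS version.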

Security Pro's Checks

  • Identify who has AD admin rights (domain/forest).
  • Identify who can log on to Domain Controllers (& who has admin rights to the virtualization platform hosting virtual DCs, which is equivalent).
  • Scan Active Directory domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
  • Ensure AD admins (Domain Admins and equivalents) protect their credentials by not logging into untrusted systems (workstations).
  • Limit the rights of service accounts that are currently DA (or equivalent).
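The script below is an added example, not from the original post or from Sean Metcalf's material, and serves both the "Protect Admin Credentials" sections above and the checks in this one. It resolves the privileged groups by well-known RID (so renamed or localized groups are still found), expands nested membership with the LDAP_MATCHING_RULE_IN_CHAIN filter, and flags each member against the checklist: computer accounts in admin groups, disabled or inactive accounts still holding membership, accounts not marked "sensitive and cannot be delegated", accounts outside Protected Users, and service accounts (anything with an SPN) holding admin rights. It finishes by listing the write-capable ACEs on AdminSDHolder for review. The 90-day inactivity threshold is an assumption, and a single-domain forest (or running from the forest root) is assumed: cross-domain nested members would need a Global Catalog query. Requires the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post: enumerate who effectively holds AD admin
# rights and flag the credential-protection gaps the checklist calls out.
Import-Module ActiveDirectory

$inactiveDays = 90                                   # assumption: "inactive" threshold
$cutoff  = (Get-Date).AddDays(-$inactiveDays)
$domain  = Get-ADDomain
$sid     = $domain.DomainSID.Value
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Privileged groups by well-known SID/RID. EA and Schema Admins exist only in the forest root,
# the Operators groups and Administrators are BUILTIN (S-1-5-32-*).
$groupSids = @("$sid-512", "$rootSid-519", "$rootSid-518", 'S-1-5-32-544',
               'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-551')
$groups = foreach ($g in $groupSids) {
    try { Get-ADGroup -Identity $g -ErrorAction Stop } catch { }   # skip groups this domain does not hold
}

function Get-NestedMembers([string]$GroupDn) {
    # LDAP_MATCHING_RULE_IN_CHAIN expands nested groups server-side in one query
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn)" -Properties sAMAccountName
}

$protectedDns = @()
try {
    $pu = Get-ADGroup -Identity "$sid-525" -ErrorAction Stop       # Protected Users (RID 525)
    $protectedDns = @(Get-NestedMembers $pu.DistinguishedName).DistinguishedName
} catch { Write-Warning 'Protected Users group not found (PDC emulator below 2012 R2?)' }

$findings = foreach ($g in $groups) {
    foreach ($m in Get-NestedMembers $g.DistinguishedName) {
        if ($m.ObjectClass -eq 'computer') {
            [pscustomobject]@{ Group = $g.Name; Account = $m.sAMAccountName; Issue = 'computer account in admin group' }
            continue
        }
        if ($m.ObjectClass -ne 'user') { continue }
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties AccountNotDelegated, LastLogonDate, ServicePrincipalName
        $issues = @()
        if (-not $u.Enabled) { $issues += 'disabled account still in admin group' }
        elseif (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { $issues += "no logon in $inactiveDays days" }
        if (-not $u.AccountNotDelegated)                     { $issues += 'not marked "sensitive and cannot be delegated"' }
        if ($protectedDns -notcontains $u.DistinguishedName) { $issues += 'not in Protected Users' }
        if ($u.ServicePrincipalName.Count -gt 0)             { $issues += 'has SPN(s): service account with admin rights' }
        foreach ($i in $issues) {
            [pscustomobject]@{ Group = $g.Name; Account = $u.SamAccountName; Issue = $i }
        }
    }
}
$findings | Sort-Object Group, Account | Format-Table -AutoSize

# AdminSDHolder: SDProp copies its ACL onto every protected account (hourly by default), so a
# non-default principal with write rights here effectively controls all AD admins.
$sdHolder = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
(Get-Acl -Path $sdHolder).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

The AdminSDHolder output deliberately includes the default ACEs (SYSTEM, Domain Admins, Enterprise Admins, Administrators and a few limited WriteProperty grants) rather than filtering them out, because the point of the check is to compare the live list against what Microsoft ships and investigate anything else.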
Credit: Sean Metcalf (@Pyrotek3), s e a n [@] TrimarcSecurity.com, www.ADSecurity.org, TrimarcSecurity.com

Detailed References:

• Active Directory Domains and Trusts
• Understanding Trusts
• Trust Types
• Active Directory Replication Overview
• How Active Directory Replication Topology Works
• How the Active Directory Replication Model Works
• Group Policy Basics
• Optimizing Group Policy Performance
• Organizational Units
• Organizational Unit Design
• How DNS Support for Active Directory Works
• Active Directory-Integrated DNS
• Understanding DNS Zone Replication in Active Directory Domain Services
• What is an RODC?
• AD DS: Read-Only Domain Controllers
• Read-Only Domain Controllers Step-by-Step Guide
• Service Principal Names (SPNs) Overview
• Register a Service Principal Name for Kerberos Connections
• Active Directory Reading Library
• Read-Only Domain Controller (RODC) Information
• Active Directory Recon Without Admin Rights
• Mining Active Directory Service Principal Names
• SPN Directory
• MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege
• Securing Active Directory – An Overview of Best Practices
• Microsoft Enhanced security patch KB2871997
• Tim Medin’s DerbyCon 2014 presentation: “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades”
• Microsoft: Securing Privileged Access Reference Material
• Mimikatz
• Attack Methods for Gaining Domain Admin Rights in Active Directory
• Microsoft Local Administrator Password Solution (LAPS)
• The Most Common Active Directory Security Issues and What You Can Do to Fix Them
• How Attackers Dump Active Directory Database Credentials
• Sneaky Active Directory Persistence Tricks