Ready to Start Your Career?

Active Directory Security Checks

manishp 's profile image

By: manishp

September 7, 2016

Active Directory Security Checks

So Again a recreation of work with little modification from recent blackhat event by Sean Metcalf (@Pyrotek3) which talks in detail about the AD Security checks to be performed to increase the security level of the complete setup. i just collaborated all the points to one place to make it easy to implement.

General Recommendations

  • Manage local Administrator passwords (LAPS).
  • Implement RDP Restricted Admin mode (as needed).
  • Remove unsupported OSs from the network.
  • Monitor scheduled tasks on sensitive systems (DCs, etc.).
  • Ensure that OOB management passwords (DSRM) are changed regularly & securely stored.
  • Use SMB v2/v3+
  • Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
  • Remove trusts that are no longer necessary & enable SID filtering as appropriate.
  • All domain authentications should be set (when possible) to: “Send NTLMv2 response onlyrefuse LM & NTLM.”
  • Block internet access for DCs, servers, & all administration systems.

Protect Admin Credentials

  • No “user” or computer accounts in admin groups.
  • Ensure all admin accounts are “sensitive & cannot be delegated”.
  • Add admin accounts to “Protected Users” group (requires Windows Server 2012 R2 Domain Controllers, 2012R2 DFL for domain protection).
  • Disable all inactive admin accounts and remove from privileged groups.

Protect AD Admin Credentials

  • Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
  • ‘Tiered’ Administration mitigating credential theft impact.
  • Ensure admins only logon to approved admin workstations & servers.
  • Leverage time-based, temporary group membership for all admin accounts.

Protect Service Account Credentials

  • Limit to systems of the same security level.
  • Leverage “(Group) Managed Service Accounts” (or PW >20 characters) to mitigate credential theft (kerberoast).
  • Implement FGPP (DFL =>2008) to increase PW requirements for SAs and administrators.
  • Logon restrictions - prevent interactive logon & limit logon capability to specific computers.
  • Disable inactive SAs & remove from privileged groups.

Protect Resources

  • Segment network to protect admin & critical systems.
  • Deploy IDS to monitor the internal corporate network.
  • Network device & OOB management on separate network.

Protect Domain Controllers

  • Only run software & services to support AD.
  • Minimal groups (& users) with DC admin/logon rights.
  • Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
  • Validate scheduled tasks & scripts.

Protect Workstations (& Servers)

  • Patch quickly, especially privilege escalation vulnerabilities.
  • Deploy security back-port patch (KB2871997).
  • Set Wdigest reg key to 0 (KB2871997/Windows 8.1/2012R2+): HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersWdigest
  • Deploy workstation whitelisting (Microsoft AppLocker) to block code exec in user folders - home dir & profile path.
  • Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).


  • Enable enhanced auditing:
  • “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
  • Enable PowerShell module logging (“*”) & forward logs to central log server (WEF or other method).
  • Enable CMD Process logging & enhancement (KB3004375) and forward logs to central log server.
  • SIEM or equivalent to centralize as much log data as possible.
  • User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).

Security Pro's Checks

  • Identify who has AD admin rights (domain/forest).
  • Identify who can logon to Domain Controllers (& admin rights to virtual environment hosting virtual DCs).
  • Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
  • Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
  • Limit service account rights that are currently DA (or equivalent).
Credit: Sean Metcalf (@Pyrotek3), s e a n [@], www.ADSecurity.orgTrimarcSecurity.comDetailed References:

• Active Directory Domains and Trusts

• Understanding Trusts

• Trust Types

• Active Directory Replication Overview

• How Active Directory Replication Topology Works

• How the Active Directory Replication Model Works

• Group Policy Basics


• Optimizing Group Policy Performance

• Organizational Units

• Organizational Unit Design


• How DNS Support for Active Directory Works

• Active Directory-Integrated DNS

• Understanding DNS Zone Replication in Active Directory Domain Services

• What is an RODC?

• AD DS: Read-Only Domain Controllers

• Read-Only Domain Controllers Step-by-Step Guide

• Service Principal Names (SPNs) Overview


• Register a Service Principal Name for Kerberos Connections

• Active Directory Reading Library

• Read-Only Domain Controller (RODC) Information

• Active Directory Recon Without Admin Rights

• Mining Active Directory Service Principal Names

• SPN Directory:

• MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege

• Securing Active Directory – An Overview of Best Practices

• Microsoft Enhanced security patch KB2871997

• Tim Medin’s DerbyCon 2014 presentation: “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades”

• Microsoft: Securing Privileged Access Reference Material

• Mimikatz

• Attack Methods for Gaining Domain Admin Rights in Active Directory

• Microsoft Local Administrator Password Solution (LAPS)

• The Most Common Active Directory Security Issues and What You Can Do to Fix Them

• How Attackers Dump Active Directory Database Credentials

• Sneaky Active Directory Persistence Tricks

Schedule Demo