
Active Directory Hardening: 15 Quick Wins

Active Directory remains the number one target in every penetration testing engagement. In my experience, compromising an AD domain almost always starts from the same problems: default configurations never changed, excessive delegations, and inadequate password policies. The good news is that a well-implemented Active Directory hardening checklist can eliminate 80% of the most common attack vectors. Here are the 15 quick wins I always implement.

Identity and access (the first 5)

  • Disable LLMNR and NBT-NS - their broadcast name-resolution fallbacks let an attacker on the local network poison responses and capture or relay NTLM credentials (Responder/ntlmrelayx)
  • Require SMB signing on all systems (enabled-but-not-required still allows unsigned sessions) - prevents NTLM relay attacks against SMB
  • Implement LAPS (Local Administrator Password Solution) - every machine gets a unique, rotated local admin password
  • Reduce Domain Admins membership to the absolute minimum - every DA account is a single point of failure
  • Implement a tiered administration model - Tier 0 admins (domain controllers) never use the same credentials as Tier 1 (servers) or Tier 2 (workstations)
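
The following script is an added example, not code from the original post: it audits the first four quick wins on the local host (and applies them when run with `-Apply`) and enumerates Domain Admins for the fifth. The tiered model itself is an organisational control and is not scripted. It assumes the RSAT ActiveDirectory module is installed; the registry paths, CIM method and SMB cmdlets are the standard Windows ones. A domain-wide rollout belongs in GPO; this shows which settings are involved and how to verify them.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit and optionally apply quick wins 1-4 locally,
# then list Domain Admins. Assumes the RSAT ActiveDirectory module is present.
param([switch]$Apply)   # without -Apply the script only reports

$findings = New-Object System.Collections.Generic.List[string]

# 1. LLMNR is off when EnableMulticast = 0 under the DNSClient policy key (the value GPO sets)
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings.Add('LLMNR enabled: EnableMulticast is not 0')
    if ($Apply) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 2. NBT-NS: TcpipNetbiosOptions = 2 disables NetBIOS over TCP/IP on an adapter
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        $findings.Add("NBT-NS enabled on adapter '$($nic.Description)'")
        if ($Apply) {
            Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
    }
}

# 3. SMB signing must be *required*, not merely enabled, on both the server and the client side
if (-not (Get-SmbServerConfiguration).RequireSecuritySignature) {
    $findings.Add('SMB server does not require signing')
    if ($Apply) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) {
    $findings.Add('SMB client does not require signing')
    if ($Apply) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 4. LAPS: a managed host carries a password-expiration attribute on its computer object
#    (msLAPS-PasswordExpirationTime for Windows LAPS, ms-Mcs-AdmPwdExpirationTime for legacy LAPS).
#    Asking for an attribute that is not in the schema throws, which itself means that LAPS flavour
#    was never deployed.
Import-Module ActiveDirectory -ErrorAction Stop
$lapsManaged = $false
foreach ($attr in 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime') {
    try {
        $comp = Get-ADComputer -Identity $env:COMPUTERNAME -Properties $attr -ErrorAction Stop
        if ($comp.$attr) { $lapsManaged = $true }
    } catch { }   # attribute absent from the schema: this LAPS flavour is not installed
}
if (-not $lapsManaged) {
    $findings.Add('LAPS is not managing the local administrator password on this host')
}

# 5. Domain Admins: list every nested member so the group can be driven down to the minimum
$das = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$findings.Add("Domain Admins has $(@($das).Count) member(s): $($das -join ', ')")

$findings
```

Run it without `-Apply` first and review the findings; NBT-NS in particular is often also pushed by DHCP option, so a host re-enables it unless the DHCP scope is fixed too.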

Monitoring and detection (the second 5)

  • Enable Advanced Audit Policy - logon and authentication events, object access, policy changes
  • Monitor critical events: 4625 (failed logon), 4672 (special privileges assigned to a new logon), 4720 (user account created), 4732 (member added to a privileged group)
  • Implement honeytokens in AD - decoy accounts that are never used legitimately, so any use of them indicates compromise
  • Configure alerts for Kerberoasting (anomalous TGS requests) and AS-REP Roasting
  • Monitor changes to critical GPOs - an attacker who can modify a GPO can compromise the entire domain
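
As an added example (not part of the original post), the script below makes one triage pass over a domain controller's Security log for the event IDs listed above, adds the Kerberoasting and AS-REP roasting signals, and checks every event against a honeytoken list. It assumes Advanced Audit Policy is on (without it the Kerberos events 4768/4769 are not written) and that the account running it can read the DC's Security log. The decoy account names and the thresholds are constructed placeholders; 4728 and 4756 are included alongside 4732 because Domain Admins is a global group and its membership changes log as 4728.

```powershell
# Added example (not from the original post): Security-log triage for the events above.
# Decoy names and thresholds are constructed placeholders; tune them to the environment.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller for Kerberos/group events
    [int]$Hours = 24,
    [string[]]$Honeytokens = @('svc-backup-legacy', 'adm-migration'),   # constructed decoy accounts
    [int]$RoastThreshold = 10,     # distinct RC4 SPN tickets for one requester before alerting
    [int]$FailureThreshold = 20    # failed logons against one account before alerting
)

# Flatten a record's EventData into a hashtable keyed by field name (TargetUserName, IpAddress, ...)
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# 4728/4756 are the global/universal-group counterparts of 4732 (local group)
$ids = 4625, 4672, 4720, 4732, 4728, 4756, 4768, 4769
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$alerts = New-Object System.Collections.Generic.List[string]
$tgsBySubject = @{}     # requester -> set of service names obtained with RC4
$failedByTarget = @{}   # account   -> number of failed logons

foreach ($e in $events) {
    $d = ConvertTo-EventData $e
    $t = $e.TimeCreated
    switch ($e.Id) {
        4625 { $failedByTarget[$d.TargetUserName] = 1 + [int]$failedByTarget[$d.TargetUserName] }
        4720 { $alerts.Add("$t account created: $($d.TargetUserName) by $($d.SubjectUserName)") }
        { $_ -in 4732, 4728, 4756 } {
            $alerts.Add("$t member $($d.MemberName) added to group $($d.TargetUserName) by $($d.SubjectUserName)")
        }
        4672 {
            # very noisy for machine and SYSTEM logons; keep human/service subjects only
            if ($d.SubjectUserName -notmatch '\$$' -and $d.SubjectUserName -ne 'SYSTEM') {
                $alerts.Add("$t special privileges assigned to $($d.SubjectUserName)")
            }
        }
        4769 {
            # Kerberoasting signal: RC4 (0x17) service tickets for non-machine SPNs, many per requester
            if ($d.TicketEncryptionType -eq '0x17' -and $d.ServiceName -notmatch '\$$' -and $d.ServiceName -ne 'krbtgt') {
                if (-not $tgsBySubject.ContainsKey($d.TargetUserName)) {
                    $tgsBySubject[$d.TargetUserName] = New-Object System.Collections.Generic.HashSet[string]
                }
                [void]$tgsBySubject[$d.TargetUserName].Add($d.ServiceName)
            }
        }
        4768 {
            # AS-REP roasting signal: TGT request served without pre-authentication (PreAuthType 0)
            if ($d.PreAuthType -eq '0') {
                $alerts.Add("$t TGT without pre-auth for $($d.TargetUserName) from $($d.IpAddress)")
            }
        }
    }
    # Honeytoken: any authentication event naming a decoy account is an alert by itself
    foreach ($name in @($d.TargetUserName, $d.ServiceName) | Where-Object { $_ }) {
        if ($Honeytokens -contains ($name -replace '@.*$', '')) {
            $alerts.Add("$t HONEYTOKEN '$name' touched (event $($e.Id)) from $($d.IpAddress)")
        }
    }
}

foreach ($subject in $tgsBySubject.Keys) {
    $n = $tgsBySubject[$subject].Count
    if ($n -ge $RoastThreshold) { $alerts.Add("possible Kerberoasting: $subject obtained RC4 tickets for $n distinct SPNs") }
}
foreach ($target in $failedByTarget.Keys) {
    if ($failedByTarget[$target] -ge $FailureThreshold) {
        $alerts.Add("$($failedByTarget[$target]) failed logons against $target in the last $Hours h")
    }
}

$alerts | Sort-Object -Unique
```

The RC4 filter on 4769 is what makes the Kerberoasting heuristic usable: AES tickets for the same SPNs are normal traffic, so the finding is a requester collecting many RC4 tickets for user-account SPNs in a short window. A SIEM rule should carry the same logic rather than alerting on every 4769.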

Advanced hardening (the last 5)

  • Disable unconstrained delegation wherever it is not strictly required
  • Add privileged accounts to the Protected Users security group
  • Enable Credential Guard on Windows 10/11 workstations
  • Block legacy protocols (NTLMv1, SMBv1, WDigest)
  • Run BloodHound regularly to visualize attack paths in your domain
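
The script below is an added example, not code from the original post: it audits the first four items of this block (unconstrained delegation, Protected Users coverage of Domain Admins, Credential Guard, legacy protocols) and reports findings; BloodHound is a separate tool and is not wrapped here. It assumes the RSAT ActiveDirectory module; the LDAP bit filter, CIM class and registry values are the standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit delegation, Protected Users, Credential Guard
# and legacy-protocol settings. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]

# 1. Unconstrained delegation = userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000 = 524288).
#    Domain controllers (primaryGroupID 516, RODCs 521) carry it by design; anything else is a finding.
$ldap = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))'
Get-ADObject -LDAPFilter $ldap -Properties sAMAccountName, objectClass | ForEach-Object {
    $findings.Add("unconstrained delegation on $($_.objectClass) $($_.sAMAccountName)")
}

# 2. Protected Users: every human Domain Admin should be a member.
#    Caveat: membership disables NTLM, DES/RC4 Kerberos, delegation and long TGT lifetimes for that
#    account, so confirm it depends on none of these first, and never add service or computer accounts.
$protected = Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SamAccountName } |
    ForEach-Object { $findings.Add("Domain Admin $($_.SamAccountName) is not in Protected Users") }

# 3. Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it runs (2 = HVCI)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or $dg.SecurityServicesRunning -notcontains 1) {
    $findings.Add("Credential Guard is not running on $env:COMPUTERNAME")
}

# 4a. NTLMv1: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($lm -ne 5) { $findings.Add("LmCompatibilityLevel is '$lm' (expected 5): NTLMv1 still accepted or sent") }

# 4b. SMBv1: the SMB server switch plus the optional Windows feature that ships the SMB1 binaries
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { $findings.Add('SMBv1 is enabled on the SMB server') }
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') { $findings.Add('SMB1Protocol Windows feature is installed') }

# 4c. WDigest: UseLogonCredential = 1 keeps clear-text credentials in LSASS memory; it must be 0
#     (on Windows 8.1 / Server 2012 R2 and later an absent value already means disabled)
$wd = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ulc = (Get-ItemProperty -Path $wd -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($ulc -eq 1) { $findings.Add('WDigest UseLogonCredential = 1: clear-text credentials cached in LSASS') }

if ($findings.Count -eq 0) { 'no findings' } else { $findings }
```

The Protected Users check deliberately only reports; adding an account that still authenticates over NTLM somewhere breaks that workflow, so each finding should be tested on a single account before the group is populated in bulk.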

These 15 interventions do not require significant investment - they are configuration changes. But the security impact is enormous. In a typical engagement, implementing even just the first 5 makes domain compromise significantly harder.
