
Active Directory Hardening: The 15-Point Enterprise Checklist

Active Directory is present in 90% of enterprise environments and is the primary target in virtually every lateral movement scenario. Here is the hardening checklist your red team wishes you had.

Marcus Elliot

Principal Security Architect · 22 November 2024

Active Directory attacks follow predictable patterns. Privilege escalation paths are well-documented in the BloodHound attack graphs your red team will use against you. Harden before they do.

1. Tiered Administration Model. Implement the Microsoft Enterprise Access Model. Tier 0 (domain controllers, PKI) must never be administered from endpoints used for email or browsing.
2. Protected Users Group. Add all privileged accounts to the Protected Users group. This prevents NTLM authentication, Kerberos delegation, and RC4 encryption for those principals; it also disables credential caching, so pilot it on a test account before adding service accounts.
3. Privileged Access Workstations. Tier 0 and Tier 1 administration must occur from hardened, dedicated PAWs that have no internet access and do not receive email.
4. Credential Guard. Enable Windows Defender Credential Guard on all Windows 10/11 and Server 2016+ systems to prevent credential extraction from LSASS memory.
5. LAPS. Deploy Microsoft LAPS so that every domain-joined machine has a unique, regularly rotated local administrator password; a local administrator hash captured on one host can then no longer be passed to any other, which removes the most common pass-the-hash lateral movement path.
6. Constrained Delegation. Audit every user and computer with unconstrained delegation (domain controllers excepted) using BloodHound. Eliminate it or convert it to resource-based constrained delegation.
7. AdminSDHolder. Review AdminSDHolder-protected group memberships quarterly. Stale entries create persistent privilege escalation paths.
8. KRBTGT Rotation. Rotate the KRBTGT account password twice per year. Because the KDC still accepts tickets under the previous password, each rotation is two resets separated by at least one full replication cycle; after the second reset, any Golden Ticket forged with a KRBTGT key stolen from a compromised domain controller is invalid.
9. Audit Policy. Enable advanced audit policy for logon events, account management, DS access, and privilege use. Forward to your SIEM within 60 seconds.
10. DCSync Monitoring. Alert on any non-DC account requesting directory replication via the MS-DRSR protocol (the DS-Replication-Get-Changes rights on the domain object). That replication request is the DCSync attack in progress.
11. Kerberoastable Accounts. Enumerate service accounts with SPNs and weak passwords; any domain user can request a service ticket encrypted with such an account's key and crack it offline. Use Group Managed Service Accounts (gMSA) to eliminate the Kerberoast attack surface.
12. AS-REP Roastable Accounts. Identify accounts with Kerberos pre-authentication disabled. For these accounts the KDC returns material encrypted with the user's password-derived key to anyone who asks, so the hash can be captured and cracked offline without any authentication.
13. ACL Abuse Paths. Use BloodHound to identify WriteDACL, GenericAll, and GenericWrite ACEs on privileged objects. Remove non-default ACEs immediately.
14. Domain Controller Hardening. Restrict DC network access to management networks only. Block SMB, RPC, and WinRM from user VLANs to your DCs.
15. Incident Response Runbooks. Document your DC recovery procedure and test it annually. A compromised DC scenario is your highest-impact IR exercise.
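Several of the items above (Protected Users membership, unconstrained delegation, Kerberoastable and AS-REP roastable accounts) can be checked from one read-only query against the domain. The following PowerShell is an added example written for this checklist, not the article's own tooling; it assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain, and it uses only the standard schema attribute names and the built-in `Protected Users` group. Nothing in it modifies the directory.

```powershell
# Added example (not from the original article): read-only audit of checklist items
# 2, 6, 11 and 12 via the RSAT ActiveDirectory module. Assumes the module is present
# and the caller can read the domain; 'Protected Users' is the built-in group name.
Import-Module ActiveDirectory

function Get-AdHardeningFindings {
    [CmdletBinding()]
    param(
        # Accounts deliberately kept out of Protected Users (e.g. a sync service account)
        [string[]]$ProtectedUsersExceptions = @()
    )

    $findings = [ordered]@{}

    # Item 6: unconstrained delegation. Domain controllers legitimately carry the
    # TRUSTED_FOR_DELEGATION flag, so they are excluded; anything else is a finding.
    $dcNames = (Get-ADDomainController -Filter *).Name
    $findings['UnconstrainedDelegation'] = @(
        Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
            Where-Object { $dcNames -notcontains $_.Name }
        Get-ADUser -Filter 'TrustedForDelegation -eq $true'
    ) | Select-Object Name, ObjectClass, DistinguishedName

    # Item 12: AS-REP roastable accounts (pre-authentication disabled, account enabled)
    $findings['AsRepRoastable'] =
        Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true' |
        Select-Object Name, DistinguishedName

    # Item 11: Kerberoastable accounts: enabled user objects carrying an SPN.
    # krbtgt is excluded because it is handled by item 8 (rotation), not a password change.
    $findings['Kerberoastable'] =
        Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
                   -Properties ServicePrincipalName, PasswordLastSet |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        Select-Object Name, PasswordLastSet,
                      @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }

    # Item 2: privileged accounts not in Protected Users. adminCount=1 is stamped by
    # SDProp on members of AdminSDHolder-protected groups, so it is a cheap proxy for
    # "privileged"; an orphaned adminCount is itself worth a look under item 7.
    $protectedMembers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty DistinguishedName
    $findings['PrivilegedNotInProtectedUsers'] =
        Get-ADUser -Filter 'adminCount -eq 1 -and Enabled -eq $true' |
        Where-Object {
            $protectedMembers -notcontains $_.DistinguishedName -and
            $ProtectedUsersExceptions -notcontains $_.SamAccountName
        } |
        Select-Object Name, DistinguishedName

    return $findings
}

# Usage: print a count per bucket, then drill into any bucket that is not empty.
$result = Get-AdHardeningFindings -ProtectedUsersExceptions @('svc-adsync')  # exception name is illustrative
foreach ($key in $result.Keys) {
    '{0,-32} {1,5}' -f $key, ($result[$key] | Measure-Object).Count
}
$result['Kerberoastable'] | Format-Table -AutoSize
```

The SPN query lists only user objects; gMSAs are a different object class and are not returned by `Get-ADUser`, which is exactly the point of item 11: once a service runs under a gMSA it drops out of this list. Run the script on a schedule and treat growth in any bucket as a regression.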
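Item 10 asks for an alert on replication requests from anything that is not a domain controller. On a DC with DS Access auditing enabled, such a request is recorded as Security event 4662 whose `Properties` field carries the GUIDs of the control access rights that were exercised. The detection below is an added example, not code from the article; it assumes the domain object's SACL audits the replication rights (so that 4662 is actually written) and uses the documented schema GUIDs for the three DS-Replication-Get-Changes rights. The sample event is constructed so the logic can be exercised offline.

```powershell
# Added example (not from the original article): flag Security event 4662 records in
# which a non-DC principal exercised a directory replication right. Assumes DS Access
# auditing plus a SACL on the domain naming context covering these rights.
Import-Module ActiveDirectory

# Control access right GUIDs from the AD schema (documented values)
$ReplicationRightGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
)

function Test-DcSyncEvent {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        # DC machine accounts (NAME$) plus any sanctioned sync account such as AD Connect
        [string[]]$AllowedAccounts = @()
    )
    # Flatten <Data Name="...">value</Data> into a lookup table
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $usedRights = @($ReplicationRightGuids | Where-Object { $data['Properties'] -match $_ })
    if ($usedRights.Count -eq 0) { return $null }                  # not a replication request
    $subject = $data['SubjectUserName']
    if ($AllowedAccounts -contains $subject) { return $null }      # expected replication partner

    [pscustomobject]@{
        Time    = $EventXml.Event.System.TimeCreated.SystemTime
        Subject = '{0}\{1}' -f $data['SubjectDomainName'], $subject
        Rights  = $usedRights -join ','
        Object  = $data['ObjectName']
    }
}

# Constructed sample event (not captured from a real system) showing a user account
# exercising Get-Changes and Get-Changes-All on the domain object.
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2024-11-22T09:15:02Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">DC=corp,DC=example</Data>
    <Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
"@
Test-DcSyncEvent -EventXml $sample -AllowedAccounts @('DC01$')   # produces one finding for CORP\jdoe

# Live use on a domain controller: allow every DC machine account plus sanctioned sync accounts.
$allowed = @((Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }) + 'svc-adsync'  # 'svc-adsync' is illustrative
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-24) } `
             -ErrorAction SilentlyContinue |
    ForEach-Object { Test-DcSyncEvent -EventXml ([xml]$_.ToXml()) -AllowedAccounts $allowed } |
    Format-Table -AutoSize
```

The allow list is the important design choice: DCs replicate with each other constantly, and Azure AD Connect or similar directory synchronisation services legitimately hold the replication rights, so the same logic in a SIEM rule should key on an explicit, reviewed list of principals rather than on the absence of a `$` suffix. Anything outside that list exercising these rights should page immediately.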