
AD Security & Hardening
Active Directory Hardening
Active Directory is the backbone of most Windows environments and simultaneously the most frequent attack target. We analyse, harden, and secure your AD infrastructure on a permanent basis.
Why Active Directory Is the Primary Attack Target
In more than 90% of Windows-based enterprise environments, Active Directory controls authentication, authorisation, and group policies. Whoever gains control over AD controls the entire IT infrastructure. This makes AD the most valuable target for ransomware groups, APT actors, and insider attackers: a Domain Admin account provides full access to all systems, all data, and all backups.
The technical attack vectors against AD are well documented and actively exploited. Kerberoasting extracts service ticket hashes from network traffic, enabling offline password cracking against service accounts with weak passwords. Pass-the-Hash and Pass-the-Ticket allow attackers to authenticate using stolen NTLM hashes or Kerberos tickets without knowing the plaintext password. DCSync abuses replication permissions to extract password hashes of all domain accounts from the Domain Controller.
Particularly critical is the attack chain against Active Directory Certificate Services (ADCS). ESC1 through ESC8 are known misconfigurations in AD CS environments that allow an attacker with low privileges to create certificates for privileged accounts – including Domain Admins – and thereby achieve full domain control. Most organisations have ADCS deployed and are unaware that their configuration is vulnerable.
BloodHound Analysis: Making Attack Paths Visible
BloodHound is the most important tool for analysing Active Directory attack paths. It maps all relationships within AD – group memberships, delegated permissions, ACL configurations, session data – and visualises the shortest paths from any starting point to privileged targets such as Domain Admins or Domain Controllers. What would take weeks manually, BloodHound delivers in minutes.
We conduct a complete BloodHound analysis of your AD environment and identify the most critical attack paths: which accounts are directly exploitable via multi-step permission chains? Which service accounts have unnecessarily elevated privileges? Which groups have transitive permissions that were never intended? Where do ACL misconfigurations (WriteDACL, GenericAll) exist that could allow an attacker to establish persistence?
The analysis results form the basis for prioritised hardening measures. Not every attack path is equally critical – we identify the paths where a small number of hardening steps reduce the largest attack surface, and prioritise these for immediate implementation.
Tiering Model and Privileged Access: Structural Hardening
The Microsoft Tier Model (also known as the Enterprise Access Model) separates administrative access by criticality level: Tier 0 covers Domain Controllers, CA servers, and other highly privileged systems; Tier 1 covers member servers and applications; Tier 2 covers workstations and end-user devices. The model prevents credentials from crossing tier boundaries: an administrator who logs in to a compromised Tier-2 machine with Tier-1 credentials hands the attacker a pivot point.
Privileged Access Workstations (PAWs) are a central element of the tiering model: dedicated workstations used exclusively for Tier-0 administration, with no internet access, email, or productive use permitted. PAWs dramatically reduce the attack risk but are only effective when consistently enforced.
We implement the tiering model incrementally and pragmatically – adapted to the reality of your environment and operational capacity. This includes defining admin accounts per tier, configuring Authentication Policy Silos and Protected Users, hardening Group Policy configurations, and remediating the ACL misconfigurations BloodHound identified as critical.
Monitoring and Continuous Security
Hardening without monitoring is incomplete: after the initial remediation, we set up continuous AD monitoring that detects and alerts on critical events. These include: creation or modification of privileged accounts and groups, changes to critical GPOs, new Kerberos delegation configurations, DCSync activity, unusual NTLM authentications, and indicators of Golden/Silver Ticket attacks.
Detection rules are developed based on MITRE ATT&CK and tailored specifically to your AD topology. We integrate with existing SIEM solutions (Microsoft Sentinel, Splunk, Elastic Security) or recommend a suitable monitoring platform if none is in place. The goal is not an alert flood but precise detection rules with a high signal-to-noise ratio.
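As an added illustration of the tier-boundary rule and the monitoring events described above (example code written for this page, not the service's own detection content), the following Python applies three rules to constructed, SIEM-normalised Windows Security events: DCSync, seen as Event ID 4662 requesting the replication extended rights from a principal that is not a Domain Controller; additions to privileged groups (4728/4756); and a Tier-0 account logging on (4624) to a host outside Tier 0. The DC computer-account allowlist, the `t0-admin` naming convention and the host-to-tier map are assumptions.

```python
# Extended-right GUIDs that DCSync needs (well-known AD schema values).
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
ALLOWED_REPLICATORS = {"DC01$", "DC02$"}        # assumption: the domain's DC computer accounts
PRIV_GROUP_EVENTS = {4728, 4756}                # member added to a global / universal group
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins"}
TIER0_ACCOUNTS = {"t0-admin"}                   # assumption: Tier-0 admin naming convention
HOST_TIER = {"DC01": 0, "APP01": 1, "WS-042": 2}  # constructed host-to-tier map; unknown = Tier 2


def check_event(ev):
    """Return an alert string for one event, or None if the rule set considers it benign."""
    eid = ev["EventID"]
    if eid == 4662:
        # DCSync: replication extended rights requested by a principal that is not a DC.
        props = ev.get("Properties", "").lower()
        wants_repl = REPL_GET_CHANGES in props or REPL_GET_CHANGES_ALL in props
        if wants_repl and ev["SubjectUserName"] not in ALLOWED_REPLICATORS:
            return f"DCSync: {ev['SubjectUserName']} requested replication rights on {ev['Computer']}"
    elif eid in PRIV_GROUP_EVENTS and ev.get("TargetUserName") in PRIV_GROUPS:
        return (f"Privileged group change: {ev['MemberName']} added to "
                f"{ev['TargetUserName']} by {ev['SubjectUserName']}")
    elif eid == 4624 and ev["TargetUserName"] in TIER0_ACCOUNTS:
        # Tier violation: a Tier-0 credential was used on a host outside Tier 0.
        tier = HOST_TIER.get(ev["Computer"], 2)
        if tier != 0:
            return f"Tier violation: {ev['TargetUserName']} logged on to Tier-{tier} host {ev['Computer']}"
    return None


def run_rules(events):
    """Apply check_event to every event and return the list of alerts."""
    return [a for a in map(check_event, events) if a]


# Constructed sample events in the flat field form a SIEM would normalise them to.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},   # DC-to-DC replication, benign
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc-backup",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # non-DC asking for replication
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-web,OU=Services,DC=corp,DC=example"},
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "t0-admin"},  # Tier-0 creds on a workstation
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "t0-admin"},    # Tier-0 creds on a DC, fine
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

In production the DC allowlist should be derived from the Domain Controllers OU rather than hard-coded, and the 4662 rule needs the "Directory Service Access" audit subcategory enabled on every DC.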
At project completion you receive full documentation of all implemented measures, a baseline of the AD configuration for comparison in future audits, and recommendations for ongoing maintenance. AD hardening is not a one-off project – permissions change, new systems are integrated, configurations drift. We recommend an annual review.
Our Services
- AD security analysis with BloodHound/PlumHound
- ADCS security assessment (ESC1–ESC8)
- Implementation of the Tier Model (Enterprise Access Model)
- Privileged Access Workstation (PAW) concept
- Kerberos hardening and Protected Users
- SIEM integration and AD monitoring
Your Benefits
- Significant reduction of attack surface against ransomware and APTs
- Visibility of all critical attack paths
- Structural hardening instead of point-in-time measures
- Compliance evidence for ISO 27001 and NIS2
Get in touch
Ready for the next step?
Talk to us about your security requirements – concretely, without obligation, and as equals.