Active Directory (AD) is a high-value target for attackers, who frequently attempt to compromise it to escalate their privileges and expand their access. Unfortunately, its operational necessity means that AD must be easily accessible to users throughout the enterprise—making it notoriously difficult to secure. Microsoft has stated that more than 95 million AD accounts come under attack every day, underscoring the seriousness of the problem.
While protecting AD is a challenge, it is far from impossible—it just requires the right tools and tactics. Below are ten tips that enterprises can use to more effectively secure AD against some of today’s most common attack tactics.
1. Prevent and Detect Enumeration of Privileged, Delegated Admin, Service, and Network Sessions
Once an adversary has penetrated perimeter defenses and established a foothold within the network, they will conduct reconnaissance to identify potentially valuable assets and how to reach them. AD is the natural place to do this: by default any authenticated user can query it over LDAP, and lookups of users, groups, service accounts, and active sessions blend into normal business traffic with little chance of detection.
Detecting and preventing enumeration of privileged users, delegated admins, service accounts, and network sessions can alert defenders to the presence of an adversary early in the attack cycle. Deploying deceptive domain accounts and credentials on endpoints can also trip up attackers and lets defenders redirect them to decoys for engagement.
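One concrete way to detect enumeration is a decoy account with an audit entry on it, so that any read of the object by an enumeration tool produces a directory-access event on the domain controller. The following PowerShell is an added example, not code from the original article or from the vendor; the decoy name, OU path, and description are assumptions, and it must be run by a domain administrator on a domain controller (or a host with the RSAT ActiveDirectory module, with the auditpol line run on the DCs or delivered by Group Policy).

```powershell
# Added example: plant a decoy "service account" and audit every successful read of it.
# Enumeration of service accounts (e.g. LDAP queries for servicePrincipalName=*) then
# produces Event ID 4662 on the DC that answered the query.
Import-Module ActiveDirectory

$DecoyName = 'svc_sql_backup'                          # assumed decoy name
$DecoyOU   = 'OU=Service Accounts,DC=corp,DC=example'  # assumed OU; must already exist

# Random, never-used password. Nobody should ever authenticate as this account, so any
# 4768 (TGT request) or 4771 (pre-auth failure) naming it is an alert on its own.
$randomPassword = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
$secure = ConvertTo-SecureString $randomPassword -AsPlainText -Force

$decoy = New-ADUser -Name $DecoyName -SamAccountName $DecoyName -Path $DecoyOU `
    -Description 'SQL backup service account' -AccountPassword $secure `
    -Enabled $true -PasswordNeverExpires $true -PassThru

# SACL entry: audit successful ReadProperty by Everyone on the decoy object only.
$dnPath   = "AD:\$($decoy.DistinguishedName)"
$acl      = Get-Acl -Path $dnPath -Audit
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $dnPath -AclObject $acl

# The SACL only generates events when the DC audits directory service access.
# Run on each DC, or set "Audit Directory Service Access" in the DC audit GPO.
auditpol /set /subcategory:"Directory Service Access" /success:enable

# Hunt: 4662 events whose Object Name is the decoy's GUID (4662 reports objects as %{GUID}).
# Property indexes follow the 4662 event template: 1 = SubjectUserName, 6 = ObjectName.
$guidText = $decoy.ObjectGUID.ToString()
Get-WinEvent -LogName Security -FilterHashtable @{ Id = 4662; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { [string]$_.Properties[6].Value -match $guidText } |
    Select-Object TimeCreated,
        @{ n = 'Subject'; e = { $_.Properties[1].Value } },
        @{ n = 'Access';  e = { $_.Properties[9].Value } }
```

Expect some baseline noise from management tooling and the DCs themselves; tune on the Subject field. The value of the decoy is that broad enumeration tools read every user object, so an unexpected workstation user appearing in this query is a high-fidelity signal.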
2. Identify and Remediate Privileged Account Exposures
Users often store credentials on their workstations. Sometimes they do this accidentally, while other times willingly—usually for convenience. Attackers know this and will target those stored credentials to gain access to the network environment. The right set of credentials can go a long way, and intruders will always look to escalate their privileges and access further.
Enterprises can avoid giving attackers an easy way into the network by identifying privileged account exposures, remediating misconfigurations, and removing saved credentials, shared folders, and other vulnerabilities.
3. Protect and Detect “Golden Ticket” and “Silver Ticket” Attacks
Pass-the-Ticket (PTT) attacks are among the most powerful techniques adversaries use to move laterally throughout the network and escalate their privileges. Kerberos is stateless: the KDC does not track the tickets it has issued, and a service accepts any ticket that decrypts correctly with its own long-term key. An attacker who obtains the right key can therefore mint tickets offline. A “Golden Ticket” is a forged TGT encrypted with the KRBTGT account’s key; it works against every service in the domain and stays valid until KRBTGT is rotated twice. A “Silver Ticket” is a forged service ticket encrypted with a single service or computer account’s key and never touches the KDC at all. Both are used to achieve domain compromise and domain persistence.
Addressing this requires detecting the conditions that make forged tickets durable: a KRBTGT password that has not been rotated in years, service and computer accounts whose keys are weak, stale, or RC4-only, and the misconfigurations that let an attacker obtain those keys in the first place. Additionally, a solution like Singularity Identity can prevent the use of forged tickets at the endpoints.
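The two key-hygiene checks that matter most here, as an added PowerShell example that is not part of the original article: how old the KRBTGT key is (Golden Ticket lifetime) and which computer accounts have stopped rotating their machine password (Silver Ticket lifetime). The age thresholds are assumptions; it needs the RSAT ActiveDirectory module.

```powershell
# Added example: Kerberos key hygiene checks behind Golden and Silver Ticket exposure.
Import-Module ActiveDirectory

$MaxKrbtgtAgeDays   = 180   # assumed: rotate krbtgt at least twice a year
$MaxMachineAgeDays  = 60    # machine passwords rotate every 30 days by default

# Golden Ticket: a forged TGT is accepted as long as the krbtgt key it was encrypted with is
# still current or previous (the KDC keeps one old key). Two resets, with replication in
# between, invalidate every outstanding forged TGT. RODC krbtgt_* accounts are separate.
$krbtgt    = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtAge = (Get-Date) - $krbtgt.PasswordLastSet
[pscustomobject]@{
    Check    = 'krbtgt password age (days)'
    Value    = [int]$krbtgtAge.TotalDays
    Finding  = if ($krbtgtAge.TotalDays -gt $MaxKrbtgtAgeDays) { 'ROTATE TWICE' } else { 'ok' }
}

# Silver Ticket: a forged service ticket is accepted as long as the service account's key is.
# Computer accounts normally rotate every 30 days; one that has not done so for months has
# either been tampered with (DisablePasswordChange) or is a dead object an attacker can reuse.
Get-ADComputer -Filter * -Properties PasswordLastSet, OperatingSystem |
    Where-Object { $_.Enabled -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxMachineAgeDays) } |
    Select-Object Name, OperatingSystem, PasswordLastSet,
        @{ n = 'AgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

After a compromise the krbtgt reset is the remediation step, not just a finding; do it twice with enough time between for replication (and for long-lived legitimate TGTs to expire), or every service in the domain will briefly reject tickets.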
4. Protect Against Kerberoasting, DCSync, and DCShadow Attacks
“Kerberoasting” lets any domain user request a service ticket for an account that has a registered service principal name (SPN) and crack that account’s password offline; when the service account is over-privileged, this is an easy route to privileged access. DCSync abuses the directory replication rights normally held only by domain controllers to pull password hashes, including KRBTGT’s, from a DC without ever logging on to it, and DCShadow registers a rogue domain controller so that malicious changes can be pushed into the directory through replication rather than through audited LDAP writes. Both are used to maintain domain persistence.
Defenders need continuous assessment of AD that provides real-time analysis of these attacks while alerting on the misconfigurations that enable them: user accounts with SPNs and weak, stale, or RC4-only credentials, and replication rights granted to principals that are not domain controllers. Furthermore, a solution that uses its endpoint presence to keep bad actors from discovering the accounts to target can inhibit their ability to carry out these incursions.
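Both exposures can be checked directly against the directory. The following PowerShell is an added example, not code from the original article or the vendor; the list of principals expected to hold replication rights is a baseline assumption (a directory sync account such as Azure AD Connect would legitimately appear and should be added), and it requires the RSAT ActiveDirectory module.

```powershell
# Added example: find Kerberoastable accounts and non-DC principals with DCSync rights.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Kerberoastable accounts: user objects with an SPN. Any authenticated user can request a
#    TGS for them; RC4-only accounts and old passwords are the ones that crack quickly.
#    msDS-SupportedEncryptionTypes bit 0x8 = AES128, 0x10 = AES256.
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', adminCount |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'Privileged'; e = { $_.adminCount -eq 1 } },
        @{ n = 'AESEnabled'; e = { ([int]$_.'msDS-SupportedEncryptionTypes' -band 0x18) -ne 0 } },
        @{ n = 'SPNs';       e = { $_.servicePrincipalName -join ';' } } |
    Sort-Object Privileged, AESEnabled -Descending |
    Format-Table -AutoSize

# 2. DCSync rights: the replication extended rights on the domain naming context.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Baseline trustees on a default domain head; add your directory sync service account here.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

(Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
        ($_.ObjectType -eq [guid]::Empty -or $replicationRights.ContainsKey($_.ObjectType.ToString()))
    } |
    Where-Object { $_.IdentityReference.Value -notin $expected } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = {
            if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights (includes replication)' }
            else { $replicationRights[$_.ObjectType.ToString()] } } },
        IsInherited |
    Format-Table -AutoSize
```

Get-Changes alone is harmless; it is Get-Changes-All (or an unrestricted ExtendedRight / GenericAll ACE) that allows secrets to be replicated, so any unexpected principal with that right is effectively a Domain Admin.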
5. Prevent Credential Harvesting From Domain Shares
Adversaries commonly target plaintext or reversibly encrypted passwords stored in scripts or Group Policy Preferences files in domain shares such as SYSVOL or NETLOGON. The Group Policy Preferences “cpassword” value is the classic case: it is AES-encrypted, but Microsoft published the key, so it is effectively plaintext to anyone who can read the share, which is every domain user.
A solution like Singularity Identity Posture Management can help detect these passwords, allowing defenders to remediate the exposures before attackers can target them. Mechanisms like those in the Singularity Identity solution can also deploy deceptive SYSVOL group policy objects in the production AD, helping to further disrupt the attacker by misdirecting them away from production assets.
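The check itself is small enough to run by hand. The following PowerShell is an added example, not code from the original article or the vendor: it walks the SYSVOL Policies share of the current domain, finds every preference element carrying a cpassword attribute, and decrypts it with the key Microsoft published in the MS-GPPREF specification (section 2.2.1.1.4). The share path is derived from the USERDNSDOMAIN environment variable on a domain-joined host.

```powershell
# Added example: find and decrypt Group Policy Preferences passwords in SYSVOL.
# Published AES-256 key from MS-GPPREF 2.2.1.1.4; CBC mode, zero IV, UTF-16LE plaintext.
$gppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function ConvertFrom-GPPCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # The attribute is Base64 with the trailing '=' padding stripped; restore it first.
    $padded = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $gppKey
        $aes.IV      = New-Object byte[] 16          # all-zero IV, per the spec
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [System.Text.Encoding]::Unicode.GetString($plain)
    } finally { $aes.Dispose() }
}

# Preference files that can carry cpassword, and the attribute each uses for the account name.
$domainFqdn = $env:USERDNSDOMAIN
$policies   = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies"
$files      = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
$nameAttrs  = 'userName','accountName','runAs','username'

Get-ChildItem -Path $policies -Recurse -File -Include $files -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $doc  = [xml](Get-Content -LiteralPath $file -Raw)
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $cp   = $node.GetAttribute('cpassword')
            $user = ($nameAttrs | Where-Object { $node.HasAttribute($_) } |
                     ForEach-Object { $node.GetAttribute($_) } | Select-Object -First 1)
            [pscustomobject]@{
                File     = $file
                Account  = $user
                Password = $(if ($cp) { ConvertFrom-GPPCpassword $cp } else { '<blank>' })
            }
        }
    } | Format-Table -AutoSize
```

Finding one of these is not fixed by deleting the XML: the password has been readable by every domain user since the policy was created, so the account’s password must be changed as well, and the policy rebuilt without a stored credential (Microsoft removed the ability to create new ones in MS14-025).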
6. Identify Accounts With Hidden Privileged SID
Using the SID history injection technique, an adversary who already holds high privilege adds a well-known privileged Security Identifier (SID), such as that of Enterprise Admins, to an account’s sIDHistory attribute. The attribute exists to preserve access across domain migrations, and every SID it holds is added to the account’s token at logon, so the account silently gains the group’s access without appearing in the group’s membership. This lets the attacker move laterally within the AD environment and further escalate privileges while staying off the usual group-membership reports.
Preventing this requires detecting and reporting on accounts whose sIDHistory attribute contains well-known privileged SID values.
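The following PowerShell, an added example rather than code from the original article or the vendor, lists every object with a populated sIDHistory and resolves any well-known privileged SIDs it finds. The privileged RID and built-in SID tables are the standard Windows ones; extend them with your own high-value groups. It needs the RSAT ActiveDirectory module.

```powershell
# Added example: detect privileged SIDs injected into sIDHistory.
Import-Module ActiveDirectory
$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known RIDs are the same in every domain, so a foreign domain SID ending in -519 is
# still "Enterprise Admins" of that domain.
$privilegedRids = @{
    500 = 'Administrator';  512 = 'Domain Admins';     516 = 'Domain Controllers'
    518 = 'Schema Admins';  519 = 'Enterprise Admins'; 520 = 'Group Policy Creator Owners'
    526 = 'Key Admins';     527 = 'Enterprise Key Admins'
}
$privilegedBuiltin = @{
    'S-1-5-32-544' = 'Administrators';   'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'; 'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

function Resolve-PrivilegedSid {
    param([Parameter(Mandatory)][string]$Sid)
    if ($privilegedBuiltin.ContainsKey($Sid)) { return $privilegedBuiltin[$Sid] }
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        $rid = [int]$Matches[1]
        if ($privilegedRids.ContainsKey($rid)) { return $privilegedRids[$rid] }
    }
    return $null
}

Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
    ForEach-Object {
        $obj = $_
        foreach ($hist in $obj.sIDHistory) {
            $sidText = $hist.Value
            $grants  = Resolve-PrivilegedSid -Sid $sidText
            if ($grants) {
                [pscustomobject]@{
                    Object      = $obj.DistinguishedName
                    Class       = $obj.objectClass
                    InjectedSid = $sidText
                    Grants      = $grants
                    # Supported migration tooling only ever writes SIDs from *other* domains;
                    # a same-domain SID in sIDHistory cannot be the result of a migration.
                    SameDomain  = $sidText.StartsWith("$domainSid-")
                }
            }
        }
    } | Format-Table -AutoSize
```

Rows with SameDomain = True are the strongest indicator: there is no legitimate way for an account to carry its own domain’s Domain Admins SID in sIDHistory, so those are injection until proven otherwise.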
7. Detect Dangerous Access Rights Delegation on Critical Objects
Delegation is an AD feature that allows a service or computer account to impersonate a user to other services. For example, when a user calls a web application, the application can authenticate to a back-end database server as that user rather than as itself. With unconstrained delegation, a computer receives a copy of each connecting user’s Ticket Granting Ticket and can reuse it against any service in the domain; if a Domain Admin ever authenticates to such a host, an attacker who controls it can impersonate that admin anywhere. Constrained delegation and resource-based constrained delegation narrow the scope, but when misconfigured they can be exploited too. Unfortunately, attackers can abuse any of these forms to gain access to different areas of the network.
Continuous monitoring of AD vulnerabilities and delegation exposures can help defenders identify and remediate these vulnerabilities before adversaries can exploit them.
8. Identify Privileged Accounts With Delegation Enabled
Speaking of delegation, an account trusted for delegation must have a service principal name registered, so a privileged account configured for delegation is also Kerberoastable, and its cracked password is exactly the key needed to forge Silver Tickets for its services; if the delegation is unconstrained, the account additionally collects other users’ TGTs. Enterprises need the ability to detect and report on privileged accounts with any form of delegation enabled.
A comprehensive list of privileged users, delegated admins, and service accounts can help defenders take stock of these exposures. Delegation is not inherently bad and is often necessary for operational reasons, but defenders can use a tool like Singularity Identity to prevent attackers from discovering those accounts.
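Tips 7 and 8 reduce to one inventory: every object with any delegation configured, cross-referenced with whether it is privileged, Kerberoastable, or a domain controller (DCs are unconstrained by design and are excluded). The following PowerShell is an added example, not code from the original article or the vendor; it treats adminCount=1 (membership in an AdminSDHolder-protected group) as the definition of “privileged”, which is an assumption, and requires the RSAT ActiveDirectory module.

```powershell
# Added example: inventory all delegation configurations and flag the risky ones.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: caches and can reuse callers' TGTs
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition (S4U2Self)

$dcs = (Get-ADDomainController -Filter *).ComputerObjectDN

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests userAccountControl bits server-side.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
          '(msDS-AllowedToDelegateTo=*)' +
          '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
$props  = 'userAccountControl', 'msDS-AllowedToDelegateTo',
          'msDS-AllowedToActOnBehalfOfOtherIdentity', 'servicePrincipalName', 'adminCount'

Get-ADObject -LDAPFilter $filter -Properties $props |
    ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $kind = @()
        if ($uac -band $TRUSTED_FOR_DELEGATION)            { $kind += 'Unconstrained' }
        if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)    { $kind += 'ProtocolTransition' }
        if ($_.'msDS-AllowedToDelegateTo')                 { $kind += 'Constrained' }
        if ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity') { $kind += 'RBCD-target' }

        [pscustomobject]@{
            Object         = $_.DistinguishedName
            Class          = $_.ObjectClass
            Delegation     = $kind -join ','
            IsDC           = $_.DistinguishedName -in $dcs
            Privileged     = ($_.adminCount -eq 1)
            # A user object with an SPN can be Kerberoasted by any domain user.
            Kerberoastable = ($_.ObjectClass -eq 'user' -and $_.servicePrincipalName.Count -gt 0)
            Targets        = ($_.'msDS-AllowedToDelegateTo' -join ';')
        }
    } |
    Where-Object { -not $_.IsDC } |
    Sort-Object Privileged, Kerberoastable -Descending |
    Format-Table Object, Class, Delegation, Privileged, Kerberoastable, Targets -AutoSize
```

Read the output top-down: a privileged, Kerberoastable account with unconstrained delegation is the worst case and should be converted to constrained (or resource-based constrained) delegation with a long random password, or moved to a group Managed Service Account. Marking privileged users “Account is sensitive and cannot be delegated” (and putting them in Protected Users) stops their TGTs from being captured by unconstrained hosts in the first place.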
9. Identify Unprivileged Users in AdminSDHolder ACL
Active Directory Domain Services (AD DS) uses the AdminSDHolder object and the Security Descriptor Propagator (SDProp) process to protect privileged users and groups. AdminSDHolder carries a template Access Control List (ACL); every 60 minutes by default, SDProp stamps that ACL onto every member of the protected built-in groups and overwrites any per-object changes. An attacker who adds an entry for an account they control to the AdminSDHolder ACL therefore receives that access on every protected account and group, and the backdoor survives manual cleanup of individual objects because SDProp reapplies it on the next cycle.
Organizations can catch this activity with a tool like Singularity Identity Posture Management that detects and alerts on unexpected principals in the AdminSDHolder ACL.
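The ACL is one object, so it can also be diffed by hand. The following PowerShell is an added example, not code from the original article or the vendor: it prints every Allow entry on AdminSDHolder that grants a write-capable right to a principal outside the default trustee set. That default set is a baseline assumption drawn from a stock Windows Server domain; a known-good export from your own forest is the better reference. It needs the RSAT ActiveDirectory module.

```powershell
# Added example: list non-default write-capable ACEs on AdminSDHolder.
Import-Module ActiveDirectory
$domain        = Get-ADDomain
$adminSDHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Trustees that hold some write-capable right on AdminSDHolder in a default domain.
# (Everyone only holds the Change Password extended right; Cert Publishers and Terminal
#  Server License Servers only write their own attributes.) Treat anything else as a finding.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\SELF',
    'Everyone',
    'BUILTIN\Administrators',
    'BUILTIN\Terminal Server License Servers',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    "$($domain.NetBIOSName)\Cert Publishers"
)
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

(Get-Acl -Path "AD:\$adminSDHolder").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match $writeRights -and
        $_.IdentityReference.Value -notin $expected
    } |
    Select-Object IdentityReference, ActiveDirectoryRights,
        @{ n = 'ObjectType';  e = { $_.ObjectType } },   # attribute/right GUID; Empty = all
        InheritanceType, IsInherited |
    Format-Table -AutoSize
```

A hit here is not just a permission problem on one object: within an hour SDProp will have copied the same ACE onto every Domain Admin, Enterprise Admin, and other protected account, so remediation means removing the ACE from AdminSDHolder and then confirming the protected objects have been re-stamped (or forcing a run via the `runProtectAdminGroupsTask` rootDSE operation).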
10. Identify Recent Changes to Default Domain Policy or Default Domain Controllers Policy
Within AD, organizations use Group Policy to manage operational configuration by defining security settings for the environment: membership of administrative groups (via Restricted Groups), startup and shutdown scripts, security requirements at each level, software installation, and file and registry permissions. The Default Domain Policy is linked at the domain root and the Default Domain Controllers Policy at the Domain Controllers OU, so a change to either reaches every computer, or every DC, on the next policy refresh. Unfortunately, that reach is exactly why attackers modify these policies to achieve domain persistence within the network.
Monitoring changes to default group policies can help defenders quickly spot these attackers, mitigating security risks and helping to prevent privileged access to AD.
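The two default GPOs have fixed, well-known GUIDs, which makes them easy to watch. The following PowerShell is an added example, not code from the original article or the vendor: it reports the version counters and last modification time of both policies and then pulls the matching directory-change events (Event ID 5136) from the PDC emulator. The seven-day window is an assumption; the event query only returns results if “Audit Directory Service Changes” is enabled and the Policies container has a write SACL. It needs the RSAT GroupPolicy and ActiveDirectory modules.

```powershell
# Added example: detect recent edits to the Default Domain / Default Domain Controllers Policy.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$defaultGpos = @{
    '31B2F340-016D-11D2-945F-00C04FB984F9' = 'Default Domain Policy'
    '6AC1786C-016F-11D2-945F-00C04fB984F9' = 'Default Domain Controllers Policy'
}
$LookbackDays = 7   # assumed review window

# 1. State of each default GPO: DS version counters increment on every edit.
foreach ($guid in $defaultGpos.Keys) {
    $gpo = Get-GPO -Guid $guid
    [pscustomobject]@{
        Name             = $gpo.DisplayName
        Modified         = $gpo.ModificationTime
        UserVersion      = $gpo.User.DSVersion
        ComputerVersion  = $gpo.Computer.DSVersion
        RecentlyModified = $gpo.ModificationTime -gt (Get-Date).AddDays(-$LookbackDays)
    }
}

# 2. Who changed what: 5136 (directory object modified) on the PDC emulator, restricted to the
#    two groupPolicyContainer objects. Property indexes follow the 5136 template:
#    3 = SubjectUserName, 8 = ObjectDN, 11 = AttributeLDAPDisplayName, 13 = AttributeValue.
$pdc = (Get-ADDomain).PDCEmulator
$gpcPattern = 'CN=\{(' + ($defaultGpos.Keys -join '|') + ')\},CN=Policies,CN=System'

Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue |
    Where-Object { [string]$_.Properties[8].Value -match $gpcPattern } |
    Select-Object TimeCreated,
        @{ n = 'By';        e = { $_.Properties[3].Value } },
        @{ n = 'Policy';    e = { $defaultGpos[([regex]::Match($_.Properties[8].Value, '\{([0-9A-Fa-f-]+)\}')).Groups[1].Value.ToUpper()] } },
        @{ n = 'Attribute'; e = { $_.Properties[11].Value } },
        @{ n = 'Value';     e = { $_.Properties[13].Value } } |
    Format-Table -AutoSize
```

Watch in particular for the versionNumber attribute moving together with edits under the GPO’s SYSVOL folder (GptTmpl.inf, Scripts), and for the gPLink attribute on the domain head or the Domain Controllers OU changing, since linking a brand-new GPO is the other way to get code onto every DC without touching the default policies at all.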
Putting the Right Tools in Place
Understanding the most common tactics adversaries use to target AD can help enterprises defend it. When developing tools like Singularity Identity Posture Management and Singularity Identity, we considered many attack vectors and identified how best to detect and derail them.
With these tools in place, today’s enterprises can effectively identify vulnerabilities, detect malicious activity early, and remediate security incidents before intruders can escalate their privileges and turn a small-scale attack into a major breach. Protecting AD is a challenge, but it is not an insurmountable one, thanks to today’s AD protection tools.
Active Directory Security Best Practices FAQs
What is Active Directory Security?
Active Directory security is the set of measures and practices you can use to protect your Microsoft Active Directory environment from cyber threats. It controls who can access what resources in your network by managing user accounts, computers, and permissions from one central place. Basically, it’s the gatekeeper that verifies users are who they say they are and decides what they can do once they get in.
This includes authentication, authorization, access controls, and monitoring to keep unauthorized users from messing with your systems and data.
Why is Active Directory Security Important?
Active Directory security is critical because if attackers get into your AD, they essentially hold the keys to your entire kingdom. Your AD controls access to all systems, applications, and sensitive data across your network. A compromised AD can lead to massive data breaches, system corruption, and even complete network shutdowns.
Microsoft has reported blocking more than 25 billion brute-force authentication attacks against Azure AD in a single year (2021). If you fail to secure this central hub, threat actors can escalate privileges, move laterally through your network, and deploy ransomware or steal credentials. The damage can paralyze your business operations and result in substantial financial losses.
What are Top Active Directory Security Best Practices?
You should keep the number of privileged users minimal and use groups to assign access instead of individual permissions. Apply strong password policies with modern requirements and enforce multi-factor authentication on all admin accounts. Turn off unnecessary services such as the Print Spooler on domain controllers, disable SMBv1, and restrict NTLM where possible. Conduct regular security assessments to find dormant accounts and remove them before they become attack vectors.
Monitor your AD continuously for suspicious activities, especially around privileged group changes and failed login attempts. Keep domain controllers physically secure and maintain proper backup and recovery plans.
How Does MFA Improve AD Security?
MFA makes your AD much more secure by adding extra verification steps beyond just passwords. Even if attackers steal your credentials through phishing or brute-force attacks, they can’t get in without the second factor like a mobile app or hardware token. MFA blocks over 99.9% of automated attacks and reduces breach risk by 98.56% even when credentials are leaked.
You can use various methods like Microsoft Authenticator, FIDO2 keys, biometrics, and platforms like SentinelOne to make it harder for threat actors to compromise accounts. MFA also provides better audit trails for forensic analysis if something goes wrong.
What are Key Active Directory Security Checklist Items?
Your AD security checklist should start with auditing the current security posture and identifying outdated accounts that need removal. Next, review and strengthen password policies, then implement account lockout policies to stop brute-force attempts. Deploy multi-factor authentication for all privileged accounts and establish access control policies based on least privilege. Set up regular patch management, run vulnerability assessments, and conduct AD audits to spot configuration issues.
Enable proper logging and monitoring for critical events, especially around domain admin group changes and failed authentications. Document your security policies, train staff on best practices, and test your AD recovery processes regularly.
How to Detect Suspicious Activity in Active Directory?
You need to monitor specific event IDs in your security logs, particularly failed logons (4625, logged on the machine where the logon failed, so also watch Kerberos pre-authentication failures, 4771, on domain controllers for domain-wide sprays), account lockouts (4740, always recorded on the PDC emulator), and special privileges assigned to a new logon (4672), which fires on every administrative logon and shows privileged activity on hosts where none is expected. Watch for unauthorized changes to privileged groups like Domain Admins and Enterprise Admins (4728, 4732, and 4756 for global, local, and universal group membership additions), as these often signal a breach in progress. Set up real-time alerts for unusual login patterns, such as many failed attempts from a single IP address or logins outside normal work hours.
Monitor Group Policy changes, password resets on admin accounts, and any modifications to domain controller settings. SentinelOne can help you track these activities and provides automated detection and alerting.
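The three signals above can be pulled from a domain controller’s Security log directly. The following PowerShell is an added example, not code from the original article or the vendor; the 24-hour lookback, the failed-logon threshold, and the list of groups to watch are assumptions, and property indexes follow the standard event templates noted in the comments. It needs the RSAT ActiveDirectory module for the PDC emulator lookup.

```powershell
# Added example: privileged-group changes, failed-logon bursts and lockouts from a DC's Security log.
Import-Module ActiveDirectory

$Computer  = (Get-ADDomain).PDCEmulator   # lockouts are always recorded here; other DCs for the rest
$Since     = (Get-Date).AddHours(-24)     # assumed lookback
$Threshold = 20                           # assumed: failed logons per source before alerting
$groupsOfInterest = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Schema Admins', 'Account Operators', 'Backup Operators'

# 1. Membership added to a watched group. 4728 = global, 4732 = local/builtin, 4756 = universal.
#    Template indexes: 0 = MemberName (DN), 2 = TargetUserName (group), 6 = SubjectUserName.
Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -in $groupsOfInterest } |
    Select-Object TimeCreated, Id,
        @{ n = 'Group';  e = { $_.Properties[2].Value } },
        @{ n = 'Member'; e = { $_.Properties[0].Value } },
        @{ n = 'By';     e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize

# 2. Failed logons bucketed by source address. Template indexes: 5 = TargetUserName,
#    7 = Status, 19 = IpAddress. Many distinct accounts from one source is a password spray.
Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.Properties[5].Value
            Source  = $_.Properties[19].Value
            Status  = ('0x{0:X8}' -f [int64]$_.Properties[7].Value)   # 0xC000006A bad password, 0xC0000064 no such user
        }
    } |
    Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
        @{ n = 'DistinctAccounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 3. Lockouts. Template indexes: 0 = TargetUserName, 1 = caller computer name.
Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account';        e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

For a spray that targets Kerberos directly, 4625 on the DC will be sparse; run the same bucketing over 4771 (pre-authentication failure, client address in the event) on every DC, since a failed Kerberos logon is recorded only on the DC that answered it.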