
Is Your Active Directory Secure? Admin Checklist for Enterprise Protection
Active Directory (AD) remains the backbone of enterprise identity and access management, and it is also one of the most targeted attack surfaces in modern cybersecurity. Threat actors understand that compromising AD grants them lateral movement capabilities, privilege escalation pathways, and persistent access to critical infrastructure. According to security research, over 90% of enterprise breaches involve some form of Active Directory exploitation, making AD security not just important but existential for organizational resilience.
This comprehensive guide provides security administrators with an actionable checklist to harden Active Directory environments against sophisticated threat actors. Whether you’re managing a small domain or a complex multi-forest enterprise infrastructure, these security controls will significantly reduce your attack surface and shorten detection and response times.

Understanding Active Directory Attack Vectors
Active Directory is attractive to attackers because it’s a single point of authentication and authorization for entire organizations. Compromising AD means an attacker can impersonate legitimate users, access sensitive data, deploy ransomware, and maintain persistence for months or years undetected.
Common AD attack vectors include:
- Credential Theft: Attackers extract cached credentials from memory, registry, or network traffic to gain initial access
- Kerberos Exploitation: Kerberoasting targets service accounts whose tickets use weak encryption, and AS-REP roasting targets user accounts with pre-authentication disabled
- Delegation Abuse: Misconfigured constrained or unconstrained delegation settings allow attackers to forge tickets and impersonate high-privilege accounts
- Group Policy Manipulation: Modifying GPOs grants attackers code execution on thousands of machines simultaneously
- Domain Trust Exploitation: Compromised domains can be used as bridges to attack other domains in forest trust relationships
- Password Spray Attacks: Weak password policies enable low-and-slow attacks against multiple accounts
Understanding these attack vectors is the first step toward implementing effective defenses. Organizations that treat Active Directory security as a strategic priority rather than a checkbox exercise see dramatically lower breach dwell times and reduced incident severity.

Authentication Security Hardening
Authentication is the foundation of AD security. Weak authentication mechanisms create pathways that attackers exploit repeatedly. Here’s how to strengthen your authentication posture:
Kerberos Encryption and Protocol Security
Kerberos is the primary authentication protocol in Active Directory, but weak encryption undermines its security. Ensure your environment enforces strong encryption standards:
- Set Kerberos maximum ticket age to 10 hours (default is often 10 hours, but verify this is enforced)
- Disable RC4 encryption for Kerberos—require AES-256 instead. This prevents Kerberoasting attacks from being trivial to execute
- Enable Kerberos armoring (FAST) for domain controllers running Windows Server 2012 R2 or later
- Configure account options to require pre-authentication for all user accounts (disable “Do not require Kerberos pre-authentication” setting)
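As an added example (not code from the article), the following PowerShell uses the RSAT ActiveDirectory module to find the two conditions above on a live domain: enabled accounts with “Do not require Kerberos pre-authentication” set, and SPN-bearing accounts whose msDS-SupportedEncryptionTypes attribute still permits RC4. The bit values are Microsoft’s documented ones; the remediation function uses -WhatIf so it previews the change rather than applying it.

```powershell
# Added example (not from the article): audit Kerberos pre-authentication and
# encryption settings with the ActiveDirectory PowerShell module (RSAT).
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes is a bit mask; these values are documented by Microsoft.
$ENC_RC4    = 0x4
$ENC_AES128 = 0x8
$ENC_AES256 = 0x10

function Get-PreAuthDisabledAccounts {
    # Enabled accounts with "Do not require Kerberos pre-authentication" (AS-REP roasting exposure).
    Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true -and Enabled -eq $true } |
        Select-Object SamAccountName, DistinguishedName
}

function Get-Rc4ServiceAccounts {
    # Enabled user accounts carrying an SPN whose encryption types still permit RC4.
    # An unset attribute (null, read as 0) means the account falls back to the domain
    # default, which on many domains still includes RC4, so it is reported for review.
    Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
               -Properties 'msDS-SupportedEncryptionTypes', ServicePrincipalName |
        ForEach-Object {
            $types     = [int]($_.'msDS-SupportedEncryptionTypes')
            $allowsRc4 = ($types -eq 0) -or (($types -band $ENC_RC4) -ne 0)
            $hasAes    = (($types -band ($ENC_AES128 -bor $ENC_AES256)) -ne 0)
            if ($allowsRc4) {
                [pscustomobject]@{
                    SamAccountName  = $_.SamAccountName
                    EncryptionTypes = $types
                    AesEnabled      = $hasAes
                    Spns            = ($_.ServicePrincipalName -join '; ')
                }
            }
        }
}

function Set-AesOnlyServiceAccount {
    # Remediation: Set-ADUser -KerberosEncryptionType writes msDS-SupportedEncryptionTypes.
    # If the account's password predates AES support in the domain, reset it afterwards so
    # AES keys exist. Remove -WhatIf only after reviewing the report above.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType AES256 -WhatIf
}

Get-PreAuthDisabledAccounts | Format-Table -AutoSize
Get-Rc4ServiceAccounts      | Format-Table -AutoSize
```

Run the two report functions on a schedule and treat any new row as a configuration regression; the pre-authentication report should normally be empty.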
NTLM Restrictions
NTLM is legacy authentication that should be minimized or eliminated in modern environments:
- Set domain-wide NTLM restrictions through Group Policy: “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny all” where possible
- Audit NTLM usage extensively before restricting—many legacy applications still depend on it
- Use Windows Event ID 8004 to track NTLM authentication attempts and identify applications requiring remediation
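The inventory step above, as an added example rather than code from the article: Event ID 8004 is written to the Microsoft-Windows-NTLM/Operational log on domain controllers once “Network security: Restrict NTLM: Audit NTLM authentication in this domain” is enabled. The script below groups those events by workstation and user so each row becomes an application or host to migrate before the restriction is switched to “Deny all”. It assumes the event message contains “User name:”, “Domain name:” and “Workstation name:” lines; adjust the regular expressions if your build formats the message differently.

```powershell
# Added example (not from the article): inventory NTLM authentications recorded as
# Event ID 8004 in the Microsoft-Windows-NTLM/Operational log of a domain controller.
# Prerequisite: the GPO setting "Network security: Restrict NTLM: Audit NTLM
# authentication in this domain" must be enabled on the DCs.
# ASSUMPTION: the 8004 message carries "User name:", "Domain name:" and
# "Workstation name:" lines; adjust the regexes if your build formats it differently.
function Get-NtlmUsageReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no events match.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = if ($m -match 'User name:\s*(\S+)')        { $Matches[1] } else { '?' }
                Domain      = if ($m -match 'Domain name:\s*(\S+)')      { $Matches[1] } else { '?' }
                Workstation = if ($m -match 'Workstation name:\s*(\S+)') { $Matches[1] } else { '?' }
            }
        } |
        Group-Object Workstation, User |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
                      @{ n = 'User';        e = { $_.Group[0].User } },
                      @{ n = 'LastSeen';    e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
}

# Top NTLM sources over the last week on this DC; repeat per DC or collect centrally.
Get-NtlmUsageReport -Days 7 | Select-Object -First 25 | Format-Table -AutoSize
```

Because each domain controller only logs the NTLM authentications it served, run the report against every DC (or against a central collector) before concluding that an application no longer uses NTLM.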
Password Policy Enforcement
Default password policies are insufficient for security-conscious organizations:
- Enforce minimum 14-character passwords (Microsoft now recommends 14+ characters over complexity requirements)
- Implement password history of at least 24 previous passwords to prevent recycling
- Set account lockout threshold to 5 failed attempts within 30 minutes
- Configure account lockout duration of at least 30 minutes to frustrate brute-force attacks
- Consider implementing password-less authentication through Windows Hello for Business or FIDO2 security keys for privileged accounts
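As an added example (not from the article), this script compares the effective default domain password policy and every fine-grained password policy (PSO) against the values listed above and prints one row per setting with a pass/fail flag. A lockout duration of zero is treated as “administrator must unlock”, which satisfies the 30-minute minimum.

```powershell
# Added example (not from the article): check the default domain password policy and all
# fine-grained policies against the recommended values. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    param($Policy, [string]$Name)
    $thirtyMin = [TimeSpan]::FromMinutes(30)
    # A LockoutDuration of 0 means the account stays locked until an administrator unlocks it.
    $durationOk = ($Policy.LockoutDuration -eq [TimeSpan]::Zero) -or ($Policy.LockoutDuration -ge $thirtyMin)
    # Each entry is one recommendation from the list above and whether the policy meets it.
    $checks = @(
        @{ Setting = 'MinPasswordLength';           Want = '>= 14';     Ok = $Policy.MinPasswordLength -ge 14 }
        @{ Setting = 'PasswordHistoryCount';        Want = '>= 24';     Ok = $Policy.PasswordHistoryCount -ge 24 }
        @{ Setting = 'LockoutThreshold';            Want = '1..5';      Ok = ($Policy.LockoutThreshold -ge 1) -and ($Policy.LockoutThreshold -le 5) }
        # A longer observation window counts more attempts, so "5 within 30 minutes" needs >= 30.
        @{ Setting = 'LockoutObservationWindow';    Want = '>= 30 min'; Ok = $Policy.LockoutObservationWindow -ge $thirtyMin }
        @{ Setting = 'LockoutDuration';             Want = '>= 30 min'; Ok = $durationOk }
        @{ Setting = 'ReversibleEncryptionEnabled'; Want = 'False';     Ok = -not $Policy.ReversibleEncryptionEnabled }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Policy  = $Name
            Setting = $c.Setting
            Actual  = $Policy.($c.Setting)
            Wanted  = $c.Want
            Pass    = $c.Ok
        }
    }
}

function Get-PasswordPolicyReport {
    $results = @()
    $results += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy'
    # PSOs override the default policy for the groups/users they apply to, so check them too.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $results += Test-PasswordPolicy -Policy $pso -Name "PSO: $($pso.Name)"
    }
    $results
}

$report = Get-PasswordPolicyReport
$report | Format-Table -AutoSize
# Failing settings only, for the remediation ticket:
$report | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

A PSO that passes is only effective for the principals listed in its AppliesTo attribute; verify that privileged groups are actually covered by the strictest policy.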
Organizations implementing these authentication controls see measurable reductions in compromise incidents. Pairing strong authentication with identity and access management best practices creates formidable barriers against attackers.
Delegation and Privilege Management
Delegation is a critical feature of Active Directory but is frequently misconfigured in ways that create privilege escalation pathways. Attackers specifically hunt for delegation weaknesses because they provide direct routes to domain admin compromise.
Constrained Delegation Configuration
Constrained delegation should be used instead of unconstrained delegation whenever possible:
- Audit all unconstrained delegation: Search for user and computer accounts with “Trusted for Delegation” set to unconstrained. These are high-value targets
- Convert to constrained delegation: When delegation is necessary, configure specific services that an account can delegate to
- Use Resource-Based Constrained Delegation: This modern approach is more secure and allows resource owners (rather than the delegated account) to control who can delegate to them
- Monitor delegation changes: Any modification to delegation settings should trigger alerts
Privilege Account Management
Domain admins and enterprise admins are high-value targets. Protecting these accounts is non-negotiable:
- Implement Privileged Access Workstations (PAW) for all administrative activity. These dedicated, hardened devices prevent credential theft from compromised workstations
- Enforce multi-factor authentication on all privileged accounts without exception
- Limit domain admin group membership—most environments have far more admins than necessary
- Use tiered administrative models: Tier 0 (domain controllers), Tier 1 (servers), Tier 2 (workstations). Administrators hold a separate, dedicated account for each tier they manage, so a Tier 0 credential is never used to administer lower-tier systems
- Implement Just-In-Time (JIT) access for administrative roles—grant elevated permissions only when needed, for limited duration
- Monitor and alert on sensitive group membership changes (Domain Admins, Enterprise Admins, Schema Admins)
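The delegation audit and the privileged-account review above can be driven from one script. The following is an added example (not the article’s code) that lists unconstrained, constrained and resource-based constrained delegation, then reports every member of the sensitive groups named above together with the safeguards that should apply to them: Protected Users membership, the “Account is sensitive and cannot be delegated” flag, and password age. Group names are the built-in ones; the one-year password-age threshold is an assumed value for illustration.

```powershell
# Added example (not from the article): delegation and privileged-group audit.
Import-Module ActiveDirectory

function Get-DelegationReport {
    # Unconstrained delegation: TrustedForDelegation on users and on non-DC computers.
    # Domain controllers (PrimaryGroupID 516) are unconstrained by design and are excluded.
    $unconstrained = @(
        Get-ADComputer -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516 }
        Get-ADUser     -Filter { TrustedForDelegation -eq $true }
    ) | ForEach-Object { [pscustomobject]@{ Kind = 'Unconstrained'; Object = $_.SamAccountName; Targets = 'ANY' } }

    # Constrained delegation (msDS-AllowedToDelegateTo). TrustedToAuthForDelegation means
    # protocol transition ("use any authentication protocol") is on, the riskier variant.
    $props = 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
    $constrained = @(
        Get-ADUser     -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $props
        Get-ADComputer -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $props
    ) | ForEach-Object {
        [pscustomobject]@{
            Kind    = if ($_.TrustedToAuthForDelegation) { 'Constrained+ProtocolTransition' } else { 'Constrained' }
            Object  = $_.SamAccountName
            Targets = ($_.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }

    # Resource-based constrained delegation: which principals may delegate TO each computer.
    # (RBCD configured on non-computer objects is not covered by this query.)
    $rbcd = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                           -Properties PrincipalsAllowedToDelegateToAccount |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'RBCD (inbound)'
                Object  = $_.SamAccountName
                Targets = ($_.PrincipalsAllowedToDelegateToAccount -join '; ')
            }
        }

    @($unconstrained) + @($constrained) + @($rbcd)
}

function Get-SensitiveGroupReport {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    # Protected Users exists from the Windows Server 2012 R2 schema onwards.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty DistinguishedName)
    foreach ($g in $Groups) {
        # Enterprise/Schema Admins exist only in the forest root domain; skip if not found.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties AccountNotDelegated, PasswordLastSet, LastLogonDate |
            ForEach-Object {
                [pscustomobject]@{
                    Group            = $g
                    Account          = $_.SamAccountName
                    Enabled          = $_.Enabled
                    InProtectedUsers = $protected -contains $_.DistinguishedName
                    NotDelegated     = [bool]$_.AccountNotDelegated   # "Account is sensitive and cannot be delegated"
                    PasswordAgeDays  = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                    LastLogon        = $_.LastLogonDate
                }
            }
    }
}

Get-DelegationReport | Sort-Object Kind | Format-Table -AutoSize

$priv = Get-SensitiveGroupReport
# Assumed review threshold: privileged passwords older than a year are flagged.
$priv | Where-Object { $_.Enabled -and (-not $_.InProtectedUsers -or -not $_.NotDelegated -or $_.PasswordAgeDays -gt 365) } |
    Format-Table -AutoSize

# Remediation for a user account found with unconstrained delegation (preview with -WhatIf first):
#   Set-ADAccountControl -Identity <SamAccountName> -TrustedForDelegation $false -WhatIf
```

Keep the output of both reports as a baseline and diff each run against it; a new row in the delegation report or a new member of a sensitive group is exactly the change the monitoring bullets above ask you to alert on.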
Service Account Hardening
Service accounts are frequently overlooked but represent significant risk:
- Never use domain admin accounts as service accounts
- Implement Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA) instead of traditional accounts with static passwords
- Enforce strong, complex passwords for any remaining traditional service accounts
- Disable interactive logon for service accounts
- Monitor service account usage for anomalies
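Replacing a static-password service account with a group Managed Service Account, as an added example that is not part of the article. The KDS root key is a one-time, forest-wide prerequisite; the backdated EffectiveTime is a lab shortcut, and in production the key should simply be created and allowed about ten hours to replicate. The domain, OU, host names and account name are assumed placeholders.

```powershell
# Added example (not from the article): provision a gMSA and verify it. Domain, OU, host
# and account names below are assumed placeholders for a lab domain (corp.example.com).
Import-Module ActiveDirectory

# One-time, forest-wide: the KDS root key from which DCs derive gMSA passwords.
# Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 hours for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)   # lab shortcut only
}

# A group holding the computer accounts that may retrieve the managed password.
New-ADGroup -Name 'gMSA-WebServers' -GroupScope Global -Path 'OU=ServiceAccounts,DC=corp,DC=example,DC=com'
Add-ADGroupMember -Identity 'gMSA-WebServers' -Members 'WEB01$', 'WEB02$'

# Create the gMSA. AD rotates the 240-byte password every ManagedPasswordIntervalInDays
# (settable only at creation time); AES-only encryption avoids RC4 service tickets.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebServers' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256 `
    -ServicePrincipalNames 'HTTP/www.corp.example.com'

# On each host, after a reboot so the new group membership is in the computer's token:
#   Install-ADServiceAccount -Identity 'svc-web'
#   Test-ADServiceAccount    -Identity 'svc-web'   # True when the host can retrieve the password
# Then run the service as CORP\svc-web$ with a blank password. Interactive logon is blocked
# for the account via the "Deny log on locally" user right in Group Policy.

function Get-GmsaReport {
    # Verification: every gMSA, its rotation interval, and when the password last rotated.
    Get-ADServiceAccount -Filter * -Properties PasswordLastSet, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
        Select-Object Name, PasswordLastSet, ManagedPasswordIntervalInDays,
                      @{ n = 'AllowedHosts'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }
}

Get-GmsaReport | Format-Table -AutoSize
```

A PasswordLastSet older than the configured interval in the report indicates that no permitted host has retrieved the password recently, which usually means the service was never migrated or the host lost its group membership.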
Monitoring and Detection Strategies
Detection is critical because prevention alone is insufficient. Even well-hardened environments experience compromise attempts. The ability to detect attacks quickly determines whether incidents become breaches.
Active Directory Auditing Configuration
Enable comprehensive auditing across your AD environment:
- Audit Account Management: Track creation, modification, and deletion of user and computer accounts
- Audit Logon Events: Monitor successful and failed logon attempts, especially for sensitive accounts
- Audit Directory Service Changes: Alert on modifications to AD objects, permissions, and schema changes
- Audit Sensitive Privilege Use: Track when sensitive privileges are exercised
- Audit Group Policy Changes: Any GPO modification should be logged and reviewed
Configure audit policies through Group Policy (Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration) rather than relying on basic auditing.
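As an added example (not from the article), the following applies and verifies the advanced audit subcategories that produce the events discussed in this section, using the built-in auditpol.exe on a domain controller. Settings applied this way are overwritten by Group Policy at the next refresh, so use the script to test and verify, and put the same subcategories into the Default Domain Controllers Policy for production. The Event ID mappings in the comments are from Microsoft’s security auditing documentation.

```powershell
# Added example (not from the article): apply and verify advanced audit subcategories on a DC.
# Run elevated. Group Policy will overwrite auditpol changes at the next refresh.

# Subcategory -> events it yields (IDs per Microsoft's security auditing documentation).
$subcategories = @(
    'User Account Management',            # 4720 created, 4722 enabled, 4725 disabled, 4726 deleted, 4740 locked out
    'Computer Account Management',        # 4741 created, 4742 changed, 4743 deleted
    'Security Group Management',          # 4728/4732/4756 member added; 4729/4733/4757 member removed
    'Logon',                              # 4624 success, 4625 failure
    'Kerberos Authentication Service',    # 4768 TGT issued, 4771 pre-authentication failed
    'Kerberos Service Ticket Operations', # 4769 service ticket requested
    'Directory Service Changes',          # 5136 object modified (also requires a SACL on the objects)
    'Sensitive Privilege Use',            # 4673, 4674
    'Audit Policy Change'                 # 4719, 4907: tampering with auditing itself
)

function Set-AdAuditSubcategories {
    param([string[]]$Names = $subcategories)
    foreach ($name in $Names) {
        & auditpol.exe /set "/subcategory:$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$name'" }
    }
}

function Get-AdAuditState {
    # auditpol /get /r emits CSV with "Subcategory" and "Inclusion Setting" columns.
    $csv = & auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $csv | Where-Object { $subcategories -contains $_.Subcategory } |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Make advanced (subcategory) settings win over the legacy nine categories. This is the
# registry value behind "Audit: Force audit policy subcategory settings ... to override".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

Set-AdAuditSubcategories
Get-AdAuditState | Format-Table -AutoSize
```

Any subcategory still showing “No Auditing” after the run is a sign that a GPO with a conflicting setting has already refreshed; fix the GPO rather than re-running auditpol.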
Security Event Log Monitoring
Critical events requiring immediate investigation include:
- Event ID 4624: Successful logon (watch for unusual logon types, times, and source IPs)
- Event ID 4625: Failed logon attempts (excessive failures indicate brute-force attempts)
- Event ID 4720: User account created
- Event ID 4722: User account enabled
- Event ID 4728: Member added to security group
- Event ID 5136: Directory Service object modified
- Event ID 5137: Directory Service object deleted
Implementing Advanced Threat Detection
Modern detection requires correlation and behavioral analysis beyond simple log monitoring. Implement these detection capabilities:
- Kerberoasting Detection: Monitor for multiple Kerberos TGS requests from unusual sources. Use Microsoft’s AD monitoring guidance to establish baselines
- Pass-the-Hash Detection: Alert on NTLM authentication from unusual source IPs or using extracted credentials
- Lateral Movement Detection: Track administrative tool usage (PsExec, WMI, RDP) on systems outside administrative networks
- Privilege Escalation Detection: Monitor for unexpected privilege additions or token impersonation
- Golden Ticket Detection: Alert on forged Kerberos tickets by monitoring for unusual TGT patterns
Organizations using Security Information and Event Management (SIEM) systems should correlate AD events with endpoint detection and response (EDR) data for comprehensive visibility. Many attacks span multiple systems—correlation reveals patterns that isolated logging cannot.
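The event list above and the Kerberoasting, password-spray and privilege-escalation detections from this section can be prototyped directly against a domain controller’s Security log before they are ported to a SIEM. The script below is an added example, not the article’s code: it flattens each event’s EventData into an object and implements three detections using only Event IDs and field names documented by Microsoft (4625 with IpAddress and TargetUserName, 4769 with TicketEncryptionType and ServiceName, and 4728/4732/4756 with TargetUserName and MemberName). The thresholds and time windows are assumptions to be tuned against your own baseline.

```powershell
# Added example (not from the article): three detections over a DC's Security log.
# Thresholds and windows are assumed starting points; tune them against your baseline.

function Get-EventData {
    # Flatten <EventData><Data Name="...">value</Data> into an object keyed by Name.
    param($Event)
    $h = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
    [pscustomobject]$h
}

function Get-DcEvents {
    param([int[]]$Ids, [int]$Minutes, [string]$ComputerName)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = $Ids; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches
}

# 1) Password spray: one source IP failing (4625) against many distinct accounts.
function Find-PasswordSpray {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Minutes = 30, [int]$MinAccounts = 10)
    Get-DcEvents -Ids 4625 -Minutes $Minutes -ComputerName $ComputerName |
        ForEach-Object { $d = Get-EventData $_; [pscustomobject]@{ Ip = $d.IpAddress; User = $d.TargetUserName } } |
        Group-Object Ip |
        ForEach-Object {
            $accounts = @($_.Group.User | Sort-Object -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                [pscustomobject]@{ Detection = 'PasswordSpray'; SourceIp = $_.Name; Accounts = $accounts.Count; Failures = $_.Count }
            }
        }
}

# 2) Kerberoasting: one account requesting RC4 (0x17) service tickets (4769) for many distinct SPNs.
#    Computer accounts (ServiceName ending in $) and krbtgt are excluded as normal noise.
function Find-Kerberoasting {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Minutes = 10, [int]$MinServices = 5)
    Get-DcEvents -Ids 4769 -Minutes $Minutes -ComputerName $ComputerName |
        ForEach-Object { Get-EventData $_ } |
        Where-Object { $_.TicketEncryptionType -eq '0x17' -and $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object TargetUserName |
        ForEach-Object {
            $services = @($_.Group.ServiceName | Sort-Object -Unique)
            if ($services.Count -ge $MinServices) {
                [pscustomobject]@{ Detection = 'Kerberoasting'; Requester = $_.Name; Services = $services.Count
                                   SourceIp = ($_.Group.IpAddress | Select-Object -First 1) }
            }
        }
}

# 3) Privilege escalation: a member added to a sensitive group (4728 global, 4732 local, 4756 universal).
function Find-SensitiveGroupChange {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Minutes = 1440,
          [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    Get-DcEvents -Ids 4728, 4732, 4756 -Minutes $Minutes -ComputerName $ComputerName |
        ForEach-Object {
            $d = Get-EventData $_
            if ($Groups -contains $d.TargetUserName) {
                [pscustomobject]@{ Detection = 'SensitiveGroupAdd'; Time = $_.TimeCreated; Group = $d.TargetUserName
                                   Member = $d.MemberName; By = $d.SubjectUserName }
            }
        }
}

Find-PasswordSpray        | Format-Table -AutoSize
Find-Kerberoasting        | Format-Table -AutoSize
Find-SensitiveGroupChange | Format-Table -AutoSize
```

Each function queries a single domain controller, so in production run it against every DC or, better, against the central collector, since a spray or ticket-request burst is often spread across DCs and only becomes visible once the events are correlated.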
Backup and Recovery Protocols
Ransomware targeting Active Directory is increasingly common. Organizations must prepare for the possibility of AD compromise or corruption:
- Backup Active Directory regularly: Perform system state backups of domain controllers at least daily
- Test recovery procedures: Actually restore from backups in test environments to verify recoverability
- Maintain offline backups: Keep at least one backup that’s not connected to the network to prevent ransomware encryption
- Document recovery procedures: Detailed documentation of AD recovery steps should be maintained and regularly reviewed
- Consider Azure AD backup: Organizations using hybrid AD should ensure Azure AD can function independently if on-premises AD is compromised
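As an added example (not from the article), the following schedules a daily system state backup of a domain controller with Windows Server Backup and then checks that the newest successful backup is both within the daily target and younger than the forest’s tombstone or deleted-object lifetime, which is the hard limit for a usable AD restore. Drive E: is an assumed dedicated backup volume; the task name and time are placeholders.

```powershell
# Added example (not from the article): daily DC system state backup plus a freshness check.
# E: is an assumed dedicated backup volume; task name and schedule are placeholders.
Import-Module ActiveDirectory

# Windows Server Backup (wbadmin and the WindowsServerBackup module) must be installed.
Install-WindowsFeature Windows-Server-Backup -IncludeManagementTools

# Daily system state backup via a scheduled task running wbadmin as SYSTEM.
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' -Argument 'start systemstatebackup -backupTarget:E: -quiet'
$trigger   = New-ScheduledTaskTrigger -Daily -At '01:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'DC-SystemStateBackup' -Action $action -Trigger $trigger -Principal $principal -Force

function Test-AdBackupFreshness {
    # A backup older than the tombstone lifetime (or the deleted-object lifetime when the
    # Recycle Bin is enabled) cannot be used to restore AD; that is the ceiling. The
    # checklist asks for daily, so both limits are reported.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $lifetimeDays = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' }
                    elseif ($ds.tombstoneLifetime)        { $ds.tombstoneLifetime }
                    else { 60 }   # unset attribute: 60-day default for older forests

    $summary = Get-WBSummary      # WindowsServerBackup module
    $age = (Get-Date) - $summary.LastSuccessfulBackupTime
    [pscustomobject]@{
        LastSuccessfulBackup = $summary.LastSuccessfulBackupTime
        AgeHours             = [int]$age.TotalHours
        MeetsDailyTarget     = $age.TotalHours -le 24
        UsableForAdRestore   = $age.TotalDays -lt $lifetimeDays
        LifetimeLimitDays    = $lifetimeDays
    }
}

Test-AdBackupFreshness
```

Copy the resulting backup versions to offline media as the “offline backups” bullet requires; the freshness check only proves that a backup exists on the DC itself, not that a copy would survive ransomware on the network.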
The Complete Active Directory Admin Security Checklist
Use this comprehensive checklist to audit your current AD security posture:
Authentication & Protocol Security
- ☐ Verify AES-256 encryption is enforced for Kerberos
- ☐ Confirm pre-authentication is required for all user accounts
- ☐ Audit and restrict NTLM usage
- ☐ Enforce 14+ character passwords
- ☐ Implement account lockout policies (5 attempts in 30 minutes)
- ☐ Enable multi-factor authentication for all administrative accounts
- ☐ Implement password-less authentication for sensitive accounts
- ☐ Configure password history to prevent recycling
Delegation & Privilege Management
- ☐ Audit all accounts with unconstrained delegation enabled
- ☐ Migrate to constrained or resource-based constrained delegation
- ☐ Review and minimize domain admin group membership
- ☐ Implement Privileged Access Workstations for all admins
- ☐ Deploy Managed Service Accounts for all service accounts
- ☐ Configure Just-In-Time access for privileged roles
- ☐ Alert on sensitive group membership changes
- ☐ Implement tiered administrative models (Tier 0, 1, 2)
Monitoring & Detection
- ☐ Enable advanced audit policy configuration on all domain controllers
- ☐ Configure centralized event log collection
- ☐ Implement SIEM correlation for AD events
- ☐ Deploy EDR solutions on all critical systems
- ☐ Create alerts for Kerberoasting and lateral movement attempts
- ☐ Monitor for privilege escalation patterns
- ☐ Track all Group Policy modifications
- ☐ Alert on sensitive directory service object changes
Backup & Recovery
- ☐ Configure daily system state backups of domain controllers
- ☐ Test AD recovery procedures quarterly
- ☐ Maintain offline backups disconnected from the network
- ☐ Document and validate recovery procedures
- ☐ Plan for hybrid AD recovery (on-premises and Azure AD)
Ongoing Maintenance
- ☐ Review and update Group Policy objects quarterly
- ☐ Audit service account usage and permissions
- ☐ Verify domain controller patch levels monthly
- ☐ Conduct annual security assessments of AD environment
- ☐ Review domain trust relationships and their necessity
- ☐ Audit schema modifications and forest-wide changes
- ☐ Train administrators on AD security best practices
- ☐ Conduct tabletop exercises for AD compromise scenarios
FAQ
What’s the most critical Active Directory security control?
While all controls matter, enforcing multi-factor authentication on administrative accounts is arguably the highest-impact single control. MFA prevents the vast majority of compromise attempts by making stolen credentials alone insufficient for attackers to gain access. This should be your first priority if not already implemented.
How often should I audit Active Directory security?
Critical audits should occur quarterly, with continuous monitoring through SIEM and EDR systems. Annual comprehensive security assessments should examine the entire AD environment including trust relationships, delegation configurations, and policy effectiveness. After any major incident, immediate re-auditing is necessary.
Is it safe to disable NTLM completely?
Complete NTLM disablement should only be done after extensive testing. Many legacy applications and systems rely on NTLM authentication. Disabling it prematurely causes significant operational disruption. Instead, restrict NTLM usage through Group Policy, audit remaining NTLM traffic, and methodically migrate applications to Kerberos or modern authentication protocols.
What’s the difference between constrained and unconstrained delegation?
Unconstrained delegation allows an account to delegate credentials to any service on any system. This is extremely dangerous because attackers can use these accounts to compromise any system. Constrained delegation limits delegation to specific services on specific systems. Resource-based constrained delegation is even better because the resource (not the account) controls who can delegate to it.
How do Managed Service Accounts improve security?
Managed Service Accounts automatically rotate their passwords regularly without administrator intervention. This prevents attackers from using static service account credentials extracted months or years prior. Additionally, MSAs are more difficult to compromise through credential theft attacks since the passwords are complex and frequently rotated.
What should I do if I suspect my Active Directory is compromised?
Immediately engage your incident response team and consider engaging external cybersecurity professionals. Isolate affected domain controllers, preserve forensic evidence, and begin credential reset procedures for all accounts. Check CISA’s incident response resources and consider consulting frameworks from established security firms. Do not attempt remediation without expert guidance—Active Directory compromise requires sophisticated recovery procedures.