PAVEL GLUKHIKH

Engineering Note

Active Directory hardening: the first 10 moves

Ten AD hardening quick wins in priority order: admin tiering, Windows LAPS, killing NTLMv1 and SMBv1, krbtgt rotation, and audit policy that catches abuse.


TL;DR

Most Active Directory compromises walk the same handful of paths: domain admin credentials cached on workstations, one shared local admin password everywhere, legacy authentication protocols, and a krbtgt key unchanged since the domain was built. These ten moves — tiering, Windows LAPS, killing NTLMv1 and SMBv1, double krbtgt rotation, Protected Users, real audit policy — close the paths ransomware operators actually use, in priority order, and none of them require buying anything.

The list, in the order I do it

Every AD assessment I’ve been near finds the same weaknesses, so the fix list is nearly universal. These ten are ordered by blast-radius-reduced per hour of effort.

1. Tier your admin accounts. Separate Tier 0 accounts (domain controllers, AD CS, anything that can mint identity) from server and workstation admin accounts, and enforce that Tier 0 credentials never touch lower tiers. Deny logon rights by GPO. This one control breaks the workstation-to-Domain-Admin escalation that powers most ransomware playbooks — the same logic as identity-first security applied to your own admins.
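The "deny logon rights by GPO" half of this step, as an added example that is not from the original post: it resolves the Tier 0 groups to SIDs, writes a secedit template carrying the five deny rights, and applies it to the local machine so you can pilot on one Tier 2 host before putting the same [Privilege Rights] lines into the workstation and server GPOs. The group name T0-Admins and the temp paths are assumptions; Deny access to this computer from the network is the right that most often catches legitimate tooling, so test that one deliberately.

```powershell
# Added example (not from the original post): build and apply a secedit template that
# denies Tier 0 groups every logon type on a lower-tier host. Pilot locally, then put the
# same [Privilege Rights] lines into the Tier 1 / Tier 2 GPOs. Run elevated.
Import-Module ActiveDirectory

# Tier 0 groups whose members must never authenticate to servers or workstations.
# 'T0-Admins' is an assumed custom group; the built-ins are real.
$tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'T0-Admins')

# secedit wants SIDs, each prefixed with '*', comma-separated.
$sids = foreach ($g in $tier0Groups) {
    $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if ($grp) { '*' + $grp.SID.Value } else { Write-Warning "group not found: $g" }
}
$sidList = $sids -join ','

# The five deny rights. A deny beats any allow for the same principal.
$rights = @(
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Remote Desktop Services
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyServiceLogonRight'             # Deny log on as a service
)

# Single-quoted so '$CHICAGO$' is written literally.
$lines = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]'
)
foreach ($r in $rights) { $lines += "$r = $sidList" }

$infPath = Join-Path $env:TEMP 'tier0-deny.inf'   # assumed path
$lines | Set-Content -Path $infPath -Encoding Unicode
Write-Host "Template written to $infPath"; Get-Content $infPath

# Apply only the user-rights area; secedit creates the database if it does not exist.
secedit.exe /configure /db (Join-Path $env:TEMP 'tier0-deny.sdb') /cfg $infPath /areas USER_RIGHTS /quiet

# Verify the effective rights by exporting them back and showing the deny lines.
$exportPath = Join-Path $env:TEMP 'effective-rights.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet
Select-String -Path $exportPath -Pattern '^SeDeny' | ForEach-Object Line
```

The verification step matters: if a Tier 0 SID is missing from a SeDeny line after apply, a prior local policy or a conflicting GPO is overriding you, and the control is not in place.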

2. Deploy Windows LAPS. Built into supported Windows since the April 2023 update: unique, rotated local admin passwords, so one password no longer owns every workstation for lateral movement:

Update-LapsADSchema                                   # once per forest, as Schema Admin
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=corp,DC=example"   # computers may write their own password
# then enable via GPO/Intune policy: backup to AD, 30-day rotation
Get-LapsADPassword -Identity WS-0142 -AsPlainText    # retrieval, audited
Find-LapsADExtendedRights -Identity "OU=Workstations,DC=corp,DC=example"   # who else can read passwords in that OU

3. Kill NTLMv1. Audit first (Network security: Restrict NTLM: Audit Incoming NTLM Traffic, plus 4624 events on the DCs whose Package Name (NTLM only) field reads NTLM V1), then set the GPO Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM (LmCompatibilityLevel 5) on DCs and clients alike. NTLMv1 responses are crackable at commodity-GPU speed, and a relay that hands the client a fixed server challenge can recover the NT hash regardless of password strength.
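The audit pass, as an added example that is not from the original post: it queries every domain controller for 4624 logons whose LmPackageName is NTLM V1 and collapses them into a remediation list of source address, account and workstation. The 14-day window is an assumption; the Security log on a busy DC may not hold that much, so run it repeatedly during the audit period.

```powershell
# Added example (not from the original post): list who still authenticates with NTLMv1,
# from 4624 events on each DC. 4624's "Package Name (NTLM only)" field is LmPackageName
# in the event XML and reads 'NTLM V1' for v1 responses. Run as an account that can read
# the DCs' Security logs. The 14-day window (1209600000 ms) is an assumption.
Import-Module ActiveDirectory

$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 1209600000]] " +
         "and EventData[Data[@Name='LmPackageName']='NTLM V1']]"

$dcs = (Get-ADDomainController -Filter *).HostName
$hits = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC          = $dc
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                SourceIP    = $d.IpAddress
                LogonType   = $d.LogonType
            }
        }
    } catch {
        # "No events were found" is the happy path on a clean DC; anything else is a real error.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
    }
}

# One row per source+account: this is the list to fix or fence before moving to level 5.
$hits | Group-Object SourceIP, Account | Sort-Object Count -Descending |
    Select-Object Count,
        @{n='SourceIP';   e={$_.Group[0].SourceIP}},
        @{n='Account';    e={$_.Group[0].Account}},
        @{n='Workstation';e={$_.Group[0].Workstation}},
        @{n='LogonType';  e={$_.Group[0].LogonType}},
        @{n='LastSeen';   e={($_.Group | Sort-Object Time -Descending)[0].Time}} |
    Format-Table -AutoSize
```

Restrict NTLM auditing writes its own records to Applications and Services Logs > Microsoft > Windows > NTLM > Operational (8001 to 8004), which tell you NTLM was used but not which version; the 4624 LmPackageName field is what distinguishes v1 from v2.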

4. Remove SMBv1. Not disable — remove:

Uninstall-WindowsFeature FS-SMB1                                          # servers
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove  # clients; -Remove drops the payload too
Get-SmbServerConfiguration | Select EnableSMB1Protocol                   # verify server side (expect False)
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select State   # verify client side (expect Disabled)

5. Rotate krbtgt — twice. If it's never been done, golden tickets from any historical compromise still work. Reset once, wait for replication to converge and then at least the 10-hour maximum TGT lifetime, reset again. Microsoft's New-KrbtgtKeys.ps1 script handles the sequencing and replication checks.
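The check between the two resets, as an added example that is not from the original post and not Microsoft's script: it reads the krbtgt PasswordLastSet from every domain controller, confirms the writable DCs agree (replication has converged) and that the maximum TGT lifetime has elapsed, and only then declares the next reset safe. Nothing in the block changes the key. The 10-hour figure is the Kerberos policy default and is assumed; check your Default Domain Policy if it was changed.

```powershell
# Added example (not from the original post): krbtgt key age as seen by each DC, and the
# two conditions that make the second reset safe. Read-only; see the usage note for the reset.
Import-Module ActiveDirectory

function Get-KrbtgtKeyState {
    $dcs = Get-ADDomainController -Filter * | Sort-Object HostName
    foreach ($dc in $dcs) {
        try {
            $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
            [pscustomobject]@{
                DC              = $dc.HostName
                ReadOnly        = $dc.IsReadOnly
                PasswordLastSet = $k.PasswordLastSet
                AgeDays         = [math]::Round(((Get-Date) - $k.PasswordLastSet).TotalDays, 1)
            }
        } catch {
            Write-Warning "$($dc.HostName): $_"
            [pscustomobject]@{ DC = $dc.HostName; ReadOnly = $dc.IsReadOnly; PasswordLastSet = $null; AgeDays = $null }
        }
    }
}

$state = Get-KrbtgtKeyState
$state | Format-Table -AutoSize

# RODCs use their own krbtgt_NNNNN accounts, so only writable DCs count for convergence.
$writable  = $state | Where-Object { -not $_.ReadOnly -and $_.PasswordLastSet }
$converged = ($writable.PasswordLastSet | Sort-Object -Unique).Count -eq 1

# Wait at least the maximum TGT lifetime so every ticket issued under the key before
# the last reset has expired; otherwise the second reset will break live sessions.
$maxTgtHours = 10   # Kerberos policy default 'Maximum lifetime for user ticket'; assumed
$oldest = ($writable | Sort-Object PasswordLastSet | Select-Object -First 1).PasswordLastSet
$waited = ((Get-Date) - $oldest).TotalHours -ge $maxTgtHours

if ($converged -and $waited) {
    "OK to perform the next krbtgt reset (converged, key age $([math]::Round(((Get-Date) - $oldest).TotalHours,1)) h)"
} else {
    "Not yet: replication converged = $converged; waited >= ${maxTgtHours}h = $waited"
}
```

The reset itself is Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'ignored' -Force): the DC discards whatever value you supply and generates a random key, so the string does not matter. Run the block again afterwards and wait for both conditions before the second reset.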

6. Advanced audit policy + log shipping. Enable Advanced Audit Policy for credential validation, Kerberos service ticket operations, and directory service access, and ship DC logs off-box. Events 4769 (Kerberoasting shows up as bursts of RC4, encryption type 0x17, service ticket requests), 4625, 4662 (DCSync reads of the replication control access rights), and 5136 are the ones your IR team will beg for.
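Both halves of this step, as an added example that is not from the original post: the auditpol calls switch on the DC subcategories named above (normally you deliver these through the Default Domain Controllers Policy; they are shown here so the subcategory names are exact), and the hunt reads 4769 for one requester asking for RC4 tickets to many distinct services in a short window. The one-hour window and the threshold of five distinct services are assumptions; tune them against your own baseline.

```powershell
# Added example (not from the original post). Part 1: enable the audit subcategories on a DC
# (run elevated). Part 2: Kerberoasting hunt over 4769. Window and threshold are assumptions.

# --- Part 1: audit policy ---
$subcats = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Directory Service Access',
    'Directory Service Changes',
    'Logon',
    'Account Lockout'
)
foreach ($s in $subcats) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    auditpol.exe /get /subcategory:"$s"
}

# --- Part 2: Kerberoasting hunt ---
# 4769 with TicketEncryptionType 0x17 (RC4-HMAC) in the last hour (3600000 ms).
$xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= 3600000]] " +
         "and EventData[Data[@Name='TicketEncryptionType']='0x17']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Requester = $d.TargetUserName    # the account asking for the service ticket
        Service   = $d.ServiceName       # the account that owns the SPN
        SourceIP  = $d.IpAddress
        Status    = $d.Status
    }
}

# Skip machine accounts (name ends in $) and krbtgt: computers legitimately request RC4
# tickets to old services, and krbtgt TGS requests are renewals, not roasting targets.
$minServices = 5   # assumed threshold
$events |
    Where-Object { $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt' -and $_.Status -eq '0x0' } |
    Group-Object Requester, SourceIP |
    ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        if ($services.Count -ge $minServices) {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Requester = $_.Group[0].Requester
                SourceIP  = $_.Group[0].SourceIP
                Services  = $services.Count
                First     = $sorted[0].Time
                Last      = $sorted[-1].Time
                Sample    = ($services | Select-Object -First 5) -join ', '
            }
        }
    } | Sort-Object Services -Descending | Format-Table -AutoSize
```

A requester that touches many SPN-bearing accounts with RC4 in minutes is the Kerberoasting signature; once your service accounts are AES-only (gMSAs, or msDS-SupportedEncryptionTypes set on the rest), any remaining 0x17 request is itself the alert.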

7. Protected Users group. Put Tier 0 humans in it: no NTLM, no DES or RC4 Kerberos, no delegation of any kind, TGTs capped at four hours, no cached credentials (so no offline logon). The KDC-side protections need the domain at Windows Server 2012 R2 functional level, and service and computer accounts never belong in it. Test with one account first — it's strict by design.

8. Disable the Print Spooler on DCs. Stop-Service Spooler; Set-Service Spooler -StartupType Disabled. PrintNightmare made this permanent policy; no domain controller prints.

9. Enforce LDAP signing and channel binding. GPO on DCs: Domain controller: LDAP server signing requirements set to Require signing, and Domain controller: LDAP server channel binding token requirements set to Always. Kills LDAP relay paths. Event 2886 warns that signing is not required and 2887 gives a 24-hour count of unsigned binds (3040 is the channel-binding equivalent); to see who is still binding insecurely, raise the NTDS diagnostics value 16 LDAP Interface Events to 2 and read the per-client 2889 and 3039 events.
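The "who is still binding insecurely" audit, as an added example that is not from the original post: it raises the LDAP interface diagnostics level on the DC, then parses the per-client 2889 (unsigned or cleartext bind) and 3039 (channel binding token failure) events out of the Directory Service log into a table of client address, identity and count. The seven-day window is an assumption, and the regexes assume the English message text.

```powershell
# Added example (not from the original post): enable per-client LDAP bind diagnostics on this
# DC and summarise the clients that would break when signing and CBT are enforced. Run elevated
# on each DC (or wrap in Invoke-Command). Window and message-format assumptions noted inline.

# Diagnostics level 2 for '16 LDAP Interface Events' makes the per-client 2889/3039 events
# appear; by default only the 24-hour summaries (2887/3040) are written.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Let it collect (days, not minutes), then read the log. 7-day window is an assumption.
$filter = @{ LogName = 'Directory Service'; Id = 2889, 3039; StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # English message text carries "Client IP address: <ip>:<port>" and
    # "Identity the client attempted to authenticate as: DOMAIN\user".
    $ip = [regex]::Match($e.Message, 'Client IP address:\s*(\S+):(\d+)')
    $id = [regex]::Match($e.Message, 'authenticate as:\s*(.+?)\s*$', 'Multiline')
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id           # 2889 = unsigned/cleartext bind, 3039 = CBT validation failure
        ClientIP = $ip.Groups[1].Value
        Identity = $id.Groups[1].Value
    }
}

$rows | Group-Object EventId, ClientIP, Identity | Sort-Object Count -Descending |
    Select-Object Count,
        @{n='EventId'; e={$_.Group[0].EventId}},
        @{n='ClientIP';e={$_.Group[0].ClientIP}},
        @{n='Identity';e={$_.Group[0].Identity}},
        @{n='LastSeen';e={($_.Group | Sort-Object Time -Descending)[0].Time}} |
    Format-Table -AutoSize
```

Identities that show up here are the usual suspects from the NTLM audit too: scanners, backup agents and appliances doing simple binds over port 389. Fix those (LDAPS, or a client that signs), set the diagnostics value back to 0, then enforce.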

10. Hunt Kerberoastable and delegated accounts.

# Kerberoastable: every enabled account carrying an SPN, oldest passwords first
Get-ADUser -Filter {ServicePrincipalName -like "*" -and Enabled -eq $true} -Properties ServicePrincipalName, PasswordLastSet | Sort-Object PasswordLastSet | Select-Object SamAccountName, PasswordLastSet, ServicePrincipalName
# Unconstrained delegation on anything that is not a DC (DCs are expected to have it; primary group 516 = Domain Controllers)
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516} | Select-Object Name, DNSHostName

Human accounts with SPNs and passwords last set in 2014 are pre-cracked domain admin. Move services to gMSAs; eliminate unconstrained delegation.
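The "move services to gMSAs" remediation end to end, as an added example that is not from the original post: it creates the KDS root key if the forest has none, creates an AES-only group managed service account that only the application host can retrieve, moves the SPNs from the old account to the gMSA, installs and tests the gMSA on the host, and disables (not deletes) the old account. The names svc-report, gmsa-report, REPORT01, the corp.example DNS suffix and the SPNs are assumptions.

```powershell
# Added example (not from the original post): migrate a Kerberoastable service account to a gMSA.
# All names below are assumed. Needs RSAT ActiveDirectory on this machine and on the host.
Import-Module ActiveDirectory

$oldAccount = 'svc-report'                 # human-style account currently carrying the SPNs
$gmsaName   = 'gmsa-report'
$hostName   = 'REPORT01'                   # the server that runs the service
$spns       = @('HTTP/report.corp.example', 'HTTP/report')

# The KDS root key must exist before any gMSA can be created. -EffectiveImmediately still
# waits ~10 hours for every DC to have the key; the -EffectiveTime back-dating below skips
# that wait and is appropriate ONLY in a lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab only
    # Add-KdsRootKey -EffectiveImmediately                    # production
}

# 1. Create the gMSA: AES only (no RC4 ticket to roast), retrievable by REPORT01 alone.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword "$hostName`$" `
    -KerberosEncryptionType AES128, AES256

# 2. Move the SPNs. Remove from the old account first: an SPN may live on only one object,
#    and a duplicate breaks Kerberos for the service entirely.
Set-ADUser -Identity $oldAccount -ServicePrincipalNames @{ Remove = $spns }
Set-ADServiceAccount -Identity $gmsaName -ServicePrincipalNames @{ Add = $spns }

# 3. On the host: cache the account and prove the host can fetch its password.
#    Then repoint the service / app pool to CORP\gmsa-report$ with a blank password.
Invoke-Command -ComputerName $hostName -ScriptBlock {
    Install-ADServiceAccount -Identity $using:gmsaName
    Test-ADServiceAccount -Identity $using:gmsaName   # True = host can retrieve the managed password
}

# 4. Disable rather than delete the old account so rollback is one command, and confirm
#    it no longer carries anything Kerberoastable.
Disable-ADAccount -Identity $oldAccount
Get-ADUser -Identity $oldAccount -Properties ServicePrincipalName |
    Select-Object SamAccountName, Enabled, ServicePrincipalName
```

After the cutover, re-run the SPN hunt above: the gMSA appears in it (it has SPNs), but with AES-only encryption types and a 120-day auto-rotated 240-character password it is not a practical roasting target.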

What this list doesn’t do

These are quick wins, not a program.

They don’t segment the network that lets every workstation reach the DCs on every port — that’s segmentation work — and they don’t make backups survivable, which is its own architecture problem. Write down the date each control landed and the exceptions you granted; the exceptions are next quarter’s list.

Frequently asked questions

What is admin tiering in one paragraph?
Tiering splits administrative accounts by what they can control: Tier 0 for domain controllers and identity infrastructure, Tier 1 for servers, Tier 2 for workstations — with separate accounts per tier and hard rules that higher-tier credentials never log on to lower-tier systems. It exists because credentials are cached where they log on, and a Domain Admin logon to a compromised workstation hands over the domain.
Why does krbtgt need rotating twice?
Kerberos keeps the current and previous krbtgt key valid so existing tickets survive one rotation. A single reset therefore doesn't invalidate golden tickets forged with the old key — only the second reset does. Rotate once, wait for full replication plus at least the 10-hour ticket lifetime, then rotate again.
Will disabling NTLMv1 break anything?
Occasionally — very old appliances, NAS devices, and multifunction printers are the usual casualties. That's why you audit first: enable NTLM auditing, watch the NTLM operational log (events 8001 to 8004) and the DCs' 4624 events whose Package Name (NTLM only) field reads NTLM V1 for a few weeks, fix or fence the stragglers, then enforce 'Send NTLMv2 response only. Refuse LM & NTLM' by GPO.
