Engineering Note
Active Directory hardening: the first 10 moves
Ten AD hardening quick wins in priority order: admin tiering, Windows LAPS, killing NTLMv1 and SMBv1, krbtgt rotation, and audit policy that catches abuse.
TL;DR
Most Active Directory compromises walk the same handful of paths: domain admin credentials cached on workstations, one shared local admin password everywhere, legacy authentication protocols, and a krbtgt key unchanged since the domain was built. These ten moves — tiering, Windows LAPS, killing NTLMv1 and SMBv1, double krbtgt rotation, Protected Users, real audit policy — close the paths ransomware operators actually use, in priority order, and none of them require buying anything.
The list, in the order I do it
Every AD assessment I’ve been near finds the same weaknesses, so the fix list is nearly universal. These ten are ordered by blast-radius-reduced per hour of effort.
1. Tier your admin accounts. Separate Tier 0 accounts (domain controllers, AD CS, anything that can mint identity) from server and workstation admin accounts, and enforce that Tier 0 credentials never touch lower tiers. Deny logon rights by GPO on every Tier 1 and Tier 2 host: all five user rights (Deny log on locally, Deny log on through Remote Desktop Services, Deny access to this computer from the network, Deny log on as a batch job, Deny log on as a service) for the Tier 0 groups. The network-logon deny matters as much as the interactive one; it is what stops Tier 0 credentials being used over SMB, WinRM or PsExec against lower-tier hosts. This one control breaks the workstation-to-Domain-Admin escalation that powers most ransomware playbooks — the same logic as identity-first security applied to your own admins.
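The deny-rights half of tiering, as an added example (this is not code from the original note): it resolves the Tier 0 group SIDs, writes a security template that denies them every logon type, applies it to one Tier 1 test server with secedit, and reads back what took effect. The custom group name Tier0-Admins is an assumption; the built-in groups are looked up by name. Run it from a Tier 1 admin account, never from the Tier 0 account you are about to deny, and never on a DC.

```powershell
# Added example, not from the original note: deny Tier 0 principals every logon
# type on a Tier 1/2 host. "Tier0-Admins" is an assumed custom group.
Import-Module ActiveDirectory

$root = (Get-ADForest).RootDomain
$tier0Sids = @(
    (Get-ADGroup 'Domain Admins').SID.Value
    (Get-ADGroup 'Tier0-Admins').SID.Value                      # assumed custom group
    (Get-ADGroup 'Enterprise Admins' -Server $root).SID.Value   # forest-root groups
    (Get-ADGroup 'Schema Admins'     -Server $root).SID.Value
)
# secedit templates want each SID prefixed with '*'
$sidList = ($tier0Sids | ForEach-Object { "*$_" }) -join ','

# All five deny rights. The network deny stops SMB/WinRM/PsExec use of Tier 0
# credentials against this host; the others stop console, RDP, service and batch.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $sidList
SeDenyInteractiveLogonRight = $sidList
SeDenyRemoteInteractiveLogonRight = $sidList
SeDenyBatchLogonRight = $sidList
SeDenyServiceLogonRight = $sidList
"@
$infPath = Join-Path $env:TEMP 'tier0-deny.inf'
$inf | Set-Content -Path $infPath -Encoding Unicode   # secedit needs UTF-16 templates

# Apply locally on ONE Tier 1 test server first. In production the same
# [Privilege Rights] lines go into the Tier 1/2 GPO under User Rights Assignment.
secedit /configure /db "$env:TEMP\tier0-deny.sdb" /cfg $infPath /areas USER_RIGHTS /quiet

# Verify: export the effective user rights and show the deny lines
$exportPath = Join-Path $env:TEMP 'effective.inf'
secedit /export /cfg $exportPath /areas USER_RIGHTS /quiet
Get-Content -Path $exportPath -Encoding Unicode | Select-String -Pattern '^SeDeny'
```

The exported SeDeny lines should each list the four SIDs; if a Tier 0 SID is missing from any of the five, that logon type is still open.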
2. Deploy Windows LAPS. Built into supported Windows (Windows 10/11, Server 2019 and 2022) since the April 2023 update: unique, rotated local admin passwords, so one password no longer owns every workstation for lateral movement:
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=corp,DC=example"
# then enable via GPO/Intune policy: backup to AD, 30-day rotation
Get-LapsADPassword -Identity WS-0142 -AsPlainText # retrieval, audited
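The complete rollout around those two cmdlets, as an added example (not from the original note): schema extension, computer self-permission, read/expire delegation to one group, a check for legacy "All extended rights" holders who would silently inherit password read access, the policy as GPO registry values, and verification on one client. The OU path, the group CORP\Helpdesk-T2, the GPO name and the host WS-0142 are assumptions.

```powershell
# Added example, not from the original note: Windows LAPS for one OU, end to end.
# OU, group, GPO name and host name are assumptions.
Import-Module LAPS
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou = 'OU=Workstations,DC=corp,DC=example'

# 1. Once per forest, as Schema Admin: adds the msLAPS-* attributes
Update-LapsADSchema -Verbose

# 2. Let each computer in the OU write its own password and expiry attributes
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Delegate read and expire rights to the Tier 2 helpdesk group only
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals 'CORP\Helpdesk-T2'
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals 'CORP\Helpdesk-T2'

# 4. Anyone holding "All extended rights" on the OU can already read passwords;
#    this lists them so the legacy delegation can be removed.
Find-LapsADExtendedRights -Identity $ou | Format-Table ObjectDN, ExtendedRightHolders

# 5. Policy as a GPO. Windows LAPS reads HKLM\Software\Microsoft\Policies\LAPS.
$gpo = New-GPO -Name 'Windows LAPS - Workstations'
$key = 'HKLM\Software\Microsoft\Policies\LAPS'
$settings = @{
    BackupDirectory              = 2    # 2 = Active Directory, 1 = Entra ID
    PasswordAgeDays              = 30
    PasswordLength               = 20
    PasswordComplexity           = 4    # upper + lower + digits + specials
    PostAuthenticationResetDelay = 8    # hours after the account is used ...
    PostAuthenticationActions    = 3    # ... then reset the password and log off
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}
New-GPLink -Name $gpo.DisplayName -Target $ou | Out-Null

# 6. On a client (after gpupdate): force a policy cycle, then read the result from AD
Invoke-Command -ComputerName WS-0142 -ScriptBlock { Invoke-LapsPolicyProcessing }
Get-LapsADPassword -Identity WS-0142 -AsPlainText |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp, Source
```

Step 4 is the one most rollouts skip: an old helpdesk delegation of Full Control on the OU grants the msLAPS-Password read right by inheritance, which turns the per-machine password back into a shared secret for that group.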
3. Kill NTLMv1. Audit first: enable Network security: Restrict NTLM: Audit Incoming NTLM Traffic (and Audit NTLM authentication in this domain on the DCs) and, more precisely, watch Security event 4624 on DCs and file servers for Package Name (NTLM only) = NTLM V1, which names the account and source of every NTLMv1 logon. Then enforce by GPO: Network security: LAN Manager authentication level → Send NTLMv2 response only. Refuse LM & NTLM (LmCompatibilityLevel 5). NTLMv1 responses are DES-based and can be cracked back to the NT hash with commodity hardware, so a captured or relayed one is a credential, not just a hash to guess at.
4. Remove SMBv1. Not disable — remove:
Uninstall-WindowsFeature FS-SMB1 # servers
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol # clients
Get-SmbServerConfiguration | Select EnableSMB1Protocol # verify
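The audit-then-enforce loop for steps 3 and 4 on one server, as an added example (not from the original note). It pulls the NTLMv1 logons out of 4624 by the LmPackageName field, turns on the SMB1 access audit and reads the resulting 3000 events, then writes the enforcing values into a GPO. The computer names and the GPO name Auth Hardening are assumptions; the GPO must already exist and be linked.

```powershell
# Added example, not from the original note. DC01, FS01 and the GPO 'Auth Hardening'
# are assumptions.

# --- NTLMv1: 4624 on the host that accepted the logon carries the package version,
#     so run this against DCs and busy file servers.
function Get-NtlmV1Logons {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $ms = $Days * 86400000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]]" +
             " and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                SourceIp    = $d.IpAddress
                LogonType   = $d.LogonType
            }
        } | Group-Object Account, SourceIp | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# --- SMB1: switch on the server-side audit, then read event 3000 from the audit channel
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
function Get-Smb1Clients {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Message -split "`n" | Select-String 'Client Address').Line.Trim() } |
        Group-Object | Select-Object Count, Name
}

Get-NtlmV1Logons -ComputerName 'DC01' -Days 14
Get-Smb1Clients  -ComputerName 'FS01'

# --- Enforce once both lists are empty or fenced. These are GPO values; putting them
#     only in the DC policy protects the DCs and nothing else.
$lsa = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
Set-GPRegistryValue -Name 'Auth Hardening' -Key $lsa -ValueName LmCompatibilityLevel -Type DWord -Value 5
# 0x20080000 = require NTLMv2 session security + 128-bit encryption for what NTLM remains
Set-GPRegistryValue -Name 'Auth Hardening' -Key "$lsa\MSV1_0" -ValueName NtlmMinClientSec -Type DWord -Value 0x20080000
Set-GPRegistryValue -Name 'Auth Hardening' -Key "$lsa\MSV1_0" -ValueName NtlmMinServerSec -Type DWord -Value 0x20080000
```

Leave the SMB1 audit on after removal: the 3000 events stop on the hosts where the feature is gone, and any host still producing them is one the removal step missed.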
5. Rotate krbtgt — twice. If it’s never been done, golden tickets from any historical compromise still work. Reset once, wait for replication to every writable DC plus the maximum TGT lifetime (10 hours by default), then reset again. Microsoft’s New-KrbtgtKeys.ps1 script handles the sequencing and replication checks. The RODC krbtgt_NNNNN accounts are separate keys and are not touched by this; rotate them too if an RODC was ever compromised.
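A minimal double rotation with the two gates that matter, as an added example (not from the original note and not Microsoft's New-KrbtgtKeys.ps1): it refuses to reset while any writable DC still shows a different pwdLastSet for krbtgt, and refuses the second reset until the maximum TGT lifetime has passed since the first, which is the mechanism the FAQ below describes. The 10-hour value is the Kerberos policy default; substitute your domain's setting.

```powershell
# Added example, not from the original note. Single domain; RODC krbtgt_NNNNN
# accounts are deliberately out of scope.
Import-Module ActiveDirectory

function Get-KrbtgtPwdLastSet {
    # krbtgt pwdLastSet as seen by every writable DC
    $dn = (Get-ADUser krbtgt).DistinguishedName
    Get-ADDomainController -Filter { IsReadOnly -eq $false } | ForEach-Object {
        $raw = (Get-ADObject $dn -Server $_.HostName -Properties pwdLastSet).pwdLastSet
        [pscustomobject]@{ DC = $_.HostName; PwdLastSet = [datetime]::FromFileTimeUtc($raw) }
    }
}

function Invoke-KrbtgtReset {
    param([timespan]$MinimumInterval = (New-TimeSpan -Hours 10))  # max TGT lifetime default
    $before = Get-KrbtgtPwdLastSet
    # Gate 1: every DC must already agree, i.e. the previous reset has fully replicated
    if (@($before.PwdLastSet | Sort-Object -Unique).Count -ne 1) {
        throw "krbtgt key not yet consistent across DCs:`n$($before | Out-String)"
    }
    # Gate 2: tickets issued under the key about to be retired must have expired
    $newest = $before.PwdLastSet | Sort-Object -Descending | Select-Object -First 1
    $age = [datetime]::UtcNow - $newest
    if ($age -lt $MinimumInterval) {
        $wait = [int]($MinimumInterval - $age).TotalMinutes
        throw "Last reset was $([int]$age.TotalMinutes) min ago; wait another $wait min"
    }
    # 32 random bytes; the KDC derives the real keys from whatever string is set
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
    # Push replication instead of waiting for the schedule, then show the new state
    repadmin /syncall /AdeP | Out-Null
    Start-Sleep -Seconds 30
    Get-KrbtgtPwdLastSet
}

Invoke-KrbtgtReset    # reset 1; throws if the current key has not replicated everywhere
# ... come back after replication + max ticket lifetime (10h default), then:
Invoke-KrbtgtReset    # reset 2; throws if fewer than 10 hours have passed since reset 1
```

Expect a few hours of 4771/4769 noise from clients holding tickets under the retired key after the second reset; that is the golden tickets dying, and a reboot or logoff fixes any legitimate client that does not recover on its own.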
6. Advanced audit policy + log shipping. Enable Advanced Audit Policy for Credential Validation, Kerberos Service Ticket Operations, Directory Service Access and Directory Service Changes, and ship DC logs off-box. Events 4769 (Kerberoasting shows up as one account requesting RC4, encryption type 0x17, service tickets for many SPNs in a short window), 4625, 4662, and 5136 are the ones your IR team will beg for. Note that 4662 only fires for objects that carry a SACL, so put one on the domain head for the replication rights if you want DCSync to show up there.
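The detection half of this step, as an added example (not from the original note): the auditpol lines for the four subcategories on a test DC, then a Kerberoasting detector that flattens 4769 events and flags one requester pulling RC4 tickets for many distinct user-account SPNs in a short window. The events at the bottom are constructed for the demo; on a real DC feed the functions Get-WinEvent output as shown in the comment.

```powershell
# Added example, not from the original note. auditpol here is for a test DC;
# production sets the same subcategories in the Default Domain Controllers GPO.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
# Also enable "Audit: Force audit policy subcategory settings ... to override" in the
# GPO, or the legacy nine categories silently win. 4662 additionally needs a SACL.

function ConvertFrom-Event4769 {
    # Flatten a 4769 (Get-WinEvent ... | ForEach-Object { [xml]$_.ToXml() }) to an object
    param([Parameter(ValueFromPipeline)][xml]$EventXml)
    process {
        $d = @{}
        foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
            Requester = $d.TargetUserName
            Service   = $d.ServiceName
            EncType   = $d.TicketEncryptionType      # 0x17 = RC4-HMAC, the crackable one
            SourceIp  = $d.IpAddress -replace '^::ffff:', ''
        }
    }
}

function Find-Kerberoasting {
    # One requester, RC4 tickets, many distinct user-account SPNs, short window.
    # Computer accounts (name ends in $) and krbtgt are skipped: random passwords.
    param([Parameter(ValueFromPipeline)]$Event, [int]$MinDistinctServices = 5, [int]$WindowMinutes = 10)
    begin { $all = @() }
    process { $all += $Event }
    end {
        $all | Where-Object { $_.EncType -eq '0x17' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
            Group-Object Requester | ForEach-Object {
                $sorted   = @($_.Group | Sort-Object Time)
                $span     = $sorted[-1].Time - $sorted[0].Time
                $distinct = @($sorted.Service | Sort-Object -Unique).Count
                if ($distinct -ge $MinDistinctServices -and $span.TotalMinutes -le $WindowMinutes) {
                    [pscustomobject]@{
                        Requester = $_.Name; DistinctSpns = $distinct; Minutes = [int]$span.TotalMinutes
                        SourceIp  = (@($sorted.SourceIp | Select-Object -Unique) -join ',')
                    }
                }
            }
    }
}

# Constructed sample (not real log data): six RC4 requests from one account in under
# two minutes against distinct service accounts, plus one normal AES file-share ticket.
function New-Sample4769 { param($Time, $User, $Service, $Enc, $Ip)
@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4769</EventID><TimeCreated SystemTime='$Time'/></System>
  <EventData><Data Name='TargetUserName'>$User</Data><Data Name='ServiceName'>$Service</Data>
    <Data Name='TicketEncryptionType'>$Enc</Data><Data Name='IpAddress'>::ffff:$Ip</Data></EventData>
</Event>
"@
}
$samples = @(
    New-Sample4769 '2024-05-01T09:00:00Z' 'jdoe@CORP.EXAMPLE'     'FS01$'        '0x12' '10.1.1.20'
    New-Sample4769 '2024-05-01T09:02:00Z' 'svc-scan@CORP.EXAMPLE' 'svc-sql'      '0x17' '10.1.1.77'
    New-Sample4769 '2024-05-01T09:02:03Z' 'svc-scan@CORP.EXAMPLE' 'svc-backup'   '0x17' '10.1.1.77'
    New-Sample4769 '2024-05-01T09:02:07Z' 'svc-scan@CORP.EXAMPLE' 'svc-sccm'     '0x17' '10.1.1.77'
    New-Sample4769 '2024-05-01T09:02:10Z' 'svc-scan@CORP.EXAMPLE' 'svc-iis'      '0x17' '10.1.1.77'
    New-Sample4769 '2024-05-01T09:03:30Z' 'svc-scan@CORP.EXAMPLE' 'svc-exchange' '0x17' '10.1.1.77'
    New-Sample4769 '2024-05-01T09:03:55Z' 'svc-scan@CORP.EXAMPLE' 'svc-vcenter'  '0x17' '10.1.1.77'
)
$samples | ForEach-Object { [xml]$_ } | ConvertFrom-Event4769 | Find-Kerberoasting | Format-Table
# One row: svc-scan@CORP.EXAMPLE, DistinctSpns 6, Minutes 2, SourceIp 10.1.1.77
```

The RC4 filter is what keeps the false-positive rate low: once every service account carries AES in msDS-SupportedEncryptionTypes, any 0x17 service ticket request at all is worth a look, because a roasting tool asks for RC4 on purpose.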
7. Protected Users group. Put Tier 0 humans in it: no NTLM, no delegation, no long-lived tickets (4-hour, non-renewable TGTs), no cached credentials. The DC-side protections need the Windows Server 2012 R2 domain functional level or later, and service and computer accounts never go in. Test with one account first — it’s strict by design.
8. Disable the Print Spooler on DCs. Stop-Service Spooler; Set-Service Spooler -StartupType Disabled. PrintNightmare made this permanent policy, and the spooler’s RPC interface is also the classic coercion target that pulls a DC’s machine credentials into relay attacks; no domain controller prints.
9. Enforce LDAP signing and channel binding. GPO on DCs: Domain controller: LDAP server signing requirements → Require signing, plus Domain controller: LDAP server channel binding token requirements → Always. Kills LDAP and LDAPS relay paths. Audit first: event 2887 in the Directory Service log is a 24-hour count of unsigned and cleartext simple binds, and event 2889 names each client and account once the 16 LDAP Interface Events diagnostic level is set to 2; 2886 is only the warning that signing is not yet required.
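Steps 8 and 9 checked across every DC in one pass, as an added example (not from the original note): it reads the spooler start type and the two LDAP hardening registry values on each DC, switches on the 2889 diagnostic so clients get named, and parses the 2889 messages into a client/account list. The regex matches the fixed wording of the 2889 message body.

```powershell
# Added example, not from the original note: DC posture for spooler, LDAP signing
# and channel binding, plus the unsigned-bind client list from 2889.
Import-Module ActiveDirectory
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

$report = Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ArgumentList $ntds -ScriptBlock {
        param($ntds)
        $p = Get-ItemProperty "$ntds\Parameters"
        # Diagnostic level 2 makes the DC log one 2889 per unsigned/cleartext bind
        Set-ItemProperty "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2
        [pscustomobject]@{
            DC                        = $env:COMPUTERNAME
            SpoolerStartup            = (Get-Service Spooler).StartType   # want Disabled
            LDAPServerIntegrity       = $p.LDAPServerIntegrity            # 2 = Require signing
            LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding      # 2 = Always; empty = default, not Always
        }
    }
}
$report | Format-Table -AutoSize

function Get-UnsignedLdapBinds {
    # 2889 names the client; 2887 is only a 24h count.
    # Binding Type 0 = SASL bind without signing, 1 = simple bind over cleartext LDAP.
    param([string]$ComputerName, [int]$Days = 1)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'Client IP address:\s*(?<ip>\S+)\s*Identity the client attempted to authenticate as:\s*(?<id>[^\r\n]+)\s*Binding Type:\s*(?<type>\d)') {
            [pscustomobject]@{
                DC       = $ComputerName
                Client   = $Matches.ip -replace ':\d+$', ''    # strip the source port
                Identity = $Matches.id.Trim()
                Bind     = if ($Matches.type -eq '1') { 'simple/cleartext' } else { 'SASL unsigned' }
            }
        }
    } | Group-Object Client, Identity, Bind | Sort-Object Count -Descending |
      Select-Object Count, Name
}

$report.DC | ForEach-Object { Get-UnsignedLdapBinds -ComputerName $_ -Days 7 }
```

Every line the last call prints is a system that will break when signing is required; the cleartext simple binds are also credentials on the wire today, so fix those first.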
10. Hunt Kerberoastable and delegated accounts.
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName, PasswordLastSet
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
Human accounts with SPNs and passwords last set in 2014 are effectively pre-cracked domain admin: any domain user can request a service ticket for them and crack it offline. Move services to gMSAs (240-byte random passwords rotated automatically) and eliminate unconstrained delegation. Note that the first query also returns krbtgt and the second returns every DC, both by design; filter those out before you start counting.
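A wider version of the hunt plus the remediation for one service, as an added example (not from the original note): SPN users with the signals that decide crack cost, every delegation flavour rather than only unconstrained computers, and a gMSA that takes over one SPN. The account svc-sql, the host SQL01, the SPN and the DNS names are assumptions.

```powershell
# Added example, not from the original note. svc-sql, SQL01 and the SPN are assumptions.
Import-Module ActiveDirectory

# Kerberoastable accounts: users with SPNs, minus krbtgt, with the signals that matter
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    Select-Object SamAccountName, PasswordLastSet,
        @{n='AgeDays';e={ if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { 'never' } }},
        @{n='AesCapable';e={ [bool]($_.'msDS-SupportedEncryptionTypes' -band 0x18) }},  # 0x8 AES128, 0x10 AES256
        @{n='Privileged';e={ $_.AdminCount -eq 1 }},
        @{n='Spns';e={ $_.ServicePrincipalName -join ' ' }} |
    Sort-Object Privileged, AgeDays -Descending | Format-Table -AutoSize

# Delegation, all flavours. DCs are trusted for delegation by design, so exclude them.
$dcs = (Get-ADDomainController -Filter *).ComputerObjectDN
Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
    Where-Object { $_.DistinguishedName -notin $dcs } |
    Select-Object Name, @{n='Delegation';e={ 'Unconstrained' }}
Get-ADUser -Filter { TrustedForDelegation -eq $true } |
    Select-Object Name, @{n='Delegation';e={ 'Unconstrained (user)' }}
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name,
        @{n='Delegation';e={ if ($_.TrustedToAuthForDelegation) { 'Constrained + protocol transition' } else { 'Constrained' } }},
        @{n='To';e={ $_.'msDS-AllowedToDelegateTo' -join ' ' }}
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' |
    Select-Object Name, @{n='Delegation';e={ 'Resource-based (inbound)' }}

# Remediation for one service: a gMSA, AES only, whose password only SQL01 can fetch.
# The KDS root key is created once per forest and needs ~10 hours before every DC
# honours it; -EffectiveTime ((Get-Date).AddHours(-10)) skips the wait in a lab only.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }
$spn = 'MSSQLSvc/sql01.corp.example:1433'
# SPNs must be unique, so take it off the old user before the gMSA claims it
Set-ADUser -Identity svc-sql -ServicePrincipalNames @{Remove = $spn}
New-ADServiceAccount -Name 'gmsa-sql' -DNSHostName 'gmsa-sql.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL01$' `
    -ServicePrincipalNames $spn `
    -KerberosEncryptionType AES128, AES256
# On SQL01 afterwards: Install-ADServiceAccount gmsa-sql; Test-ADServiceAccount gmsa-sql
# then point the SQL service at CORP\gmsa-sql$ with a blank password and disable svc-sql.
```

Leave svc-sql disabled rather than deleted for a cycle: a 4769 for its old SPN after the move means something is still hard-coded to it, and the disabled account makes that visible as a failure instead of a silent success.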
What this list doesn’t do
These are quick wins, not a program.
They don’t segment the network that lets every workstation reach the DCs on every port — that’s segmentation work — and they don’t make backups survivable, which is its own architecture problem. Write down the date each control landed and the exceptions you granted; the exceptions are next quarter’s list.
Frequently asked questions
- What is admin tiering in one paragraph?
- Tiering splits administrative accounts by what they can control: Tier 0 for domain controllers and identity infrastructure, Tier 1 for servers, Tier 2 for workstations — with separate accounts per tier and hard rules that higher-tier credentials never log on to lower-tier systems. It exists because credentials are cached where they log on, and a Domain Admin logon to a compromised workstation hands over the domain.
- Why does krbtgt need rotating twice?
- Kerberos keeps the current and previous krbtgt key valid so existing tickets survive one rotation. A single reset therefore doesn't invalidate golden tickets forged with the old key — only the second reset does. Rotate once, wait for full replication plus at least the 10-hour ticket lifetime, then rotate again.
- Will disabling NTLMv1 break anything?
- Occasionally — very old appliances, NAS devices, and multifunction printers are the usual casualties. That's why you audit first: enable NTLM auditing, watch Security event 4624 on DCs and file servers for Package Name (NTLM only) = NTLM V1 (and the 8004 events in the NTLM Operational log) for a few weeks, fix or fence the stragglers, then enforce 'Send NTLMv2 response only. Refuse LM & NTLM' by GPO.