Active Directory Hardening: 8 Controls Every Windows Admin Needs

TL;DR: Active Directory is still the identity backbone of most enterprises — and most AD environments are quietly insecure. This guide covers the high-impact controls every Windows admin should apply: tier model, LAPS, protected groups, KRBTGT rotation, GPO hardening, and audit logging. Apply them in order in a lab first.

1. Implement a tiered admin model

Microsoft’s tier model splits administration into three zones: Tier 0 (domain controllers, ADFS, PKI), Tier 1 (servers, applications), Tier 2 (workstations). Admins in each tier may only sign in to systems in that tier, so a Tier 0 credential is never cached on a lower-tier machine that an attacker is likely to compromise first. This single change blocks most credential-theft attacks such as Pass-the-Hash and Mimikatz-based lateral movement.

Implement with separate admin accounts per tier (e.g., jdoe-t0, jdoe-t1, jdoe-t2) and “Deny logon” GPOs that block cross-tier authentication.

2. Deploy Windows LAPS

Local administrator accounts often share the same password across an entire fleet — a single compromised workstation hands the attacker the keys to every machine. Windows LAPS (built into modern Windows) randomizes local-admin passwords per machine and stores them encrypted in AD or Entra ID.

# Extend the AD schema once per forest (run as a Schema Admin)
Update-LapsADSchema
# Let computers in this OU write their own password and expiry time into AD
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=corp,DC=local"

Then deploy a GPO under Computer Configuration → Policies → Administrative Templates → System → LAPS.

3. Protect privileged groups

  • Keep Domain Admins, Enterprise Admins, and Schema Admins as small as possible — ideally zero standing members.
  • Use Privileged Access Workstations (PAWs) for any Tier 0 activity.
  • Audit membership of the Protected Users group; add Tier 0 admins to it.
  • Implement Just-In-Time (JIT) elevation via Microsoft PIM or open-source equivalents.

4. Rotate the KRBTGT account password — twice

The KRBTGT account signs every Kerberos ticket in your domain. If an attacker ever got Domain Admin, they could mint Golden Tickets valid for years. Resetting KRBTGT invalidates those forever — and you must reset twice (waiting at least 12 hours between resets) to invalidate both the current and previous password hashes.

Use Microsoft’s official script: New-KrbtgtKeys.ps1. Schedule it twice a year minimum.

5. Disable legacy protocols

  • Disable SMBv1 everywhere — it’s the WannaCry vector.
  • Disable LLMNR and NetBIOS-NS via GPO — they enable trivial name-poisoning attacks that capture or relay NTLM credentials (Responder).
  • Disable NTLMv1; require NTLMv2 or Kerberos only.
  • Disable WDigest; it keeps plaintext credentials in LSASS memory.

6. Audit logging — actually useful events

Most environments either log nothing or everything (and miss the signal). Enable these high-value audit policies via GPO:

  • Account Logon → Credential Validation: Success/Failure
  • Account Management → User/Computer/Group changes: Success
  • Logon/Logoff → Logon, Logoff, Special Logon: Success/Failure
  • Privilege Use → Sensitive Privilege Use: Success
  • Object Access → File Share, Removable Storage: Success
  • Detailed Tracking → Process Creation (with command line): Success

Ship logs to a SIEM (Wazuh, which is free; Microsoft Sentinel; Splunk). Without centralized logs, an attacker simply clears the local logs after compromise.
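The tier model in section 1 and the Logon/Special Logon events above combine into a useful detection. The following script is an added example and not from the original article: run elevated on a Tier 1 or Tier 2 host, it finds sign-ins by Tier 0 accounts (assuming the jdoe-t0 naming convention) by correlating event 4672 with the matching 4624 to recover logon type and source address.

```powershell
# Added example (not from the original article). Assumes Tier 0 accounts end in "-t0".
# Run elevated on a non-Tier-0 host; any hit means a Tier 0 credential touched this machine.
param(
    [int]$Hours = 24,
    [string]$Tier0Suffix = '-t0'
)
$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; StartTime = $since }
$special = Get-WinEvent -FilterHashtable ($filter + @{ Id = 4672 }) -ErrorAction SilentlyContinue
$logons  = Get-WinEvent -FilterHashtable ($filter + @{ Id = 4624 }) -ErrorAction SilentlyContinue

# Flatten an event's <Data Name="..."> nodes into a hashtable keyed by field name
function ConvertTo-EventData($Event) {
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data
}

# 4672 names the account but not how it arrived; index 4624 by logon ID to add type and source
$byLogonId = @{}
foreach ($e in $logons) {
    $d = ConvertTo-EventData $e
    $byLogonId[$d['TargetLogonId']] = $d
}

$findings = foreach ($e in $special) {
    $d = ConvertTo-EventData $e
    if ($d['SubjectUserName'] -notlike "*$Tier0Suffix") { continue }
    $src = $byLogonId[$d['SubjectLogonId']]
    $logonType = 'unknown'; $ip = 'unknown'
    if ($src) { $logonType = $src['LogonType']; $ip = $src['IpAddress'] }
    # Logon types 2 (interactive), 10 (RDP) and 11 (cached) leave reusable credentials in LSASS;
    # type 3 (network) usually does not, but still breaks the tier boundary.
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonType = $logonType
        SourceIp  = $ip
        Host      = $env:COMPUTERNAME
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { "No Tier 0 logons to $env:COMPUTERNAME in the last $Hours hours." }
```

The same correlation runs unchanged against forwarded events in a SIEM; the point of shipping 4624 and 4672 together is that neither is useful alone.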

7. Microsoft Defender + ASR rules

Modern Defender (with Microsoft 365 E3/E5 or standalone Defender for Endpoint) is competitive with any commercial EDR. Enable Attack Surface Reduction (ASR) rules: block Office child processes, block credential stealing from LSASS, block executable content from email — these alone stop most commodity ransomware.

8. Patch tier-0 first, fast

Patch domain controllers and management systems within 72 hours of a critical Microsoft update. Use a maintenance window — but don’t skip cycles. Most ransomware groups exploit n-day vulnerabilities, not zero-days.

Quick audit checklist

  • Tier 0/1/2 admin model documented and enforced
  • Windows LAPS deployed on all workstations and member servers
  • Domain Admins group ≤ 5 members, all in Protected Users
  • KRBTGT password rotated within last 6 months (twice)
  • SMBv1, LLMNR, NetBIOS-NS, WDigest disabled
  • Audit policies above enabled and shipped to SIEM
  • Defender ASR rules in Block mode
  • All DCs patched within last 30 days
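A script that checks several of the items above (the group, KRBTGT, legacy-protocol and patch-age items from sections 3, 4, 5 and 8) on a domain controller. It is an added example, not tooling from the article; it needs the ActiveDirectory module and local admin rights, and the thresholds mirror the checklist.

```powershell
# Added example (not from the original article). Run on each DC; host-local checks
# (SMBv1, LLMNR, WDigest, NTLM level, patch age) only describe the machine it runs on.
Import-Module ActiveDirectory
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$results = New-Object System.Collections.Generic.List[object]
function Add-Check($Control, [bool]$Pass, $Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# Domain Admins small, and every member also in Protected Users
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
$pu = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
$notProtected = @($da | Where-Object { $_.SamAccountName -notin $pu }).SamAccountName
Add-Check 'Domain Admins <= 5 members' ($da.Count -le 5) "$($da.Count) members"
Add-Check 'All Domain Admins in Protected Users' ($notProtected.Count -eq 0) ("missing: " + ($notProtected -join ', '))

# KRBTGT rotated within the last 6 months (180 days)
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$age = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
Add-Check 'KRBTGT rotated within 180 days' ($age -le 180) "password age: $age days"

# Legacy protocols on this host: SMB server config plus the GPO-written registry values.
# A missing registry value means the default applies, which is the insecure state for all three.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Check 'SMBv1 disabled' ($smb1 -eq $false) "EnableSMB1Protocol=$smb1"
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
Add-Check 'LLMNR disabled' ($llmnr -eq 0) "EnableMulticast=$llmnr"
$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
Add-Check 'WDigest disabled' ($wdigest -eq 0) "UseLogonCredential=$wdigest"
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
Add-Check 'NTLMv1 refused (LmCompatibilityLevel >= 3)' ($lm -ge 3) "LmCompatibilityLevel=$lm"

# Most recent installed update on this DC within 30 days
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$fixAge = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { 9999 }
Add-Check 'Patched within 30 days' ($fixAge -le 30) "last hotfix $($lastFix.HotFixID) $fixAge days ago"

$results | Format-Table -AutoSize
```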

FAQ

Should I move to Azure AD / Entra ID and abandon on-prem AD?

For most organizations, hybrid (sync via Entra Connect) is the right answer for years to come. Pure cloud is fine for greenfield, but legacy apps still rely on Kerberos and NTLM.

Is Microsoft Defender enough?

With ASR rules, EDR features (Defender for Endpoint P2), and a real SIEM — yes, for most SMBs. Larger environments may add CrowdStrike or SentinelOne for advanced hunting features.

How often should we run AD security assessments?

Annually at minimum. Use free scanners such as PingCastle or Purple Knight quarterly to catch drift.

Need an AD assessment?

We provide remote Active Directory security reviews with prioritized remediation roadmaps. Get in touch to schedule one.

Ransomware Protection in 2026: A 7-Layer Defense Playbook

TL;DR: Ransomware now hits more than 60% of mid-sized organizations every year, and the average recovery cost crossed $1.8M in 2025. This guide walks through the seven defensive layers every business should have — from endpoint hardening to immutable backups — so a single click on a malicious email doesn’t become a multi-week outage.

What ransomware actually does

Modern ransomware no longer just encrypts files — it does three things at once: encrypts data, exfiltrates a copy for extortion, and disables your backups before you notice. The “triple-extortion” model means even if you have backups, the attackers threaten to publish or sell your data unless you pay.

The seven defensive layers

1. Email and identity hardening

Around 90% of ransomware enters through phishing. Enable DMARC, DKIM, and SPF on your domain. Require MFA on every account — especially email, VPN, and remote management tools. Disable legacy authentication protocols (POP, IMAP, basic auth) that bypass MFA.
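A check for the SPF and DMARC half of this layer, added here and not part of the original playbook: it resolves a domain's public records and flags the settings that let a spoofed message through. DKIM is not checked because it needs the selector name each sender uses. 'example.com' is a placeholder for your own sending domain.

```powershell
# Added example (not from the original playbook): audit public SPF and DMARC records.
function Test-MailAuth {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = @()

    # SPF is a TXT record at the domain apex that starts with v=spf1
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
    if (-not $spf) { $findings += 'SPF: no v=spf1 record, so any host can send as this domain' }
    elseif ($spf -match '\+all') { $findings += "SPF: '+all' permits every sender; use -all (or ~all while tuning)" }
    elseif ($spf -notmatch '[-~]all') { $findings += 'SPF: no terminal -all/~all; receivers treat unknown senders as neutral' }
    if (@($spf).Count -gt 1) { $findings += 'SPF: more than one v=spf1 record is a permanent error (RFC 7208)' }

    # DMARC lives at _dmarc.<domain>; p= is what receivers do when SPF/DKIM alignment fails
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' }
    if (-not $dmarc) { $findings += 'DMARC: no record, so SPF/DKIM failures are never acted on' }
    else {
        # (^|;) keeps the sp= (subdomain policy) tag from matching as p=
        $policy = if ($dmarc -match '(^|;)\s*p=(\w+)') { $Matches[2] } else { 'missing' }
        if ($policy -ne 'reject') { $findings += "DMARC: p=$policy; move to p=quarantine, then p=reject" }
        if ($dmarc -match 'pct=(\d+)' -and [int]$Matches[1] -lt 100) {
            $findings += "DMARC: pct=$($Matches[1]) applies the policy to only part of the mail"
        }
        if ($dmarc -notmatch 'rua=') { $findings += 'DMARC: no rua= address, so you receive no aggregate reports' }
    }
    [pscustomobject]@{ Domain = $Domain; SPF = $spf; DMARC = $dmarc; Findings = $findings }
}
Test-MailAuth -Domain 'example.com' | Format-List
```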

2. Endpoint Detection & Response (EDR)

Traditional antivirus catches known signatures. EDR products like Bitdefender GravityZone, SentinelOne, or CrowdStrike watch behavior — encrypting many files in seconds, lateral movement, suspicious PowerShell — and can roll back the damage automatically.

3. Network segmentation

Flat networks let ransomware travel everywhere. Segment finance, HR, production, and IT management into separate VLANs with firewall rules between them. Disable SMBv1 entirely. Block lateral SMB and RDP traffic unless explicitly required.

4. Patch management

CISA’s known-exploited-vulnerabilities list is published weekly. Patch critical CVEs within 72 hours on internet-facing systems, 14 days on internal systems. Automate where possible (WSUS, Ansible, Intune).

5. Immutable, offline backups (3-2-1-1-0)

The new 3-2-1-1-0 rule: 3 copies, 2 different media, 1 offsite, 1 offline or immutable, 0 errors verified. Test restores monthly. Most ransomware-hit companies discover their “backups” don’t actually restore when the moment comes.

6. Privileged access management

Domain admins should be rare and audited. Use tiered admin models. Just-in-time access via tools like Microsoft PIM eliminates standing privileges that attackers love to abuse.

7. Security awareness training

Phishing simulations once a quarter measurably reduce click rates. KnowBe4, Hoxhunt, and Microsoft Attack Simulator all have free trials. The goal isn’t to shame employees — it’s to build muscle memory.

Quick comparison: free vs paid endpoint tools

Tool                    | Type                    | Free Tier  | Best For
Microsoft Defender      | EDR (built-in Windows)  | Yes        | Small Windows shops
Bitdefender GravityZone | EDR + EPP               | Trial      | SMB/Mid-market
CrowdStrike Falcon      | EDR/XDR                 | Trial      | Enterprise
Wazuh                   | Open-source SIEM/HIDS   | Fully free | Tech-capable teams

Incident response in the first 60 minutes

  1. Isolate — disconnect infected machines from the network (don’t power off; you lose memory evidence).
  2. Identify scope — which accounts, which servers, which data.
  3. Preserve logs — copy firewall, EDR, and Windows Event logs to immutable storage.
  4. Notify — your legal team, cyber-insurance carrier, and if applicable regulators.
  5. Do not pay yet — most ransom payments don’t result in clean decryption keys, and they fund future attacks.
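Steps 1 and 3 on a single Windows host, as an added example that is not part of the original playbook: isolate with the host firewall instead of powering off (memory survives) and export the event logs with a hash manifest so the copy placed on immutable storage can be verified later. The collector address and output path are assumed values.

```powershell
# Added example (not from the original playbook). Run elevated on the affected host.
param(
    [string]$CollectorIp = '10.0.50.10',   # assumed IR collection host; substitute yours
    [string]$Dest        = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmm)"
)

# --- Step 1: isolate, but keep the box running so memory is still available ---
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'IR: allow collector out' -Direction Outbound -Action Allow -RemoteAddress $CollectorIp | Out-Null
New-NetFirewallRule -DisplayName 'IR: allow collector in'  -Direction Inbound  -Action Allow -RemoteAddress $CollectorIp | Out-Null
# Existing Allow rules would still match under a Block default, so switch them off too
Get-NetFirewallRule -Direction Outbound -Action Allow | Where-Object DisplayName -notlike 'IR:*' | Disable-NetFirewallRule
Get-NetFirewallRule -Direction Inbound  -Action Allow | Where-Object DisplayName -notlike 'IR:*' | Disable-NetFirewallRule

# --- Step 3: preserve logs before anything (including your own activity) rolls them over ---
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$channels = 'Security', 'System', 'Application',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Sysmon/Operational',
            'Microsoft-Windows-TaskScheduler/Operational'
foreach ($ch in $channels) {
    $file = Join-Path $Dest (($ch -replace '[/\\]', '_') + '.evtx')
    # wevtutil epl exports the whole channel; hosts without Sysmon etc. simply skip it
    wevtutil.exe epl $ch $file 2>&1 | Out-Null
    if (-not (Test-Path $file)) { Write-Warning "channel $ch not present, skipped" }
}
# Volatile context that a later disk image will not contain
Get-NetTCPConnection | Export-Csv (Join-Path $Dest 'netconn.csv') -NoTypeInformation
Get-Process | Select-Object Id, ProcessName, Path | Export-Csv (Join-Path $Dest 'processes.csv') -NoTypeInformation

# Hash manifest: re-hash after copying to immutable storage to prove the copies are intact
Get-ChildItem $Dest -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv (Join-Path $Dest 'manifest.sha256.csv') -NoTypeInformation
"Isolated $env:COMPUTERNAME; evidence in $Dest. Copy it to the collector at $CollectorIp."
```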

FAQ

Is paying the ransom illegal?

Not generally, but paying sanctioned groups (Conti, LockBit affiliates linked to OFAC-listed entities) can carry legal liability. Always consult counsel.

How often should we run tabletop exercises?

At least twice a year, with IT, legal, communications, and one executive in the room.

Does cyber-insurance cover ransomware?

Most policies do, but premiums and exclusions have tightened sharply. Carriers now require MFA, EDR, and tested backups as preconditions.

Conclusion

Ransomware defense isn’t one product — it’s an assembly of small, boring, well-maintained controls. The organizations that recover fastest are the ones that practiced. If you’d like a free 30-minute assessment of your current posture, get in touch.