Active Directory Hardening: 8 Controls Every Windows Admin Needs

TL;DR: Active Directory is still the identity backbone of most enterprises — and most AD environments are quietly insecure. This guide covers the high-impact controls every Windows admin should apply: tier model, LAPS, protected groups, KRBTGT rotation, GPO hardening, and audit logging. Apply them in order in a lab first.

1. Implement a tiered admin model

Microsoft’s tier model splits administration into three zones: Tier 0 (domain controllers, ADFS, PKI), Tier 1 (servers, applications), Tier 2 (workstations). Admin accounts belonging to one tier may only sign in to systems in that tier, so a Tier 0 credential is never present in memory on a member server or workstation. This single change blocks most credential-theft attacks such as Pass-the-Hash and Mimikatz-style lateral movement, because whatever an attacker harvests from a compromised lower-tier machine unlocks nothing above it.

Implement it with separate admin accounts per tier (e.g., jdoe-t0, jdoe-t1, jdoe-t2) and GPOs that assign the “Deny log on” user rights so that cross-tier authentication is refused.

2. Deploy Windows LAPS

Local administrator accounts often share the same password across an entire fleet — a single compromised workstation hands the attacker the keys to every machine. Windows LAPS (built into modern Windows) randomizes local-admin passwords per machine and stores them encrypted in AD or Entra ID.

# Run once as a Schema Admin, then let the computers in the OU write their own LAPS password attributes
Import-Module LAPS
Update-LapsADSchema
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=corp,DC=local"

Then deploy a GPO under Computer Configuration → Policies → Administrative Templates → System → LAPS.
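Once the GPO has applied, the question is whether every machine in the OU actually has a current LAPS password. The following script is an added example, not part of the original post or of Microsoft's LAPS module: it walks the OU from the commands above and reports machines with no, expired, or stale LAPS passwords without ever decrypting the password itself. It assumes the Windows LAPS and ActiveDirectory PowerShell modules are installed, that the caller has read access to the msLAPS-* attributes, and that the output properties of Get-LapsADPassword are named as shown.

```powershell
# Added example (not from the original post): LAPS coverage report for one OU.
# Assumes the LAPS and ActiveDirectory modules and read rights on the LAPS attributes.
Import-Module LAPS
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $MaxPasswordAgeDays = 30
    )
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase
    foreach ($c in $computers) {
        try {
            # Metadata only: the Password property is left alone, nothing is decrypted or printed.
            $p = Get-LapsADPassword -Identity $c.DistinguishedName -ErrorAction Stop
            if (-not $p) { throw 'No LAPS password stored for this computer' }
            $age = (Get-Date) - $p.PasswordUpdateTime
            $status = if ($p.ExpirationTimestamp -lt (Get-Date)) { 'Expired' }
                      elseif ($age.TotalDays -gt $MaxPasswordAgeDays) { 'Stale' }
                      else { 'OK' }
        } catch {
            # Either the attribute is empty or we lack rights; both mean LAPS cannot be relied on here.
            $p = $null
            $status = 'NoLapsPassword'
        }
        [pscustomobject]@{
            ComputerName = $c.Name
            Status       = $status
            LastRotated  = if ($p) { $p.PasswordUpdateTime } else { $null }
            Expires      = if ($p) { $p.ExpirationTimestamp } else { $null }
        }
    }
}

# Usage: everything that is not 'OK' needs attention (OU path is the constructed one from the post).
Get-LapsCoverageReport -SearchBase 'OU=Workstations,DC=corp,DC=local' |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, ComputerName |
    Format-Table -AutoSize
```

Machines reported as NoLapsPassword are exactly the ones still sharing whatever local admin password was baked into the image, so treat that list as the rollout backlog.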

3. Protect privileged groups

  • Keep Domain Admins, Enterprise Admins, and Schema Admins as small as possible — ideally zero standing members.
  • Use Privileged Access Workstations (PAWs) for any Tier 0 activity.
  • Audit membership of the Protected Users group and add Tier 0 admins to it.
  • Implement Just-In-Time (JIT) elevation via Microsoft PIM or open-source equivalents.
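The tier model in section 1 and the group rules above are only as good as the membership that actually exists in AD. The script below is an added example (not from the original post): it enumerates the built-in Tier 0 groups recursively, flags any that exceed the post's five-member limit, lists members missing from Protected Users, and lists members whose account name does not follow the -t0 naming convention from section 1. The group names are the built-in ones; the threshold, the suffix convention and the ActiveDirectory module are the assumptions.

```powershell
# Added example (not from the original post): Tier 0 group membership audit.
# Requires the ActiveDirectory module and read access to the groups involved.
Import-Module ActiveDirectory

function Get-Tier0GroupAudit {
    param(
        [string[]] $Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [string]   $Tier0Suffix = '-t0',   # naming convention from section 1
        [int]      $MaxMembers  = 5        # checklist threshold from the post
    )
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty SamAccountName)

    foreach ($g in $Tier0Groups) {
        try {
            # -Recursive expands nested groups so indirectly privileged users are not missed.
            $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                         Where-Object objectClass -eq 'user')
        } catch {
            # Enterprise Admins and Schema Admins exist only in the forest root domain.
            Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            Group           = $g
            MemberCount     = $members.Count
            OverLimit       = $members.Count -gt $MaxMembers
            NotInProtected  = @($members | Where-Object { $_.SamAccountName -notin $protected }).SamAccountName -join ', '
            NotTieredNaming = @($members | Where-Object { $_.SamAccountName -notlike "*$Tier0Suffix" }).SamAccountName -join ', '
        }
    }
}

Get-Tier0GroupAudit | Format-Table -AutoSize
```

An account that shows up under NotTieredNaming is usually someone's everyday account that was added to Domain Admins "temporarily"; that is the standing membership JIT elevation is meant to replace.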

4. Rotate the KRBTGT account password — twice

The KRBTGT account’s key signs every Kerberos ticket in your domain. If an attacker ever obtained Domain Admin, they could mint Golden Tickets valid for years. Resetting KRBTGT invalidates those forged tickets, but you must reset twice (waiting at least 12 hours between resets) because the KDC still accepts tickets issued under the previous KRBTGT key; only the second reset pushes the compromised key out of the current/previous pair.

Use Microsoft’s official script: New-KrbtgtKeys.ps1. Schedule it twice a year minimum.
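Before running the reset script, and when checking the "rotated within the last 6 months" item later in the checklist, it helps to know the current key age and whether the 12-hour gap for the second reset has passed. The function below is an added example, not part of the post or of New-KrbtgtKeys.ps1; it only reads, never resets. It assumes the ActiveDirectory module and uses the post's 12-hour gap and six-month (180-day) schedule as defaults. It also includes the per-RODC krbtgt_* accounts, which each have their own key.

```powershell
# Added example (not from the original post): report KRBTGT key age and whether
# a second reset may proceed. Read-only; the actual reset is done with New-KrbtgtKeys.ps1.
Import-Module ActiveDirectory

function Get-KrbtgtRotationStatus {
    param(
        [int] $MaxAgeDays  = 180,   # "twice a year minimum" from the post
        [int] $MinGapHours = 12     # wait between the two resets
    )
    # Covers the domain krbtgt and any RODC-specific krbtgt_<id> accounts.
    $accounts = Get-ADUser -Filter 'SamAccountName -like "krbtgt*"' -Properties PasswordLastSet
    foreach ($k in $accounts) {
        $age = (Get-Date) - $k.PasswordLastSet
        [pscustomobject]@{
            Account            = $k.SamAccountName
            PasswordLastSet    = $k.PasswordLastSet
            AgeDays            = [math]::Round($age.TotalDays, 1)
            RotationOverdue    = $age.TotalDays -gt $MaxAgeDays
            # If the first reset happened less than MinGapHours ago, the second one must wait.
            SecondResetAllowed = $age.TotalHours -ge $MinGapHours
        }
    }
}

Get-KrbtgtRotationStatus | Format-Table -AutoSize
```

If RotationOverdue is true for the domain krbtgt account, schedule the two-step reset in a maintenance window and confirm replication to every DC between the steps.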

5. Disable legacy protocols

  • Disable SMBv1 everywhere — it’s the WannaCry vector.
  • Disable LLMNR and NetBIOS-NS via GPO — they let anyone on the subnet poison name resolution and capture or relay credentials (Responder).
  • Disable NTLMv1; require NTLMv2 or Kerberos only.
  • Disable WDigest; it leaks plaintext passwords in memory.
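Each bullet above maps to a concrete local setting, and the GPO only helps if it actually lands on every host. The function below is an added example (not from the original post) that reads those settings on the machine it runs on and reports which legacy protocol is still active. The registry locations and values are the standard Microsoft ones (LmCompatibilityLevel 5 for NTLMv2-only, WDigest UseLogonCredential, the DNSClient EnableMulticastNameResolution policy, TcpipNetbiosOptions 2 for NetBIOS-off); the check is read-only and is meant to verify GPO drift, not replace the GPO. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later.

```powershell
# Added example (not from the original post): audit the legacy-protocol settings on this host.
# Read-only; run elevated. Enforce the settings themselves through GPO.
function Get-LegacyProtocolStatus {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wd  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $dns = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

    # SMBv1 server side; should be $false everywhere.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1; absent means the OS default (lower).
    $lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

    # WDigest UseLogonCredential 1 keeps plaintext credentials in LSASS memory; 0 or absent disables it.
    $wdigest = (Get-ItemProperty -Path $wd -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

    # LLMNR is on unless the policy value is explicitly 0.
    $llmnr = (Get-ItemProperty -Path $dns -Name EnableMulticastNameResolution -ErrorAction SilentlyContinue).EnableMulticastNameResolution

    # NetBIOS over TCP/IP is per adapter; TcpipNetbiosOptions 2 = disabled.
    $nbtAdapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                   Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
                   Select-Object -ExpandProperty Description

    [pscustomobject]@{
        SMBv1Enabled            = [bool]$smb1
        NTLMv1Allowed           = ($null -eq $lm) -or ($lm -lt 5)
        WDigestEnabled          = ($wdigest -eq 1)
        LLMNREnabled            = ($null -eq $llmnr) -or ($llmnr -ne 0)
        NetBIOSEnabledAdapters  = @($nbtAdapters) -join ', '
    }
}

Get-LegacyProtocolStatus
```

Any $true in the output (or a non-empty adapter list) is a host where the hardening GPO has not applied; run gpresult /r there before assuming the policy is wrong.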

6. Audit logging — actually useful events

Most environments either log nothing or everything (and miss the signal). Enable these high-value audit policies via GPO:

  • Account Logon → Credential Validation: Success/Failure
  • Account Management → User/Computer/Group changes: Success
  • Logon/Logoff → Logon, Logoff, Special Logon: Success/Failure
  • Privilege Use → Sensitive Privilege Use: Success
  • Object Access → File Share, Removable Storage: Success
  • Detailed Tracking → Process Creation (with command line): Success

Ship logs to a SIEM (Wazuh is free; Microsoft Sentinel and Splunk are commercial). Without centralized logs, an attacker simply clears the local event logs after compromise and the evidence is gone.
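The bullet list above maps onto auditpol subcategories, and the "with command line" part of Process Creation needs one extra registry value or event 4688 arrives without the command line. The script below is an added example (not from the original post): it applies exactly those subcategories on one host and reads back what auditpol actually set. Subcategory names are the built-in English ones; the policy registry value for command-line logging is the documented ProcessCreationIncludeCmdLine_Enabled. Use it to verify a test box; in production push the same settings through Advanced Audit Policy Configuration in the GPO, as the post says.

```powershell
# Added example (not from the original post): apply and verify the high-value audit subcategories.
# Run elevated on a test host; production settings belong in the GPO.
$auditSettings = @(
    @{ Subcategory = 'Credential Validation';       Success = $true; Failure = $true  },
    @{ Subcategory = 'User Account Management';     Success = $true; Failure = $false },
    @{ Subcategory = 'Computer Account Management'; Success = $true; Failure = $false },
    @{ Subcategory = 'Security Group Management';   Success = $true; Failure = $false },
    @{ Subcategory = 'Logon';                       Success = $true; Failure = $true  },
    @{ Subcategory = 'Logoff';                      Success = $true; Failure = $true  },
    @{ Subcategory = 'Special Logon';               Success = $true; Failure = $true  },
    @{ Subcategory = 'Sensitive Privilege Use';     Success = $true; Failure = $false },
    @{ Subcategory = 'File Share';                  Success = $true; Failure = $false },
    @{ Subcategory = 'Removable Storage';           Success = $true; Failure = $false },
    @{ Subcategory = 'Process Creation';            Success = $true; Failure = $false }
)

function Set-HighValueAuditPolicy {
    param([hashtable[]] $Settings = $auditSettings)
    foreach ($s in $Settings) {
        $succ = if ($s.Success) { 'enable' } else { 'disable' }
        $fail = if ($s.Failure) { 'enable' } else { 'disable' }
        & auditpol.exe /set "/subcategory:$($s.Subcategory)" "/success:$succ" "/failure:$fail" | Out-Null
    }
    # Event 4688 only includes the process command line when this policy value is 1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

function Get-HighValueAuditPolicy {
    # auditpol's /r switch emits CSV, which makes the effective policy easy to compare.
    $wanted = $auditSettings | ForEach-Object { $_.Subcategory }
    & auditpol.exe /get /category:* /r | ConvertFrom-Csv |
        Where-Object { $_.Subcategory -in $wanted } |
        Select-Object Subcategory, 'Inclusion Setting'
}

Set-HighValueAuditPolicy
Get-HighValueAuditPolicy | Format-Table -AutoSize
```

A subcategory that still reads "No Auditing" after this usually means a legacy (category-level) audit policy is overriding it; enable "Force audit policy subcategory settings" in the same GPO to stop that.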

7. Microsoft Defender + ASR rules

Modern Defender (with Microsoft 365 E3/E5 or standalone Defender for Endpoint) is competitive with any commercial EDR. Enable Attack Surface Reduction (ASR) rules: block Office child processes, block credential stealing from LSASS, block executable content from email — these alone stop most commodity ransomware.
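The three ASR rules named above can be rolled out with Add-MpPreference, and it is worth running them in Audit mode for a week or two before flipping them to Block, so that a line-of-business macro that spawns a child process does not break on day one. The script below is an added example, not from the original post or from Microsoft: it sets the three rules to a chosen mode and reads the effective state back. The rule GUIDs are Microsoft's published identifiers for these rules; confirm them against the current ASR rule reference before deploying, and note that the staged Audit-then-Block sequence is this example's suggestion rather than something the post prescribes.

```powershell
# Added example (not from the original post): stage the three ASR rules from Audit to Block.
# Requires the Defender PowerShell module (Add-MpPreference / Get-MpPreference).
$asrRules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'                        = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')] [string] $Mode,
        [string[]] $RuleIds = @($asrRules.Values)
    )
    # Add-MpPreference merges with rules already configured; IDs and actions are parallel arrays.
    $actions = @($RuleIds | ForEach-Object { $Mode })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleStatus {
    # Get-MpPreference reports actions numerically (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Rule   = ($asrRules.GetEnumerator() | Where-Object Value -eq $id).Key
            Id     = $id
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Stage 1: audit only. Review Event ID 1122 (ASR audit) in the Microsoft-Windows-Windows Defender/Operational
# log for a couple of weeks to see what would have been blocked.
Set-AsrRuleMode -Mode AuditMode
Get-AsrRuleStatus | Format-Table -AutoSize

# Stage 2, once the audit events are clean or exceptions are in place:
# Set-AsrRuleMode -Mode Enabled
```

The checklist item "Defender ASR rules in Block mode" corresponds to Action 1 for every rule in the Get-AsrRuleStatus output.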

8. Patch tier-0 first, fast

Patch domain controllers and management systems within 72 hours of a critical Microsoft update. Use a maintenance window — but don’t skip cycles. Most ransomware groups exploit n-day vulnerabilities, not zero-days.

Quick audit checklist

  • Tier 0/1/2 admin model documented and enforced
  • Windows LAPS deployed on all workstations and member servers
  • Domain Admins group ≤ 5 members, all in Protected Users
  • KRBTGT password rotated within last 6 months (twice)
  • SMBv1, LLMNR, NetBIOS-NS, WDigest disabled
  • Audit policies above enabled and shipped to SIEM
  • Defender ASR rules in Block mode
  • All DCs patched within last 30 days

FAQ

Should I move to Azure AD / Entra ID and abandon on-prem AD?

For most organizations, hybrid (sync via Entra Connect) is the right answer for years to come. Pure cloud is fine for greenfield, but legacy apps still rely on Kerberos and NTLM.

Is Microsoft Defender enough?

With ASR rules, EDR features (Defender for Endpoint P2), and a real SIEM — yes, for most SMBs. Larger environments may add CrowdStrike or SentinelOne for advanced hunting features.

How often should we run AD security assessments?

Annually at minimum. Run free scanners such as PingCastle or Purple Knight quarterly to catch drift.

Need an AD assessment?

We provide remote Active Directory security reviews with prioritized remediation roadmaps. Get in touch to schedule one.