Active Directory Defense & Hardening
Comprehensive Active Directory security hardening, detection, and defense strategies
Validate Defenses in GOAD
Deploy controls in the GOAD lab and validate detection/response.
Tier Architecture Implementation
- Implement Microsoft's Enhanced Security Administrative Environment (ESAE) / Red Forest
- Deploy Tier 0, Tier 1, and Tier 2 administrative boundaries
- Enforce one-way trust relationships between tiers
- Implement Privileged Access Workstations (PAW) for Tier 0 admins
- Use separate admin accounts for each tier
- Deploy JIT (Just-In-Time) and JEA (Just Enough Administration)
Authentication Hardening
- Disable NTLM authentication where possible, enforce Kerberos
- Enable SMB signing on all systems (clients and servers)
- Configure LDAP channel binding and LDAP signing
- Implement Extended Protection for Authentication (EPA)
- Enforce strong password policies (length, complexity, history)
- Deploy password filter DLLs to block common passwords
- Implement account lockout policies
- Enable MFA for all privileged accounts
- Use FIDO2/Windows Hello for Business
- Disable RC4 encryption for Kerberos
Privileged Account Management
- Minimize membership in Domain Admins, Enterprise Admins, Schema Admins
- Remove service accounts from privileged groups
- Use Group Managed Service Accounts (gMSA) for services
- Implement time-bound privileged group membership
- Deploy Privileged Access Management (PAM) solutions
- Use separate admin accounts for privileged tasks
- Enforce strong password policies for service accounts
- Regularly audit privileged group memberships
- Keep 'AdminSDHolder' (SDProp) protection intact so protected groups do not inherit weakened permissions
- Use Protected Users security group for high-value accounts
Kerberos Hardening
- Enable AES encryption for Kerberos (disable RC4)
- Implement Kerberos Armoring (FAST)
- Configure reasonable ticket lifetimes (TGT: 10 hours, TGS: 10 hours)
- Enable PAC validation
- Monitor for Kerberos encryption downgrade attacks
- Implement SPN ACL restrictions
- Regularly rotate KRBTGT password (twice)
- Audit Kerberos pre-authentication failures
- Disable Kerberos DES encryption types
ADCS Security
- Audit all certificate templates for security misconfigurations
- Remove EDITF_ATTRIBUTESUBJECTALTNAME2 flag from CAs
- Implement template security baselines
- Enable certificate template ACL auditing
- Implement Extended Protection for ADCS web enrollment
- Use HTTPS with proper certificates for web enrollment
- Regularly audit CA permissions
- Implement certificate enrollment monitoring
- Enable certificate transparency logging
- Use short-lived certificates where possible
Delegation Controls
- Minimize unconstrained delegation usage
- Implement constrained delegation with protocol transition carefully
- Use resource-based constrained delegation when possible
- Mark sensitive accounts as 'Account is sensitive and cannot be delegated'
- Add privileged accounts to Protected Users group
- Regularly audit delegation settings
- Monitor for delegation-related security events
Lateral Movement Prevention
- Implement Local Administrator Password Solution (LAPS)
- Enable Windows Defender Credential Guard
- Configure Windows Defender Remote Credential Guard
- Disable WDigest authentication
- Restrict RDP access and use Network Level Authentication (NLA)
- Implement PowerShell Constrained Language Mode
- Deploy AppLocker or Windows Defender Application Control
- Disable LLMNR and NetBIOS Name Service
- Enable PowerShell logging (Script Block, Module, Transcription)
- Implement network segmentation and micro-segmentation
Monitoring & Detection
- Deploy centralized logging (SIEM) for AD events
- Enable Advanced Audit Policy Configuration
- Monitor critical security events (4768, 4769, 4770, 4771, 4776, 4624, 4625)
- Implement threat hunting for AD anomalies
- Deploy endpoint detection and response (EDR)
- Use Microsoft Defender for Identity (MDI) or similar
- Monitor for BloodHound collectors and suspicious LDAP queries
- Implement honeypot accounts and deception techniques
- Alert on suspicious service creation and scheduled tasks
- Monitor for DCSync, DCShadow, and Golden Ticket indicators
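As an added example (not part of this checklist), a Python detector that applies the "Kerberos encryption downgrade" and "monitor 4768/4769" items above: it parses Security events in the standard EVTX XML layout and flags tickets that were actually granted with RC4 or DES. The event records are constructed sample data; LAB.LOCAL and the account and host names are assumptions.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace (as produced by wevtutil / Get-WinEvent .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Kerberos etype codes as they appear in the TicketEncryptionType field.
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
               "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Security event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def find_weak_kerberos_tickets(events_xml):
    """Flag 4768 (TGT) and 4769 (TGS) events where a ticket was issued with a weak etype.
    Only Status 0x0 counts: a rejected request never produced a weakly encrypted ticket."""
    findings = []
    for xml_text in events_xml:
        event_id, d = parse_event(xml_text)
        if event_id not in (4768, 4769) or d.get("Status") != "0x0":
            continue
        etype = d.get("TicketEncryptionType", "").lower()
        if etype in WEAK_ETYPES:
            findings.append({"event_id": event_id, "user": d.get("TargetUserName"),
                             "service": d.get("ServiceName"), "client_ip": d.get("IpAddress"),
                             "etype": WEAK_ETYPES[etype]})
    return findings

def _event(event_id, **fields):
    """Build a constructed event in the real EVTX XML layout (sample data, not a capture)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample log: one AES256 TGS (expected), one RC4 TGS for a service account
# (the downgrade pattern the checklist says to watch for), one RC4 TGT, and one RC4
# request the KDC rejected (must not be flagged).
SAMPLE_EVENTS = [
    _event(4769, TargetUserName="jdoe@LAB.LOCAL", ServiceName="FILE01$",
           TicketEncryptionType="0x12", IpAddress="::ffff:10.0.0.21", Status="0x0"),
    _event(4769, TargetUserName="jdoe@LAB.LOCAL", ServiceName="svc_sql",
           TicketEncryptionType="0x17", IpAddress="::ffff:10.0.0.21", Status="0x0"),
    _event(4768, TargetUserName="svc_backup", ServiceName="krbtgt",
           TicketEncryptionType="0x17", IpAddress="::ffff:10.0.0.50", Status="0x0"),
    _event(4769, TargetUserName="jdoe@LAB.LOCAL", ServiceName="svc_web",
           TicketEncryptionType="0x17", IpAddress="::ffff:10.0.0.21", Status="0x1b"),
]
```

Feed it the output of `Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4768 or EventID=4769]]"` rendered with `.ToXml()` to run it against a real domain controller; once RC4 is disabled domain-wide, any hit points at a client or service that still negotiates the weak etype.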
GPO Security
- Restrict GPO modification permissions
- Audit all GPO changes
- Implement GPO backup and recovery procedures
- Use security filtering to limit GPO scope
- Deploy security configuration baselines via GPO
- Monitor for unauthorized GPO links
- Implement GPO integrity checks
- Use Restricted Groups for privileged group management