Active Directory hardening checklist & (actionable) best practices

This post is based on the Hack The Box (HTB) Academy module (or course) on Introduction to Active Directory. The module demystifies AD and provides hands-on exercises to practice each of the tactics and techniques we cover (including concepts used to enumerate and attack AD environments). 

You can learn more by browsing the catalog of free or advanced cybersecurity courses on the HTB Academy! 

Active Directory is the central hub for the management of an organization's resources. If cybercriminals were to breach it, they’d have almost complete control over your network.

With AD being so vast and central to your organization’s security, protecting it against attacks is critical. 

However, safeguarding such a comprehensive environment is no easy feat. AD’s extensive attack surface can make it difficult to keep track of defensive measures. This is where an expertly crafted checklist can save time and offer you the reassurance of covering common weak spots. 

💡There's no one-size-fits-all solution to Active Directory hardening and defense. The tips in this checklist act as a starting point and are sourced from our team of expert attackers and defenders.

Active directory hardening checklist

The goal of this Active Directory hardening checklist is to help you reduce the overall attack surface. By working through these best practices, your network will be less vulnerable to AD attacks, and you’ll have a starting point for potential hardening measures to take.

 

1. Account lockout policies

Implement account lockout policies to lock accounts after a certain number of failed login attempts, thus slowing down or stopping enumeration attempts.

2. Limiting LDAP access

Restrict access to Lightweight Directory Access Protocol (LDAP) by implementing network segmentation and access controls to reduce exposure.

You can learn more about Active Directory LDAP with our Academy module, which focuses on working with LDAP and AD search filters.

3. Strong password policies

Enforce complex password policies, including minimum length, character diversity, and password age. Using a password management solution is a good idea, as users can save their complex passwords without the risk of losing or forgetting them.

4. Multi-factor authentication (MFA)

Implement MFA to provide an extra layer of security, making it significantly more challenging for attackers to gain unauthorized access.

5. Regular user training

Educate users on the importance of strong passwords and identifying suspicious activity, such as phishing attempts. You can also regularly audit password policies and settings to ensure rules are being followed.

6. Enable LDAP Signing and LDAP Channel Binding 

These processes can help protect against man-in-the-middle attacks that could lead to unauthorized access to service accounts.

7. Use Group Managed Service Accounts (gMSAs)

These accounts provide automatic password management and help mitigate the risk of password hash exposure.

You should also audit service account permissions regularly to ensure they are appropriate for each account’s role. 

8. Implement Privileged Access Management (PAM)

This helps limit the exposure of privileged credentials and reduce the attack surface for Kerberoasting. It’ll also enable you to monitor all changes to security group permissions.

9. Secure AD CS configurations

Ensure that your AD Certificate Services (CS) setup follows best practices, such as restricting certificate templates to the necessary permissions and limiting the types of certificates users can request.

10. Implement the Principle of Least Privilege

If you have many overprivileged accounts, attackers can use these accounts to gain a greater foothold in your environment.

Grant users, computers, and services only the minimum necessary privileges to perform their tasks, reducing the risk of unauthorized certificate requests. This also reduces the risk of attackers exploiting overprivileged accounts to perform DCSync or Golden Ticket attacks.

11. Regularly audit AD CS

Periodically review your AD CS setup, checking for misconfigurations or potential vulnerabilities that could be exploited by attackers.

12. Monitor issued certificates

Keep track of issued certificates and their associated permissions. Revoke any suspicious or unnecessary certificates to limit attackers' abilities to exploit them.

13. Restrict sensitive permissions

Limit the number of accounts with permissions to perform replication activities. Ideally, only domain controllers and necessary administrative accounts should have these permissions.

It’s important to also restrict the number of accounts with high privileges, such as Domain Admins, to minimize the risk of attackers gaining unauthorized access through Golden Tickets.

14. Regularly audit AD permissions

Periodically review permissions in your AD environment to identify and remediate any unnecessary or excessive privileges that could be exploited by attackers.

15. Implement security monitoring and alerting

Set up alerts for suspicious activities, such as:

• Unauthorized replication requests.

• The use of known DCSync-related tools.

• Unusual Kerberos ticket requests.

• The use of known Golden Ticket-related tools like Mimikatz.

16. Secure the krbtgt account

Regularly change the password for the krbtgt account to limit the attacker's ability to create valid Golden Tickets. Ensure that the account's password is complex and not reused across other accounts.

Fortify your networks by understanding both defensive and offensive strategies

To truly defend a network, you need to gain an understanding of both blue and red techniques. 

Exploring how pentesters might exploit AD is a great way to understand how they gain a foothold. Our Active Directory 101 Track also contains a selection of Machines for pentesters to exploit using AD vulnerabilities. (Exposing blue teams to these Machines is a great way to excel in their roles and “see the other side of the coin.”) 

But what about the defense and aftermath of an AD exploit? 

Our Sherlocks Labs empower both blue and red teams to elevate defensive skills, with many of the Machines having offensive counterparts. 

A purple team approach is vital for defending against today’s advanced threat actors. This checklist can benefit both blue and red teams, demonstrating how either side may attack or defend corporate networks.

Author Bio: Sabastian Hague (sebh24), Defensive Content Lead, Hack The Box Sabastian Hague is a seasoned cybersecurity professional with over eight years of experience in the field. After serving in the Royal Air Force as a specialist in all things SOC, he went on to work for Vodafone's global CERT team before taking on a role as a senior security consultant with SpiderLabs and working on numerous high-profile incidents. He is now the Defensive Content Lead at Hack The Box. Seb has numerous industry certifications, including GIAC Certified Detection Analyst (GCDA), GIAC Continuous Monitoring Certification (GMON), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst, Offensive Security Certified Professional (OSCP), Blue Team Level 1 (BTL1), Blue Team Level 2 (BTL2), Cybereason Threat Hunter (CCTH).  You can connect with him on LinkedIn or Twitter.