# Active Directory Security
Definition
Active Directory (AD) is Microsoft's directory service for Windows domain networks. It provides centralized authentication, authorization, group policy management, and directory services for the majority of enterprise Windows environments worldwide. When a user logs into a Windows domain-joined computer, Active Directory validates their credentials. When a system administrator pushes a security configuration to 5,000 endpoints, Active Directory's Group Policy distributes it. When an application checks whether a user is authorized to access a resource, Active Directory provides the answer.
Active Directory is the identity infrastructure that underpins most enterprise environments, which makes it the single highest-value target for any attacker who seeks control of the environment rather than just access to a single system. Compromising Active Directory means compromising authentication for every domain-joined system, authorization for every domain-managed resource, and the ability to push configuration changes (including malicious ones) to every endpoint in the domain.
Nearly every major ransomware incident involves Active Directory compromise. The attacker's objective is domain administrator (or equivalent Tier 0) privilege, because domain admin controls AD, and AD controls everything. This is not an exaggeration. An attacker with domain admin can create accounts, modify group memberships, push group policies that disable security controls, access any file share, and deploy ransomware to every domain-joined system simultaneously. AD compromise is the event that transforms a single compromised endpoint into a full environment compromise.
How It Works
AD Architecture
Active Directory organizes network resources into a hierarchical structure:
Forest. The top-level security boundary. A forest contains one or more domains that share a common schema, configuration, and global catalog. Trust relationships between domains within a forest are automatic and transitive. Most organizations operate a single forest (a multi-forest architecture introduces significant complexity).
Domain. A logical grouping of objects (users, computers, groups, policies) that share a common directory database and security policies. The domain is the primary authentication boundary: a user authenticates against their domain's domain controllers.
Domain Controller (DC). A server that hosts the AD database (NTDS.dit) and handles authentication requests, directory queries, and policy distribution. Every domain should have at least two domain controllers for redundancy; a domain with a single DC has a single point of failure for all authentication. The domain controllers collectively maintain the authoritative copy of every identity, credential, group membership, and policy in the domain, which is why each of them is a Tier 0 asset.
Organizational Units (OUs). Containers within a domain that organize objects (users, computers, groups) for administrative purposes. Group Policy Objects (GPOs) are linked to OUs to push configurations to the objects within them.
Kerberos authentication. AD uses the Kerberos protocol for authentication. When a user logs in, the client authenticates to the Key Distribution Center (KDC, a service on every domain controller) and receives a Ticket Granting Ticket (TGT), encrypted with the key of the KRBTGT account. The client presents the TGT to the KDC to request service tickets for specific resources, each identified by a Service Principal Name (SPN); a service ticket is encrypted with the key of the account that runs that service and is presented to the resource server to gain access. NTLM remains enabled by default as a fallback (for example when a resource is addressed by IP rather than by name), and the NT hash it relies on is the credential that pass-the-hash attacks reuse. Kerberos is the foundation of AD authentication and the target of several of the attack techniques described below.
Tier Model
Microsoft recommends organizing AD administration into three tiers to limit the blast radius of a credential compromise:
Tier 0 (Control Plane). Domain controllers, the AD database and its backups, enterprise PKI (AD CS), identity federation (AD FS), and the Entra Connect synchronization server, together with every account and workstation that administers them. Compromise of Tier 0 means compromise of the entire AD environment. Tier 0 systems should be managed only from Tier 0 Privileged Access Workstations (PAWs), never from standard user workstations.
Tier 1 (Server Administration). Application servers, file servers, database servers, management tools. Compromise of Tier 1 provides access to business-critical applications and data but does not directly compromise the identity infrastructure. Tier 1 admin credentials should not be used on Tier 0 systems or Tier 2 endpoints.
Tier 2 (Workstation Administration). User workstations, help desk tools, user support. Compromise of Tier 2 affects individual users but should not provide a path to Tier 1 or Tier 0 if the tier model is enforced.
The tier model's purpose is to prevent credential theft at a lower tier from enabling access to a higher tier. If a Tier 0 admin (domain admin) logs on interactively to a Tier 2 workstation, their credential material (the NT hash and Kerberos keys held in LSASS memory for the life of the session, plus a cached-logon verifier written to the registry) is now on that workstation. An attacker who compromises the workstation can extract that material (using Mimikatz, an LSASS memory dump, or similar techniques) and use it to access Tier 0. The tier model prevents this by ensuring that Tier 0 credentials are only ever used on Tier 0 systems.
Most organizations do not enforce the tier model. Domain admins log into user workstations for troubleshooting. Help desk staff use their personal workstations to manage servers. Credential material is scattered across systems at every tier. The attacker's lateral movement from Tier 2 (phishing compromise of a user workstation) to Tier 0 (domain admin) is a straight line instead of the fortified boundary the tier model is designed to create.
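The tier boundary is easiest to check after the fact from logon telemetry. The script below is an added example (not CDA's tooling or Microsoft's) that evaluates Security event 4624 records against a tier map and flags logons in which a more privileged account has touched a less privileged host. The account-to-tier and host-to-tier tables and the five events are constructed for the example; in a real environment the tables come from group membership (Domain Admins to Tier 0, and so on) and from the OU that holds each computer object. The rule also distinguishes logon types: interactive, RDP, service, batch and runas-style logons leave reusable credential material on the target, whereas a pure network logon (type 3) does not, so it is a policy violation without immediate credential exposure.

```python
"""Tier-model logon checker over constructed Security event 4624 records.

Added example, not code from the original article. Tier assignments below
are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Logon types that leave reusable credential material on the target host
# (hash/keys in LSASS for the session, or a DCC2 cache entry on disk).
# Type 3 (network) proves possession of the credential without sending a
# reusable secret to the target, so it is flagged at lower severity.
CREDENTIAL_EXPOSING_LOGONS = {2, 4, 5, 7, 9, 10, 11}
LOGON_TYPE_NAMES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
                    7: "unlock", 9: "new-credentials", 10: "remote-interactive",
                    11: "cached-interactive"}

# Assumed tier assignments (constructed for this example).
ACCOUNT_TIER: Dict[str, int] = {
    "da-jsmith": 0, "svc-backup": 0,      # Tier 0: domain admins, DC backup account
    "srvadmin-lee": 1,                    # Tier 1: server administrators
    "helpdesk-ana": 2, "jdoe": 2,         # Tier 2: workstation admins and users
}
HOST_TIER: Dict[str, int] = {"DC01": 0, "ADCS01": 0, "SQL01": 1, "FS01": 1,
                             "WS-1042": 2, "WS-2201": 2}


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    logon_type: int
    severity: str   # "critical" when credential material is now cached below tier
    reason: str


def evaluate_logon(event: Dict) -> Optional[Finding]:
    """Return a Finding if a 4624 record violates the tier model, else None."""
    if event.get("EventID") != 4624:
        return None
    account = event["TargetUserName"].rstrip("$").lower()
    host = event["Computer"].split(".")[0].upper()
    logon_type = int(event["LogonType"])
    if account not in ACCOUNT_TIER or host not in HOST_TIER:
        return None   # unmapped principal or host: outside this rule's scope
    acct_tier, host_tier = ACCOUNT_TIER[account], HOST_TIER[host]
    if acct_tier >= host_tier:
        return None   # account is at or below the host's tier: permitted
    exposed = logon_type in CREDENTIAL_EXPOSING_LOGONS
    detail = ("credential material now cached on host" if exposed
              else "no reusable credential left on host, but tier policy broken")
    return Finding(
        account=account, host=host, logon_type=logon_type,
        severity="critical" if exposed else "warning",
        reason=(f"Tier {acct_tier} account on Tier {host_tier} host via "
                f"{LOGON_TYPE_NAMES.get(logon_type, logon_type)} logon; {detail}"),
    )


def scan(events: List[Dict]) -> List[Finding]:
    return [f for f in (evaluate_logon(e) for e in events) if f is not None]


# Constructed sample: 4624 records as a SIEM would normalise them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 10, "Computer": "WS-1042.corp.example"},
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 3, "Computer": "FS01.corp.example"},
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 2, "Computer": "DC01.corp.example"},
    {"EventID": 4624, "TargetUserName": "srvadmin-lee", "LogonType": 2, "Computer": "WS-2201.corp.example"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 3, "Computer": "FS01.corp.example"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {finding.account} -> {finding.host}: {finding.reason}")
```

Run against real data, the same logic consumes 4624 events forwarded from every tier; the two findings to act on first are the critical ones, because a credential that is now cached on a lower-tier host has to be treated as exposed until it is reset. Note that 4624 does not record whether an RDP session used Restricted Admin or Remote Credential Guard, which avoid caching the credential; a production rule would correlate with that configuration before rating an RDP logon as critical.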
Why It Matters
The Ransomware Kill Chain Runs Through AD
The standard ransomware attack progression: phish a user (Tier 2 compromise), extract cached credentials from the workstation (credential dumping), use those credentials to move laterally to systems where higher-privilege credentials are cached, escalate to domain admin, disable security controls via Group Policy, delete shadow copies and backup agent configurations, and deploy the ransomware payload to every domain-joined system simultaneously via Group Policy or PsExec.
Every step from lateral movement through encryption deployment depends on AD. The attacker uses AD authentication to move between systems. The attacker uses AD group memberships to identify high-value targets. The attacker uses AD Group Policy to deploy the payload at scale. AD is not a peripheral target. It is the central infrastructure that makes the attack possible.
Credential Theft Techniques
Adversaries have developed a mature toolkit for extracting credentials from AD environments:
LSASS memory dumping. The Local Security Authority Subsystem Service (LSASS) process holds credential material in memory on every Windows system: NT hashes, Kerberos keys and tickets for every account with an active logon session. Tools like Mimikatz, or a plain process dump taken with a utility such as procdump and parsed offline, extract this material, enabling the attacker to impersonate any user whose credential is present on that system. Defenses: Credential Guard (which moves NT hashes and Kerberos keys out of LSASS into a virtualization-protected isolated process, so a dump of LSASS no longer contains them), LSA protection (running LSASS as a protected process, RunAsPPL, so unsigned code cannot open it), and restricting administrative logons to the appropriate tier so that high-value credentials are never present on low-value hosts.
Kerberoasting. Service accounts in AD have Service Principal Names (SPNs) registered. Any authenticated domain user can request a Kerberos service ticket for any SPN. The service ticket is encrypted with a key derived from the service account's password: with RC4-HMAC that key is simply the account's NT hash, while with AES it is derived through a slower PBKDF2 step that makes cracking far more expensive. The attacker requests tickets over the network (an ordinary operation that produces only routine event 4769 records) and cracks them offline. If the service account's password is weak, the attacker obtains the cleartext password and the service account's access (which is often excessive). Defenses: long, random, rotated service account passwords (managed through PAM); Group Managed Service Accounts (gMSAs), whose 240-byte random passwords are rotated automatically (every 30 days by default); configuring msDS-SupportedEncryptionTypes on service accounts so that RC4 tickets are never issued for them; and monitoring for bursts of service ticket requests, especially RC4 ones, from a single user.
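The defensive side of Kerberoasting starts with knowing which SPN accounts are worth roasting. The audit below is an added example (not CDA's tooling) that scores an exported list of SPN-bearing accounts on the attributes that decide exposure: whether RC4 tickets can be requested (an unset msDS-SupportedEncryptionTypes means the KDC falls back to RC4 for user accounts), password age, a never-expiring password, and adminCount=1 marking a privileged account. gMSAs and computer accounts are scored zero because their machine-generated passwords are not practically crackable, and disabled accounts are scored zero because the KDC will not issue tickets for them. The five account records are constructed; the attribute names are the real LDAP attributes, so the same function works on an export from Get-ADObject or ldapsearch.

```python
"""Kerberoasting exposure audit over an exported list of SPN accounts.

Added example, not code from the original article. The account records
below are constructed; attribute names follow the AD schema.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# msDS-SupportedEncryptionTypes bit flags
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1 = 0x8
AES256_CTS_HMAC_SHA1 = 0x10
# userAccountControl flags
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000


def rc4_allowed(enc_types: Optional[int]) -> bool:
    """Unset/0 means 'not configured'; for user accounts the KDC then issues
    RC4 tickets, so absence is as exposed as an explicit RC4 bit."""
    return not enc_types or bool(enc_types & RC4_HMAC)


def score_account(acct: Dict, now: datetime) -> Dict:
    sam = acct["sAMAccountName"]
    uac = acct.get("userAccountControl", 0)
    if acct["objectClass"] == "msDS-GroupManagedServiceAccount":
        return {"sam": sam, "score": 0, "findings": ["gMSA: auto-rotated random password, not practically crackable"]}
    if acct["objectClass"] == "computer":
        return {"sam": sam, "score": 0, "findings": ["computer account: machine-generated password"]}
    if uac & ACCOUNTDISABLE:
        return {"sam": sam, "score": 0, "findings": ["disabled: KDC issues no tickets for it"]}
    score, findings = 0, []
    if rc4_allowed(acct.get("msDS-SupportedEncryptionTypes")):
        score += 3
        findings.append("RC4 tickets can be requested (fast offline cracking)")
    age_days = (now - acct["pwdLastSet"]).days
    if age_days > 365:
        score += 2
        findings.append(f"password last set {age_days} days ago")
    if uac & DONT_EXPIRE_PASSWORD:
        score += 1
        findings.append("password never expires")
    if acct.get("adminCount") == 1:
        score += 3
        findings.append("adminCount=1: privileged account, cracking it is domain-wide impact")
    return {"sam": sam, "score": score, "findings": findings}


def audit(accounts: List[Dict], now: datetime) -> List[Dict]:
    """Highest exposure first."""
    return sorted((score_account(a, now) for a in accounts), key=lambda r: -r["score"])


# Constructed sample export of accounts that carry an SPN.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "pwdLastSet": datetime(2019, 3, 12, tzinfo=timezone.utc),
     "msDS-SupportedEncryptionTypes": None, "adminCount": 1, "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "pwdLastSet": datetime(2024, 5, 1, tzinfo=timezone.utc),
     "msDS-SupportedEncryptionTypes": AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1, "userAccountControl": 0x200},
    {"sAMAccountName": "svc-legacy", "objectClass": "user",
     "servicePrincipalName": ["CIFS/legacy01.corp.example"],
     "pwdLastSet": datetime(2021, 1, 15, tzinfo=timezone.utc),
     "msDS-SupportedEncryptionTypes": RC4_HMAC, "userAccountControl": 0x10200},
    {"sAMAccountName": "gmsa-sync$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HOST/sync01.corp.example"],
     "pwdLastSet": datetime(2024, 5, 20, tzinfo=timezone.utc),
     "msDS-SupportedEncryptionTypes": AES256_CTS_HMAC_SHA1, "userAccountControl": 0x1000},
    {"sAMAccountName": "svc-retired", "objectClass": "user",
     "servicePrincipalName": ["HTTP/old01.corp.example"],
     "pwdLastSet": datetime(2017, 8, 3, tzinfo=timezone.utc),
     "msDS-SupportedEncryptionTypes": None, "userAccountControl": 0x202},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ACCOUNTS, NOW):
        print(f"{row['sam']:<12} score={row['score']}  " + "; ".join(row["findings"]))
```

The scoring weights are a judgment call, but the ordering they produce is the one that matters operationally: an RC4-capable, privileged account with a five-year-old password is the first thing to migrate to a gMSA or to a vaulted, rotated password with AES enforced, and it is also the account whose 4769 history is worth checking for past roasting.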
DCSync. An attacker holding the Replicating Directory Changes and Replicating Directory Changes All rights on the domain naming context (held by Domain Admins, Enterprise Admins, the domain controller computer accounts, and by default the Entra Connect synchronization account) can impersonate a domain controller and call the directory replication service (the DRSUAPI GetNCChanges operation) to pull password hashes, including the KRBTGT hash, from a real domain controller. This extracts every password hash in the domain without touching the NTDS.dit file directly. Defenses: audit the ACL of the domain head for these rights and remove them from anything that is not a DC or a known, hardened synchronization account; monitor event 4662 for replication rights exercised by any other principal, and network telemetry for DRSUAPI traffic from non-DC addresses.
Golden Ticket. If the attacker obtains the KRBTGT account's password hash (the key that seals every TGT the KDC issues), they can forge TGTs for any user, including non-existent users, with any group membership, and the KDC will accept them because the seal verifies. A Golden Ticket provides persistent, unrestricted access to the domain until the KRBTGT key is rotated, and rotating it once is not enough: the KDC also accepts tickets sealed with the previous KRBTGT key, so the password must be reset twice, with enough time between resets for the first change to replicate to every domain controller (at least the 10-hour maximum TGT lifetime in practice), before the attacker's key is evicted. Defenses: rotate the KRBTGT password regularly (at minimum semi-annually, and immediately after any suspected compromise), and alert on TGTs whose lifetime exceeds domain policy or that name accounts that do not exist in the directory.
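The double-reset requirement is easier to trust once you have watched a forged ticket survive the first reset. The model below is an added example (not the article's or Microsoft's code) of the KDC's key-acceptance behaviour: it keeps the current KRBTGT key and the previous one, seals tickets with the current key, and accepts a presented TGT if it verifies under either. One assumption is made to keep the model dependency-free: an HMAC-SHA256 over the ticket fields stands in for the RC4 or AES encryption a real KDC applies. The ticket contents, the ten-year forged lifetime (Mimikatz's default), the ghost principal and the key-rotation sequence are the real mechanics.

```python
"""Why a Golden Ticket survives one KRBTGT reset but not two.

Added example, not code from the original article. HMAC-SHA256 stands in
for the KDC's ticket encryption (an assumption for the model); the key
acceptance rule (current key or the immediately previous one) is real.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_TGT_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket"
Ticket = Tuple[bytes, bytes]             # (ticket body, seal)


class KrbtgtAccount:
    """Holds the current KRBTGT key and the one before it, as the KDC does."""

    def __init__(self) -> None:
        self.current = secrets.token_bytes(32)
        self.previous: Optional[bytes] = None

    def rotate(self) -> None:
        """One password reset: the old current key becomes 'previous'."""
        self.previous, self.current = self.current, secrets.token_bytes(32)

    def accepted_keys(self) -> List[bytes]:
        return [k for k in (self.current, self.previous) if k is not None]


def seal_tgt(key: bytes, cname: str, groups: List[str],
             authtime: datetime, lifetime: timedelta) -> Ticket:
    """Build a TGT (with its PAC-like group claims) sealed under `key`.
    A legitimate KDC calls this with krbtgt.current; an attacker calls it
    with the stolen hash and any cname/groups they like."""
    body = json.dumps({"cname": cname, "groups": groups,
                       "authtime": authtime.isoformat(),
                       "endtime": (authtime + lifetime).isoformat()},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def kdc_validate(krbtgt: KrbtgtAccount, tgt: Ticket, now: datetime) -> Tuple[bool, str]:
    """TGS-REQ handling: verify the seal under an accepted key, check expiry.
    The KDC does not re-check that cname exists or that the groups are real;
    a verified seal is what makes the embedded claims trusted."""
    body, seal = tgt
    if not any(hmac.compare_digest(seal, hmac.new(k, body, hashlib.sha256).digest())
               for k in krbtgt.accepted_keys()):
        return False, "KRB_AP_ERR_MODIFIED: not sealed with current or previous krbtgt key"
    fields = json.loads(body)
    if now > datetime.fromisoformat(fields["endtime"]):
        return False, "KRB_AP_ERR_TKT_EXPIRED"
    return True, f"TGS issued for {fields['cname']} as {fields['groups']}"


def exceeds_policy(tgt: Ticket) -> bool:
    """Detection hint: a TGT with a lifetime beyond domain policy was not issued by a real KDC."""
    fields = json.loads(tgt[0])
    lifetime = datetime.fromisoformat(fields["endtime"]) - datetime.fromisoformat(fields["authtime"])
    return lifetime > MAX_TGT_LIFETIME


def scenario() -> Dict[str, bool]:
    krbtgt = KrbtgtAccount()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    stolen = krbtgt.current   # obtained via DCSync or NTDS.dit extraction
    golden = seal_tgt(stolen, "ghost-admin", ["Domain Admins"], t0, timedelta(days=3650))
    legit = seal_tgt(krbtgt.current, "jdoe", ["Domain Users"], t0, MAX_TGT_LIFETIME)
    later = t0 + timedelta(days=30)
    out: Dict[str, bool] = {}
    out["golden_before_reset"] = kdc_validate(krbtgt, golden, later)[0]
    krbtgt.rotate()   # first reset
    out["golden_after_one_reset"] = kdc_validate(krbtgt, golden, later)[0]   # still accepted
    krbtgt.rotate()   # second reset, done only after the first has replicated everywhere
    out["golden_after_two_resets"] = kdc_validate(krbtgt, golden, later)[0]  # rejected
    out["forged_lifetime_exceeds_policy"] = exceeds_policy(golden)
    out["legit_lifetime_within_policy"] = not exceeds_policy(legit)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:<32} {value}")
```

Two operational points follow from the model. First, the pause between the two resets is not optional: if the second reset reaches a DC before the first has replicated to it, that DC still trusts the n-2 key and legitimate TGTs issued elsewhere start failing, while the attacker's key may still be accepted somewhere. Second, the second reset also invalidates every legitimate TGT in the domain, which is the intended outcome after a compromise and is normally transparent to users because clients re-request a TGT on the next failure.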
NTDS.dit extraction. The NTDS.dit file is the AD database stored on every domain controller. It contains every user's password hash, encrypted under a key that is itself protected by the boot key in the SYSTEM registry hive, so an attacker takes both. Because the file is locked while AD is running, the usual routes are a Volume Shadow Copy (vssadmin or diskshadow), an ntdsutil "install from media" export, or a snapshot or backup of the DC's disk; with the file and the hive copied off the DC, every credential in the domain can be extracted offline. Defenses: protect domain controller access (Tier 0 isolation, which includes the Backup Operators group and anyone who can snapshot or back up DC virtual machines), monitor for shadow copy creation and ntdsutil use on domain controllers, and encrypt domain controller backups and VM images.
Cloud Hybrid Considerations
Most organizations now operate hybrid identity environments: on-premises Active Directory synchronized to cloud identity providers (Microsoft Entra ID, formerly Azure AD) through tools like Entra Connect (formerly Azure AD Connect). This hybrid architecture extends AD's attack surface to the cloud:
A compromised Entra Connect server yields credentials for both environments: its on-premises connector account holds directory replication rights (the same rights DCSync abuses), and its Entra ID synchronization account holds privileges in the tenant. An attacker who obtains the AD FS token-signing certificate, a Tier 0 secret stored on the federation servers, can forge SAML tokens for any user (the Golden SAML technique used in the SolarWinds compromise) and access cloud resources without ever authenticating to the cloud identity provider. Password hash synchronization between on-premises AD and Entra ID means that a password cracked or phished on-premises is also valid in the cloud.
Hybrid identity security requires securing both environments and the synchronization layer between them. An organization that hardens on-premises AD but leaves Entra Connect on a standard member server with Tier 2 admin access has created a bridge that bypasses the on-premises hardening.
CDA Perspective
Active Directory security sits at the intersection of IAT (Identity Access and Trust) and SPH (Security Posture and Hygiene) in the Planetary Defense Model. IAT owns the identity and access architecture: who can authenticate, what they can access, and how trust is established. SPH owns the operational hygiene: are domain controllers hardened, is the tier model enforced, are configurations compliant with baseline, and are credential protections (Credential Guard, LSA protection) deployed?
CDA's Zero Possession Architecture (ZPA) methodology applies directly to AD security. "Trust nothing. Possess nothing. Verify everything." The tier model is a ZPA implementation: Tier 0 credentials are never exposed to Tier 2 systems (possess nothing outside the appropriate tier). Every authentication is verified through Kerberos with the strictest available protections. Standing domain admin accounts are eliminated through PAM and just-in-time access (trust nothing by default).
The civilizational analogy: Active Directory is the city's citizenship registry, gate control system, and law enforcement infrastructure combined. Compromising AD is not breaking into a house. It is seizing the government. Every identity, every access right, every policy is under the attacker's control. The Roman parallel: when the Praetorian Guard turned against the emperor (compromised the highest-privilege identity), the entire empire was at risk. AD compromise is the Praetorian betrayal at digital scale.
Five TOP missions connect to AD security:
- IAT-R01 (Identity Infrastructure Assessment): Assess the AD environment. Forest and domain architecture, domain controller health, tier model compliance, Entra Connect security, trust relationships, stale accounts, privileged group membership. 16 estimated hours.
- IAT-B02 (Privileged Access Management): Deploy PAM for AD administrative accounts. Vault domain admin credentials. Implement JIT access for Tier 0 administration. Eliminate standing privileged accounts. 40 estimated hours.
- IAT-H02 (Service Account Governance): Discover and govern AD service accounts. Inventory SPNs. Identify Kerberoasting risk. Migrate to gMSAs where possible. Implement password rotation for accounts that cannot migrate. 16 estimated hours.
- IAT-D01 (Credential Compromise Drill): Simulate credential theft attacks against the AD environment. Can the red team extract credentials from LSASS? Can they Kerberoast a service account? Can they escalate from Tier 2 to Tier 0? The drill reveals whether the hardening holds. 16 estimated hours.
- IAT-D02 (Privilege Escalation Test): Specifically test AD privilege escalation paths. From standard user to domain admin: how many steps? How many detections trigger? How long does it take? 20 estimated hours.
The interaction with TID is critical. TID detects AD-specific attacks: LSASS access by processes other than the OS and security tooling, anomalous Kerberos ticket requests (Kerberoasting indicators such as bursts of RC4 service tickets), DCSync replication from non-DC sources, Golden Ticket usage (tickets whose lifetime exceeds domain policy, or service ticket requests naming accounts that do not exist in the directory), and abnormal Group Policy modifications. Without TID detection rules tuned to AD attack techniques, the attacker operates within AD undetected.
CDA approaches AD security differently from conventional consultancies in one way: we treat AD as critical infrastructure, not as an IT management tool. AD is the identity infrastructure that every other system depends on. Its security posture determines the security ceiling for the entire environment. An organization with a SOC 2 report, EDR on every endpoint, and encrypted databases, but with unhardened domain controllers, no tier model, and standing domain admin accounts, has a ceiling defined by the AD weakness. CDA hardens the ceiling first.
Key Takeaways
- Active Directory is the identity infrastructure underpinning most enterprise Windows environments. Compromising AD means compromising authentication, authorization, and configuration for every domain-joined system.
- Nearly every major ransomware incident runs through AD. The attacker's path from initial compromise to domain-wide encryption depends on AD credential theft and privilege escalation.
- The tier model (Tier 0 control plane, Tier 1 servers, Tier 2 workstations) prevents credential theft at a lower tier from enabling access to a higher tier. Most organizations do not enforce it.
- Credential theft techniques (LSASS dumping, Kerberoasting, DCSync, Golden Ticket, NTDS.dit extraction) are well-documented and widely used. Defenses exist for each but require deliberate implementation.
- Hybrid identity environments (AD + Entra ID) extend the attack surface. Securing on-premises AD without securing the synchronization layer leaves a bridge that bypasses the hardening.
Related Articles
- Identity Access and Trust (IAT): Civilization
- Privileged Access Management (PAM)
- Zero Trust Architecture
- Ransomware
- Multi-Factor Authentication (MFA)
- Incident Response Lifecycle
Sources
- Microsoft. "Active Directory Security Best Practices." Microsoft Learn, updated continuously.
- Microsoft. "Securing Privileged Access: Enterprise Access Model." Microsoft Learn, 2024. (Tier model / Enterprise Access Model documentation.)
- MITRE Corporation. "ATT&CK Techniques: T1003 (OS Credential Dumping), T1558 (Steal or Forge Kerberos Tickets), T1003.006 (DCSync)." attack.mitre.org, updated continuously.
- Metcalf, Sean. "Active Directory Security." adsecurity.org, updated continuously. (Definitive community resource for AD attack and defense techniques.)
- Mandiant (Google Cloud). "M-Trends 2024: Special Report." Mandiant, April 2024. (AD compromise as a common component of significant breaches.)
Written by Evan Morgan