# Active Directory Security
Active Directory (AD) is Microsoft's directory service for Windows domain networks. It provides centralized authentication, authorization, group policy management, and directory services for the majority of enterprise Windows environments worldwide. When a user logs into a Windows domain-joined computer, Active Directory validates their credentials. When a system administrator pushes a security configuration to 5,000 endpoints, Active Directory's Group Policy distributes it. When an application checks whether a user is authorized to access a resource, Active Directory provides the answer.
Active Directory is the identity infrastructure that underpins most enterprise environments, which makes it the single highest-value target for any attacker who seeks control of the environment rather than just access to a single system. Compromising Active Directory means compromising authentication for every domain-joined system, authorization for every domain-managed resource, and the ability to push configuration changes (including malicious ones) to every endpoint in the domain.
Every major ransomware incident involves Active Directory compromise. The attacker's objective is domain administrator credentials, because domain admin controls AD, and AD controls everything. This is not an exaggeration. An attacker with domain admin can create accounts, modify group memberships, push group policies that disable security controls, access any file share, and deploy ransomware to every domain-joined system simultaneously. AD compromise is the event that transforms a single compromised endpoint into a full environment compromise.
Active Directory organizes network resources into a hierarchical structure:
Forest. The top-level security boundary. A forest contains one or more domains that share a common schema, configuration, and global catalog. Trust relationships between domains within a forest are automatic and transitive. Most organizations operate a single forest (a multi-forest architecture introduces significant complexity).
Domain. A logical grouping of objects (users, computers, groups, policies) that share a common directory database and security policies. The domain is the primary authentication boundary: a user authenticates against their domain's domain controllers.
Domain Controller (DC). A server that hosts the AD database (NTDS.dit) and handles authentication requests, directory queries, and policy distribution. Every production domain should have at least two domain controllers for redundancy. The domain controllers collectively maintain the authoritative copy of every identity, credential, group membership, and policy in the domain.
Organizational Units (OUs). Containers within a domain that organize objects (users, computers, groups) for administrative purposes. Group Policy Objects (GPOs) are linked to OUs to push configurations to the objects within them.
Kerberos authentication. AD uses the Kerberos protocol for authentication. When a user logs in, they authenticate to the Key Distribution Center (KDC, running on a domain controller) and receive a Ticket Granting Ticket (TGT). The TGT is used to request service tickets for specific resources. Service tickets are presented to resource servers to gain access. The Kerberos protocol is the foundation of AD authentication and the target of multiple attack techniques.
Microsoft recommends organizing AD administration into three tiers to limit the blast radius of a credential compromise:
Tier 0 (Control Plane). Domain controllers, AD database, PKI, identity federation services (ADFS/Entra Connect). Compromise of Tier 0 means compromise of the entire AD environment. Tier 0 systems should be managed only from Tier 0 Privileged Access Workstations (PAWs), never from standard user workstations.
Tier 1 (Server Administration). Application servers, file servers, database servers, management tools. Compromise of Tier 1 provides access to business-critical applications and data but does not directly compromise the identity infrastructure. Tier 1 admin credentials should not be used on Tier 0 systems or Tier 2 endpoints.
Tier 2 (Workstation Administration). User workstations, help desk tools, user support. Compromise of Tier 2 affects individual users but should not provide a path to Tier 1 or Tier 0 if the tier model is enforced.
The tier model's purpose is to prevent credential theft at a lower tier from enabling access to a higher tier. If a Tier 0 admin (domain admin) logs into a Tier 2 workstation, their credential material is cached on that workstation. An attacker who compromises the workstation can extract the cached domain admin credential (using Mimikatz, LSASS memory dumping, or similar techniques) and use it to access Tier 0. The tier model prevents this by ensuring that Tier 0 credentials are only used on Tier 0 systems.
Most organizations do not enforce the tier model. Domain admins log into user workstations for troubleshooting. Help desk staff use their personal workstations to manage servers. Credential material is scattered across systems at every tier. The attacker's lateral movement from Tier 2 (phishing compromise of a user workstation) to Tier 0 (domain admin) is a straight line instead of the fortified boundary the tier model is designed to create.
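The tier rule above can be checked against logon telemetry. The script below is an added example, not the page's or CDA's own tooling: it reads constructed Windows Security 4624 logon records and flags every privileged credential that a logon would leave cached on a host of a lower tier. The host inventory, the organization-specific groups ("Server Admins", "Workstation Admins") and the accounts are hypothetical; which logon types leave reusable credential material on the target host follows the Windows logon-type semantics (a network logon, type 3, does not).

```python
"""Tier-model logon audit: flag privileged credentials cached on lower-tier hosts.

Added example (not from the page): evaluates constructed Windows Security
event 4624 records against a hypothetical tier assignment of hosts and
accounts. Lower tier number = more privileged (Tier 0 = control plane).
"""
from dataclasses import dataclass

# Logon types that leave reusable credential material (NT hash, Kerberos
# keys/tickets) in LSASS on the host where the logon happens. A network
# logon (type 3) does not: the credential is proven, not handed over.
CACHING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Group -> tier. The first four are built-in AD groups; the last two are
# hypothetical organization-specific admin groups.
GROUP_TIERS = {
    "Domain Admins": 0, "Enterprise Admins": 0, "Administrators": 0, "Schema Admins": 0,
    "Server Admins": 1,
    "Workstation Admins": 2,
}


def account_tier(groups):
    """Most privileged (lowest-numbered) tier implied by group membership.
    Accounts in no administrative group are ordinary Tier 2 users."""
    tiers = [GROUP_TIERS[g] for g in groups if g in GROUP_TIERS]
    return min(tiers) if tiers else 2


@dataclass(frozen=True)
class Violation:
    account: str
    account_tier: int
    host: str
    host_tier: int
    logon_type: str


def find_tier_violations(events, host_tiers, account_groups):
    """One Violation per 4624 logon that caches a credential on a host of a
    lower trust tier than the account. Hosts missing from the inventory are
    treated as Tier 2 (least trusted), so an untracked laptop still counts."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        ltype = int(ev["LogonType"])
        if ltype not in CACHING_LOGON_TYPES:
            continue
        acct = ev["TargetUserName"]
        a_tier = account_tier(account_groups.get(acct, ()))
        h_tier = host_tiers.get(ev["Computer"], 2)
        if a_tier < h_tier:  # credential more privileged than the host is trusted for
            out.append(Violation(acct, a_tier, ev["Computer"], h_tier,
                                 LOGON_TYPE_NAMES.get(ltype, str(ltype))))
    return out


# --- constructed inventory and sample events (hypothetical names) ------------
HOST_TIERS = {"DC01": 0, "PAW-01": 0, "FS01": 1, "WS-042": 2}
ACCOUNT_GROUPS = {
    "da-jsmith": ["Domain Admins", "Domain Users"],
    "srv-kwong": ["Server Admins", "Domain Users"],
    "jdoe": ["Domain Users"],
}
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 10, "Computer": "WS-042"},    # DA over RDP to a workstation
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 3,  "Computer": "FS01"},      # network logon: nothing cached
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 2,  "Computer": "DC01"},      # Tier 0 on Tier 0: fine
    {"EventID": 4624, "TargetUserName": "srv-kwong", "LogonType": 5,  "Computer": "WS-042"},    # Tier 1 service account on a workstation
    {"EventID": 4624, "TargetUserName": "jdoe",      "LogonType": 2,  "Computer": "WS-042"},    # ordinary user
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 2,  "Computer": "LAPTOP-77"}, # host not in inventory
    {"EventID": 4672, "TargetUserName": "da-jsmith", "LogonType": 2,  "Computer": "DC01"},      # not a logon event
]

if __name__ == "__main__":
    for v in find_tier_violations(SAMPLE_EVENTS, HOST_TIERS, ACCOUNT_GROUPS):
        print(f"Tier {v.account_tier} credential '{v.account}' cached on Tier {v.host_tier} "
              f"host {v.host} ({v.logon_type} logon)")
```

Run against the sample, three logons are reported: the domain admin's RDP session to a workstation, the Tier 1 service account running on a workstation, and the domain admin's interactive logon to a laptop that is not in the inventory. The network logon to the file server is deliberately not reported, because a type 3 logon does not leave the credential on the target host.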
The standard ransomware attack progression: phish a user (Tier 2 compromise), extract cached credentials from the workstation (credential dumping), use those credentials to move laterally to systems where higher-privilege credentials are cached, escalate to domain admin, disable security controls via Group Policy, delete shadow copies and backup agent configurations, and deploy the ransomware payload to every domain-joined system simultaneously via Group Policy or PsExec.
Every step from lateral movement through encryption deployment depends on AD. The attacker uses AD authentication to move between systems. The attacker uses AD group memberships to identify high-value targets. The attacker uses AD Group Policy to deploy the payload at scale. AD is not a peripheral target. It is the central infrastructure that makes the attack possible.
Adversaries have developed a mature toolkit for extracting credentials from AD environments:
LSASS memory dumping. The Local Security Authority Subsystem Service (LSASS) process caches credential material in memory on every Windows system. Tools like Mimikatz extract this material (NTLM hashes, Kerberos tickets) from LSASS memory, enabling the attacker to impersonate any user whose credential is cached on that system. Defenses: Credential Guard (virtualization-based isolation of LSA secrets), LSA protection (running LSASS as a protected process, PPL), restricting administrative logons to appropriate tiers.
Kerberoasting. Service accounts in AD have Service Principal Names (SPNs) registered. Any domain user can request a Kerberos service ticket for any SPN. The service ticket is encrypted with the service account's password hash. The attacker requests service tickets for those SPNs and cracks them offline. If the service account's password is weak, the attacker obtains the cleartext password and the service account's access (which is often excessive). Defenses: strong, random, rotated service account passwords (managed through PAM), Group Managed Service Accounts (gMSAs), monitoring for anomalous service ticket requests.
DCSync. An attacker with Domain Admins, Enterprise Admins, or specific replication permissions can simulate the behavior of a domain controller and request password hash replication from a real domain controller. This extracts every password hash in the domain without touching the NTDS.dit file directly. Defenses: restrict replication permissions to actual domain controllers, monitor for non-DC replication requests.
Golden Ticket. If the attacker obtains the KRBTGT account's password hash (the Kerberos KDC service account), they can forge Kerberos TGTs for any user, including non-existent users with any group membership. A Golden Ticket provides persistent, unrestricted access to the domain until the KRBTGT hash is rotated (which requires two consecutive rotations, with replication allowed to complete between them, because AD retains the previous hash). Defenses: rotate the KRBTGT password regularly (at minimum semi-annually, and immediately after any suspected compromise).
NTDS.dit extraction. The NTDS.dit file is the AD database stored on every domain controller. It contains every user's password hash. If the attacker can copy this file (through shadow copy, ntdsutil, or volume snapshot), they can extract every credential in the domain offline. Defenses: protect domain controller access (Tier 0 isolation), monitor for NTDS.dit access attempts, encrypt domain controller backups.
Most organizations now operate hybrid identity environments: on-premises Active Directory synchronized to cloud identity providers (Microsoft Entra ID, formerly Azure AD) through tools like Entra Connect (formerly Azure AD Connect). This hybrid architecture extends AD's attack surface to the cloud:
A compromised Entra Connect server provides access to both on-premises and cloud credentials. An attacker who compromises on-premises AD can forge SAML tokens (Golden SAML attack, as demonstrated in the SolarWinds compromise) to access cloud resources without touching the cloud identity provider directly. Password hash synchronization between on-premises AD and Entra ID means that a compromised on-premises credential may also be valid in the cloud.
Hybrid identity security requires securing both environments and the synchronization layer between them. An organization that hardens on-premises AD but leaves Entra Connect on a standard member server with Tier 2 admin access has created a bridge that bypasses the on-premises hardening.
Active Directory security sits at the intersection of IAT (Identity Access and Trust) and SPH (Security Posture and Hygiene) in the Planetary Defense Model. IAT owns the identity and access architecture: who can authenticate, what they can access, and how trust is established. SPH owns the operational hygiene: are domain controllers hardened, is the tier model enforced, are configurations compliant with baseline, and are credential protections (Credential Guard, LSA protection) deployed?
CDA's Zero Possession Architecture (ZPA) methodology applies directly to AD security. "Trust nothing. Possess nothing. Verify everything." The tier model is a ZPA implementation: Tier 0 credentials are never exposed to Tier 2 systems (possess nothing outside the appropriate tier). Every authentication is verified through Kerberos with the strictest available protections. Standing domain admin accounts are eliminated through PAM and just-in-time access (trust nothing by default).
The civilizational analogy: Active Directory is the city's citizenship registry, gate control system, and law enforcement infrastructure combined. Compromising AD is not breaking into a house. It is seizing the government. Every identity, every access right, every policy is under the attacker's control. The Roman parallel: when the Praetorian Guard turned against the emperor (compromised the highest-privilege identity), the entire empire was at risk. AD compromise is the Praetorian betrayal at digital scale.
Five TOP missions connect to AD security:
The interaction with TID is critical. TID detects AD-specific attacks: LSASS access by non-system processes, anomalous Kerberos ticket requests (Kerberoasting indicators), DCSync replication from non-DC sources, Golden Ticket usage (tickets with impossibly long lifetimes or non-existent user names), and abnormal Group Policy modifications. Without TID detection rules tuned to AD attack techniques, the attacker operates within AD undetected.
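Three of the detections named above (Kerberoasting, DCSync from a non-DC source, and Golden Ticket use) can be expressed as rules over the Security log events those techniques produce. The block below is an added example, not the page's or CDA's tooling, covering the credential-theft techniques described earlier and the TID detections just listed. Field names follow the Security log schema for events 4768 (TGT request), 4769 (service ticket request) and 4662 (directory object access); the replication extended-right GUIDs are the real ones used by directory replication. Every record, host name and account, including the Entra Connect sync account in the allowlist, is constructed for illustration.

```python
"""Detection rules for Kerberoasting, DCSync and Golden Ticket use over
constructed Windows Security event records.

Added example: not the page's or CDA's own tooling. Field names follow the
Security log schema for events 4768/4769/4662; all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extended-right GUIDs exercised by directory replication. A DCSync request
# appears as event 4662 carrying these in its Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = 0x17  # TicketEncryptionType that classic Kerberoasting tooling requests


def _user(name):
    return name.split("@")[0].lower()  # 'jdoe@CORP.LOCAL' and 'jdoe' -> 'jdoe'


def detect_kerberoasting(events, min_services=5, window=timedelta(minutes=10)):
    """Accounts requesting RC4 service tickets for many distinct user-account
    services inside one window. Computer accounts ($) and krbtgt are skipped:
    their keys are random, so they are not realistic cracking targets."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[_user(ev["TargetUserName"])].append((datetime.fromisoformat(ev["Time"]), svc))
    hits = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                hits.append((user, len(services)))
                break
    return hits


def detect_dcsync(events, domain_controllers, allowlist=()):
    """4662 events exercising replication rights from an account that is
    neither a DC computer account nor an allowlisted sync account (the Entra
    Connect account replicates password hashes legitimately)."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        rights = {p.strip("{}").lower() for p in ev["Properties"].split()}
        who = ev["SubjectUserName"]
        if not rights & REPLICATION_RIGHTS:
            continue
        if who.rstrip("$").upper() in domain_controllers or who in allowlist:
            continue
        hits.append((who, ev["ObjectName"]))
    return hits


def detect_forged_tgt_use(events, directory_users):
    """Golden Ticket indicators: a service ticket (4769) for a principal the
    directory does not know, or for a known user with no TGT request (4768)
    anywhere in the log, since a forged TGT is never issued by the KDC."""
    tgt_holders = {_user(ev["TargetUserName"]) for ev in events if ev["EventID"] == 4768}
    hits = []
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        user = _user(ev["TargetUserName"])
        if user not in directory_users:
            hits.append((user, "principal not in directory"))
        elif user not in tgt_holders:
            hits.append((user, "service ticket with no TGT request"))
    return hits


# --- constructed data (hypothetical hosts, accounts and events) ---------------
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
SYNC_ACCOUNTS = {"MSOL_0000abcd"}  # hypothetical Entra Connect sync account
DIRECTORY_USERS = {"jdoe", "svc-backup", "helpdesk-bob"}
GC, GCA = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2024-05-01T08:00:00", "TargetUserName": "jdoe", "ServiceName": "krbtgt"},
    # jdoe pulls RC4 tickets for six service accounts within five minutes
    *[{"EventID": 4769, "Time": f"2024-05-01T09:0{i}:00", "TargetUserName": "jdoe@CORP.LOCAL",
       "ServiceName": f"svc-app{i}", "TicketEncryptionType": RC4_HMAC} for i in range(6)],
    # ordinary AES ticket to a file server
    {"EventID": 4769, "Time": "2024-05-01T09:10:00", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": 0x12},
    # replication rights requested by a help-desk user (DCSync), by DC02 and by the sync account (normal)
    {"EventID": 4662, "SubjectUserName": "helpdesk-bob", "ObjectName": "DC=corp,DC=local", "Properties": f"%%7688 {GC} {GCA}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=local", "Properties": f"%%7688 {GC}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_0000abcd", "ObjectName": "DC=corp,DC=local", "Properties": f"%%7688 {GC} {GCA}"},
    # service tickets for a principal that does not exist, and for one that never requested a TGT
    {"EventID": 4769, "Time": "2024-05-01T11:00:00", "TargetUserName": "ghost-admin@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": 0x12},
    {"EventID": 4769, "Time": "2024-05-01T11:05:00", "TargetUserName": "svc-backup@CORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": 0x12},
]

if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("dcsync:", detect_dcsync(SAMPLE_EVENTS, DOMAIN_CONTROLLERS, SYNC_ACCOUNTS))
    print("forged TGT use:", detect_forged_tgt_use(SAMPLE_EVENTS, DIRECTORY_USERS))
```

Two tuning points matter in practice. The DCSync rule needs an allowlist for the hybrid identity case the page describes: password hash synchronization means the Entra Connect account performs replication requests legitimately, and without the allowlist it is reported alongside the help-desk user. The "no TGT request" heuristic only holds when the event set spans at least the TGT lifetime (10 hours by default) across all domain controllers; over a shorter window, a user whose TGT was issued before collection started is reported as well, so the "principal not in directory" check is the more robust of the two Golden Ticket indicators.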
CDA approaches AD security differently from conventional consultancies in one way: we treat AD as critical infrastructure, not as an IT management tool. AD is the identity infrastructure that every other system depends on. Its security posture determines the security ceiling for the entire environment. An organization with a SOC 2 report, EDR on every endpoint, and encrypted databases, but with unhardened domain controllers, no tier model, and standing domain admin accounts, has a ceiling defined by the AD weakness. CDA hardens the ceiling first.