Overview
Active Directory remains one of the most targeted components in enterprise environments. This guide covers the essential hardening steps every organisation should implement.
Tiered Admin Model
Separate administrative accounts into three tiers: Tier 0 (Domain Controllers and AD), Tier 1 (Servers), Tier 2 (Workstations). Never use a Tier 0 account on a lower-tier asset.
Protected Users Group
Add privileged accounts to the Protected Users security group to disable NTLM authentication, prevent credential caching, and enforce Kerberos-only authentication.
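To check coverage of this step, the following added example (not part of the original guide) lists members of privileged groups who are not yet in Protected Users. The function name, the choice of Domain Admins, Enterprise Admins and Schema Admins as the privileged set, and a single-domain forest are assumptions; it needs the ActiveDirectory (RSAT) module and read access to the directory.

```powershell
# Added example: report privileged accounts missing from Protected Users.
Import-Module ActiveDirectory

# Assumption: these built-in groups define "privileged" for this check.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

function Get-UnprotectedPrivilegedUser {   # hypothetical helper name
    [CmdletBinding()]
    param([string[]]$Groups = $PrivilegedGroups)

    # Index current Protected Users members by SID for fast lookup.
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $protected[$_.SID.Value] = $true }

    $findings = @{}
    foreach ($group in $Groups) {
        try {
            # -Recursive flattens nested groups down to leaf members.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            # e.g. Enterprise/Schema Admins are absent outside the forest root.
            Write-Warning "Could not read '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members | Where-Object objectClass -eq 'user') {
            $sid = $m.SID.Value
            if ($protected.ContainsKey($sid)) { continue }
            if ($findings.ContainsKey($sid)) {
                # Same account reached through another group: record it once.
                $findings[$sid].Groups += $group
                continue
            }
            $user = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate
            $findings[$sid] = [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Enabled        = $user.Enabled
                LastLogonDate  = $user.LastLogonDate
                Groups         = @($group)
            }
        }
    }
    $findings.Values | Sort-Object SamAccountName
}

Get-UnprotectedPrivilegedUser | Format-Table -AutoSize
```

An empty result means every user in the listed groups is already a member of Protected Users.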
LAPS
Deploy Microsoft LAPS (Local Administrator Password Solution) to randomise and rotate local admin passwords on every workstation and server.
Audit Policy
Enable advanced audit policies, in particular Account Logon, Account Management, DS Access, Logon/Logoff, and Privilege Use.