Full Report
A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.

Microsoft's Active Directory (AD) is at the heart of identity and access management (IAM) for organizations worldwide, making it an attractive target for cyberattackers. Concerns over the risks of AD compromise prompted cybersecurity agencies from Australia, Canada, New Zealand, the U.K. and the U.S. to issue a landmark report, Detecting and Mitigating Active Directory Compromises. The report, released in September, details 17 attack techniques, from Kerberoasting to Golden Ticket attacks, which, left unchecked, can give attackers total control over an organization's systems.

In the first of our two-part series, we look beyond the report's guidance for detecting and mitigating AD compromises to explore how organizations can institute a dynamic, proactive AD cybersecurity strategy. We discuss how continuous monitoring, adaptive defenses and risk-based prioritization can help security leaders protect their AD infrastructure, and we provide five action items you can use to operationalize your identity security strategy. In part two, we go beyond the basics to provide insight and guidance about additional areas of AD exposure worth addressing.

## Attackers see AD as a gateway

As the backbone of authentication and authorization in most organizations, AD controls access to sensitive data and critical systems. Identity has become the modern control plane for enterprises, and attackers know that compromising AD can be their gateway to a treasure trove of information and control.
High-profile attacks, such as those by Storm-0501 and Conti ransomware, demonstrate the devastating financial and operational impact that can result when AD security is breached.

It's important to note that the report issued by the cyber agencies, known collectively as the Five Eyes alliance, is much more than a compliance checklist. Too often, we see organizations approach such cybersecurity guidance by taking a series of one-off actions, assuming that ticking a few boxes ensures lasting security.

In reality, attackers exploit weaknesses as soon as they arise. Point-in-time compliance efforts can't keep up with the adaptive nature of today's cyberthreats. To stay ahead, organizations must go beyond compliance, adopting a continuous, adaptive approach that anticipates and mitigates risks in real time, ensuring that AD remains secure against evolving threats.

## From insight to action: Operationalizing the report's recommendations

The guidance from the cybersecurity agencies makes it clear: Active Directory isn't a "set-it-and-forget-it" system.

As AD environments continuously evolve, whether through new users, permission updates or expanded cloud integrations, cybersecurity strategies must evolve in tandem. Misconfigurations and identity-based weaknesses open new doorways to risk precisely because they don't stay put. This is why organizations must adopt a structured, real-time approach to managing AD, including continuous monitoring, risk-based prioritization and adaptive security practices responsive to the shifting threat landscape.

Operationalizing the report's guidance requires more than static, point-in-time technical fixes. It calls for a series of steps that change how AD security is practiced. Below, we break down five key areas to focus on as you turn the report's guidance into action.

## 1. Continuously monitor with real-time visibility

Organizations often behave as though AD is a static system, a thing to be configured once and then assumed to be secure.
However, as the Five Eyes report illustrates, AD is in constant flux, with each change potentially opening new weaknesses. From new hires and permission updates to expanding cloud connections, any shift in AD can create an unseen entry point for attackers. Real-time visibility and continuous monitoring are essential to staying ahead of evolving risks.

### Why it matters

Attackers thrive on hidden weaknesses, like subtle misconfigurations and creeping permission drift, and once inside they use techniques such as DCSync and Kerberoasting to harvest credentials and escalate privileges quietly. Without real-time oversight, these techniques can go undetected for a long time. That's why it's essential to identify and prioritize identity weaknesses as soon as they surface: catching risks early stops attackers before they can escalate.

### What to do

- Automate monitoring: Implement tools that trigger real-time alerts on AD changes, flagging unexpected privilege escalations, risky permission shifts and service account modifications that could indicate an active breach attempt.
- Detect toxic combinations: Continuous monitoring allows security teams to spot dangerous combinations of permissions and misconfigurations, such as high privileges combined with a weak or never-expiring password, a service principal name registered on an administrative account (which makes it Kerberoastable), or accounts with overlapping permissions, before they're exploited.
- Implement immediate remediation: Establish processes for immediate response when high-risk changes are detected. The ability to revoke excessive permissions or correct configurations in real time significantly limits an attacker's window to escalate.

## 2. Automate risk-based prioritization

Not every weakness in Active Directory carries the same level of risk. Treating each issue with equal priority can drain resources while leaving critical exposures unattended.
A risk-based model automatically prioritizes AD weaknesses and lets security teams focus on the exposures that matter most, rather than getting bogged down in low-risk issues.

### Why it matters

Among the 17 attack techniques highlighted in the Five Eyes report, some, like DCSync, may be more critical in traditional on-premises infrastructures, while others, such as password spraying, may pose a higher risk in cloud-heavy environments. Automated risk scoring tailors prioritization to your organization's unique setup, ensuring that high-impact threats are addressed promptly.

### What to do

- Focus on dynamic risk scoring: Use tools that continuously evaluate and rank weaknesses by exposure level, privilege escalation potential and known attack techniques, so teams can zero in on the most exploitable risks and critical exposures don't go unnoticed.
- Map potential attack paths: Visualizing attack paths to critical assets helps pinpoint which weaknesses are likely to be targeted and lets teams allocate resources effectively.
- Prioritize for your environment: Tailor prioritization to fit your specific infrastructure, whether it's primarily on-premises, cloud-based or hybrid, so that the highest-risk exposures in your environment are addressed first.

## 3. Build operational resilience through least-privilege access

A resilient Active Directory environment relies on enforcing least-privilege access, granting users only the permissions they need to perform their roles. However, over time, privileges can expand unintentionally, through changes in group memberships, role adjustments or emergency access that is not promptly revoked.
This "privilege creep" broadens the attack surface, as excessive permissions make lateral movement and privilege escalation easier.

### Why it matters

Excessive permissions in Active Directory enable a range of attack techniques, including Silver Ticket attacks, in which an adversary who has obtained a service account's credential hash forges Kerberos service tickets for that service and gets whatever access the service account's privileges allow. Without least-privilege enforcement, attackers can exploit over-permissioned accounts to move laterally and reach sensitive resources undetected. Proper privilege management is essential to prevent these and other AD-based attacks.

### What to do

- Implement automated monthly scans: These identify accounts with excessive privileges or permissions and flag them for immediate review.
- Use role-based permission templates: These standardize access across accounts, ensuring only the necessary privileges are granted.
- Enforce a 24-hour revoke policy: Temporary or emergency access expires within a day, quickly closing off potential attack paths.
- Regularly audit service accounts: Giving service accounts a regular "check-up" ensures their privileges match the job they actually do and that they aren't offering attackers any uninvited perks.

## 4. Set the stage for success with a preventive mindset

Your security mindset sets the stage for securing AD. Responding to incidents after they occur is painful, especially when there was a chance to identify and address the weakness beforehand. The nature of the Five Eyes guidance is proactive. Understanding Indicators of Exposure (IoEs) and looking for those early warning signs can help teams address weaknesses before they become an attacker's foothold in the network.

### Why it matters

A reactive approach leaves security teams in constant catch-up mode, dealing with incidents as they happen instead of eliminating root causes. Focusing on IoEs systematically closes off the pathways adversaries use to move through environments.
It also allows security teams to expand their protective reach without adding to alert fatigue. The result is a broader security strategy that prioritizes long-term resilience over short-term fixes.

### What to do

- Adopt an "assume breach" mindset: Treat every weakness as a potential entry point and monitor for exposure gaps around critical assets.
- Focus on IoEs: Identify and track early signs of risk, such as misconfigurations or unusual permission changes. It is better to prevent breaches than to detect them after they happen.
- Battle-test defenses: Red team like you mean it. Don't just defend, pressure-test. The best defenders aren't the ones who've never been hit; they're the ones who've learned from every attempted breach, actual or simulated.
- Continuously tune detection and response processes: Ensure your detection and response strategies are agile and adapt to the evolving threat landscape.

## 5. Ensure scalable, unified security operations across the enterprise

Enterprise expansion pits cybersecurity teams against a sprawling landscape of domains, assets and identities, each adding layers of complexity. When security teams form a phalanx, with a unified approach of shared insights and tools, efficiency emerges and gaps close. Scaling security demands a cohesive strategy that integrates identity management, asset visibility and threat detection into a single, unified framework, ensuring consistent security practices.

### Why it matters

Lack of unification is a recipe for disaster. Without a platform that normalizes data and promotes shared understanding, teams work in silos, widening gaps in coverage and leaving critical assets vulnerable. In complex, multi-domain environments, it's essential to take a unified approach, supported by integrated, scalable platforms, for fast, coordinated responses to cyberthreats.
By closing these gaps, organizations can maintain comprehensive oversight, enabling teams to keep pace with growth while ensuring consistent security across the enterprise.

### What to do

- Integrate AD monitoring with broader IT operations: Align AD security monitoring with other IT functions through a unified platform, so that all domains, whether cloud-based or on-premises, are monitored under a single pane of glass.
- Streamline IAM: Implement centralized IAM solutions to consistently manage identities across all environments, reducing the risk of orphaned accounts or inconsistent permissions.
- Automate policy enforcement: Use automation to enforce security policies across all domains, ensuring real-time adjustments and adherence to best practices as infrastructure changes.
- Enable cross-functional collaboration: Break down silos by fostering collaboration between IT, security and operations teams, enabling quicker response times and better information sharing.

## What's next: Additional considerations for comprehensive AD security

The above five steps offer a solid foundation for operationalizing the Five Eyes guidance. But stopping there misses important considerations for enhancing and adapting security strategies. In part two of this series, we go beyond the basics, offering guidance on achieving full coverage, addressing modern attack techniques and securing Active Directory and Entra ID as part of a holistic identity security approach.

## Learn more

- Read part two in this series, Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics
- View the on-demand webinar Detect and Mitigate 16 Commonly Deployed AD Compromises
- Read the data sheet Tenable ThreatMap for AD
Analysis Summary
# Best Practices: Active Directory Security Based on Five Eyes Guidance
## Overview
These practices address critical security gaps identified in Active Directory (AD) environments, drawing upon guidance from international security agencies (Five Eyes). The focus is on hardening core identity services against common attack vectors like credential theft, lateral movement, and privileged access abuse.
## Key Recommendations
### Immediate Actions
1. **Audit and Restrict Domain Administrator Accounts:** Immediately review the membership of all highly privileged groups (Domain Admins, Enterprise Admins, Schema Admins, the built-in Administrators group, and operator groups such as Account Operators and Backup Operators, including nested groups) and remove any unauthorized or unnecessary accounts.
2. **Implement Tier 0 Isolation:** Ensure that Tier 0 assets (Domain Controllers and supporting infrastructure) are strictly isolated from general user and workstation networks to prevent lateral movement from lower tiers.
3. **Enforce Multi-Factor Authentication (MFA) for Privileged Access:** Deploy MFA immediately for all accounts with administrative privileges over sensitive systems, especially on Domain Controllers and privileged access management (PAM) solutions.
4. **Inventory and Harden Service Accounts:** Create a comprehensive inventory of all AD service accounts (every account carrying a service principal name is the starting point) and harden the high-risk ones immediately: migrate them to group Managed Service Accounts where supported; for accounts that cannot be migrated, set long random passwords, restrict them to AES encryption types and remove them from privileged groups. MFA is rarely practical for non-interactive accounts, so enforce it on the interactive administrative accounts that manage them, and use certificate-based authentication where the consuming application supports it.
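The audit in items 1 and 4 above, and the "toxic combination" check the article's step 1 calls for, can be scripted against the domain directly. The following is an added example, not code from the report or the article: a one-shot scan of every account that sits (transitively) in a Tier 0 group, flagging the combinations that turn a privileged account into an easy target. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain; the group list, the 365-day and 90-day thresholds and the output file name are assumptions to adapt.

```powershell
# Added example (not from the Five Eyes report or the article): scan Tier 0 accounts for
# "toxic combinations" of high privilege and weak configuration.
# Assumes RSAT ActiveDirectory; group names, thresholds and output path are assumptions.
Import-Module ActiveDirectory

$Tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)
$MaxPasswordAgeDays = 365   # assumption: privileged passwords older than a year are a finding
$StaleLogonDays     = 90    # assumption: enabled Tier 0 account unused for 90 days is a finding

# Resolve transitive membership of every Tier 0 group (nested groups are expanded).
$privileged = foreach ($g in $Tier0Groups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty distinguishedName
    } catch { Write-Warning "Group '$g' could not be read: $_" }
}
$privileged = $privileged | Sort-Object -Unique

$props = 'ServicePrincipalName', 'PasswordNeverExpires', 'DoesNotRequirePreAuth',
         'PasswordLastSet', 'LastLogonDate', 'Enabled', 'msDS-SupportedEncryptionTypes',
         'TrustedForDelegation'

$findings = foreach ($dn in $privileged) {
    $u = Get-ADUser -Identity $dn -Properties $props
    $issues = [System.Collections.Generic.List[string]]::new()

    # An SPN on a privileged account lets any domain user request a service ticket
    # encrypted with that account's password hash and crack it offline (Kerberoasting).
    if ($u.ServicePrincipalName.Count -gt 0) { $issues.Add('SPN on privileged account (Kerberoastable)') }

    # Without pre-authentication the AS-REP can be requested without knowing the password.
    if ($u.DoesNotRequirePreAuth) { $issues.Add('Kerberos pre-authentication disabled (AS-REP roastable)') }

    # Password hygiene on Tier 0 accounts.
    if ($u.PasswordNeverExpires) { $issues.Add('PasswordNeverExpires set') }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $issues.Add("Password older than $MaxPasswordAgeDays days")
    }

    # msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
    # Unset (0/null) falls back to the DC default, which may still allow RC4.
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    if (-not $etypes -or ($etypes -band 0x4)) { $issues.Add('RC4 still permitted (msDS-SupportedEncryptionTypes)') }

    # Unconstrained delegation on a privileged principal is a direct path to Tier 0 credentials.
    if ($u.TrustedForDelegation) { $issues.Add('Unconstrained delegation enabled') }

    # Stale but enabled privileged accounts are the easiest to take over unnoticed.
    if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleLogonDays)) {
        $issues.Add("Enabled but no logon in $StaleLogonDays days")
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Issues         = ($issues -join '; ')
        }
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize
if ($findings) { $findings | Export-Csv -Path .\tier0-toxic-combinations.csv -NoTypeInformation }
```

Run it from a privileged access workstation and schedule it (the article suggests monthly); diffing successive CSV files shows privilege creep as it happens rather than at the next manual review. `Get-ADGroupMember -Recursive` stops at the default 5,000-member limit, which is itself a finding for a Tier 0 group.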
### Short-term Improvements (1-3 months)
1. **Implement Privileged Access Workstations (PAWs):** Deploy dedicated, hardened workstations (PAWs) for all administrative tasks, enforcing the rule that administrators must *only* manage AD from these secured endpoints.
2. **Audit and Restrict LDAP Binds:** Review all applications and services that still perform unsigned or simple (clear-text) LDAP binds (once LDAP interface diagnostics are enabled, Directory Service event 2889 records each one with the client address and identity) and migrate them to LDAPS or to signed and sealed LDAP; then require LDAP signing and channel binding on Domain Controllers. Disable unauthenticated or anonymous bind access.
3. **Review and Reduce Group Policy Object (GPO) Scope:** Audit all GPOs to ensure they are only applying to the necessary OUs and check for GPOs that grant excessive permissions or deploy outdated software.
4. **Establish Baseline Configuration for Domain Controllers:** Implement a standard, secure baseline configuration for all Domain Controllers, focusing on removing unnecessary services and hardening operating system settings.
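Step 2 above has a measurement phase and an enforcement phase, and enforcing first breaks whatever still binds in the clear. The following is an added example, not from the source, of how to run both on a Domain Controller: it raises the LDAP interface diagnostics level so the DC logs event 2889 for every unsigned or simple bind, summarises the offenders by client and identity, and shows the registry values (the same ones the "LDAP server signing requirements" policy sets) that enforce signing and channel binding once the offenders are gone. The registry paths, value names and event ID are Microsoft's documented ones; the 24-hour look-back and the decision to run it per DC are assumptions.

```powershell
# Added example (not from the source): find clients still making unsigned/clear-text
# LDAP binds, then enforce signing and channel binding once they are migrated.
# Runs as an administrator on each Domain Controller. 24-hour window is an assumption.

# 1. Log every unsigned or simple bind: "16 LDAP Interface Events" = 2 makes the DC
#    write Directory Service event 2889 per bind (and 2887 as a daily summary).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
    -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. After the DC has collected events, summarise which client/identity pairs are still
#    binding insecurely. Field values are parsed from the message text of event 2889.
function Get-UnsignedLdapBinds {
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $start }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
            $id = if ($_.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; ClientIP = $ip; Identity = $id }
        } |
        Group-Object ClientIP, Identity |
        ForEach-Object {
            [pscustomobject]@{
                ClientIP = $_.Group[0].ClientIP
                Identity = $_.Group[0].Identity
                Binds    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
            }
        } | Sort-Object Binds -Descending
}

Get-UnsignedLdapBinds | Format-Table -AutoSize

# 3. Enforce only after every offender above has been fixed (LDAPS, or LDAP with
#    signing and sealing). LDAPServerIntegrity 2 = "Require signing" (the policy
#    "Domain controller: LDAP server signing requirements"); LdapEnforceChannelBinding
#    2 = "Always" (requires the channel-binding updates from ADV190023 on the DC).
function Enable-LdapSigningEnforcement {
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $p -Name 'LDAPServerIntegrity'        -Value 2 -Type DWord
    Set-ItemProperty -Path $p -Name 'LdapEnforceChannelBinding'  -Value 2 -Type DWord
    # Restart is not required; NTDS picks up the change, but verify with a test bind.
}
# Enable-LdapSigningEnforcement   # uncomment once Get-UnsignedLdapBinds returns nothing
```

The usual pattern is to leave the diagnostics level raised for a full business cycle (month-end jobs and quarterly reports are where forgotten LDAP clients hide) and to treat the enforcement step as a change-controlled rollout per DC, because a client that is missed simply stops authenticating.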
### Long-term Strategy (3+ months)
1. **Adopt Passwordless or Certificate-Based Authentication:** Begin planning and piloting the migration away from traditional passwords for administrative and high-value service accounts using modern authentication methods.
2. **Implement a Kerberos Hardening Strategy:** Conduct a full audit of the Kerberos environment, focusing on removing RC4 (and DES, wherever a legacy system still enables it) in favour of AES, eliminating unnecessary SPNs on user accounts and unconstrained delegation, and rotating the krbtgt password on a schedule so that forged Golden Tickets have a bounded lifetime.
3. **Deploy Identity Threat Detection and Response (ITDR):** Integrate specialized tools capable of monitoring and analyzing AD behavior for anomalies indicative of credential theft or reconnaissance (e.g., directory replication requests from hosts that are not Domain Controllers, bursts of RC4-encrypted service ticket requests from one account, LDAP enumeration of privileged groups from workstations).
4. **Adopt a Tiering Model (Tier 0, Tier 1, Tier 2):** Formally document and enforce a robust administrative tiering model to strictly control credential usage and prevent attacks from compromising the entire forest via a single low-privilege breach.
## Implementation Guidance
### For Small Organizations
- **Focus on MFA and Patching:** Prioritize the immediate deployment of MFA on all admin accounts and ensure Domain Controllers are on the fastest possible patch release cycle.
- **Basic Segmentation:** Implement basic network segmentation to isolate Domain Controllers from the general user subnet, even if full PAW implementation is delayed.
- **Leverage Built-in Tools:** Use native tooling such as the ActiveDirectory PowerShell module (for example, `Get-ADGroupMember -Recursive` on each privileged group), `dcdiag` for Domain Controller health, and Security Event Log analysis to perform initial privileged-account and configuration audits.
### For Medium Organizations
- **Formalize Tiering:** Begin the formal process of defining and enforcing a 3-tier administrative model, starting with granting Domain Admin rights only to a small pool of dedicated Tier 0 administrators.
- **Pilot PAWs:** Deploy 2-3 PAWs for senior IT staff to test operational workflows before a full rollout.
- **Inventory Externally Exposed Services:** Identify every administrative account with rights over infrastructure reachable from external networks (if any), ensure none of those credentials are also used for Tier 0, and rotate and isolate any that are.
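"Formalize Tiering" above, and the article's "enforce a 24-hour revoke policy", both come down to two mechanics: knowing who is approved for each Tier 0 group and making exceptions expire on their own. The following is an added example, not from the source, of both: it diffs current direct membership of the Tier 0 groups against an approved-members file and, for emergency access, adds a member with a time-to-live using AD's Privileged Access Management optional feature (Windows Server 2016 forest functional level or later), so the DC removes the member when the TTL lapses. The baseline file format and path, the group list and the 24-hour default are assumptions; the cmdlets and parameters are the ActiveDirectory module's own.

```powershell
# Added example (not from the source): pin Tier 0 group membership to an approved list
# and grant exceptions with an expiring membership instead of a manual revoke.
# Assumes RSAT ActiveDirectory and a JSON baseline of the form
#   { "Domain Admins": ["da-alice", "da-bob"], "Enterprise Admins": [], ... }
Import-Module ActiveDirectory

$BaselinePath = '.\tier0-baseline.json'   # assumption
$Tier0Groups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-Tier0Membership {
    # Direct members only: a nested group inside a Tier 0 group should itself show up as drift.
    $result = @{}
    foreach ($g in $Tier0Groups) {
        $result[$g] = @(Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }
    $result
}

function Compare-Tier0Baseline {
    param([string]$Path = $BaselinePath)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-Tier0Membership
    foreach ($g in $Tier0Groups) {
        $approved = @($baseline.$g)
        foreach ($m in ($current[$g] | Where-Object { $_ -notin $approved })) {
            [pscustomobject]@{ Group = $g; Member = $m; Status = 'UNAPPROVED (present, not in baseline)' }
        }
        foreach ($m in ($approved | Where-Object { $_ -notin $current[$g] })) {
            [pscustomobject]@{ Group = $g; Member = $m; Status = 'MISSING (in baseline, not present)' }
        }
    }
}

function Grant-TemporaryTier0 {
    # Time-bound membership: the directory itself drops the member when the TTL expires,
    # and the Kerberos TGT issued for it carries a matching lifetime.
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [int]$Hours = 24
    )
    $pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
    if (-not $pam.EnabledScopes) {
        throw 'Enable the PAM optional feature first (Enable-ADOptionalFeature); note it cannot be disabled afterwards.'
    }
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Hours $Hours)
}

function Get-ExpiringTier0 {
    # Time-bound members are returned as "<TTL=<seconds>,CN=...>" when -ShowMemberTimeToLive is set.
    foreach ($g in $Tier0Groups) {
        (Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive).member |
            Where-Object { $_ -like '<TTL=*' } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_ } }
    }
}

# Usage (run from a PAW as a Tier 0 admin):
Compare-Tier0Baseline | Format-Table -AutoSize
# Grant-TemporaryTier0 -Group 'Domain Admins' -User 'da-oncall' -Hours 24
Get-ExpiringTier0 | Format-Table -AutoSize
```

Whatever adds a permanent member should also update the baseline file through the same change process, so that `Compare-Tier0Baseline` returning anything at all is the alert. Time-bound members are the one legitimate case where the group and the baseline disagree, which is why `Get-ExpiringTier0` is reported separately rather than suppressed.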
### For Large Enterprises
- **Automate Credential Management:** Implement a robust Privileged Access Management (PAM) solution to automatically rotate, audit, and secure all high-value credentials, including service accounts.
- **Implement Advanced Monitoring:** Deploy ITDR solutions capable of real-time attack path analysis and behavioral anomaly detection specific to AD protocols (Kerberos, LDAP).
- **Formalized Cleanup Project:** Launch a dedicated project to systematically clean up stale objects, rogue ACLs, and deprecated GPOs across complex, multi-domain or multi-forest environments.
## Configuration Examples
*(The source material focuses more on policy and strategy than specific syntax; however, key configuration goals are derived):*
| Configuration Goal | Description/Guidance |
| :--- | :--- |
| **Service Account Security** | Migrate legacy service accounts using clear-text passwords in configuration files to use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) where supported. |
| **Secure LDAP (LDAPS)** | Ensure all required AD communication uses LDAPS (port 636, or 3269 for the Global Catalog) secured by valid, regularly renewed certificates from an internal PKI, and require LDAP signing and channel binding on Domain Controllers so that plain LDAP binds can be neither relayed nor sniffed. |
| **PowerShell Execution Policy** | Set the execution policy on Domain Controllers to AllSigned as hygiene, but do not treat it as a security boundary: it governs scripts, not binaries, and is bypassed with `-ExecutionPolicy Bypass`. Enforcement comes from AppLocker or Windows Defender Application Control together with Constrained Language Mode; visibility comes from script block logging (PowerShell event 4104). |
| **Audit Logging** | At a minimum, configure auditing to capture: Logons (success/failure, events 4624/4625), Directory Service Access (4662, with a SACL on the domain object so that replication control-access rights are audited), Account Management (especially group changes, 4728/4732/4756) and Kerberos Ticket Operations (4768/4769). |
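The audit settings in the table are only useful if something reads the events. The following is an added example, not from the source, of two detections that the ITDR item above describes and that these audit settings make possible: DCSync, which shows up as event 4662 carrying the directory replication control-access rights from a subject that is not a Domain Controller, and Kerberoasting, which shows up as one requester pulling RC4-encrypted service tickets (event 4769, encryption type 0x17) for many different services in a short window. The event IDs, the three rights GUIDs and the encryption type code are Microsoft's documented values; the time windows, the 5-service threshold and the computer-account exclusions are assumptions to tune.

```powershell
# Added example (not from the source): DCSync and Kerberoasting detections over the
# Security log of a Domain Controller. Requires "Audit Directory Service Access" and
# "Audit Kerberos Service Ticket Operations" (success) and RSAT ActiveDirectory.
# Thresholds and exclusions below are assumptions.

# Control-access rights that a DCSync needs; they appear as GUIDs in 4662 "Properties".
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dca2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dca2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-EventField {
    # Read a named EventData field from the event XML (field names are stable; message text is not).
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Find-DCSync {
    param([int]$Hours = 24)
    # Domain Controllers replicate legitimately; any other subject asking for these rights is suspect.
    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { '{0}$' -f $_ }
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-EventField $_ 'Properties'
        $hit = $ReplicationRights.Keys | Where-Object { $props -match $_ }
        if ($hit) {
            $subject = Get-EventField $_ 'SubjectUserName'
            if ($subject -notin $dcAccounts) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Subject = '{0}\{1}' -f (Get-EventField $_ 'SubjectDomainName'), $subject
                    Rights  = ($hit | ForEach-Object { $ReplicationRights[$_] }) -join ', '
                    Object  = Get-EventField $_ 'ObjectName'
                }
            }
        }
    }
}

function Find-Kerberoasting {
    param([int]$Hours = 1, [int]$MinDistinctServices = 5)
    # 4769 = service ticket request. 0x17 = RC4-HMAC, the crackable type attackers request
    # on purpose. Computer accounts (names ending in $) and krbtgt are excluded as targets.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Requester = Get-EventField $_ 'TargetUserName'
                Service   = Get-EventField $_ 'ServiceName'
                EType     = Get-EventField $_ 'TicketEncryptionType'
                Status    = Get-EventField $_ 'Status'
            }
        } |
        Where-Object { $_.EType -eq '0x17' -and $_.Status -eq '0x0' -and
                       $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
        Group-Object Requester |
        Where-Object { @($_.Group.Service | Sort-Object -Unique).Count -ge $MinDistinctServices } |
        ForEach-Object {
            [pscustomobject]@{
                Requester = $_.Name
                Services  = ($_.Group.Service | Sort-Object -Unique) -join ', '
                Requests  = $_.Count
            }
        }
}

Find-DCSync | Format-Table -AutoSize
Find-Kerberoasting | Format-Table -AutoSize
```

Two caveats a practitioner will hit: 4662 is only generated for replication rights if the domain object's SACL audits them (the default SACL does, but verify after any ACL cleanup), and legitimate non-DC replication consumers such as Entra Connect or some backup products will appear in `Find-DCSync` and need an explicit allow-list, which is exactly the inventory the ITDR item asks for.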
## Compliance Alignment
- **NIST CSF / NIST SP 800-53:** Strong alignment with the CSF category **PR.AC** (Identity Management, Authentication and Access Control; **PR.AA** in CSF 2.0) and with the SP 800-53 **AC** (Access Control) and **IA** (Identification and Authentication) control families. The tiering model directly supports the authorization boundaries these controls require.
- **ISO/IEC 27001:** Addresses the Access Control controls (A.9 in the 2013 edition; A.5.15 through A.5.18 in the 2022 edition) and Secure Authentication (A.8.5 in the 2022 edition).
- **CIS Benchmarks for Microsoft Windows Server/Active Directory:** These recommendations align directly with hardening controls specified in the CIS benchmarks for hardening Domain Controllers and reducing the attack surface.
- **SLCGP (State and Local Cybersecurity Grant Program):** Recommendations often map directly to the identity and access control objectives of state and local cybersecurity programs focused on reducing risk from ransomware and state-sponsored activity.
## Common Pitfalls to Avoid
1. **Treating Domain Admins as "Regular Admins":** Allowing Domain Administrator credentials to be used for routine tasks like reading emails, browsing the internet, or RDP access to non-Tier 0 systems.
2. **Neglecting Service Accounts:** Assuming service accounts are inherently secure because they are not interactive. Service accounts are often the most persistent and least monitored high-privilege targets.
3. **Ignoring Legacy Protocols:** Failure to disable or secure legacy authentication protocols and settings (unsigned or clear-text LDAP binds, NTLMv1, RC4 Kerberos tickets) that modern tooling compromises with little effort.
4. **Implementing Controls Without Monitoring:** Deploying security mechanisms (like PAWs) but failing to actively monitor usage logs, creating "security theater" instead of active defense.
## Resources
- **NIST SP 800-171/800-53:** For comprehensive hardening guidance across identity and access.
- **CIS Benchmarks:** Specific configuration guidance for Windows Server and Active Directory systems.
- **Official Five Eyes Guidance:** Consult current advisories released by CISA, NCSC (UK), ACSC (AU), etc., focusing on identity protection.