Full Report
A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.

The landmark report Detecting and Mitigating Active Directory Compromises — released in September by cybersecurity agencies in Australia, Canada, New Zealand, U.K. and U.S. — shines a bright light on the risks organizations face if their identity and access management (IAM) system is targeted by cyberattackers.

In the first of our two-part series, we discussed five steps organizations can take to operationalize the report findings and develop a cybersecurity strategy for protecting their Microsoft Active Directory (AD) infrastructure. While these steps are important, stopping there misses crucial considerations that can further enhance security strategies.

Here, in part two, we look beyond the basics to provide three key areas cybersecurity leaders can consider in order to achieve full coverage, address modern attack techniques and secure Active Directory and its cloud-based counterpart Entra ID (formerly Azure AD) as part of a holistic identity security approach.

## 1. Implement full coverage for Active Directory in hybrid environments

While basic AD assessment tools provide valuable insights, they fall short in today's hybrid environments, where on-premises AD and cloud identities intersect. Point-in-time scans risk missing active threats like Kerberoasting, DCSync and password spraying — techniques that cyberattackers can execute repeatedly to evade periodic checks.

### Why full coverage matters

- **Classic AD threats persist:** Traditional attacks targeting AD authentication and replication remain powerful weapons for attackers, requiring constant vigilance.
- **Unified identity monitoring:** Modern environments sync on-premises AD with cloud services. Changes in either domain can create vulnerabilities in the other, demanding unified visibility.
- **Cross-environment risks:** Attackers combine classic AD exploitation with cloud service attacks. Monitoring must track permissions and configurations across this expanded attack surface.
- **Real-time response:** Effective security requires immediate visibility into hybrid threats — from password spraying against synced accounts to privileged credential theft.

### What to do

- **Enable unified monitoring:** Use tools that offer continuous visibility across both AD and Entra ID to catch threats wherever they arise, maintaining seamless oversight.
- **Set up key threat alerts:** Configure automated alerts for threats like Kerberoasting and DCSync, particularly for synced accounts, so you can react immediately to suspicious activity.
- **Map and review permissions:** Regularly audit permissions across AD and Entra ID to spot gaps or misconfigurations that attackers might exploit.
- **Enforce multi-factor authentication (MFA) and conditional access:** Strengthen high-privilege accounts with MFA and adaptive policies, aligning access controls to risk signals across both environments.

## 2. Address modern attack techniques

While the report from the five cybersecurity agencies — known collectively as the Five Eyes Alliance — highlights 17 AD compromise methods, these cover only the most common tactics. If only attackers were so predictable! They are also exploiting AD's connections with Entra ID, software as a service (SaaS) applications and hybrid clouds. To stay secure, organizations must look beyond static techniques and adapt to today's dynamic threat landscape.

### Why modernizing matters

Focusing only on known techniques leaves a lot on the table for today's attackers, who leverage AD's complex integrations to develop methods that fall outside standard tactics yet pose serious risks. A comprehensive, adaptive security approach prepares teams to counter both established and evolving threats.

### What to do

- **Update your threat model:** Adapt threat assessments to include new, advanced techniques relevant to your network.
- **Foster a proactive culture:** Encourage education on evolving threats and a flexible response approach.
- **Use real-time threat intelligence:** Integrate real-time insights to detect and respond to emerging techniques.

## 3. Don't Overlook Entra ID

While the Five Eyes report highlights compromises in on-premises Active Directory, protecting cloud-based directory services, like Entra ID, is equally important as organizations expand into the cloud. Attackers are increasingly pivoting between on-premises AD and cloud-based directories to maximize impact, as demonstrated by recent breaches. In hybrid environments, attackers exploit the gaps between AD and Entra ID, often bypassing defenses that cover only one system. Think of your directory infrastructure as a house with two front doors: securing only one leaves the other exposed. For modern enterprises, unified security monitoring across AD and Entra ID is essential to prevent attackers from exploiting inconsistencies between on-premises and cloud defenses. Your identity security strategy is only as strong as its most vulnerable directory.

### Why securing both AD and Entra ID matters

- **Consistent coverage across environments:** As organizations adopt hybrid environments, the separation between on-premises and cloud-based IAM systems creates potential gaps. Unified security across both prevents attackers from finding weak points in the transition from on-premises to cloud.
- **Strengthening your identity security strategy:** Attackers target identity as a primary entry point. Treating AD and Entra ID as interdependent systems ensures that your entire identity framework is resilient, regardless of where the threat originates.

### What to do

- **Set adaptive access controls:** Use conditional access policies to assess user risk in real time, blocking high-risk login attempts automatically.
- **Monitor third-party access:** Regularly review and control permissions granted to third-party apps, catching unsanctioned apps and shadow IT early.
- **Enforce least-privilege and OAuth limits:** Restrict OAuth permissions to essentials, and identify over-permissioned accounts to maintain least privilege across cloud and AD environments.
- **Enable real-time identity threat detection:** Set identity protection policies to respond instantly to risky logins, such as by triggering MFA or blocking access on suspicious activity.
- **Continuously audit and adjust policies:** Regularly assess conditional access and third-party permissions to keep your identity security strategy aligned with evolving threats.

## Conclusion: Embrace continuous, identity-first security

Active Directory compromises remain a focal point for attackers. The Five Eyes report underscores the continued relevance of this threat and clarifies why identity is the modern control plane in exposure management. As you review the guidance, refrain from letting this become another checklist. Rethink how your organization is approaching its AD security. Do you have continuous monitoring, risk-based prioritization, least-privilege access and unified operations? Are you employing an identity-first security approach that naturally achieves compliance? Are you unifying protection across on-premises AD and Entra ID to close gaps attackers exploit?

### Learn more

- Read part one in this series, Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
- View the on-demand webinar Detect and Mitigate 16 Commonly Deployed AD Compromises
- Read the data sheet Tenable ThreatMap for AD
Analysis Summary
# Best Practices: Active Directory Security
## Overview
These practices summarize critical security recommendations, jointly issued by five cyber agencies, focusing on hardening Active Directory (AD) environments against sophisticated attacks. AD is a prime target due to its role in managing identities, credentials, and infrastructure access.
## Key Recommendations
### Immediate Actions
1. **Implement Robust Monitoring:** Immediately deploy comprehensive monitoring solutions capable of detecting anomalous activity within the AD environment (e.g., Kerberoasting attempts, unusual replication traffic, or unauthorized privilege use).
2. **Audit and Restrict Unconstrained Delegation:** Review the delegation configuration of every account that holds Service Principal Names (SPNs), and disable (or strictly control) unconstrained delegation wherever it is not explicitly required, as it is a common escalation vector.
3. **Patch Critical Vulnerabilities:** Prioritize and immediately apply patches for known vulnerabilities affecting Domain Controllers (DCs) and related management tools, especially those that allow for credential theft or remote code execution.
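The monitoring called for in Immediate Action 1, and the report's "Set up key threat alerts" item for Kerberoasting and DCSync, can be prototyped as rules over Windows Security events before they are committed to a SIEM. The Python below is an added example, not code from the Five Eyes report, Tenable or Microsoft. It runs over constructed records shaped like the fields of event 4769 (Kerberos service ticket requested) and event 4662 (operation performed on a directory object); the account names, timestamps and the `MSOL_a1b2c3d4` sync-account allow-list entry are all made up. The two replication-rights GUIDs and the `0x17` RC4 encryption-type code are the documented Windows values.

```python
"""Flag Kerberoasting and DCSync indicators in Windows Security event records.

Added example (not from the Five Eyes report, Tenable or Microsoft); the
sample events below are constructed to resemble 4769 / 4662 field sets.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type as logged in event 4769 for RC4-HMAC. Bursts of RC4
# service tickets for user-account SPNs are the Kerberoasting pattern.
RC4_HMAC = "0x17"

# Extended-rights GUIDs that directory replication (and therefore DCSync) needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Non-DC accounts that legitimately replicate (e.g. the directory sync service
# account). Constructed name; populate from your own inventory.
REPLICATION_ALLOWLIST = {"MSOL_a1b2c3d4"}


def kerberoast_suspects(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts that obtained RC4 service tickets for at least `threshold`
    distinct user-account SPNs within `window`. Computer accounts (name$) and
    krbtgt are skipped: RC4 tickets for them are not the Kerberoasting pattern."""
    per_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        if e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[e["TargetUserName"]].append((e["Time"], svc))

    suspects = {}
    for user, reqs in per_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # Sliding window: distinct SPNs requested within `window` of request i.
            spns = {s for t, s in reqs[i:] if t <= start + window}
            if len(spns) >= threshold:
                suspects[user] = sorted(spns)
                break
    return suspects


def dcsync_suspects(events):
    """Accounts that exercised replication rights (event 4662) while being
    neither a machine account nor an allow-listed sync account."""
    hits = set()
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = set(GUID_RE.findall(e["Properties"].lower()))
        if not guids & REPLICATION_RIGHTS:
            continue
        who = e["SubjectUserName"]
        if who.endswith("$") or who in REPLICATION_ALLOWLIST:
            continue
        hits.add(who)
    return sorted(hits)


# --- constructed sample data -------------------------------------------------
def _tgs(t, requester, service, enc=RC4_HMAC, status="0x0"):
    return {"EventID": 4769, "Time": t, "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": enc, "Status": status}

def _op(subject, guids):
    props = "Control Access\n" + "\n".join("\t\t{%s}" % g for g in guids)
    return {"EventID": 4662, "SubjectUserName": subject, "Properties": props}

T0 = datetime(2024, 11, 5, 9, 0, 0)
SAMPLE_EVENTS = [
    # Benign: an AES ticket, a computer-account SPN, a krbtgt renewal.
    _tgs(T0, "asmith", "svc_sql", enc="0x12"),
    _tgs(T0 + timedelta(seconds=30), "jdoe", "WS01$"),
    _tgs(T0 + timedelta(seconds=40), "mbrown", "krbtgt"),
    # Suspicious: six RC4 service tickets for user-account SPNs in two minutes.
    *[_tgs(T0 + timedelta(seconds=60 + 20 * i), "jdoe", s) for i, s in
      enumerate(["svc_sql", "svc_web", "svc_backup", "svc_iis", "svc_report", "svc_sync"])],
    # Replication rights exercised by a DC, the sync account, and an ordinary user.
    _op("DC01$", ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    _op("MSOL_a1b2c3d4", ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    _op("jdoe", ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    _op("jdoe", ["00000000-0000-0000-0000-00000000ffff"]),  # constructed non-replication GUID
]

if __name__ == "__main__":
    print("Kerberoasting suspects:", kerberoast_suspects(SAMPLE_EVENTS))
    print("DCSync suspects:", dcsync_suspects(SAMPLE_EVENTS))
```

The threshold and window are tuning knobs: a monitoring agent that enumerates SPNs will produce similar bursts, so start with a high threshold and add known scanners to an allow-list rather than lowering it. Domain controller machine accounts and the directory sync account hold replication rights by design, which is why the DCSync rule treats the `$` suffix and the allow-list as the only legitimate sources; anything else exercising those rights should page someone.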
### Short-term Improvements (1-3 months)
1. **Strengthen Password Policies:** Enforce long, complex, unique passwords for all AD service accounts and administrative users, and mandate regular rotation through automated processes.
2. **Implement Tiered Administration Model:** Establish a strict administrative access model (Tier 0 for Domain Controllers, Tier 1 for privileged servers, Tier 2 for workstations) and ensure administrative credentials are *never* used on non-Tier 0 assets.
3. **Restrict Weak Kerberos Encryption Types:** Review and restrict the use of older, less secure Kerberos encryption types (e.g., RC4) on Domain Controllers and service accounts, and move to AES wherever possible.
### Long-term Strategy (3+ months)
1. **Adopt Privileged Access Workstations (PAWs):** Procure, harden, and mandate the use of dedicated, secured PAWs for all administrative tasks related to AD management, ensuring these workstations are never used for general internet browsing or email.
2. **Implement Enhanced Credential Protection:** Deploy LSA protection (running LSASS as a Protected Process Light, PPL) on Domain Controllers, and Credential Guard on administrative workstations and member servers, to protect LSASS memory and prevent credential dumping tools from extracting plaintext credentials or hashes. Note that Microsoft does not support Credential Guard on domain controllers themselves; PPL is the control that applies there.
3. **Decommission Legacy Protocols:** Systematically phase out and disable legacy authentication protocols (like NTLM where feasible) in favor of modern, secure alternatives like Kerberos or modern certificate-based authentication.
## Implementation Guidance
### For Small Organizations
- **Focus on Basics First:** Immediately implement strong, unique passwords for all service accounts. Utilize built-in Windows security logs and centralize them if possible, even if using a free/low-cost log forwarding solution.
- **Limit Privileges:** Strictly limit who has write access to the Domain Controllers Organizational Unit (OU) and the built-in "Enterprise Admins" and "Domain Admins" groups to the fewest individuals possible.
### For Medium Organizations
- **Formalize Tiering:** Begin the formal implementation of a tiered administration model. Start by isolating Tier 0 management access onto dedicated, hardened jump boxes that are distinct from standard administrative workstations.
- **Regular Auditing:** Schedule quarterly audits of all service principal names (SPNs) and group memberships for high-privilege accounts.
### For Large Enterprises
- **Automated Credential Management:** Deploy automated Privileged Access Management (PAM) solutions to manage, automatically rotate, and vault the credentials of all high-privilege accounts, reducing reliance on standing access.
- **Baseline Harden Your DCs:** Develop and enforce a hardened baseline configuration for all Domain Controllers that adheres to hardening benchmarks (e.g., CIS Benchmarks), including disabling unnecessary services and restricting USB access.
- **Monitor Replication Traffic:** Implement advanced network monitoring to inspect and alert on unusual replication activities between Domain Controllers, which can signal lateral movement or compromise.
## Configuration Examples
*Note: Specific command syntax varies, but the objective is configuration enforcement.*
| Objective | Recommended Action/Configuration Focus |
| :--- | :--- |
| **Disabling Unconstrained Delegation** | Review and apply appropriate Constrained Delegation settings (e.g., using Service for User [S4U]) or utilize Kerberos Resource-Based Constrained Delegation (RBCD) instead of unconstrained delegation for service accounts requiring delegation. |
| **Enforcing Protected Processes** | Configure Group Policy Objects (GPOs) to enable **LSA protection** (the `RunAsPPL` setting) on Domain Controllers to protect the Local Security Authority Subsystem Service (LSASS) process memory, and enable **Credential Guard and Device Guard technologies** on administrative workstations and member servers (Credential Guard is not supported by Microsoft on domain controllers). |
| **Restricting RC4 Use** | Within Domain Controller GPOs, configure the security option **"Network security: Configure encryption types allowed for Kerberos"** to exclude RC4 and DES, or explicitly set the supported types via the `msDS-SupportedEncryptionTypes` attribute for high-value accounts. |
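The unconstrained-delegation review (Immediate Action 2) and the encryption-type restriction in the table above both reduce to reading two attributes on each account: the `userAccountControl` flag word and the `msDS-SupportedEncryptionTypes` bitmask. The Python below is an added example, not code from the Five Eyes report, Tenable or Microsoft. It runs over constructed records shaped like an LDAP or PowerShell export (the account names, the `HTTP/app01.corp.example` SPN and the RBCD security-descriptor placeholder are made up); the flag bits and encryption-type bits are the documented Windows values. It classifies each account's delegation mode, lists any DES or RC4 types still enabled, and, as one adjacent check from the same flag word, reports privileged accounts that lack the "sensitive and cannot be delegated" bit.

```python
"""Audit delegation and Kerberos encryption-type settings from an AD export.

Added example (not from the Five Eyes report, Tenable or Microsoft); the
records below are constructed to look like exported account attributes.
"""

# userAccountControl flag bits (documented AD values).
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller machine account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# msDS-SupportedEncryptionTypes bits.
ENC_TYPES = {
    0x1: "DES-CBC-CRC",
    0x2: "DES-CBC-MD5",
    0x4: "RC4-HMAC",
    0x8: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
WEAK_ENC = 0x1 | 0x2 | 0x4  # DES and RC4


def decode_enc_types(value):
    """Names of the encryption types enabled in a bitmask; [] when unset or 0."""
    if not value:
        return []
    return [name for bit, name in ENC_TYPES.items() if value & bit]


def delegation_mode(rec):
    """Classify an account's delegation configuration from its attributes."""
    uac = rec["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        # DCs carry this bit by design; anything else is a finding.
        return "unconstrained (DC)" if uac & SERVER_TRUST_ACCOUNT else "unconstrained"
    if rec.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    if rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "rbcd-target"  # resource-based: this account is the back-end service
    return "none"


def audit(records):
    """Return (account, finding) pairs for settings the guidance says to remove."""
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        uac = rec["userAccountControl"]
        if delegation_mode(rec) == "unconstrained":
            findings.append((name, "unconstrained delegation on a non-DC account"))
        enc = rec.get("msDS-SupportedEncryptionTypes")
        if not enc:
            # Unset means the domain default applies (historically RC4): review it.
            findings.append((name, "msDS-SupportedEncryptionTypes unset; domain default applies"))
        elif enc & WEAK_ENC:
            weak = ", ".join(decode_enc_types(enc & WEAK_ENC))
            findings.append((name, "weak Kerberos encryption types allowed: " + weak))
        if rec.get("adminCount") == 1 and not uac & NOT_DELEGATED:
            findings.append((name, "privileged account can still be delegated (NOT_DELEGATED unset)"))
    return findings


# --- constructed sample export -----------------------------------------------
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x80200,
     "msDS-SupportedEncryptionTypes": 0x4},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["HTTP/app01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "da_admin", "userAccountControl": 0x200, "adminCount": 1,
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1020,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed security descriptor>",
     "msDS-SupportedEncryptionTypes": 0x18},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f'{rec["sAMAccountName"]:12s} delegation={delegation_mode(rec)}')
    for account, finding in audit(SAMPLE_RECORDS):
        print(f"FINDING {account}: {finding}")
```

In a real domain the same attributes come from `Get-ADObject -Properties userAccountControl,msDS-SupportedEncryptionTypes,msDS-AllowedToDelegateTo,msDS-AllowedToActOnBehalfOfOtherIdentity,adminCount` or an equivalent LDAP query. Remediation follows the classification: move "unconstrained" accounts to constrained or resource-based delegation, set `msDS-SupportedEncryptionTypes` to AES only once every client of that service supports it, and mark privileged accounts sensitive or place them in Protected Users.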
## Compliance Alignment
These recommendations strongly align with controls detailed in:
* **NIST Cybersecurity Framework (CSF):** Especially Identify (ID.AM, ID.SC) and Protect (PR.AC, PR.DS).
* **CIS Critical Security Controls (CIS Controls):** Controls 4 (Account Management), 5 (Access Control Management), and 17 (Incident Response Management).
* **ISO/IEC 27001/27002:** Specifically clauses related to access control (A.9) and system acquisition, development, and maintenance (A.14).
## Common Pitfalls to Avoid
1. **Treating AD as "Set and Forget":** Assuming that a securely configured initial deployment suffices, without continuous monitoring, auditing, and patching.
2. **Using Admin Accounts for Daily Tasks:** Allowing administrators to use domain admin credentials for non-administrative tasks (e.g., checking email, browsing the web), which is the primary conduit for phishing and credential harvesting.
3. **Inconsistent Patching:** Failing to apply security updates to Domain Controllers promptly, leaving known exploitation paths open.
4. **Over-reliance on Legacy Security:** Trusting legacy domain-level settings or relying solely on password complexity without implementing modern credential protection mechanisms like Credential Guard.
## Resources
- **CIS Benchmarks for Microsoft Active Directory:** Use these documents to establish hardening baselines for Domain Controllers.
- **Microsoft Security Documentation on Credential Guard/PAWs:** Detailed guides for implementing zero-trust principles within identity infrastructure.
- **Identity-Focused Security Auditing Tools:** Tools capable of rapidly analyzing SPN configuration, delegation settings, and current Kerberos encryption methods across the domain.