Active Directory Security Guide: Hardening AD Against Modern Attacks
Comprehensive technical guide to securing Active Directory against Kerberoasting, pass-the-hash, Golden Ticket attacks, and other AD-specific attack techniques used by threat actors in 2025.
Why Active Directory Remains a Prime Target
Active Directory controls authentication and authorization for the vast majority of enterprise environments. Compromise of AD typically means compromise of everything — email, file servers, cloud resources connected via hybrid identity, and often backup systems. Attackers prioritize AD for this reason.
Kerberoasting
Kerberoasting extracts service account ticket-granting tickets (TGTs) from AD without privilege and cracks them offline. Service accounts with weak passwords running services with registered SPNs are vulnerable. Mitigations include: managed service accounts, Group Managed Service Accounts (gMSA), regular password rotation for service accounts, and monitoring for unusual TGT requests.
Pass-the-Hash and Pass-the-Ticket
Credential material — NTLM hashes and Kerberos tickets — can be stolen from memory and reused without knowing the plaintext password. LSASS process protection, Credential Guard, and Protected Users security group membership reduce exposure. Privileged Access Workstations (PAWs) limit where privileged credentials are ever exposed.
Golden and Silver Tickets
KRBTGT account compromise enables Golden Ticket attacks — forging any Kerberos ticket with arbitrary claims. Mitigation requires rotating the KRBTGT password twice (due to replication) and monitoring for tickets with anomalous lifetimes or attributes. Silver Tickets compromise service accounts to forge service tickets — managed service accounts and regular rotation limit this risk.
Tiering Model
The Tier 0 / Tier 1 / Tier 2 administrative tiering model is the most effective structural defense against AD privilege escalation. Tier 0 encompasses AD itself and its dependencies; Tier 1 covers servers; Tier 2 covers workstations. No credential should ever flow from lower to higher tiers. Administrative jump servers enforce tier boundaries.
Monitoring and Detection
Critical AD events to monitor: KRBTGT password changes, creation of privileged group memberships, unusual replication requests (DCSync), and modifications to AdminSDHolder. Microsoft Defender for Identity and similar tools provide behavioral detection for common AD attacks including pass-the-hash, Kerberoasting, and lateral movement.
Quick Summary
Key Facts
- —Type: Guide
- —Category: Identity Security
- —Length: 56 pages
- —Published: February 2025
Use Cases
- —Security teams building or maturing security programs
- —CISOs benchmarking against peers
- —Organizations evaluating security investments
Benefits
- —Data-driven insights from real-world assessments
- —Actionable recommendations from certified practitioners
- —Current threat intelligence and trend analysis
Recommended For
Stop Waiting for a Breach. Start with BugFoe.
Get a free security assessment from our certified penetration testing and managed security experts.