Active Directory Security Guide: Hardening AD Against Modern Attacks | BestPentestingCompanies.com
guideIdentity Security56 pages

Active Directory Security Guide: Hardening AD Against Modern Attacks

February 5, 2025
~28 min read

Comprehensive technical guide to securing Active Directory against Kerberoasting, pass-the-hash, Golden Ticket attacks, and other AD-specific attack techniques used by threat actors in 2025.

Why Active Directory Remains a Prime Target

Active Directory controls authentication and authorization for the vast majority of enterprise environments. Compromise of AD typically means compromise of everything — email, file servers, cloud resources connected via hybrid identity, and often backup systems. Attackers prioritize AD for this reason.

Kerberoasting

Kerberoasting extracts service account ticket-granting tickets (TGTs) from AD without privilege and cracks them offline. Service accounts with weak passwords running services with registered SPNs are vulnerable. Mitigations include: managed service accounts, Group Managed Service Accounts (gMSA), regular password rotation for service accounts, and monitoring for unusual TGT requests.

Pass-the-Hash and Pass-the-Ticket

Credential material — NTLM hashes and Kerberos tickets — can be stolen from memory and reused without knowing the plaintext password. LSASS process protection, Credential Guard, and Protected Users security group membership reduce exposure. Privileged Access Workstations (PAWs) limit where privileged credentials are ever exposed.

Golden and Silver Tickets

KRBTGT account compromise enables Golden Ticket attacks — forging any Kerberos ticket with arbitrary claims. Mitigation requires rotating the KRBTGT password twice (due to replication) and monitoring for tickets with anomalous lifetimes or attributes. Silver Tickets compromise service accounts to forge service tickets — managed service accounts and regular rotation limit this risk.

Tiering Model

The Tier 0 / Tier 1 / Tier 2 administrative tiering model is the most effective structural defense against AD privilege escalation. Tier 0 encompasses AD itself and its dependencies; Tier 1 covers servers; Tier 2 covers workstations. No credential should ever flow from lower to higher tiers. Administrative jump servers enforce tier boundaries.

Monitoring and Detection

Critical AD events to monitor: KRBTGT password changes, creation of privileged group memberships, unusual replication requests (DCSync), and modifications to AdminSDHolder. Microsoft Defender for Identity and similar tools provide behavioral detection for common AD attacks including pass-the-hash, Kerberoasting, and lateral movement.

Quick Summary

Key Facts

  • Type: Guide
  • Category: Identity Security
  • Length: 56 pages
  • Published: February 2025

Use Cases

  • Security teams building or maturing security programs
  • CISOs benchmarking against peers
  • Organizations evaluating security investments

Benefits

  • Data-driven insights from real-world assessments
  • Actionable recommendations from certified practitioners
  • Current threat intelligence and trend analysis

Recommended For

CISOsSecurity EngineersRisk & Compliance Teams
Last reviewed: February 2025
Active DirectoryIdentity SecurityKerberoastingAD Hardening
Powered by BugFoe

Stop Waiting for a Breach. Start with BugFoe.

Get a free security assessment from our certified penetration testing and managed security experts.