Active Directory Security
Learn about the essential best practices for securing Active Directory to protect against sophisticated cyber threats, like Pass-the-Hash and Golden Ticket attacks, through secure configuration, monitoring, and industry-standard administrative practices.
What is Active Directory security?
Active Directory security is not about hardening checklists or compliance scores. It is about preventing identity-driven attack paths that allow a single compromised credential to become full domain control, ransomware deployment, or a complete business outage.
Modern Active Directory (AD) attacks do not rely on zero-days. They rely on misconfigurations, excessive privileges, legacy protocols, and identity persistence techniques that survive traditional cleanup. The techniques in this guide are documented in MITRE ATT&CK and repeatedly observed in real-world intrusions.
Key Insight: 95 million Active Directory accounts face attack attempts each day. More than 90% of Fortune 1000 companies depend on AD for identity management. Most compromises chain together misconfigurations that have existed for years, not novel exploits.
Active Directory security is the combination of policies, configurations, access controls, hardening techniques, and continuous monitoring designed to protect Windows Server Active Directory Domain Services (AD DS) and hybrid identity environments integrated with Microsoft Entra ID from unauthorized access, credential theft, privilege escalation, and domain compromise.
Its core purpose is to safeguard the identity backbone of an organization by reducing attack surface, detecting malicious activity early, preventing lateral movement, and ensuring rapid, verifiable recovery of critical identity services after an incident. This includes enforcing secure authentication (such as Kerberos and LDAP signing), governing privileged access, securing domain controllers, hardening service accounts, and implementing modern identity protections across on-premises and cloud environments.
This guide covers:
- How Active Directory is compromised in real attacks
- Which identity signals expose attackers early
- What actually stops identity-based attack paths
- The latest Active Directory security best practices and controls
- Why recovery integrity is part of security, not an afterthought
What Active Directory security guidance has recently changed?
NTLM is moving from deprecation toward being disabled by default
Microsoft has published a phased roadmap toward disabling NTLM by default in future Windows releases and emphasizes enhanced auditing and migration preparation so organizations can identify dependencies before enforcement changes occur.
LDAP signing and channel binding expectations are rising, especially for Windows Server 2025
Microsoft’s current AD DS guidance explains LDAP signing and LDAP channel binding, describes default security behavior, and explicitly applies to Windows Server 2025.
Microsoft has also highlighted mitigations against NTLM relay by default across services including LDAP and AD CS as part of broader platform hardening.
Kerberos RC4 is being phased out due to CVE-2026-20833
Microsoft Support documents Kerberos KDC changes tied to CVE-2026-20833, beginning with updates released on and after January 13, 2026, and moving toward stronger encryption behavior that reduces reliance on weak or legacy encryption types such as RC4.
The most common Active Directory security risks
PILLAR 1 | HOW ACTIVE DIRECTORY IS COMPROMISED
Real attack chains, techniques, and what makes them possible
Threat reality: Most AD compromises rely on identity misconfigurations that exist for years and are abused silently
Attackers compromise Active Directory by chaining identity weaknesses into reliable attack paths. Understanding these chains, not just individual techniques, is what separates environments that detect attacks early from those that discover them months later.
Individually, many of these misconfigurations appear to be low risk. When combined, they form reliable attack paths that allow attackers to escalate privileges without exploiting software vulnerabilities.
Initial Access and Credential Theft T1078 / T1557
Credential harvesting is almost always the first step. Attackers collect credentials through phishing, malware, keylogging, or exploiting insecure authentication flows. Once credentials are obtained, attackers authenticate legitimately and avoid many traditional security controls, compromising Active Directory security to cause data breaches, install malware, or perpetuate fraud.
The ubiquity of credential harvesting is partly due to its effectiveness: People are often the weakest link in cybersecurity. Phishing remains one of the most common methods, where attackers fool users into providing login details through fake websites or deceptive emails. Malware such as keyloggers can covertly capture keystrokes, allowing attackers to gather credentials as users log into various systems.
Legacy authentication protocols dramatically amplify this risk:
1. NTLM Relay and Pass-the-Hash (T1550.002)
NTLM authentication does not require the plaintext password, only the hash. Attackers capture hashes via relay attacks on unsigned SMB/LDAP or by dumping LSASS memory, then authenticate anywhere that accepts NTLM. Microsoft has begun deprecating NTLM specifically because of these weaknesses.
What is a Pass-the-Hash Attack?
Pass-the-hash (PtH) attacks pose a threat to Active Directory due to their ability to exploit the authentication mechanism of Windows networks. By stealing NT LAN Manager (NTLM) hash values—which are stored hashes rather than plaintext passwords—attackers can impersonate legitimate users without the need to decrypt or know the actual password. This form of credential theft enables attackers to gain unauthorized access and, potentially, escalate privileges within a network, often without triggering detection systems.
How does a pass-the-hash attack work?
A PtH attack takes advantage of the fact that user credentials are typically cached as hash values within a system. When a user logs into a Windows account, the password is hashed, and the hash is stored in memory, allowing the user to access other network resources without re-entering the password. An attacker who successfully obtains these hash values can effectively “pass” them for authentication, traversing a network under the guise of a valid user account. This method bypasses the need for password cracking, making the attack more efficient.
2. Unsigned LDAP Interception (T1557.001)
When LDAP signing and channel binding are not enforced, attackers on the network can intercept directory queries, capture credentials, and manipulate directory responses. LDAP relay is a reliable escalation path from a low-privilege foothold.
NTLM Deprecation Status: Microsoft is in a phased rollout of NTLM deprecation. Organizations that have not audited and restricted NTLM usage remain exposed to pass-the-hash and relay attacks regardless of other controls. If NTLM is enabled, assume credential theft is possible.
Kerberos Abuse and Domain Escalation T1558 / T1649
Kerberos is the primary authentication protocol in Active Directory environments and is secure when configured correctly. Decades of security research have uncovered a set of misconfigurations that convert Kerberos from a defense into an attack path.
1. Kerberoasting (T1558.003)
Any authenticated domain user can request a Kerberos service ticket (TGS) for any account with a Service Principal Name (SPN). The ticket is encrypted with the account’s password hash and can be cracked offline; no interaction with the target is required.
2. AS-REP Roasting (T1558.004)
Accounts with Kerberos pre-authentication disabled respond to unauthenticated AS-REQ messages with an encrypted AS-REP containing the account’s password hash. Attackers enumerate these accounts and crack the responses offline.
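The two exposures just described (Kerberoasting and AS-REP roasting) come down to a handful of account attributes, so they can be inventoried directly. The script below is added here as an example; it is not code from the article or from Cayosoft. It assumes the ActiveDirectory RSAT module in a domain-joined session (the attributes it reads are readable by any authenticated user), and treats `msDS-SupportedEncryptionTypes` as the signal for whether an RC4-encrypted ticket can still be issued for the account.

```powershell
# Added example, not code from the article or from Cayosoft: audit which accounts are exposed to
# Kerberoasting and AS-REP roasting. Assumes the ActiveDirectory RSAT module in a domain-joined session.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags (Microsoft-documented). A missing value means the account
# falls back to the KDC default, which historically permits RC4 and is what the 2026 KDC changes tighten.
$RC4_HMAC = 0x4
$AES128   = 0x8
$AES256   = 0x10

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)
    # Any user object with an SPN can be requested as a TGS by any domain user; krbtgt is handled separately.
    $users = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
        Where-Object { $_.SamAccountName -ne 'krbtgt' }
    foreach ($u in $users) {
        $enc = $u.'msDS-SupportedEncryptionTypes'
        # RC4 remains possible if the attribute is unset, explicitly lists RC4, or lists no AES type at all.
        $rc4Possible = (-not $enc) -or (($enc -band $RC4_HMAC) -ne 0) -or (($enc -band ($AES128 -bor $AES256)) -eq 0)
        $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }
        $fix = if ($rc4Possible) { 'Set AES-only encryption types, rotate password, migrate to gMSA' } else { 'Rotate password on schedule, migrate to gMSA' }
        [pscustomobject]@{
            Account         = $u.SamAccountName
            Privileged      = ($u.AdminCount -eq 1)
            SPNCount        = @($u.ServicePrincipalName).Count
            RC4Possible     = $rc4Possible
            PasswordAgeDays = $ageDays
            StalePassword   = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
            Recommendation  = $fix
        }
    }
}

function Get-AsRepRoastExposure {
    # Pre-authentication disabled: the AS-REP can be requested without credentials and cracked offline.
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true' -Properties AdminCount |
        Select-Object SamAccountName,
            @{ n = 'Privileged';     e = { $_.AdminCount -eq 1 } },
            @{ n = 'Recommendation'; e = { 'Re-enable Kerberos pre-authentication unless a documented dependency requires it' } }
}

Get-KerberoastExposure | Sort-Object Privileged, RC4Possible -Descending | Format-Table -AutoSize
Get-AsRepRoastExposure | Format-Table -AutoSize
```

Privileged accounts (`AdminCount = 1`) with an SPN and RC4 still possible are the rows to fix first; a long-lived password on such an account is exactly the combination that makes offline cracking worthwhile.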
3. Golden Ticket (T1558.001)
Once the KRBTGT account’s password hash is compromised via DCSync, attackers can forge Kerberos TGTs that impersonate any user indefinitely. A Golden Ticket represents complete, long-term domain compromise and persists through password resets of other accounts.
How does a Golden Ticket Attack work?
A golden ticket is a forged Kerberos Ticket Granting Ticket (TGT) that allows attackers to impersonate any AD user, bypassing Active Directory security to access resources across the network, and often maintain persistence within the system. The attack begins when an adversary gains sufficient privileges to compromise a domain controller, thus breaching Active Directory security by accessing the AD database. The attacker can extract from the database the Kerberos key, known as the KRBTGT account hash, which is used to create golden tickets. These tickets can be repeatedly used for access until the KRBTGT account password is changed, and because they are trusted internally, they often go undetected for long periods.
4. Silver Ticket (T1558.002)
Silver Tickets forge service tickets (TGS) using the password hash of a specific service account rather than KRBTGT. They bypass the KDC entirely, allowing access to specific services without the KDC’s involvement or logging.
5. DCSync (T1003.006 )
DCSync abuses the MS-DRSR replication protocol to request credential data from a DC, including the NTLM hash and Kerberos keys of any account, including KRBTGT. Any account with the Replicating Directory Changes All permission can perform DCSync without accessing a DC physically.
6. DCShadow (T1207)
DCShadow registers a rogue domain controller in the AD schema and uses replication to push arbitrary changes – including modified ACLs and group memberships – that bypass most audit logs. Unlike DCSync, DCShadow pushes changes rather than reading them.
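Because DCSync needs nothing more than the replication control-access rights on the domain partition, the single most useful preventive check is to list who holds them. The script below is added here as an example; it is not code from the article or from Cayosoft. It assumes the ActiveDirectory module (which provides the `AD:` drive used by `Get-Acl`) and uses the schema GUIDs of the three replication rights; the list of expected holders is a starting whitelist that each environment must adjust (directory synchronization accounts such as Entra Connect are the usual legitimate addition).

```powershell
# Added example, not code from the article or from Cayosoft: list every principal granted replication
# rights on the domain partition, i.e. who could perform DCSync. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Control-access right GUIDs from the AD schema (Extended-Rights container).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Identities that hold these rights by default; extend with your own sync accounts after review.
function Get-ExpectedReplicationPrincipals {
    param([string]$NetBiosName)
    @(
        "$NetBiosName\Domain Controllers",
        "$NetBiosName\Enterprise Read-only Domain Controllers",
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM'
    )
}

function Get-ReplicationRightHolders {
    $domain   = Get-ADDomain
    $expected = Get-ExpectedReplicationPrincipals -NetBiosName $domain.NetBIOSName
    $acl      = Get-Acl -Path ('AD:\' + $domain.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()
        # Only explicit extended-right ACEs are matched here; GenericAll ACEs (empty ObjectType)
        # also imply these rights and should be reviewed in a separate full-control audit.
        if (-not $ReplicationRights.ContainsKey($guid)) { continue }
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Right      = $ReplicationRights[$guid]
            Inherited  = $ace.IsInherited
            Unexpected = ($expected -notcontains $ace.IdentityReference.Value)
        }
    }
}

Get-ReplicationRightHolders | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Every row flagged `Unexpected` is either a documented synchronization account or a DCSync path that should be removed; the same output is the baseline to compare against when Event 4662/5136 reports a change to these rights.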
Manage, Monitor & Recover AD, Azure AD, M365, Teams
| Platform | Admin Features | Single Console for Hybrid (On-prem AD, Azure AD, M365, Teams) | Change Monitoring & Auditing | User Governance (Roles, Rules, Automation) | Forest Recovery in Minutes |
| Microsoft AD Native Tools | ✓ | ||||
| Microsoft AD + Cayosoft | ✓ | ✓ | ✓ | ✓ | ✓ |
AD CS Abuse and Certificate-Based Persistence T1649 / T1550.001
Active Directory Certificate Services (AD CS) is now one of the most targeted identity components. Misconfigurations known as ESC1–ESC8/ESC13 allow attackers to request or forge authentication certificates for privileged accounts. Vulnerable certificate templates may allow low-privileged users to obtain certificates that can authenticate as domain admins or other high-privilege principals. AD CS exploitation bypasses password resets, MFA, and many monitoring solutions and provides long-term, stealthy persistence. Security researchers (SpecterOps, CrowdStrike, others) have repeatedly shown AD CS to be “privilege escalation as a service” when misconfigured.
- ESC1: Misconfigured certificate templates allow any authenticated user to request a certificate for a privileged account, including domain admins. This is the most exploited AD CS misconfiguration.
- ESC2-ESC4: Dangerous template configurations allow template modification, approval bypass, or enrollment agent abuse to obtain arbitrary certificates.
- ESC6: The EDITF_ATTRIBUTESUBJECTALTNAME2 flag on a CA allows any certificate request to specify a Subject Alternative Name, enabling impersonation of privileged accounts.
- ESC8: HTTP-based certificate enrollment endpoints are vulnerable to NTLM relay attacks. An attacker relaying a domain controller’s authentication can obtain a DC certificate, enabling full compromise.
- ESC13: Issuance policy-based OID linking allows certificate holders to inherit group memberships, potentially including privileged groups, on authentication.
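The ESC1 and ESC6 conditions above map to specific template attributes and one CA registry flag, which makes them straightforward to inventory. The script below is added here as an example; it is not code from the article or from Cayosoft. It assumes the ActiveDirectory module and `certutil.exe`; the flag and OID constants are Microsoft-documented values, and `$CaConfig` is a placeholder for your own CA's `host\CA-name` string. It reports ESC1 candidates only: a flagged template becomes exploitable when low-privileged principals also hold Enroll on it, which is the enrollment-permission review to do next.

```powershell
# Added example, not code from the article or from Cayosoft: flag certificate templates matching the ESC1
# pattern (enrollee supplies the subject, authentication EKU, no approval or RA signature) and test a CA
# for the ESC6 flag. Assumes the ActiveDirectory module and certutil.exe.
Import-Module ActiveDirectory

# Values from Microsoft's certificate template documentation ([MS-CRTD]).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: CA manager approval required
$AuthenticationEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

function Get-Esc1CandidateTemplates {
    $configNc    = (Get-ADRootDSE).configurationNamingContext
    $templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $templates   = Get-ADObject -SearchBase $templatesDn -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', pKIExtendedKeyUsage
    foreach ($t in $templates) {
        $ekus             = @($t.pKIExtendedKeyUsage)
        $suppliesSubject  = (($t.'msPKI-Certificate-Name-Flag') -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval    = (($t.'msPKI-Enrollment-Flag') -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $needsRaSignature = ($t.'msPKI-RA-Signature' -gt 0)
        # An empty EKU list means "all purposes", which also permits authentication.
        $authCapable      = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthenticationEkus -contains $_ }).Count -gt 0)
        [pscustomobject]@{
            Template            = $t.Name
            EnrolleeSuppliesSAN = $suppliesSubject
            AuthenticationEKU   = $authCapable
            ManagerApproval     = $needsApproval
            RASignatures        = [int]$t.'msPKI-RA-Signature'
            Esc1Candidate       = $suppliesSubject -and $authCapable -and -not $needsApproval -and -not $needsRaSignature
        }
    }
}

function Test-Esc6Flag {
    param([Parameter(Mandatory)][string]$CaConfig)   # placeholder form: 'ca01.corp.example\Corp-Issuing-CA'
    # EDITF_ATTRIBUTESUBJECTALTNAME2 lets any request add a SAN regardless of template;
    # certutil prints the symbolic names of the flags that are set.
    $out = & certutil.exe -config $CaConfig -getreg policy\EditFlags 2>&1
    ($out -join "`n") -match 'EDITF_ATTRIBUTESUBJECTALTNAME2'
}

Get-Esc1CandidateTemplates | Where-Object Esc1Candidate | Format-Table -AutoSize
```

Run `Test-Esc6Flag -CaConfig '<host>\<CA name>'` per issuing CA; a `True` result means the CA-level flag overrides every template's subject handling and should be cleared after checking which applications still rely on it.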
Why AD CS Abuse Is Uniquely Dangerous: Certificates can remain valid for 1-10 years. Password resets, account disables, and KRBTGT rotation do not invalidate issued certificates. An attacker with a certificate for a domain admin account retains that access until the certificate expires or is explicitly revoked – and until the underlying template misconfiguration is remediated.
Privilege Escalation Through ACLs and Delegation T1222 / T1134
Overly permissive Access Control Lists (ACLs) and delegation settings are the most common form of accumulated identity debt and the most exploited. They enable silent privilege escalation without triggering authentication alerts.
- WriteDACL abuse: Accounts with WriteDACL on a high-value object can grant themselves any permission – including the ability to add members to Domain Admins.
- WriteOwner abuse: Taking ownership of an object allows the attacker to then set whatever DACL they choose, achieving full control without being a domain admin.
- AdminSDHolder inheritance gaps: Misconfigured AdminSDHolder propagation can leave protection gaps or introduce attacker-controlled ACEs.
Once an attacker controls ACLs on sensitive objects, they can add themselves to privileged groups, manipulate service principals, alter GPOs, or create long-term persistence without triggering traditional authentication alerts. Microsoft lists misconfigured ACLs among the most common AD vulnerabilities.
- Unconstrained delegation: Computers and accounts with unconstrained Kerberos delegation receive and cache TGTs from connecting users. An attacker who compromises such a system can extract and reuse those TGTs.
- Resource-based constrained delegation (RBCD): RBCD misconfigurations can be exploited by attackers who can write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, enabling impersonation attacks without local privileges on the target.
Kerberos delegation allows services to act on behalf of users, but unconstrained delegation allows attackers to capture and reuse Kerberos tickets from any authenticating account, including domain admins. Even resource-based constrained delegation (RBCD) can be abused if misconfigured, enabling attackers to impersonate privileged users by manipulating computer accounts or ACLs. Delegation misconfigurations remain a leading cause of full domain compromise in Microsoft- and CISA-documented investigations.
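Both delegation risks above are visible in the directory: unconstrained delegation is the `TrustedForDelegation` flag, and RBCD is the security descriptor stored in `msDS-AllowedToActOnBehalfOfOtherIdentity`. The script below is added here as an example; it is not code from the article or from Cayosoft. It assumes the ActiveDirectory module and excludes domain controllers, which legitimately carry the unconstrained flag.

```powershell
# Added example, not code from the article or from Cayosoft: enumerate unconstrained delegation and
# resource-based constrained delegation so every entry can be justified or removed. Assumes the AD module.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegation {
    # Domain controllers legitimately have TrustedForDelegation set; everything else needs a business reason.
    $dcs = (Get-ADDomainController -Filter *).ComputerObjectDN
    $computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, LastLogonDate |
        Where-Object { $dcs -notcontains $_.DistinguishedName }
    $users = Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, LastLogonDate
    foreach ($o in @($computers) + @($users)) {
        [pscustomobject]@{
            Object        = $o.SamAccountName
            Type          = $o.ObjectClass
            LastLogonDate = $o.LastLogonDate
            Finding       = 'Unconstrained delegation: caches TGTs of every connecting user; convert to constrained or remove'
        }
    }
}

function Get-RbcdGrants {
    # msDS-AllowedToActOnBehalfOfOtherIdentity is a security descriptor naming who may impersonate users to this resource.
    $resources = Get-ADObject -Filter 'msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"' `
        -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', sAMAccountName
    foreach ($r in $resources) {
        $sd = $r.'msDS-AllowedToActOnBehalfOfOtherIdentity'   # System.DirectoryServices.ActiveDirectorySecurity
        foreach ($ace in $sd.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $who = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Resource     = $r.sAMAccountName
                AllowedToAct = if ($who) { $who.sAMAccountName } else { $sid.Value }
                Finding      = 'RBCD grant: confirm this front-end is expected; anyone with write access to the attribute can add a principal here'
            }
        }
    }
}

Get-UnconstrainedDelegation | Format-Table -AutoSize
Get-RbcdGrants | Format-Table -AutoSize
```

An `AllowedToAct` value that is an unresolved SID usually means the granting principal has since been deleted; such stale grants should be cleared, since a recreated object with the same name does not inherit them but the entry still signals an unreviewed configuration.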
Shadow Admin Paths and Stale Objects T1098 / T1484
Most AD environments contain years of accumulated technical debt—unused accounts, abandoned servers, over-nested groups, and forgotten ACL entries. These create hidden “attack paths” that allow attackers with low privileges to chain small misconfigurations into domain admin rights. Research shows that 90%+ of AD attacks rely on these paths rather than zero-days. Tools like BloodHound routinely reveal hundreds or thousands of privilege escalation pathways in typical enterprises, many involving stale objects, nested groups, or outdated delegation. CISA and global partners identify complex relationships and hidden permissions as major contributors to AD’s susceptibility to compromise. Common examples include inactive user and computer accounts that retain group memberships and privileges:
- Stale accounts: Often the first target in a phishing attack because nobody monitors them.
- Over-nested groups: Deep group nesting obscures the effective membership of privileged groups. A user may be a Domain Admin through a chain of six nested groups, invisible to standard group reports.
- Forgotten ACLs: ACL entries added for temporary projects or contractor access that were never removed. Each one is a potential attack path.
- Abandoned trusts and servers: Legacy domain trusts with elevated permissions and orphaned computer accounts running outdated software. Both are common initial access vectors.
Lateral Movement and Local Administrator Abuse T1550.002 / T1021
Entra ID integration, making it a critical control to eliminate password reuse and stop lateral movement.
Domain Controller Exposure T1190 / T1068
Domain controllers are Tier 0 assets; their compromise means complete domain compromise. Yet DCs are frequently found running unnecessary services, exposed to unnecessary network access, and running software that expands their attack surface beyond the core DC role.
PrintNightmare (CVE-2021-34527) demonstrated how a single enabled service on a domain controller could allow any authenticated domain user to execute code as SYSTEM, instantly achieving full domain compromise. Every unnecessary service running on a DC is a potential full-domain compromise vector.
- Run DCs on Windows Server Core to minimize the attack surface: no GUI, fewer services, fewer patches required.
- Domain controllers should run only the DC role plus essential infrastructure services like DNS if required.
- Enforce strict network segmentation so DCs are not reachable using RDP (Remote Desktop Protocol) from workstation segments.
- Maintain at least two DCs per domain to avoid single points of failure during incident response.
Risks of Neglecting Active Directory Security
- Enterprise-wide outage and rapid ransomware spread.
Weak AD controls allow attackers to escalate privileges, disable security mechanisms, and deploy ransomware or malware across the domain—causing extended downtime and costly response efforts.
- Regulatory, legal, and contractual consequences.
Compromised privileged access can expose regulated data, triggering breach notifications, fines, audits, and loss of customer or partner confidence.
- Inability to investigate or contain attacks effectively.
Without proper logging and identity telemetry, organizations lose visibility into attacker actions, making it difficult to determine the scope of compromise, identify persistence, or prevent reinfection.
How do you detect Active Directory attacks?
PILLAR 2 | IDENTITY THREAT DETECTION SIGNALS
The signals that matter and why real-time monitoring is the only approach that works
AD attacks leave identity signals at every stage of the kill chain. The difference between early detection and breach impact is whether those signals are monitored continuously – not whether a scan happened to run at the right time.
Privileged Group Membership Changes TIER 0 ALERT
Any modification to Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, or Administrators should trigger an immediate alert. These changes are rare in healthy environments – any unexpected addition is a high-confidence indicator of privilege escalation or attacker persistence.
Relevant events: 4728, 4732, 4756, 4769
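The membership-add events listed above (4728, 4732 and 4756 for global, domain-local and universal groups) carry the group, the added member and the actor in their EventData, so a Tier 0 watch can be built directly on them. The script below is added here as an example; it is not code from the article or from Cayosoft. It assumes Event Log Readers rights against a domain controller, uses `dc01.corp.example` as a placeholder DC name, and reads the EventData field names from the Windows Security audit schema.

```powershell
# Added example, not code from the article or from Cayosoft: pull membership changes to Tier 0 groups
# from a DC's Security log and report group, member and actor. Assumes Event Log Readers rights.
$DomainController = 'dc01.corp.example'   # placeholder

# Event IDs and EventData field names follow the Windows Security audit schema.
$MembershipAddEvents = @{ 4728 = 'Global group'; 4732 = 'Domain Local group'; 4756 = 'Universal group' }
$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Group Policy Creator Owners')

function Get-Tier0MembershipChanges {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = @(4728, 4732, 4756); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a name/value table.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Tier0Groups -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                GroupType = $MembershipAddEvents[$_.Id]
                Group     = $d['TargetUserName']
                Member    = $d['MemberName']     # distinguished name of the added account
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    }
}

Get-Tier0MembershipChanges -Hours 24 | Format-Table -AutoSize
```

In a healthy environment this query returns nothing on most days, which is what makes any row actionable; the actor column is the first pivot, since a membership add performed by a non-admin or a service account is a stronger indicator than the add itself.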
Kerberos Authentication Anomalies HIGH CONFIDENCE
Key Kerberos anomalies to monitor: unusual RC4 encryption in TGS requests (Kerberoasting indicator), high-volume TGS requests from a single account, AS-REP responses for accounts that should have pre-auth enabled, and tickets with anomalous lifetimes or PAC structure (Golden/Silver Ticket indicators).
Relevant events: 4768, 4769, 4770, 4771
Directory Object and ACL Modifications ESCALATION INDICATOR
Changes to sensitive AD object attributes – particularly security descriptors, SIDHistory, adminCount, msDS-AllowedToActOnBehalfOfOtherIdentity, and delegation flags – indicate active ACL manipulation or delegation abuse. AdminSDHolder modifications and changes to the domain object’s ACL are critical indicators.
Relevant events: 4662, 4670, 5136, 5137
Detecting Insecure Authentication Behavior
LDAP diagnostic events reveal unsafe authentication patterns that often precede credential interception and relay attacks.
- LDAP simple binds over plaintext: Event 2887 logged on domain controllers indicates applications authenticating with cleartext LDAP. These credentials can be captured by anyone with network access.
- LDAP unsigned bind attempts: Event 2889 indicates clients connecting without LDAP signing – a prerequisite for LDAP relay attacks. Each occurrence is a potential relay attack waiting to happen.
- Channel binding failures: Failures in LDAP channel binding negotiation indicate clients that cannot enforce secure LDAP and may be exploitable via relay.
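Event 2889 is only emitted per bind once LDAP interface diagnostics are raised, and its value is in the inventory it produces of clients that would break when signing is enforced. The script below is added here as an example; it is not code from the article or from Cayosoft. It assumes an elevated session on a domain controller, the documented NTDS diagnostics and parameters registry keys, and the field order of the 2889 message template (client address first, then the identity the client bound as).

```powershell
# Added example, not code from the article or from Cayosoft: enable LDAP interface diagnostics on a DC,
# summarize which clients still bind without signing, and read the current enforcement settings.
# Assumes an elevated session on a domain controller.
$NtdsDiagnostics = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$NtdsParameters  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapInterfaceEvents {
    # Level 2 logs event 2889 for each unsigned bind; the daily 2887 summary is logged at the default level already.
    Set-ItemProperty -Path $NtdsDiagnostics -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-InsecureLdapBinds {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        [pscustomobject]@{
            Client   = ($_.Properties[0].Value -replace ':\d+$', '')   # strip the ephemeral source port
            Identity = $_.Properties[1].Value
        }
    } | Group-Object Client, Identity | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Group[0].Client
            Identity = $_.Group[0].Identity
            Binds    = $_.Count
        }
    } | Sort-Object Binds -Descending
}

function Get-LdapHardeningState {
    # LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always enforce channel binding.
    $p = Get-ItemProperty -Path $NtdsParameters
    [pscustomobject]@{
        SigningRequired        = ($p.LDAPServerIntegrity -eq 2)
        ChannelBindingEnforced = ($p.LdapEnforceChannelBinding -eq 2)
    }
}

Enable-LdapInterfaceEvents
Get-LdapHardeningState
Get-InsecureLdapBinds -Hours 24 | Format-Table -AutoSize
```

Work the bind list down to zero before setting `LDAPServerIntegrity` and `LdapEnforceChannelBinding` to 2; each remaining client/identity pair is an application that either needs an LDAPS or signed-SASL configuration change or is a candidate for decommissioning.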
Monitoring AD CS for Abuse Indicators
Certificate-based attacks are particularly stealthy because certificate issuance looks like normal PKI activity. Without specific AD CS monitoring, attackers can obtain persistence certificates and maintain access indefinitely.
Certificate Issuance Anomalies PERSISTENCE INDICATOR
Monitor for: certificates issued with Subject Alternative Names that do not match the requesting account, certificates requested for privileged accounts by non-privileged users, unusually high certificate issuance volume, and web enrollment requests (indicative of ESC8/relay attacks). The NTAuth store should be monitored for unauthorized CA additions.
Relevant CA events: 4886, 4887, 4888, 4899
Replication Abuse Detection
Unauthorized replication behavior is among the highest-confidence indicators of active compromise. DCSync and DCShadow both abuse the AD replication protocol.
- Replication requests from non-DC systems: The MS-DRSR protocol should only be used between domain controllers. A workstation or member server initiating a replication request is a near-certain indicator of DCSync activity. Monitor Event 4662 with the Replicating Directory Changes GUID.
- New domain controller registrations: DCShadow registers a temporary DC in the Configuration partition. Monitor for new nTDSDSA object creation and unexpected changes to the domain controller OU.
- Replication permission changes: Any modification to the Replicating Directory Changes or Replicating Directory Changes All rights on the domain object should be treated as a critical alert.
Correlation Across Identity, Endpoint, and Network
Individual identity signals can appear ambiguous in isolation. Multi-stage attacks become unambiguous when correlated with endpoint and network telemetry.
- Kerberoasting: High-volume TGS requests (Event 4769) with RC4 encryption from a single account + subsequent logon from an unusual location = cracked service account credential in use
- Pass-the-Hash lateral movement: NTLM logons (Event 4624, Logon Type 3) with no prior interactive logon on that system + new process creation = active lateral movement
- Golden Ticket use: Kerberos TGT with no corresponding AS-REQ in DC logs + anomalous PAC or lifetime + access to high-value targets = forged ticket in use
- DCSync in progress: MS-DRSR traffic from non-DC source IP + Event 4662 with replication GUIDs + no scheduled replication window = active credential extraction
A common PtH attack pattern: compromise one workstation, extract the local admin NTLM hash, use pass-the-hash to authenticate to every other machine sharing that password. In environments without LAPS, a single compromised endpoint can translate to full lateral movement across hundreds of systems within minutes.
Without Windows LAPS, local Administrator passwords are often identical across machines. Once attackers compromise any endpoint, they can steal the NTLM hash of the local admin account and authenticate to every other system using pass-the-hash, achieving lateral movement and eventually domain dominance. Microsoft’s modern Windows LAPS introduces encryption, password rotation, DSRM password backup, and recovery.
Windows LAPS (2023+): Microsoft released Windows LAPS as a built-in Windows feature in April 2023, replacing the legacy LAPS solution. It integrates directly with Active Directory and Entra ID, rotating local administrator passwords automatically. Deployment is no longer optional; it should be treated as a baseline control in every domain-joined environment.
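Two of the correlations above, Kerberoasting and DCSync, reduce to rules over a small set of event fields and can be expressed as detection logic that runs the same way on live `Get-WinEvent` output and on replayed data. The script below is added here as an example; it is not code from the article or from Cayosoft. Its input records are constructed sample data shaped like the 4769 and 4662 EventData fields; the `Client` field on the 4662 record is an assumption of this normalized shape, since 4662 itself carries no source address and the value would come from joining the 4624 logon by `SubjectLogonId` or from network telemetry, as the correlation above describes.

```powershell
# Added example, not code from the article or from Cayosoft: Kerberoasting and DCSync correlation logic
# over normalized event records. All records below are constructed sample data.

$RC4_HMAC = '0x17'   # 4769 TicketEncryptionType for RC4-HMAC; AES types are 0x11 / 0x12
$ReplicationGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
                      '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes-All
$DomainControllerIPs = @('10.10.0.10', '10.10.0.11')             # constructed DC addresses

function New-Record {
    param($Id, $Seconds, $Account, $Service, $EncType, $Client, $Properties = '')
    [pscustomobject]@{
        Id = $Id; Time = (Get-Date '2026-02-01T09:00:00').AddSeconds($Seconds)
        Account = $Account; Service = $Service; EncType = $EncType; Client = $Client; Properties = $Properties
    }
}

# Constructed sample: one account pulls RC4 tickets for six services within seconds (roasting pattern),
# one user requests a single AES ticket (benign), and one 4662 replication request comes from a workstation.
$Events = @()
$i = 0
foreach ($svc in 'svc-sql', 'svc-backup', 'svc-web', 'svc-sccm', 'svc-exchange', 'svc-report') {
    $i++
    $Events += New-Record -Id 4769 -Seconds $i -Account 'jdoe' -Service $svc -EncType $RC4_HMAC -Client '10.10.20.15'
}
$Events += New-Record -Id 4769 -Seconds 30 -Account 'asmith' -Service 'svc-web' -EncType '0x12' -Client '10.10.20.22'
$Events += New-Record -Id 4662 -Seconds 45 -Account 'svc-legacy' -Service '' -EncType '' -Client '10.10.20.99' `
    -Properties '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'

function Find-Kerberoasting {
    param([object[]]$Records, [int]$MinDistinctServices = 5, [int]$WindowMinutes = 10)
    # Many RC4 service tickets for distinct SPNs from one account in a short window; krbtgt TGS renewals excluded.
    $Records | Where-Object { $_.Id -eq 4769 -and $_.EncType -eq $RC4_HMAC -and $_.Service -ne 'krbtgt' } |
        Group-Object Account | ForEach-Object {
            $sorted   = @($_.Group | Sort-Object Time)
            $span     = New-TimeSpan -Start $sorted[0].Time -End $sorted[-1].Time
            $services = @($_.Group.Service | Sort-Object -Unique)
            if ($services.Count -ge $MinDistinctServices -and $span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Signal = 'Kerberoasting'; Account = $_.Name; DistinctServices = $services.Count
                    Minutes = [math]::Round($span.TotalMinutes, 1); Client = $sorted[0].Client
                }
            }
        }
}

function Find-DcSync {
    param([object[]]$Records, [string[]]$DcAddresses)
    # Replication control-access right requested (4662 Properties) from a source that is not a DC.
    foreach ($r in ($Records | Where-Object { $_.Id -eq 4662 })) {
        $hit = @($ReplicationGuids | Where-Object { $r.Properties -match $_ })
        if ($hit.Count -gt 0 -and $DcAddresses -notcontains $r.Client) {
            [pscustomobject]@{ Signal = 'DCSync'; Account = $r.Account; Client = $r.Client; Right = ($hit -join ', ') }
        }
    }
}

Find-Kerberoasting -Records $Events | Format-Table -AutoSize
Find-DcSync -Records $Events -DcAddresses $DomainControllerIPs | Format-Table -AutoSize
```

The thresholds (`MinDistinctServices`, `WindowMinutes`) are where tuning happens: a single account legitimately touching five SPNs in ten minutes is rare for a user but routine for a monitoring service, so exclude known scanners by account rather than by lowering the RC4 signal.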
Active Directory Security Best Practices
PILLAR 3 | WHAT ACTUALLY SECURES ACTIVE DIRECTORY
Controls that break attack paths and the ones that only look good on paper
Controls only matter if they break real attack paths. The most common mistake in AD security programs is implementing controls that generate compliance checkboxes without changing the actual attack surface.
Controls That Stop Attacks
| Control | Attack Path Disrupted | Impact |
|---|---|---|
| Enforce a tiered admin model and require PAWs for all privileged access | Credential theft from admin sessions, lateral movement into Tier 0 | Prevents attacker reuse of admin credentials |
| Replace standing privileges with Just-in-Time access using Entra PIM | Persistent admin access, Golden Ticket abuse, privilege creep | Eliminates always-on attacker value |
| Deploy Windows LAPS on all servers and workstations | Pass-the-hash using shared local admin passwords | Stops lateral movement at the endpoint layer |
| Audit NTLM usage, then block NTLMv1 and restrict NTLMv2 | NTLM relay, credential capture, pass-the-hash | Removes legacy authentication attack paths |
| Enforce LDAP signing and channel binding everywhere | LDAP relay, directory manipulation, credential interception | Stops directory-level relays and tampering |
| Disable RC4-HMAC and require AES-128/256 for Kerberos | Fast Kerberoasting, offline ticket cracking | Raises attacker cost and time to failure |
| Convert all supported service accounts to gMSA | Kerberoasting and service credential reuse | Eliminates offline password cracking |
| Audit and remediate all AD CS ESC vulnerabilities | Certificate-based persistence and privilege escalation | Closes high impact, low visibility attack paths |
| Monitor identity activity continuously with real-time alerts | All identity driven attack paths | Enables early detection before escalation |
| Enumerate and remediate identity attack paths on a recurring basis | Shadow admins, ACL abuse, delegation misconfigurations | Reduces accumulated exposure over time |
| Harden domain controllers using current security baselines | DC exploitation, system-level persistence | Reduces Tier 0 exploit surface |
| Enforce secure Group Policy defaults and monitor changes | GPO abuse, mass privilege assignment | Prevents infrastructure wide compromise |
| Require MFA for all privileged and administrative access | Credential theft and token replay | Blocks common initial access techniques |
| Restrict RDP, browsing, and email on admin systems | Credential harvesting on administrative endpoints | Protects privileged credentials before Tier 0 |
| Identify and remove stale identities and unused privileges | Dormant account takeover, privilege creep | Shrinks the identity attack surface |
| Secure all forest trusts with SID filtering and scope review | Cross-forest privilege escalation | Prevents trust-based attack pivots |
| Rotate KRBTGT keys and critical secrets after incidents | Post compromise persistence | Removes attacker footholds |
| Maintain offline DC backups and rehearse forest recovery | Ransomware and destructive identity attacks | Enables clean, controlled recovery |
| Implement unified, agentless visibility across AD and Entra ID | Hybrid identity blind spots | Preserves investigation context across environments |
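Several rows of the table (NTLM audit and restriction, LDAP signing and channel binding, AES-only Kerberos) are ultimately registry values, whether set by hand or by the Group Policy settings that write them, so posture can be verified on a DC without trusting the GPO report. The script below is added here as an example; it is not code from the article or from Cayosoft. It assumes an elevated local session and uses the documented registry locations and values for each setting; the LDAP checks are meaningful only on domain controllers.

```powershell
# Added example, not code from the article or from Cayosoft: read the registry-backed settings behind
# several table rows and report each against its hardened value. Assumes an elevated local session.
$Lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Ntds    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$KerbPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Each check: the control from the table, where Windows stores it, the pass predicate, and the target value.
$Checks = @(
    @{ Control = 'Block LM/NTLMv1 (LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLM)'
       Path = $Lsa;  Name = 'LmCompatibilityLevel';     Target = 5;    Pass = { param($v) $v -eq 5 } }
    @{ Control = 'Audit incoming NTLM (AuditReceivingNTLMTraffic 2: audit all accounts)'
       Path = $Msv1; Name = 'AuditReceivingNTLMTraffic';  Target = 2;    Pass = { param($v) $v -eq 2 } }
    @{ Control = 'Restrict outgoing NTLM (RestrictSendingNTLMTraffic 1 = audit, 2 = deny)'
       Path = $Msv1; Name = 'RestrictSendingNTLMTraffic'; Target = 2;    Pass = { param($v) $v -ge 1 } }
    @{ Control = 'LDAP signing required (LDAPServerIntegrity 2)'
       Path = $Ntds; Name = 'LDAPServerIntegrity';        Target = 2;    Pass = { param($v) $v -eq 2 } }
    @{ Control = 'LDAP channel binding always enforced (LdapEnforceChannelBinding 2)'
       Path = $Ntds; Name = 'LdapEnforceChannelBinding';  Target = 2;    Pass = { param($v) $v -eq 2 } }
    @{ Control = 'Kerberos AES only (SupportedEncryptionTypes: AES128/AES256 set, DES/RC4 bits clear)'
       Path = $KerbPol; Name = 'SupportedEncryptionTypes'; Target = 0x18
       Pass = { param($v) ($null -ne $v) -and (($v -band 0x7) -eq 0) -and (($v -band 0x18) -ne 0) } }
)

function Test-IdentityHardening {
    foreach ($c in $Checks) {
        $v = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Control = $c.Control
            Current = if ($null -eq $v) { '(not set: OS default)' } else { '0x{0:x}' -f $v }
            Target  = '0x{0:x}' -f $c.Target
            Result  = if (& $c.Pass $v) { 'Pass' } else { 'Fail' }
        }
    }
}

Test-IdentityHardening | Format-Table -AutoSize -Wrap
```

The NTLM restriction check deliberately passes at the audit value (1) as well as deny (2), mirroring the table's "audit, then restrict" sequence; once the audit period shows no remaining dependencies, tighten the predicate to `-eq 2`.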
Controls That Only Look Good on Paper
These controls appear in security checklists and compliance frameworks but do not meaningfully change the attack surface without the supporting controls that make them effective:
- Annual audits without continuous monitoring: A point-in-time scan tells you what AD looked like on the day it ran. Attackers work on days between scans. Annual audits are compliance theater, not security.
- Password policies without identity telemetry: Forcing password complexity does not prevent pass-the-hash. Forcing password rotation does not invalidate Kerberos tickets. Password policy without behavior monitoring does not address the attacks that compromise AD.
- Backup plans without tested recovery: A backup that has never been used in a test recovery is an untested assumption. After a ransomware event, assumptions fail. The only valid recovery capability is one with documented, recent test results in an isolated environment.
- MFA without legacy protocol enforcement: MFA on a user portal does not protect NTLM authentication, Kerberos service tickets, or legacy application binds. If NTLM is enabled, MFA does not prevent pass-the-hash attacks.
Three Rules That Govern AD Security Posture: If NTLM is enabled, assume credential theft is possible. If AD CS is unmanaged, assume persistent, stealthy access exists. If recovery is untested, assume ransomware wins when it arrives.
How do you respond and recover after an Active Directory breach?
PILLAR 4 | RECOVERY IS PART OF SECURITY
Active Directory recovery is not optional and not an afterthought
Recovery from an Active Directory compromise is not the same as recovery from a server failure. Standard backup and restore processes often preserve attacker persistence mechanisms – restoring an environment to a compromised state that passes basic checks but continues to provide attacker access.
Recovery Reality: What Standard Cleanup Misses
1. KRBTGT Rotation
- Must be rotated twice with a replication wait between rotations
- Single rotation leaves existing forged Golden Tickets valid
- KRBTGT rotation invalidates all outstanding Kerberos tickets – plan for service disruption
- Monitor for Kerberos errors post-rotation to confirm propagation
2. Certificate Cleanup
- Certificates issued during compromise must be explicitly revoked – password resets do not invalidate them
- ESC vulnerabilities must be remediated before reissuance
- Audit the NTAuth store for unauthorized CA additions
- Review certificate templates for backdoored configurations
3. Forest Integrity
- SYSVOL integrity – GPO tampering survives account remediation
- Replication health – compromised DCs may have divergent partitions
- Trust relationships may have been modified to enable persistence
- Verify AdminSDHolder ACL propagation has no attacker-controlled entries
Persistence Survives Cleanup: Attackers routinely retain access after standard incident response because persistence mechanisms embedded in certificates, delegation settings, and ACLs are not addressed by account password resets. Without a validated identity restoration process, identity compromise often continues silently after remediation.
Response Sequence After an Active Directory Breach
Effective response follows an identity-first sequence. Each step must be completed and validated before proceeding.
1. Contain compromised accounts and endpoints
Disable identified compromised accounts. Isolate systems confirmed to be under attacker control. Do not delete accounts yet – preserve forensic evidence. Document all identified attacker activity before proceeding.
2. Remove persistence: delegation, certificates, SPNs, ACLs
Enumerate and remove: backdoor accounts, attacker-added group memberships, delegation configurations, rogue SPNs, certificates issued to unauthorized accounts or with unauthorized SANs, and ACL entries that provide attacker control paths. Anything left behind is the attacker's way back in; partial removal invites re-compromise.
3. Rotate KRBTGT and privileged credentials correctly
Rotate the KRBTGT password twice. After the first reset, wait for replication to converge on every writable domain controller and, unless you accept mass ticket failures, for the maximum TGT lifetime (10 hours by default) before the second; only the second reset removes the stolen key from the pair the KDC accepts. Reset passwords for all privileged accounts – Domain Admins, Enterprise Admins, Schema Admins, service accounts with SPNs, and any account in the compromise scope.
4. Validate SYSVOL, replication, trusts, and AdminSDHolder
Check GPO integrity in SYSVOL for tampered policies. Confirm healthy replication across all domain controllers. Review all domain trust configurations for unauthorized modifications. Verify AdminSDHolder ACL propagation has not introduced attacker-controlled entries.
5. Execute tested forest recovery procedures if required
If the compromise scope extends to forest-level objects or domain controllers are confirmed compromised at the OS level, a full forest recovery may be required. This process takes days with traditional tools and minutes with instant forest recovery solutions.
6. Verify identity integrity before returning to production
Use continuous monitoring tools to validate that no residual attacker-controlled changes are detected in the restored environment. Confirm all detection signals from Pillar 2 are covered before lifting containment. Return to production only when identity integrity can be demonstrated – not assumed.
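The following is an added example, not code from the article or from Cayosoft, of the double KRBTGT reset from step 3 (and the KRBTGT rotation list above) with a replication-convergence check between resets. It assumes the ActiveDirectory RSAT module, Domain Admin rights in an elevated session, and that attacker replication access has already been removed in step 2. The convergence check reads msDS-KeyVersionNumber (the kvno stamped into every TGT) from each writable DC; the 10-hour wait is the default maximum TGT lifetime and is a parameter. Without -Execute it only reports.

```powershell
# Added example (not from the original article): double KRBTGT reset with convergence check.
# Assumes ActiveDirectory RSAT module and Domain Admin rights; run elevated.
Import-Module ActiveDirectory

function New-RandomSecurePassword {
    # 32 bytes from the OS CSPRNG, base64-encoded. Nobody types this password;
    # only the Kerberos keys derived from it matter.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Get-KrbtgtKvno {
    # msDS-KeyVersionNumber increments on every password change, so it is a
    # direct, per-DC measure of whether the new key has arrived.
    param([string]$Server)
    (Get-ADUser -Identity krbtgt -Properties msDS-KeyVersionNumber -Server $Server).'msDS-KeyVersionNumber'
}

function Wait-KrbtgtConvergence {
    param([int]$ExpectedKvno, [string[]]$Servers, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $lagging = @($Servers | Where-Object { (Get-KrbtgtKvno -Server $_) -lt $ExpectedKvno })
        if ($lagging.Count -eq 0) { return $true }
        Write-Host ('Waiting for kvno {0} on: {1}' -f $ExpectedKvno, ($lagging -join ', '))
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-KrbtgtDoubleReset {
    param(
        [switch]$Execute,
        # Default Kerberos policy: maximum TGT lifetime is 10 hours. Waiting this long
        # lets legitimately issued TGTs expire instead of failing en masse at reset 2.
        [int]$MaxTgtLifetimeHours = 10
    )
    $pdc = (Get-ADDomain).PDCEmulator
    # Only writable DCs hold the domain KRBTGT key; RODCs use their own krbtgt_<id>
    # accounts, which are reset separately.
    $servers = @(Get-ADDomainController -Filter { IsReadOnly -eq $false } | Select-Object -ExpandProperty HostName)
    $start   = Get-KrbtgtKvno -Server $pdc
    Write-Host "Current krbtgt kvno on $pdc is $start; writable DCs: $($servers -join ', ')"
    if (-not $Execute) { return }

    # Reset 1. The KDC still accepts tickets under the previous key, so nothing
    # breaks yet, but forged tickets are not invalidated yet either.
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomSecurePassword) -Server $pdc
    if (-not (Wait-KrbtgtConvergence -ExpectedKvno ($start + 1) -Servers $servers)) {
        throw 'First reset did not replicate to every writable DC; fix replication before the second reset.'
    }
    Write-Host "Reset 1 converged. Waiting $MaxTgtLifetimeHours h for outstanding TGTs to expire."
    Start-Sleep -Seconds ($MaxTgtLifetimeHours * 3600)

    # Reset 2. The stolen key is now neither current nor previous, so every
    # ticket forged from it is rejected.
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomSecurePassword) -Server $pdc
    if (-not (Wait-KrbtgtConvergence -ExpectedKvno ($start + 2) -Servers $servers)) {
        throw 'Second reset did not replicate; Golden Tickets may still validate on lagging DCs.'
    }
    Write-Host 'Both resets converged. Expect Kerberos errors from clients and services holding stale tickets.'
}

Invoke-KrbtgtDoubleReset            # report only
# Invoke-KrbtgtDoubleReset -Execute # perform the two resets
```

The second reset is the one that matters for forged tickets, and it is also the one that breaks things; the throw after each convergence check is deliberate, because proceeding while a DC lags leaves that DC accepting Golden Tickets under the old key.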
FREE ACTIVE DIRECTORY SECURITY TOOLS
Many organizations looking for free Active Directory security tools find two categories: point-in-time assessment scanners that produce a report when you run them, and continuous monitoring solutions that watch your environment in real time. The two serve different purposes.
Assessment scanners identify risk at a moment in time. They tell you what your AD looks like when you run them. They do not alert. They do not have memory between runs. They cannot tell you what changed three hours ago.
There are several important features to consider when exploring free Active Directory security tools.
Continuous Monitoring vs. Point-in-Time Scanning
The attack signals in Pillar 2 of this guide are only detectable in real time. By the time a scanner runs again, an attacker has already operated. Continuous monitoring is integral to exposing attackers as they move – assessment tools identify risk at a point in time.
Real-Time Threat Detection
Real-time detection is essential because identity attacks move fast. Automatic alerts for privilege escalation, DCSync behavior, GPO tampering, Kerberoasting indicators, dormant account reactivation, and other attack patterns should fire as they happen, not hours later. This gives teams the time advantage they need to stop threats before damage spreads.
Continuous Change History
Continuous change history provides the context real investigations depend on. Every identity change across Active Directory and Entra ID should be captured with full detail, including who made the change, what changed, when it occurred, and where it originated. This turns investigations that once took days into clear, confident analysis completed in minutes.
Hybrid Identity Coverage
Hybrid environments require unified visibility. A single change stream should span the entire Microsoft environment, including on-premises Active Directory, Microsoft Entra ID, Microsoft 365, Teams, Exchange Online, and Intune. This eliminates blind spots and tool sprawl and gives teams consistent insight across the entire identity surface.
AGENTLESS, ZERO-COST DEPLOYMENT
Effective protection should not add complexity. Agentless deployment is important because it means there is no software to install, no infrastructure to maintain, and no impact on production systems. Teams can gain immediate identity visibility quickly, safely, and without additional cost.
Free Active Directory Security with Guardian Protector
Cayosoft Guardian Protector is a free Active Directory security tool that delivers real-time threat detection, continuous identity monitoring, and complete change history across the entire Microsoft identity landscape, including on-premises Active Directory, Microsoft Entra ID, Microsoft 365, Intune, Teams, and Exchange Online.
It provides immediate visibility into identity and configuration changes across hybrid environments, enabling security teams to detect suspicious activity as it happens and investigate incidents with full context across every connected platform.
Guardian Protector is agentless, requires no installation on domain controllers or endpoints, and connects using least-privilege, read-only access. Organizations can start protecting their identity infrastructure within minutes without added complexity or operational risk.
- No object limits.
- No time-boxed trials.
- No hidden paywalls.
Just always-on Active Directory and hybrid identity security, free forever.
How Cayosoft Secures Active Directory
Active Directory is the foundation of enterprise identity and one of the most targeted systems by attackers. Cayosoft secures Active Directory by combining prevention, visibility, control, and instant recovery into a single, unified approach that works across on premises, hybrid, and Entra ID environments.
Least Privilege Built Into Daily Operations
Cayosoft reduces identity risk by enforcing least privilege as part of everyday administration. Excess permissions are continuously identified and removed, standing admin rights are replaced with just-in-time access, and tasks are safely delegated through role-based controls. Admins and users have only the access they need, only when they need it.
Real-Time Insight Into Identity Changes
Cayosoft delivers immediate visibility into critical identity activity. Changes to users, groups, privileges, and policies are captured in real time with full context showing who made the change, what changed, and when it occurred. This enables teams to quickly detect risky, unintended, or unauthorized behavior before it becomes an incident.
Instant Recovery From Identity Attacks
When malicious or unauthorized changes occur, Cayosoft enables instant recovery of Active Directory objects and configurations. Security and IT teams can quickly restore users, groups, memberships, OUs, and GPOs without lengthy downtime, minimizing operational impact and preventing identity incidents from escalating into business outages.
Consistent, Governed Administration
Cayosoft standardizes Active Directory management using role-based access and policy-driven workflows. Every change follows approved processes, reducing human error and ensuring consistent enforcement of security and governance controls over time.
The result:
Active Directory that is continuously protected, fully visible, and instantly recoverable. Identity attacks are detected early, contained quickly, and resolved without disrupting the business.
Learn more and get a demo here.
Learn why a U.S. state's Department of Information Technology (DOIT) chose Cayosoft
Frequently Asked Questions About Active Directory Security
What are the most common Active Directory vulnerabilities?
The most common Active Directory vulnerabilities are legacy authentication protocols (particularly NTLM), excessive privileges and overly permissive ACLs, Active Directory Certificate Services misconfigurations (ESC1-ESC13), weak Kerberos delegation settings, stale accounts and accumulated identity technical debt, and lack of continuous identity monitoring. Most AD compromises chain these weaknesses into reliable attack paths rather than exploiting zero-days.
How do I know if Active Directory has been compromised?
Indicators include: unusual Kerberos authentication activity (anomalous TGS volume, RC4 encryption in unexpected contexts, tickets with abnormal lifetimes), replication requests from non-DC systems indicating DCSync activity, anomalous certificate issuance with unexpected Subject Alternative Names, unauthorized changes to privileged group memberships, delegation configuration changes, and persistence that survives standard remediation. Most of these indicators are only detectable in real time – continuous monitoring is required to detect compromise as it unfolds.
What happens if an attacker gains domain admin access?
When an attacker achieves domain admin access, they gain complete control over authentication, authorization, Group Policy, and persistence across the entire domain. They can create backdoor accounts, forge Kerberos tickets (Golden Ticket) that persist independently of account passwords, extract all domain credentials via DCSync, deploy ransomware across the domain via GPO, and establish certificate-based persistence that survives password resets. Recovery requires validated identity restoration – not just account remediation.
What is Kerberoasting and how do you prevent it?
Kerberoasting is an attack where any authenticated domain user requests a Kerberos service ticket (TGS) for any account with a Service Principal Name (SPN). The ticket's encrypted part is protected with a key derived from the service account's password (for RC4, the NT hash itself), so it can be cracked offline without further contact with the domain. Prevention requires: migrating service accounts to Group Managed Service Accounts (gMSA), whose 240-byte passwords are generated by AD and rotated automatically (every 30 days by default) and cannot be practically cracked; auditing and removing unnecessary SPNs; enforcing AES encryption for Kerberos (disabling RC4-HMAC), which makes cracking far slower and removes the attacker's option of requesting an RC4 ticket; and detecting unusual TGS request patterns via Event ID 4769 monitoring, in particular many distinct SPN accounts requested by one principal in minutes, or RC4 (TicketEncryptionType 0x17) tickets for user accounts.
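The following is an added example, not code from the article or from Cayosoft, of the Event ID 4769 detection logic described above: group ticket requests by requester and source address, keep only RC4/DES-encrypted requests for user (not machine) accounts, and flag any window in which one requester touches an unusually large number of distinct SPN accounts. The event records are constructed sample data in the shape of the 4769 fields; ConvertFrom-Event4769 shows how to produce that shape from real Security log events. Thresholds (5 services in 10 minutes) are illustrative tuning values.

```powershell
# Added example (not from the original article): Kerberoasting detection over 4769 data.
function ConvertFrom-Event4769 {
    # Converts a Get-WinEvent record into the flat shape used below.
    param([Parameter(ValueFromPipeline = $true)]$Event)
    process {
        $d = @{}
        foreach ($x in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            TimeCreated          = $Event.TimeCreated
            TargetUserName       = $d['TargetUserName']   # requesting principal
            ServiceName          = $d['ServiceName']      # account that owns the SPN
            TicketEncryptionType = $d['TicketEncryptionType']
            IpAddress            = $d['IpAddress']
        }
    }
}
# Real data: Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4769} | ConvertFrom-Event4769

function Find-Kerberoasting {
    param(
        [object[]]$Events,
        [int]$MinDistinctServices = 5,   # tuning value: ordinary users rarely hit 5 SPN accounts in minutes
        [int]$WindowMinutes = 10,
        [switch]$AnyEncryptionType        # also catch roasting of AES-only accounts (slower to crack, still possible)
    )
    # RC4-HMAC (0x17), RC4-HMAC-EXP (0x18) and DES (0x1, 0x3) are what a roaster asks for.
    # krbtgt and machine accounts ($) are excluded: random passwords, not crackable in practice.
    $weak = '0x17', '0x18', '0x1', '0x3'
    $candidates = $Events | Where-Object {
        $_.ServiceName -ne 'krbtgt' -and $_.ServiceName -notmatch '\$$' -and
        ($AnyEncryptionType -or $_.TicketEncryptionType -in $weak)
    }
    foreach ($group in ($candidates | Group-Object TargetUserName, IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window anchored at each request; report the first window that trips.
            $end = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
            $services = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $end } |
                          Select-Object -ExpandProperty ServiceName -Unique)
            if ($services.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Requester = $sorted[$i].TargetUserName; Source = $sorted[$i].IpAddress
                    Start = $sorted[$i].TimeCreated; Services = $services.Count; List = ($services -join ', ')
                }
                break
            }
        }
    }
}

# Constructed sample: one requester bulk-requesting RC4 tickets for six service
# accounts within seconds (the roast), plus ordinary background traffic.
$t = [datetime]'2025-03-04 09:15:00'
$sample = @()
$i = 0
foreach ($svc in 'svc-sql', 'svc-web', 'svc-backup', 'svc-sccm', 'svc-exchange', 'svc-reporting') {
    $sample += [pscustomobject]@{ TimeCreated = $t.AddSeconds($i); TargetUserName = 'jdoe@CORP.LOCAL'; ServiceName = $svc; TicketEncryptionType = '0x17'; IpAddress = '10.0.5.23' }
    $i++
}
$sample += [pscustomobject]@{ TimeCreated = $t.AddMinutes(1); TargetUserName = 'asmith@CORP.LOCAL'; ServiceName = 'svc-sql';    TicketEncryptionType = '0x12'; IpAddress = '10.0.7.40' }
$sample += [pscustomobject]@{ TimeCreated = $t.AddMinutes(2); TargetUserName = 'asmith@CORP.LOCAL'; ServiceName = 'FS01$';      TicketEncryptionType = '0x12'; IpAddress = '10.0.7.40' }
$sample += [pscustomobject]@{ TimeCreated = $t.AddMinutes(3); TargetUserName = 'bwong@CORP.LOCAL';  ServiceName = 'svc-legacy'; TicketEncryptionType = '0x17'; IpAddress = '10.0.9.11' }

Find-Kerberoasting -Events $sample | Format-Table -AutoSize
```

In the constructed sample only jdoe trips the threshold: asmith's requests are AES (0x12) and one is for a machine account, and bwong touches a single service. Once you move accounts to AES-only (Set-ADUser -KerberosEncryptionType AES128,AES256) the RC4 filter goes quiet for them, so keep -AnyEncryptionType in a lower-priority rule: roasting an AES ticket is slow, not impossible.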
What is a DCSync attack and how is it detected?
A DCSync attack abuses the legitimate Active Directory Directory Replication Service Remote Protocol (MS-DRSR) to extract password hashes directly from a domain controller without logging on to it. Any account holding the Replicating Directory Changes and Replicating Directory Changes All extended rights on the domain naming context can perform DCSync, and so can anything with GenericAll, WriteDacl, or WriteOwner on the domain object, since it can grant itself those rights. Detection requires monitoring for replication requests (Event 4662, control access 0x100, with the Directory Replication GUIDs 1131f6aa, 1131f6ad, 89e95b76 in the Properties field) originating from principals that are not domain controllers; this event is only written if a SACL on the domain object audits those rights. Some non-DC replication is legitimate, notably an Entra Connect server doing password hash sync, so allowlist those specific accounts rather than suppressing the rule. Prevention requires strict control over who holds DCSync-capable permissions on the domain object.
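The following is an added example, not code from the article or from Cayosoft, of the Event ID 4662 detection described above: keep control-access events whose Properties list one of the three replication GUIDs, drop domain controller computer accounts, and mark a known synchronisation account as expected while alerting on everyone else. The records are constructed sample data in the shape of the 4662 fields; ConvertFrom-Event4662 shows how to get that shape from real events. Note that 4662 carries no source address; join SubjectLogonId to the matching 4624 logon event to find where the request came from.

```powershell
# Added example (not from the original article): DCSync detection over 4662 data.
# Prerequisite (not shown): "Audit Directory Service Access" enabled and a SACL on the
# domain object auditing the replication control-access rights, or 4662 is never written.
function ConvertFrom-Event4662 {
    param([Parameter(ValueFromPipeline = $true)]$Event)
    process {
        $d = @{}
        foreach ($x in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Event.TimeCreated
            SubjectUserName = $d['SubjectUserName']
            SubjectLogonId  = $d['SubjectLogonId']   # join to 4624 for the source IP
            ObjectName      = $d['ObjectName']
            AccessMask      = $d['AccessMask']       # 0x100 = control access (extended right)
            Properties      = $d['Properties']       # multi-line list of {GUID}s
        }
    }
}

$replGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Find-DCSync {
    param(
        [object[]]$Events,
        # DC computer accounts replicate legitimately; so does an Entra Connect server
        # doing password hash sync (its MSOL_* account). Everything else is an alert.
        [string[]]$DomainControllerAccounts,
        [string[]]$KnownSyncAccounts = @()
    )
    foreach ($e in $Events) {
        if ($e.AccessMask -ne '0x100') { continue }
        $hits = @([regex]::Matches($e.Properties, '(?i)[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}') |
                  ForEach-Object { $_.Value.ToLower() } | Where-Object { $replGuids.ContainsKey($_) })
        if ($hits.Count -eq 0) { continue }
        $who = $e.SubjectUserName
        if ($who -in $DomainControllerAccounts) { continue }
        $verdict = if ($who -in $KnownSyncAccounts) { 'expected (sync account; verify the host)' } else { 'ALERT: replication by non-DC' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated; Subject = $who; LogonId = $e.SubjectLogonId
            Rights      = (($hits | ForEach-Object { $replGuids[$_] }) -join ', ')
            Verdict     = $verdict
        }
    }
}

# Constructed sample: a DC, a sync account, a user replicating the domain (DCSync),
# and the same user exercising an unrelated control-access right (not DCSync).
$props = "Control Access`r`n`t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}`r`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-04 02:10:00'; SubjectUserName = 'DC02$';         SubjectLogonId = '0x3e7';   ObjectName = 'DC=corp,DC=local'; AccessMask = '0x100'; Properties = $props },
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-04 02:11:00'; SubjectUserName = 'MSOL_4f2a9c1b'; SubjectLogonId = '0x8a21c'; ObjectName = 'DC=corp,DC=local'; AccessMask = '0x100'; Properties = $props },
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-04 02:12:00'; SubjectUserName = 'jdoe';          SubjectLogonId = '0x9b7e3'; ObjectName = 'DC=corp,DC=local'; AccessMask = '0x100'; Properties = $props },
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-04 02:13:00'; SubjectUserName = 'jdoe';          SubjectLogonId = '0x9b7e3'; ObjectName = 'CN=jdoe,OU=Users,DC=corp,DC=local'; AccessMask = '0x100'; Properties = "Control Access`r`n`t{ab721a53-1e2f-11d0-9819-00aa0040529b}" }
)
Find-DCSync -Events $sample -DomainControllerAccounts 'DC01$', 'DC02$' -KnownSyncAccounts 'MSOL_4f2a9c1b' | Format-Table -AutoSize
```

Matching on the GUIDs rather than on the object name matters: the fourth sample record is the same user exercising a different extended right on their own object and must not fire. Pair this rule with the ACL audit of who holds those rights in the first place, so that a new grant is caught before it is ever used.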
How do you detect a Golden Ticket attack?
Golden Ticket attacks are difficult to detect because forged TGTs appear syntactically valid to domain controllers. Detection signals include: Kerberos tickets with lifetimes exceeding domain policy maximums, tickets that use RC4 encryption when the domain enforces AES, and authentication events that reference accounts that do not exist. KRBTGT rotation is the primary remediation. Because the KDC honours tickets under both the current and the previous KRBTGT key, it must be performed twice, with a wait equal to the maximum Kerberos ticket lifetime (typically 10 hours) and for replication to converge between resets, and only after the attacker's replication access has been removed; otherwise the new hash is re-extracted and the forged tickets simply get reissued.
What is AD CS abuse and why is it particularly dangerous?
Active Directory Certificate Services abuse exploits misconfigurations in enterprise certificate authorities to obtain authentication certificates for privileged accounts. The ESC1-ESC13 vulnerability class documents the primary misconfiguration patterns. AD CS abuse is particularly dangerous because certificates can remain valid for 1-10 years, password resets and account disables do not invalidate issued certificates, and certificate-based persistence is invisible to most monitoring tools. An attacker with an AD CS-obtained certificate for a domain admin account retains that access until the certificate is explicitly revoked, a fresh CRL is published where domain controllers can fetch it, and the underlying template misconfiguration is remediated; revocation that never reaches the CRL the DCs check changes nothing.
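The following is an added example, not code from the article or from Cayosoft, covering the certificate cleanup steps from the recovery section and the template review described here: it lists templates with the ESC1 shape (enrollee-supplied subject, a logon-capable EKU, no manager approval or authorized signature, enrollment open to a low-privilege principal), checks the NTAuth store against the CAs actually registered in Enrollment Services, and pulls certificates the CA issued during the compromise window to find requester/UPN mismatches. It assumes the ActiveDirectory RSAT module, read access to the Configuration partition, and certutil access to the CA; $caConfig and $since are placeholder values to replace, and the low-privilege group names are the English defaults. The revocation line is left commented so nothing is revoked without review.

```powershell
# Added example (not from the original article): AD CS template, NTAuth and issued-cert review.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Templates with the ESC1 shape.
$logonEkus  = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'  # Client Auth, Smart Card Logon, PKINIT Client Auth, Any Purpose
$enrollGuid = '0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$lowPriv    = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'
$published  = @(Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates, cACertificate, dNSHostName)
$publishedNames = @($published | ForEach-Object { $_.certificateTemplates })

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, nTSecurityDescriptor |
ForEach-Object {
    $t = $_
    $supplySubject   = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0     # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0           # CT_FLAG_PEND_ALL_REQUESTS
    $sigRequired     = [int]$t.'msPKI-RA-Signature' -gt 0
    $ekus            = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $logonCapable    = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $_ -in $logonEkus }).Count -gt 0)  # no EKU = any purpose
    $openEnroll      = @()
    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsEnroll = ($ace.ObjectType.ToString() -eq $enrollGuid) -or
                        (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0)
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($grantsEnroll -and $name -in $lowPriv) { $openEnroll += $ace.IdentityReference.Value }
    }
    if ($supplySubject -and $logonCapable -and -not $managerApproval -and -not $sigRequired -and $openEnroll.Count -gt 0) {
        [pscustomobject]@{ Template = $t.Name; Published = ($t.Name -in $publishedNames); OpenTo = ($openEnroll -join ', ') }
    }
} | Format-Table -AutoSize

# 2. NTAuth store: any CA certificate here can issue logon certificates. Anything
#    that is not one of your enrollment-service CAs needs an explanation.
$knownCa = @($published | ForEach-Object { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_.cACertificate[0]).Thumbprint })
$ntauth  = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
foreach ($raw in $ntauth.cACertificate) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter; KnownCA = ($c.Thumbprint -in $knownCa) }
}

# 3. Certificates issued during the compromise window (Disposition=20 = issued). The
#    column names are CA database fields. A UPN in the SAN that does not belong to
#    the requester is the ESC1 fingerprint.
$caConfig = 'PKI01.corp.local\CORP-PKI01-CA'   # placeholder: "CAHOST\CA Name"
$since    = '03/01/2025'                        # placeholder: compromise start, in the system date format
$rows = certutil -config $caConfig -view -restrict "NotBefore>=$since,Disposition=20" `
            -out 'RequestID,RequesterName,CertificateTemplate,UPN,SerialNumber,NotAfter' csv |
        Select-Object -Skip 1 | ConvertFrom-Csv -Header RequestID, Requester, Template, UPN, Serial, NotAfter
foreach ($r in $rows) {
    $requesterSam = ($r.Requester -split '\\')[-1]
    $upnUser      = ($r.UPN -split '@')[0]
    if ($r.UPN -and $upnUser -ne $requesterSam) {
        Write-Warning "Request $($r.RequestID): $($r.Requester) obtained a certificate for $($r.UPN) via $($r.Template) (serial $($r.Serial))"
        # certutil -config $caConfig -revoke $r.Serial 1    # reason 1 = KeyCompromise; review first
    }
}
# After revoking: certutil -config $caConfig -crl publishes a new CRL. Until DCs can fetch it, the revoked certificate still logs on.
```

Fix the template (clear the enrollee-supplies-subject flag, or require manager approval, or restrict enrollment) before revoking, otherwise the attacker simply enrols again with the same low-privilege account; that is the ordering the recovery section prescribes.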
What free Active Directory security tools are available in 2026?
Free Active Directory security tools fall into two categories. Point-in-time assessment scanners identify misconfigurations when you run them and produce a scored report – they do not provide continuous monitoring, real-time alerts, or change history. Cayosoft Guardian Protector is the only free tool that provides always-on, continuous real-time threat detection and change monitoring across Active Directory, Entra ID, Microsoft 365, Teams, Exchange Online, and Intune with no object caps, no trial expiration, and no agents on domain controllers. For comprehensive AD security, both categories serve different purposes.