// Controls Desk · 30 April 2026 · Identity

Active Directory tier-0 hardening — protected accounts, no SPNs on privileged users, monitored sensitive groups

AD remains the highest-blast-radius identity tier in most enterprises. A small set of hardening configurations turns the most reliable lateral-movement playbooks into observable, blockable failures.

Quadrant: Strategic move
Ease: 3 / 5
Impact: 4 / 5
Control family: Identity
Cost band: low
Catalogued incidents: 9

What the control is

Active Directory tier-0 hardening is a set of configurations applied to the directory service and the privileged-account population that closes the most reliable lateral-movement and credential-theft playbooks against AD. The configurations are individually small and well-documented; the control is the discipline of applying them consistently across the tier-0 surface and monitoring the configurations for drift.

The core configurations are:

The Protected Users group, applied to every privileged human account. Members of Protected Users are subject to additional restrictions on credential delegation, NTLM authentication, default cached-credential behaviour and Kerberos pre-authentication. The cumulative effect is to break or constrain several of the canonical credential-theft primitives — pass-the-hash, pass-the-ticket, certain Kerberos abuses.

Removal of service principal names from privileged-user accounts. SPNs on user accounts are what makes the Kerberoasting attack — request a Kerberos service ticket for the SPN, harvest the ticket’s encrypted blob, crack the password offline — possible against that account. Privileged users with SPNs are the highest-value Kerberoasting targets in most environments. The fix is to ensure no privileged user has an SPN attached.

Local Administrator Password Solution (LAPS) for every domain-joined endpoint. LAPS rotates the local administrator password per host and stores it in AD with restricted access, eliminating the “one local admin password fits all” pattern that drives lateral movement after credential dumping.

Sensitive-group monitoring with real-time alerting on membership change for Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Server Operators, and any sensitive privileged groups. Group membership change is one of the most reliable indicators of privilege escalation and rarely benign at tier 0.
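The membership-change alerting described above, as an added example that is not code from the control card or its sources: a PowerShell function that pulls the "member added" events from a domain controller's Security log (or a saved export of it) and keeps only those against tier-0 groups, suitable as a scheduled task or as a SIEM pre-filter. It assumes the "Audit Security Group Management" subcategory is enabled on the DC so that events 4728, 4732 and 4756 are written; the group list and the 24-hour look-back are assumptions to adjust.

```powershell
# Added example: tier-0 group membership-change detection.
# Not code from the control card or its sources.
$SensitiveGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Administrators', 'Backup Operators'
)

function Get-SensitiveGroupAddition {
    param(
        [string[]] $Groups           = $SensitiveGroups,
        [int]      $Hours            = 24,                  # assumption: look-back window
        [string]   $DomainController = $env:COMPUTERNAME,
        [string]   $EvtxPath                                # optional: a saved Security.evtx export
    )
    # 4728 = member added to global group, 4732 = local group, 4756 = universal group.
    # All three are written when "Audit Security Group Management" is enabled on the DC.
    $filter = @{ Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    $query  = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($EvtxPath) { $filter['Path'] = $EvtxPath }
    else           { $filter['LogName'] = 'Security'; $query['ComputerName'] = $DomainController }

    foreach ($e in (Get-WinEvent @query)) {
        # Read the EventData fields by name rather than by position.
        $xml = [xml] $e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($Groups -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                Group   = $d['TargetUserName']
                Member  = $d['MemberName']          # DN of the principal that was added
                AddedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                DC      = $e.MachineName
            }
        }
    }
}

# Every row is an alert at tier 0; there is no benign baseline to suppress.
Get-SensitiveGroupAddition | Format-Table -AutoSize
```

Run it against each domain controller, or against a central collector, because the event is written only by the DC that processed the change. Removals (4729, 4733, 4757) are worth the same treatment when the concern is an attacker cleaning up after themselves.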

Restricted Admin Mode for RDP, Credential Guard enabled where the platform supports it, current domain functional level, and disabled NTLM where business-process compatibility allows. Each individual configuration closes a specific attack primitive; the cumulative posture is meaningfully different from the default.
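As an added example (not tooling from the control card or its sources), the following PowerShell audits the tier-0 population for the drift the Protected Users, SPN and LAPS items above describe, so the configurations are checked on a schedule rather than assumed. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list, the 90-day dormancy threshold and the choice of the Windows LAPS attribute msLAPS-PasswordExpirationTime (legacy LAPS uses ms-Mcs-AdmPwdExpirationTime) are assumptions.

```powershell
# Added example: tier-0 drift audit. Not code from the control card or its sources.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Groups the card names as sensitive, plus the built-in Administrators group.
$Tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators'
)

function Get-Tier0Findings {
    param(
        [string[]] $Groups        = $Tier0Groups,
        [int]      $DormantDays   = 90,                            # assumption: review threshold
        [string]   $LapsAttribute = 'msLAPS-PasswordExpirationTime' # legacy LAPS: ms-Mcs-AdmPwdExpirationTime
    )

    # Resolve nested membership once. Enterprise/Schema Admins exist only in the
    # forest root, so a missing group is skipped rather than aborting the audit.
    $members = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
    }
    $privileged = $members | Sort-Object -Property distinguishedName -Unique

    $protectedDns = @(
        Get-ADGroupMember -Identity 'Protected Users' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty distinguishedName
    )

    foreach ($m in $privileged) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                 -Properties servicePrincipalName, LastLogonDate, PasswordLastSet

        # SPN on a privileged user: a Kerberoasting target. Move the workload to a
        # dedicated service account (or gMSA) and clear the SPN from the user.
        if ($u.servicePrincipalName) {
            [pscustomobject]@{
                Account = $u.SamAccountName; Finding = 'SPN on privileged user'
                Detail  = ($u.servicePrincipalName -join '; ')
            }
        }
        # Enabled privileged user outside Protected Users. Service accounts that
        # surface here need their own accounts, not membership of the group.
        if ($u.Enabled -and ($protectedDns -notcontains $u.DistinguishedName)) {
            [pscustomobject]@{
                Account = $u.SamAccountName; Finding = 'Not in Protected Users'; Detail = ''
            }
        }
        # Dormant privileged account: the group-hygiene problem the card describes.
        if ($u.Enabled -and $u.LastLogonDate -and
            $u.LastLogonDate -lt (Get-Date).AddDays(-$DormantDays)) {
            [pscustomobject]@{
                Account = $u.SamAccountName; Finding = 'Dormant privileged account'
                Detail  = "LastLogonDate $($u.LastLogonDate)"
            }
        }
    }

    # LAPS coverage. If the schema was never extended for this LAPS flavour, an LDAP
    # filter on the attribute evaluates as undefined and silently matches nothing,
    # so check the schema first and report that as its own finding.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attrDefined = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LapsAttribute)"
    if (-not $attrDefined) {
        [pscustomobject]@{ Account = '(domain)'; Finding = 'LAPS attribute not in schema'; Detail = $LapsAttribute }
    }
    else {
        # Enabled, domain-joined computers with no password-expiry value: LAPS is
        # either not installed or not managing the local administrator there.
        $ldap = "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!($LapsAttribute=*)))"
        Get-ADComputer -LDAPFilter $ldap | ForEach-Object {
            [pscustomobject]@{ Account = $_.Name; Finding = 'No LAPS expiry attribute'; Detail = $_.DNSHostName }
        }
    }
}

# Run and export for the quarterly review the card calls for.
Get-Tier0Findings | Sort-Object Finding, Account | Format-Table -AutoSize
```

An empty result set is the target state; anything else is a drift ticket. The Protected Users check deliberately reports every enabled member of the tier-0 groups, because a service account appearing there is a finding in its own right (it should not be in those groups at all), not a reason to add it to Protected Users, where its NTLM and delegation dependencies would break.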

Why it matters

The catalogue’s lateral-movement chapters are a clinic on AD compromise techniques. The OPM breach (2015), Sony Pictures’ Guardians of Peace (2014), Operation Aurora at Google (2010), Microsoft Exchange Hafnium’s post-exploitation phase (2021), the SolarWinds Sunburst follow-on activity, the HSE Ireland Conti spread, and the NotPetya / Maersk lateral propagation all involved some combination of credential dumping, Kerberoasting, pass-the-hash, NTLM relay or Golden Ticket forgery. In each, the techniques worked because the configurations they exploited were the AD defaults rather than the hardened state.

Maersk’s NotPetya recovery story names a single domain controller in Ghana as the survivor of the worm’s lateral propagation. The reason the worm was able to propagate so fast across the global Maersk estate was that the credential-theft and lateral-movement primitives were unimpeded — Mimikatz against unhardened LSASS, NTLM relay across unsigned-SMB-tolerant connections, pass-the-hash against unconstrained delegation. The same configuration choices that constrain those primitives — Credential Guard, Protected Users, Restricted Admin Mode, NTLM disablement — were available before NotPetya. They were not deployed.

The Okta 2022 Lapsus$ incident illustrated the same dynamic in a hybrid environment: contractor laptop compromise into the directory tier, against an AD posture that still permitted the canonical Kerberos and NTLM credential-theft primitives. The Microsoft Exchange Hafnium event of March 2021 saw post-exploitation attackers pivot from the on-prem Exchange compromise into the AD tier with familiar tradecraft against familiar weaknesses.

The control is the hardening that turns the most-rehearsed adversary playbooks into observable, often-blockable failures.

Where the regulators sit

Microsoft’s “Best practices for securing Active Directory” is the canonical technical reference (vendor-authored but vendor-neutral in practice) and is the document the standards bodies cite. NCSC’s “Active Directory hardening” guidance is the UK government articulation and covers the same configurations with British-English framing. The NSA and CISA joint advisories on AD compromise — issued repeatedly across the last five years — specify the same configurations with explicit prioritisation. MITRE ATT&CK lists the techniques each configuration counters: T1558.003 (Kerberoasting), T1003 (OS Credential Dumping), T1550 (Use Alternate Authentication Material), T1207 (Rogue Domain Controller), T1555 (Credentials from Password Stores) and T1078.002 (Domain Accounts).

The framework view is unanimous. The configurations are documented, free, and well-tested. The implementation gap is operational discipline, not technical complexity.

Where it usually breaks

Two failure modes recur. The first is the inventory and group-hygiene problem. Most AD estates have accumulated decades of nested group memberships, dormant privileged accounts, service accounts with excessive rights, and SPNs attached to user accounts that should have been service accounts. The hardening configurations only bite cleanly on a tidy AD estate. The fix is the unromantic group-cleanup work — inventory every privileged group’s nested membership, review every account, retire the dormant ones — before the hardening configurations are pushed.

The second is application-compatibility resistance to disabling NTLM and constraining Kerberos delegation. Some legitimate applications still authenticate over NTLM; some service-to-service patterns rely on unconstrained delegation. The fix is the same monitor-mode rollout pattern as anywhere else: surface the dependencies via NTLM auditing, work through them application-by-application, and only enforce when the audit is clean.
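The NTLM-auditing step of that monitor-mode rollout, as an added example that is not code from the control card or its sources. With the domain controller policy "Network security: Restrict NTLM: Audit NTLM authentication in this domain" set to audit, each DC writes event 8004 to its Microsoft-Windows-NTLM/Operational log for every NTLM authentication the matching restriction policy would block; the function below turns those events into the per-application worklist. The EventData field names it reads (UserName, DomainName, WorkstationName, SChannelName) are an assumption to confirm against one event's XML, and the seven-day window is likewise an assumption.

```powershell
# Added example: NTLM dependency inventory from DC audit events.
# Not code from the control card or its sources.
# Prerequisite (Group Policy on the domain controllers):
#   Network security: Restrict NTLM: Audit NTLM authentication in this domain
# Assumption: the 8004 EventData fields are named UserName, DomainName,
# WorkstationName and SChannelName; verify against one event before relying on it.
function Get-NtlmDependencyInventory {
    param(
        [string[]] $DomainControllers = @($env:COMPUTERNAME),
        [int]      $Days = 7                                  # assumption: audit window
    )
    $hits = foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Microsoft-Windows-NTLM/Operational'
            Id        = 8004
            StartTime = (Get-Date).AddDays(-$Days)
        } | ForEach-Object {
            $xml = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                DC          = $dc
                User        = "$($d['DomainName'])\$($d['UserName'])"
                Workstation = $d['WorkstationName']
                Target      = $d['SChannelName']     # server the client authenticated to
            }
        }
    }

    # One row per (target, client, account) triple, most frequent first: this is the
    # application-by-application worklist. Enforce only once it comes back empty.
    $hits | Group-Object Target, Workstation, User | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count       = $_.Count
                Target      = $_.Group[0].Target
                Workstation = $_.Group[0].Workstation
                User        = $_.Group[0].User
                LastSeen    = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        }
}

Get-NtlmDependencyInventory | Format-Table -AutoSize
```

Re-run the inventory after each application is moved to Kerberos; a row that disappears and does not return over a full business cycle (month-end jobs included) is the evidence that the dependency is really gone. The same pattern, with the client-side "Restrict NTLM: Outgoing NTLM traffic to remote servers" audit policy, surfaces the dependencies of individual servers and workstations.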

What good looks like

Every privileged human account in the Protected Users group. No service principal names attached to user accounts. LAPS deployed on every domain-joined endpoint. Real-time alerting on membership change for every tier-0 sensitive group. Restricted Admin Mode required for RDP to tier-0 hosts. Credential Guard enabled across the supported endpoint estate. Domain functional level current. NTLM disabled or constrained across application populations where business-process compatibility allows. Quarterly review of privileged group membership and account hygiene. Regular tabletop or red-team exercises against the AD tier-0 surface to confirm the hardening configurations actually bite.

The cost is the operational discipline; the technical configurations are free. The benefit is that the most-rehearsed adversary playbooks against AD stop working reliably.

Where this control would have changed the outcome

Sources
