Active Directory security: what we check first
Active Directory is the top target once an attacker is inside a network. We cover the common attack paths (Kerberoasting, AS-REP Roasting, excessive privileges, credential theft) and how to close them.
In most companies running Windows, Active Directory (AD) is the heart of the network — and that’s exactly why it’s the attacker’s main target after gaining initial access. The goal is almost always the same: take over a domain administrator account, because it’s the key to everything. In penetration tests, the path from a regular user to “Domain Admin” is often surprisingly short. Here’s what usually shortens it.
Common attack paths
- Kerberoasting. Any authenticated domain user can request a Kerberos service ticket (TGS) for an account that carries a service principal name (SPN). The ticket is encrypted with that service account's password hash, so it can be cracked offline, and quickly if RC4 is still allowed for the account. Service accounts with a weak password and high privileges are a gift.
- AS-REP Roasting. Accounts with Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag) return an AS-REP encrypted with the user's key to anyone who asks for it, no password needed, and that material is cracked offline the same way.
- Excessive privileges and misconfigured delegation. Badly set ACLs (for example GenericAll, WriteDACL or WriteOwner on privileged objects), delegated permissions, Kerberos delegation (unconstrained delegation in particular) or overly broad group memberships create escalation paths that nobody sees in day-to-day administration.
- Credential theft from memory. After compromising a workstation, the attacker dumps NTLM hashes and Kerberos tickets from LSASS memory and reuses them to move laterally (pass-the-hash, pass-the-ticket). Every privileged account that has logged on to that machine may have left its credentials behind.
Tools like BloodHound map these relationships and show the shortest route to a domain admin — exactly as an attacker does.
What we check and recommend
- A tiering model. Separate domain admin accounts from everyday work: a Tier 0 account (domain admins, domain controllers) is never used to log on to a regular workstation, because anything running there can read its credentials from memory.
- Service-account hygiene. Long, random passwords (or better a group Managed Service Account, gMSA, whose password is rotated automatically), minimal privileges, AES-only encryption types and a regular review of which accounts carry SPNs. This defuses Kerberoasting.
- Permission and group review. Remove unused accounts, limit membership of privileged groups (Domain Admins, Enterprise Admins, Administrators and the operator groups), audit dangerous ACLs.
- LAPS for local administrator passwords: a unique, rotated password per machine, so one recovered local admin hash can no longer be replayed across all workstations.
- Credential protection (Credential Guard, the Protected Users group, restricting where privileged accounts may log on) makes theft of hashes and tickets from memory harder.
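The checks listed above can largely be automated. The following read-only PowerShell audit is an added example written for this page, not the original article's or any vendor tool's code. It assumes the RSAT ActiveDirectory module on a domain-joined host; all queries are reads that an ordinary domain account can perform. The 365-day service-password threshold and the list of groups treated as privileged are assumptions to adjust to your own policy.

```powershell
# Added example: read-only audit of the AD weaknesses discussed in the text.
# Assumes RSAT ActiveDirectory module; runs as an ordinary domain user.
Import-Module ActiveDirectory

# Assumed thresholds / scope; adjust to policy.
$MaxServicePasswordAgeDays = 365
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Schema Admins', 'Account Operators', 'Backup Operators'

# userAccountControl flag bits (documented values).
$ACCOUNTDISABLE         = 0x2
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained Kerberos delegation
$DONT_REQ_PREAUTH       = 0x400000   # AS-REP roastable
$BitAnd = '1.2.840.113556.1.4.803'   # LDAP matching rule: bitwise AND

# 1. Kerberoasting exposure: user objects carrying an SPN. Any authenticated user can
#    request a service ticket for them; the ticket is encrypted with the account's
#    password hash and cracked offline. Get-ADUser excludes computers and gMSAs.
$kerberoastable = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    ForEach-Object {
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'   # unset attribute -> 0
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordAgeDays = $(if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null })
            # Bit 0x4 = RC4-HMAC. An unset attribute also lets the KDC issue RC4 service
            # tickets, which crack far faster than AES ones.
            RC4Allowed      = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
            StalePassword   = ($_.PasswordLastSet -and ((Get-Date) - $_.PasswordLastSet).TotalDays -gt $MaxServicePasswordAgeDays)
            Privileged      = ($_.AdminCount -eq 1)   # adminCount=1: is/was in a protected group
            SPNs            = ($_.servicePrincipalName -join '; ')
        }
    }

# 2. AS-REP roasting: enabled accounts with pre-authentication disabled.
$asrepRoastable = Get-ADUser -LDAPFilter "(&(userAccountControl:$BitAnd:=$DONT_REQ_PREAUTH)(!(userAccountControl:$BitAnd:=$ACCOUNTDISABLE)))" |
    Select-Object Name, SamAccountName

# 3. Unconstrained delegation on anything that is not a domain controller. Such a host
#    caches the TGT of every user who authenticates to it, so compromising it yields
#    privileged tickets as soon as an admin connects. DCs (primaryGroupID 516/521) are
#    excluded because they legitimately carry this flag; objectClass=user also matches computers.
$unconstrained = Get-ADObject -LDAPFilter "(&(objectClass=user)(userAccountControl:$BitAnd:=$TRUSTED_FOR_DELEGATION)(!(primaryGroupID=516))(!(primaryGroupID=521)))" |
    Select-Object Name, ObjectClass

# 4. Privileged group review with nested membership resolved, plus the facts a tiering
#    model depends on. 'Enterprise Admins' exists only in the forest root, hence try/catch.
$privileged = foreach ($g in $PrivilegedGroups) {
    try   { $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop }
    catch { Write-Warning "Skipping '$g': $($_.Exception.Message)"; continue }
    foreach ($m in ($members | Where-Object objectClass -eq 'user')) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, MemberOf, servicePrincipalName
        [pscustomobject]@{
            Group                = $g
            Account              = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordLastSet      = $u.PasswordLastSet
            LastLogonDate        = $u.LastLogonDate
            HasSPN               = [bool]$u.servicePrincipalName   # privileged + SPN: worst Kerberoasting case
            InProtectedUsers     = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })
        }
    }
}

"== Kerberoastable accounts (user objects with an SPN) =="
$kerberoastable | Sort-Object Privileged, PasswordAgeDays -Descending |
    Format-Table Account, Enabled, PasswordAgeDays, StalePassword, RC4Allowed, Privileged -AutoSize
"== AS-REP roastable accounts (pre-authentication disabled, enabled) =="
$asrepRoastable | Format-Table -AutoSize
"== Non-DC principals with unconstrained delegation =="
$unconstrained | Format-Table -AutoSize
"== Privileged group members (nested) =="
$privileged | Sort-Object Group, Account | Format-Table -AutoSize
"== Privileged accounts not in Protected Users =="
$privileged | Where-Object { -not $_.InProtectedUsers } | Select-Object -ExpandProperty Account -Unique
```

Every hit in the first three sections is a direct input for a Kerberoasting, AS-REP Roasting or ticket-harvesting attack, and the fourth section shows where the tiering model is not being followed in practice. The script lists objects and flags; it does not walk ACLs or sessions, which is what BloodHound adds on top.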
Why it matters so much
Hardening AD is one of the most effective ways to break the ransomware attack chain — because it’s domain escalation that turns a single infection into a company-wide paralysis. We cover this in more depth in our piece on defending against ransomware. If you’d like to see how far an attacker could get in your domain, book a penetration test — we’ll show the real paths and how to close them.
Sources and further reading: MITRE ATT&CK, Microsoft — Securing Active Directory.