Audit privileged groups (Domain Admins, Enterprise Admins, Schema Admins). Remove unnecessary members.
Centralize logs from all Domain Controllers (Security, Directory Service, Sysmon, DNS). Keep at least 30 days.
Patch domain controllers and authentication servers regularly.
Require MFA for all privileged and remote logons.
Secure and test system-state backups, including at least one offline copy.
Privileged Access Workstations (PAWs): use dedicated, locked-down systems for domain administration.
Just-In-Time access (JIT): use short-lived, approved privilege elevation instead of permanent admin rights.
Tiered Administration Model:
    Tier 0: Domain Controllers, PKI, AD FS
    Tier 1: Servers
    Tier 2: Workstations
    Prevent credential crossover between tiers.
Harden service accounts: use Group Managed Service Accounts (gMSAs), rotate passwords automatically, avoid domain admin usage.
Disable legacy protocols and ciphers: NTLMv1, LM, RC4, and weak Kerberos encryption types.
Place DCs on isolated management VLANs with minimal inbound traffic.
Remove unnecessary software or roles.
Use BitLocker, Secure Boot, and TPM on physical or virtual DCs.
Enable LAPS to manage local admin passwords on domain-joined systems.
Use read-only DCs (RODCs) for remote or branch offices.
Prevent Kerberoasting:
    Use long, complex service account passwords or gMSAs.
    Disable unconstrained delegation.
Detect forged tickets: monitor abnormal ticket issuance (long lifetimes, cross-host reuse).
Restrict DCSync rights: only Domain Admins, Enterprise Admins, and Domain Controllers should have “Replicating Directory Changes” permissions.
Collect and alert on:
    Group membership changes (Event IDs 4728–4732)
    Privilege escalation or new admin accounts
    Replication activity (Event IDs 4662, 4928, 4929)
    Kerberos and NTLM authentication events (4768, 4769, 4776 anomalies)
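An added example (not part of the original checklist) of how the "Collect and alert on" items above translate into detection logic: a small triage routine run over constructed Security-log events. The event field names, the allowed replicating accounts (DC01$, DC02$) and the sample events are assumptions for the demo; the replication-right GUIDs are the well-known DS-Replication-Get-Changes values.

```python
"""Triage constructed Windows Security events for the AD signals in the checklist."""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_CHANGE_IDS = {4728, 4729, 4730, 4731, 4732}          # checklist range 4728-4732
# Control-access rights that appear in a 4662 "Properties" field when replication is requested.
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",      # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}      # DS-Replication-Get-Changes-All
REPL_ALLOWED = {"DC01$", "DC02$"}   # assumption: the domain's DC computer accounts


def triage(events):
    """Return (rule, subject, detail) alerts for events that warrant review."""
    alerts = []
    for e in events:
        eid, subj = e["EventID"], e.get("SubjectUserName", "?")
        if eid in GROUP_CHANGE_IDS and e.get("TargetGroup") in PRIVILEGED_GROUPS:
            alerts.append(("privileged-group-change", subj,
                           f"{eid} on {e['TargetGroup']}: {e.get('MemberName')}"))
        elif eid == 4662 and REPL_GUIDS & set(e.get("Properties", ())) and subj not in REPL_ALLOWED:
            # Replication rights used by something other than a DC: DCSync-style behaviour.
            alerts.append(("dcsync-like-replication", subj, "replication right used by non-DC account"))
        elif eid == 4769 and e.get("TicketEncryptionType") == "0x17" and not e.get("ServiceName", "").endswith("$"):
            # RC4 service ticket for a user-backed SPN is the classic Kerberoasting footprint.
            alerts.append(("rc4-service-ticket", subj,
                           f"RC4 TGS for {e['ServiceName']} (Kerberoasting indicator)"))
    return alerts


# Constructed sample events (field names modelled on the Security log, values invented).
SAMPLE_EVENTS = [
    {"EventID": 4732, "SubjectUserName": "helpdesk1", "TargetGroup": "Remote Desktop Users",
     "MemberName": "CN=asmith"},                                       # benign
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetGroup": "Domain Admins",
     "MemberName": "CN=jdoe"},                                         # alert
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},          # benign: DC replicating
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},          # alert
    {"EventID": 4769, "SubjectUserName": "asmith", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12"},                                  # benign: AES
    {"EventID": 4769, "SubjectUserName": "jdoe", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17"},                                  # alert
]

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

In production the same rules would read from the SIEM rather than an inline list, and REPL_ALLOWED should be generated from the Domain Controllers OU rather than hard-coded.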
Deploy EDR on DCs and PAWs to catch credential-theft tools and techniques (e.g., pass-the-hash).
Baseline normal admin activity and alert on deviations (time, source, machine).
Perform monthly AD security reviews with tools like PingCastle, Purple Knight, or Microsoft’s AD Assessment scripts.
Prioritize findings based on exploitability (unconstrained delegation, stale admin accounts, weak service passwords).
Conduct phishing and credential-reuse training for admins.
Maintain an AD compromise response playbook: isolate DCs, reset privileged credentials, and verify integrity.
Keep clean, offline backups of system state and forest metadata.
Test authoritative restore or forest recovery regularly.
Rotate all sensitive passwords and keys after suspected compromise.
Enforce password complexity and ban known breached passwords.
Require MFA for all administrative access.
Limit or disable PowerShell Remoting where not needed.
Apply change-control reviews for GPO edits and privileged group membership.
Regularly review delegations and ACLs on OUs and GPOs.
Centralize and retain DC logs (≥30 days).
Enforce MFA on all admin accounts.
Enable LAPS and gMSA for service accounts.
Reduce Domain Admin membership and enable JIT elevation.
Disable NTLMv1 and weak encryption.
Test offline AD restore monthly.