Most successful cyberattacks targeting Windows networks don’t start with malware — they start with misconfigured Active Directory environments. Attackers don’t need to break down the door if it’s already unlocked.
Active Directory (AD) is the backbone of most Windows-based enterprise networks. It manages users, computers, permissions, and policies across an organization — which also makes it one of the most targeted systems by attackers. A single misconfigured account or legacy protocol left enabled can hand an attacker the keys to your entire domain.
If you are studying for CompTIA Security+, working toward a cybersecurity diploma, or just getting started in IT, understanding how to secure Active Directory is an essential skill. In this guide, you will learn the key steps to harden a Windows Active Directory environment, with practical commands and Group Policy settings you can apply in a virtual lab or real-world deployment.
- What is Active Directory and Why Does It Need to Be Secured?
- Step 1 — Secure the Administrator Account
- Step 2 — Implement the Principle of Least Privilege
- Step 3 — Enforce a Strong Password Policy via Group Policy
- Step 4 — Enable and Configure Account Lockout Policy
- Step 5 — Audit and Monitor AD Events
- Step 6 — Secure Privileged Accounts with Tiered Access
- Step 7 — Disable Legacy Protocols
- Step 8 — Keep Domain Controllers Patched and Hardened
- Step 9 — Use the Microsoft Security Compliance Toolkit
- Quick Reference Checklist
- Common Mistakes Beginners Make
- 🧪 Hands-On Practice Lab
- Conclusion
1. What is Active Directory and Why Does It Need to Be Secured?
Active Directory Domain Services (AD DS) is a Microsoft directory service that authenticates and authorizes users and computers in a Windows domain network. It stores information about network objects — users, groups, computers, and printers — and provides a centralized way to manage them through Group Policy.
Why attackers target Active Directory
- It controls access to virtually everything on the network
- Compromising a Domain Admin account means full control of the domain
- Legacy misconfigurations are extremely common in real environments
- Specialized attack techniques are built specifically to exploit AD weaknesses
Common real-world attacks that target Active Directory:
Securing AD is not optional — it is a foundational requirement for any organization running Windows infrastructure.
New to Active Directory? Start with the basics first: What is Active Directory — then come back to this hardening guide. Also useful: What is Group Policy and our Beginner PowerShell Guide.
2. Secure the Administrator Account
The built-in Administrator account is a well-known target. Because its name is predictable, attackers often target it directly in brute-force and credential-stuffing attacks.
Rename the built-in Administrator account
Open Group Policy Management Console (GPMC) and navigate to:
→ Local Policies → Security Options
→ Accounts: Rename administrator account → Set a non-obvious name
Disable the built-in Administrator account
# Domain account, so use the AD cmdlet; run this only after the replacement admin account below exists and has been tested
Disable-ADAccount -Identity "Administrator"
Create a dedicated admin account with a unique name
New-ADUser -Name "corp-admin01" -AccountPassword (Read-Host -AsSecureString "Password") `
-Enabled $true -PasswordNeverExpires $false
Add-ADGroupMember -Identity "Domain Admins" -Members "corp-admin01"
Add privileged accounts to the Protected Users group
Members of this group are automatically protected against Pass-the-Hash, Pass-the-Ticket, and other credential theft techniques. Because membership blocks NTLM authentication and credential caching, test access before adding an account, and never add service or computer accounts:
Add-ADGroupMember -Identity "Protected Users" -Members "corp-admin01"
3. Implement the Principle of Least Privilege
Every user and service account should only have the permissions they need to do their job — nothing more. Over-privileged accounts are one of the most common ways attackers move laterally after an initial compromise.
- Never assign Domain Admin rights to regular user accounts
- Create separate accounts for administrative tasks vs daily use
- Review group memberships on a scheduled, regular basis
Audit privileged group memberships
# Check Domain Admins
Get-ADGroupMember -Identity "Domain Admins" | Select-Object Name, SamAccountName
# Check Enterprise Admins
Get-ADGroupMember -Identity "Enterprise Admins" | Select-Object Name, SamAccountName
# Check Schema Admins
Get-ADGroupMember -Identity "Schema Admins" | Select-Object Name, SamAccountName
Any account that does not need to be in these groups should be removed immediately.
Audit delegated permissions in AD
# Show all objects with non-inherited ACLs (reads every object; scope with -SearchBase on large domains)
Get-ADObject -Filter * -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected -eq $true } |
    Select-Object DistinguishedName, ObjectClass
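An added example (not code from the original guide) that ties the two sections above together: it lists every member of the privileged groups with nested groups resolved, flags members missing from a reviewed allow-list, shows whether each user is in Protected Users, and locates the built-in Administrator by its well-known RID (500) even after a rename. The allow-list contents are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original guide.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Hypothetical allow-list: replace with the accounts your last review signed off.
$Approved = @{
    'Domain Admins'     = @('corp-admin01')
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Administrators'    = @('corp-admin01')
}

function Get-PrivilegedGroupDrift {
    param([string[]]$Groups = $PrivilegedGroups, [hashtable]$Allowed = $Approved)

    # Protected Users only exists at the 2012 R2 functional level or later
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName)
    foreach ($group in $Groups) {
        # -Recursive flattens nested groups so an account two levels deep is still seen
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            $user = if ($m.objectClass -eq 'user') { Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate } else { $null }
            [pscustomobject]@{
                Group       = $group
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                Enabled     = $user.Enabled
                LastLogon   = $user.LastLogonDate
                InProtected = $protected -contains $m.SamAccountName
                Approved    = $Allowed[$group] -contains $m.SamAccountName
            }
        }
    }
}

function Get-BuiltinAdministrator {
    # The built-in account always has RID 500; renaming changes the name, not the SID
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Properties LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate
}

# Approved = $false marks a removal candidate; InProtected = $false on an enabled admin
# user means the Protected Users step has not been applied to that account.
Get-PrivilegedGroupDrift | Sort-Object Group, Member | Format-Table -AutoSize
Get-BuiltinAdministrator
```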
4. Enforce a Strong Password Policy via Group Policy
Weak passwords are one of the most common entry points for attackers. Group Policy allows you to enforce password complexity requirements across your entire domain from a single location.
Open Group Policy Management
Computer Configuration → Windows Settings → Security Settings
→ Account Policies → Password Policy
Recommended password policy settings
| Setting | Recommended Value |
|---|---|
| Minimum password length | 14 characters or more |
| Password complexity | Enabled |
| Maximum password age | 60–90 days |
| Minimum password age | 1 day |
| Enforce password history | 24 passwords remembered |
| Store passwords using reversible encryption | Disabled |
Apply via PowerShell
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" `
-MinPasswordLength 14 `
-ComplexityEnabled $true `
-MaxPasswordAge (New-TimeSpan -Days 90) `
-MinPasswordAge (New-TimeSpan -Days 1) `
-PasswordHistoryCount 24
Fine-Grained Password Policies for privileged accounts
Fine-Grained Password Policies (FGPP) let you apply stricter rules to specific groups like Domain Admins, without affecting regular users:
New-ADFineGrainedPasswordPolicy -Name "AdminPasswordPolicy" `
-Precedence 1 `
-MinPasswordLength 20 `
-ComplexityEnabled $true `
-MaxPasswordAge (New-TimeSpan -Days 60) `
-PasswordHistoryCount 24 `
-LockoutThreshold 3 `
-LockoutDuration (New-TimeSpan -Minutes 30) `
-LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminPasswordPolicy" `
-Subjects "Domain Admins"
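An added example (not from the original guide) that checks the FGPP actually wins for every Domain Admin. An FGPP applies by precedence (lower number wins) and only to its subjects, so an admin who reaches the group through a nested group that is not a subject silently falls back to the default domain policy. The policy name and the 20-character expectation are the ones used above; the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the original guide.
Import-Module ActiveDirectory

function Test-AdminPasswordPolicy {
    param(
        [string]$Group = 'Domain Admins',
        [string]$ExpectedPolicy = 'AdminPasswordPolicy',
        [int]$MinLength = 20
    )
    $default = Get-ADDefaultDomainPasswordPolicy

    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            # Resultant policy is empty when no FGPP applies; the default domain policy is then in force
            $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            $effective = if ($fgpp) { $fgpp } else { $default }
            [pscustomobject]@{
                Account         = $_.SamAccountName
                EffectivePolicy = if ($fgpp) { $fgpp.Name } else { 'Default Domain Policy' }
                MinLength       = $effective.MinPasswordLength
                LockoutAfter    = $effective.LockoutThreshold
                Compliant       = [bool]($fgpp -and $fgpp.Name -eq $ExpectedPolicy -and
                                         $fgpp.MinPasswordLength -ge $MinLength)
            }
        }
}

# Any row with Compliant = $false needs a subject/membership fix or a precedence review
Test-AdminPasswordPolicy | Sort-Object Compliant, Account | Format-Table -AutoSize
```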
5. Enable and Configure Account Lockout Policy
Account lockout prevents brute-force attacks by disabling an account after a set number of failed login attempts. Without this, an attacker can try unlimited password combinations.
Configure via Group Policy
→ Account Policies → Account Lockout Policy
Recommended lockout settings
| Setting | Recommended Value |
|---|---|
| Account lockout threshold | 5 invalid attempts |
| Account lockout duration | 30 minutes |
| Reset account lockout counter after | 30 minutes |
Apply via PowerShell
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" `
-LockoutThreshold 5 `
-LockoutDuration (New-TimeSpan -Minutes 30) `
-LockoutObservationWindow (New-TimeSpan -Minutes 30)
6. Audit and Monitor AD Events
If you are not logging what happens in your AD environment, you will not know when an attack occurs. Windows Event Log is your first line of visibility into what is happening on your domain.
Enable Advanced Audit Policy
→ Advanced Audit Policy Configuration → Audit Policies
Critical audit categories to enable
| Audit Category | Setting |
|---|---|
| Account Logon | Success and Failure |
| Account Management | Success and Failure |
| Logon/Logoff | Success and Failure |
| Object Access | Failure |
| Privilege Use | Failure |
| Policy Change | Success and Failure |
| Directory Service Access | Success and Failure |
Enable via command line
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Directory Service Access" /success:enable /failure:enable
Key Windows Event IDs to monitor
| Event ID | Description |
|---|---|
| 4625 | Failed logon attempt |
| 4648 | Logon with explicit credentials |
| 4672 | Special privileges assigned to new logon |
| 4720 | A user account was created |
| 4728 | A member was added to a security-enabled global group |
| 4756 | A member was added to a universal security group |
| 4771 | Kerberos pre-authentication failed |
| 4776 | DC attempted to validate credentials (NTLM) |
Query failed logon events with PowerShell
# Find all failed logon attempts in the last 24 hours
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Message
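An added example (not from the original guide) that turns the 4625 and 4771 events from the table above into a password-spray signal. A spray looks like one source address failing against many different accounts a few times each, so the per-account lockout threshold never trips and a plain list of 4625s hides it. The 24-hour window and the 10-account threshold are assumptions; run it on a domain controller with the audit categories above enabled.

```powershell
# Added example, not part of the original guide.
function Get-EventField {
    # Pull a named EventData field (TargetUserName, IpAddress, ...) out of the event XML
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-PasswordSpray {
    param(
        [int]$Hours = 24,
        [int]$MinDistinctAccounts = 10   # one source failing against 10+ accounts is suspicious
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4771           # NTLM/local failures and Kerberos pre-auth failures
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $attempts = foreach ($e in $events) {
        # 4771 reports addresses as ::ffff:a.b.c.d; normalise so both IDs group together
        $ip = ([string](Get-EventField $e 'IpAddress')) -replace '^::ffff:', ''
        [pscustomobject]@{
            Source  = $ip
            Account = ([string](Get-EventField $e 'TargetUserName')).ToLower()
            Id      = $e.Id
            Time    = $e.TimeCreated
        }
    }

    $attempts | Where-Object { $_.Source -and $_.Source -ne '-' } |
        Group-Object Source | ForEach-Object {
            $accounts = @($_.Group.Account | Sort-Object -Unique)
            [pscustomobject]@{
                Source           = $_.Name
                Failures         = $_.Count
                DistinctAccounts = $accounts.Count
                FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
                Suspicious       = $accounts.Count -ge $MinDistinctAccounts
            }
        } | Sort-Object DistinctAccounts -Descending
}

Find-PasswordSpray | Format-Table -AutoSize
```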
7. Secure Privileged Accounts with Tiered Access
Microsoft recommends a Tiered Administration Model to limit how far privileged credentials can spread across your environment. The model has three tiers:
- Tier 0: Domain Controllers, Active Directory, PKI infrastructure. Only Tier 0 admins touch these.
- Tier 1: Application servers, databases, and enterprise services.
- Tier 2: End-user desktops, laptops, and standard devices.
Restrict admin logon rights via GPO
→ Local Policies → User Rights Assignment
→ Deny log on locally → Add Domain Admins (apply on non-DC systems)
Use Privileged Access Workstations (PAWs): Dedicated, hardened machines used only for administrative tasks. Never browse the internet or check email from a PAW.
8. Disable Legacy Protocols
Legacy protocols were designed before modern security requirements existed. They remain enabled by default in many environments and are frequently exploited.
Disable NTLMv1
→ Local Policies → Security Options
→ Network security: LAN Manager authentication level
→ Set to: Send NTLMv2 response only. Refuse LM & NTLM
Disable SMBv1
SMBv1 was exploited in the WannaCry and NotPetya ransomware attacks. There is no reason to have it enabled:
# Check current status
Get-SmbServerConfiguration | Select EnableSMB1Protocol
# Disable SMBv1 on the server
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable via Windows Features on workstations
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Disable LLMNR
LLMNR (Link-Local Multicast Name Resolution) is used by tools like Responder to capture credentials on the network:
→ DNS Client → Turn off multicast name resolution → Enabled
Disable NetBIOS over TCP/IP
# Disable NetBIOS on all IP-enabled network adapters
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($adapter in $adapters) {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable
    Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
}
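An added example (not from the original guide) that verifies the four legacy-protocol changes above actually landed on a host instead of assuming the GPO applied. It is read-only: it inspects the registry values the GPO settings write to and the SMB and adapter configuration, and changes nothing.

```powershell
# Added example, not part of the original guide.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value = not configured by policy
}

function New-Check {
    param($Protocol, $Current, $Compliant, $Expected)
    [pscustomobject]@{
        Protocol  = $Protocol
        Current   = if ($null -eq $Current) { '(not configured)' } else { $Current }
        Expected  = $Expected
        Compliant = [bool]$Compliant
    }
}

function Test-LegacyProtocols {
    # SMBv1: server-side switch (the workstation feature removal is a separate check)
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    New-Check 'SMBv1' $smb1 (-not $smb1) 'False'

    # LAN Manager authentication level: 5 = Send NTLMv2 response only. Refuse LM & NTLM
    $lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    New-Check 'NTLMv1 / LM' $lm ($lm -eq 5) '5'

    # LLMNR: "Turn off multicast name resolution" = Enabled writes EnableMulticast = 0
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    New-Check 'LLMNR' $llmnr ($llmnr -eq 0) '0'

    # NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, checked per IP-enabled adapter
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    $nbOn = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    New-Check 'NetBIOS over TCP/IP' "$($nbOn.Count) adapter(s) still enabled" ($nbOn.Count -eq 0) '0 adapters'
}

Test-LegacyProtocols | Format-Table -AutoSize
```

Run it once before and once after the GPO refresh; a row that stays Compliant = $false after gpupdate usually means the setting is in a GPO that does not link to that host.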
9. Keep Domain Controllers Patched and Hardened
Domain Controllers are the most critical servers in your environment. Unpatched DCs are a top target for attackers looking to exploit known vulnerabilities.
- Apply Windows security updates monthly on Patch Tuesday
- Do not install unnecessary software or roles on DCs
- Restrict physical and remote access — only Tier 0 admins should have DC access
- Do not allow DCs to browse the internet
- Enable Windows Firewall on all Domain Controllers
Check recent patches via PowerShell
# View the 10 most recently installed hotfixes
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
# Using the PSWindowsUpdate module (a community module from the PowerShell Gallery) for full update management
Install-Module PSWindowsUpdate
Get-WindowsUpdate   # lists updates that are available but not yet installed
Restrict RDP access to Domain Controllers
→ Local Policies → User Rights Assignment
→ Allow log on through Remote Desktop Services
→ Remove all groups → Add only: DC-Admins (your Tier 0 group)
10. Use the Microsoft Security Compliance Toolkit
Microsoft provides free hardening baselines for Windows Server and Active Directory through the Security Compliance Toolkit (SCT). These baselines are aligned with CIS and NIST standards and give you a tested starting point rather than building policy from scratch.
Download: microsoft.com — Security Compliance Toolkit
The toolkit includes:
- Pre-built GPO baselines aligned to CIS and NIST standards
- Policy Analyzer tool to compare your current settings against the baseline
- LGPO.exe for importing and exporting local policy settings
Basic workflow
- Download the baseline for your Windows Server version
- Import the GPO into your domain using GPMC
- Use Policy Analyzer to identify gaps between your current policy and the baseline
- Remediate differences incrementally — do not apply everything at once in production
11. Quick Reference Checklist
Use this checklist when hardening a Windows Active Directory environment:
- Rename and/or disable the built-in Administrator account
- Add privileged accounts to the Protected Users security group
- Enforce minimum 14-character passwords with complexity requirements
- Apply Fine-Grained Password Policies (FGPP) to admin accounts (20+ characters)
- Configure account lockout — 5 attempts, 30-minute lockout duration
- Enable Advanced Audit Policy for all critical event categories
- Monitor key Event IDs: 4625, 4672, 4720, 4728, 4771, 4776
- Implement the Tiered Administration Model (Tier 0 / 1 / 2)
- Disable SMBv1, NTLMv1, LLMNR, and NetBIOS over TCP/IP
- Restrict Domain Admin logon rights to Tier 0 systems only
- Patch Domain Controllers monthly — no exceptions
- Apply Microsoft Security Compliance Toolkit baseline GPOs
- Review Domain Admin and Enterprise Admin memberships on a regular schedule
12. Conclusion
Securing Active Directory is an ongoing process, not a one-time task. Attackers continuously probe for misconfigurations, stale accounts, overprivileged users, and legacy protocols. By following the steps in this guide — strong password policies, least privilege, auditing, disabling legacy protocols, and keeping systems patched — you significantly reduce the attack surface of your AD environment.
As you grow in your cybersecurity career, tools like BloodHound (for AD attack path analysis), Microsoft Defender for Identity, and SIEM platforms will extend your ability to detect and respond to AD-based threats in real time. But the fundamentals covered here are where every IT student and analyst must start.
