Active Directory Security Checklist

A complete Active Directory security audit checklist covering GPO hardening, privilege escalation prevention, Kerberos security, LDAP signing, AdminSDHolder protection, and domain controller lockdown. Use this guide to systematically secure your AD environment against modern attack techniques.

Table of Contents

Why Active Directory Security Matters

Active Directory is the backbone of identity management in over 90% of enterprise environments. A compromised AD environment gives attackers the keys to every system, application, and data store in the organization. Attacks like Kerberoasting, DCSync, Golden Ticket, and Pass-the-Hash specifically target AD misconfigurations that are present in the majority of deployments.

This checklist provides actionable steps organized by attack surface area. Each item includes the risk it mitigates and verification steps.

Pre-Audit Preparation

Before beginning the audit, gather the following:

  • Forest and domain functional level -- Verify you are running at least Windows Server 2016 functional level
  • Domain controller inventory -- List all DCs, their OS versions, and patch levels
  • Privileged group membership -- Export members of Domain Admins, Enterprise Admins, Schema Admins, and Administrators
  • Service account inventory -- Identify all service accounts, their SPNs, and password ages
  • Trust relationships -- Document all forest and domain trusts, including trust direction and type
  • Backup of current GPOs -- Export all GPOs before making changes
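The six inventory items above, collected in one run. This is an added example rather than the checklist's own script; it assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to the domain, execution in the forest root domain (where Enterprise Admins and Schema Admins live), and the constructed output path in $OutDir.

```powershell
# Added example (not the checklist's own code): gather the pre-audit inventory into one
# folder. Assumes the RSAT ActiveDirectory and GroupPolicy modules, read rights on the
# domain, and that it runs in the forest root domain (Enterprise/Schema Admins live there).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OutDir = Join-Path $env:TEMP ('ad-audit-' + (Get-Date -Format 'yyyyMMdd-HHmm'))  # constructed path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Forest and domain functional level (checklist wants Windows2016Forest / Windows2016Domain or later)
$forest = Get-ADForest; $domain = Get-ADDomain
[pscustomobject]@{ Forest = $forest.Name; ForestLevel = $forest.ForestMode
                   Domain = $domain.DNSRoot; DomainLevel = $domain.DomainMode } |
    Export-Csv (Join-Path $OutDir 'functional-levels.csv') -NoTypeInformation

# Domain controller inventory with OS version and the newest hotfix as a patch-level hint
Get-ADDomainController -Filter * | ForEach-Object {
    $last = Get-HotFix -ComputerName $_.HostName -ErrorAction SilentlyContinue |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{ DC = $_.HostName; OS = $_.OperatingSystem; Build = $_.OperatingSystemVersion
                       ReadOnly = $_.IsReadOnly; LastHotFix = $last.HotFixID; LastHotFixDate = $last.InstalledOn }
} | Export-Csv (Join-Path $OutDir 'domain-controllers.csv') -NoTypeInformation

# Privileged group membership, expanded through nested groups
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass, distinguishedName |
        Export-Csv (Join-Path $OutDir 'privileged-members.csv') -NoTypeInformation -Append
}

# Service account inventory: every user with an SPN, with password age in days
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { [int](New-TimeSpan -Start $_.PasswordLastSet).TotalDays } } },
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Export-Csv (Join-Path $OutDir 'service-accounts.csv') -NoTypeInformation

# Trust relationships with direction and type (SID filtering state is worth recording too)
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined |
    Export-Csv (Join-Path $OutDir 'trusts.csv') -NoTypeInformation

# Backup of every GPO before anything is changed
$gpoDir = New-Item -ItemType Directory -Path (Join-Path $OutDir 'gpo-backup') -Force
Backup-GPO -All -Path $gpoDir.FullName | Out-Null
Write-Host "Inventory written to $OutDir"
```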

Recommended Tools

| Tool | Purpose |
| --- | --- |
| PingCastle | AD security assessment and scoring |
| Purple Knight | Community AD security audit |
| BloodHound | Attack path visualization |
| ADRecon | AD data collection for offline analysis |
| Microsoft Security Compliance Toolkit | GPO baseline comparison |

Domain Controller Hardening

  • Patch management -- All DCs running latest cumulative updates within 30 days of release
  • Minimize installed roles -- DCs should only run AD DS, DNS, and optionally DHCP. Remove all other roles
  • Disable SMBv1 -- Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • Enable SMB signing -- Required on all DCs via GPO: Microsoft network server: Digitally sign communications (always) = Enabled
  • Restrict local logon -- Only Domain Admins and Enterprise Admins should have local logon rights on DCs
  • Disable Print Spooler -- Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled (mitigates PrintNightmare)
  • Enable Windows Firewall -- Configure DC-specific firewall rules allowing only required AD ports
  • Secure RDP access -- Restrict RDP to DCs from dedicated admin workstations only via GPO or firewall rules
  • BitLocker on DC drives -- Encrypt all volumes on physical domain controllers
  • Secure boot and TPM -- Enable on all physical DCs
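A verification pass for the items above that can be read from the DC itself (patch age, roles, SMBv1, SMB signing, Print Spooler, firewall, BitLocker, TPM, Secure Boot). Added example, not the checklist's own code; it assumes it runs on a Server 2016 or later DC, locally or through Invoke-Command.

```powershell
# Added example, not the checklist's own code. Run on a DC (or via Invoke-Command); assumes
# Server 2016+ so Get-NetFirewallProfile, Get-BitLockerVolume, Get-Tpm and Confirm-SecureBootUEFI exist.
function Test-DcHardening {
    $smb   = Get-SmbServerConfiguration
    $spool = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $allowedRoles = 'AD-Domain-Services', 'DNS', 'DHCP'   # checklist: AD DS, DNS, optionally DHCP
    $extraRoles = Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $allowedRoles } |
        Select-Object -ExpandProperty Name
    $fwOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
    $noBl  = Get-BitLockerVolume -ErrorAction SilentlyContinue | Where-Object { $_.ProtectionStatus -ne 'On' } |
        Select-Object -ExpandProperty MountPoint
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS

    # Each entry: name = @(pass?, detail). Parentheses matter: the comma binds tighter than -not.
    $checks = [ordered]@{
        'SMBv1 disabled'            = @( (-not $smb.EnableSMB1Protocol), $smb.EnableSMB1Protocol )
        'SMB signing required'      = @( $smb.RequireSecuritySignature, $smb.RequireSecuritySignature )
        'Print Spooler disabled'    = @( ($null -eq $spool -or ($spool.Status -eq 'Stopped' -and $spool.StartType -eq 'Disabled')),
                                        "$($spool.Status)/$($spool.StartType)" )
        'Only AD DS/DNS/DHCP roles' = @( (-not $extraRoles), ($extraRoles -join ',') )
        'Firewall on all profiles'  = @( (-not $fwOff), ($fwOff -join ',') )
        'BitLocker on all volumes'  = @( (-not $noBl), ($noBl -join ',') )
        'Patched within 30 days'    = @( ($lastFix.InstalledOn -gt (Get-Date).AddDays(-30)), "$($lastFix.HotFixID) $($lastFix.InstalledOn)" )
        'TPM present and ready'     = @( ($tpm.TpmPresent -and $tpm.TpmReady), "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)" )
        'Secure Boot enabled'       = @( $secureBoot, $secureBoot )
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Pass = [bool]$c.Value[0]; Detail = [string]$c.Value[1] }
    }
}

Test-DcHardening | Format-Table -AutoSize
```

Local logon and RDP restrictions are GPO-delivered user rights and are better verified from the resultant policy (gpresult or Get-GPResultantSetOfPolicy) than from the box.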

Group Policy Object (GPO) Security

GPO Permissions

  • Review GPO edit permissions -- Only Domain Admins and designated GPO administrators should have Edit rights
  • Remove Authenticated Users from GPO edit -- Default permissions often grant excessive access
  • Audit GPO link permissions -- Verify who can link GPOs to OUs
  • Block inheritance review -- Document all OUs with blocked inheritance and verify business justification
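The four GPO permission checks above as one script: edit rights outside an allow-list (with Authenticated Users flagged for removal), who can write the gPLink/gPOptions attributes that linking requires, and OUs with blocked inheritance. Added example, not the checklist's own code; the $allowedEditors list is an assumption to adjust for your GPO admin group, and it assumes the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added example, not the checklist's own code. $allowedEditors is an assumption: add your GPO admin group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$allowedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS'
$editLevels     = 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-GpoEditFindings {
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -in $editLevels -and $_.Trustee.Name -notin $allowedEditors } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO         = $gpo.DisplayName
                    Trustee     = $_.Trustee.Name
                    TrusteeType = $_.Trustee.SidType
                    Permission  = $_.Permission
                    Action      = if ($_.Trustee.Name -eq 'Authenticated Users') { 'REMOVE' } else { 'REVIEW' }
                }
            }
    }
}

# Schema GUIDs of gPLink and gPOptions; an empty ObjectType on a WriteProperty ACE means "all properties"
$linkAttrs = 'f30e3bbe-9ff0-11d1-b603-0000f80367c1', 'f30e3bbf-9ff0-11d1-b603-0000f80367c1'
function Get-GpoLinkRights {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' -and
                ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType.ToString() -in $linkAttrs) -and
                $_.IdentityReference -notmatch 'Domain Admins|Enterprise Admins|SYSTEM'
            } |
            Select-Object @{ n = 'OU'; e = { $ou.DistinguishedName } }, IdentityReference, ActiveDirectoryRights, IsInherited
    }
}

# OUs with "Block Inheritance" set; each needs a documented business justification
function Get-BlockedInheritanceOUs {
    Get-ADOrganizationalUnit -Filter * | ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
        Where-Object GpoInheritanceBlocked | Select-Object Path, GpoInheritanceBlocked
}

Get-GpoEditFindings       | Format-Table -AutoSize
Get-GpoLinkRights         | Format-Table -AutoSize
Get-BlockedInheritanceOUs | Format-Table -AutoSize
```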

Critical GPO Settings

  • Restrict software installation -- Configure AppLocker or WDAC policies via GPO
  • Disable LLMNR -- Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution = Enabled
  • Disable NetBIOS over TCP/IP -- Configure via the Microsoft vendor-specific DHCP option 001 (Microsoft Disable Netbios Option, value 2) or in each network adapter's WINS settings
  • Disable WPAD -- Remove WPAD DNS entries and disable auto-proxy detection
  • Enable PowerShell logging -- Module logging, Script Block logging, and Transcription
  • Restrict macro execution -- Block macros in files from the internet via GPO

Privilege Escalation Prevention

Tiered Administration Model

Implement Microsoft's tiered administration model to prevent credential theft from cascading:

| Tier | Assets | Admin Scope |
| --- | --- | --- |
| Tier 0 | Domain controllers, AD, PKI | Domain Admins (never log into lower tiers) |
| Tier 1 | Member servers, applications | Server Admins (never log into Tier 0 or workstations) |
| Tier 2 | Workstations, end-user devices | Helpdesk, desktop admins |

  • Separate admin accounts per tier -- No single account should span tiers
  • Privileged Access Workstations (PAWs) -- Tier 0 admins use dedicated, hardened workstations
  • Deny logon restrictions -- Use GPO to prevent Tier 0 accounts from logging into Tier 1/2 systems
  • Remove Domain Admins from local admin groups -- Use LAPS or dedicated local admin accounts
  • Implement LAPS -- Local Administrator Password Solution for unique local admin passwords on every machine
  • Disable delegation for admin accounts -- Mark all admin accounts as "Account is sensitive and cannot be delegated"
  • Review nested group memberships -- Check for indirect privilege escalation via group nesting

Service Account Security

  • Group Managed Service Accounts (gMSA) -- Migrate service accounts to gMSA where possible
  • Reduce SPN exposure -- Remove unnecessary SPNs that enable Kerberoasting
  • 25+ character passwords for service accounts -- Minimum 25 characters for accounts that cannot use gMSA
  • Deny interactive logon for service accounts -- Use GPO to prevent interactive logon

Kerberos Security

  • Disable RC4 encryption -- Force AES128/AES256 for Kerberos: Network security: Configure encryption types allowed for Kerberos
  • Reduce TGT lifetime -- Set maximum ticket lifetime to 4 hours (default 10 hours)
  • Enable Kerberos armoring (FAST) -- Protects pre-authentication exchange
  • Monitor for Kerberoasting -- Alert on Event ID 4769 with RC4 encryption and service accounts
  • Monitor for AS-REP Roasting -- Verify no accounts have "Do not require Kerberos preauthentication" enabled
  • Protected Users group -- Add all Tier 0 admin accounts to the Protected Users security group
  • Krbtgt password rotation -- Reset the krbtgt password twice (with 12-hour gap) at least annually
  • Constrained delegation review -- Audit all accounts with constrained or unconstrained delegation
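One audit pass covering the Kerberos items above together with the service-account and admin-delegation items from the previous sections: AS-REP roastable accounts, SPN accounts that still accept RC4 or have stale passwords, unconstrained and constrained delegation, Tier 0 accounts missing the "cannot be delegated" flag or Protected Users membership, and krbtgt password age. Added example, not the checklist's own code; it assumes the ActiveDirectory module, a domain where the Protected Users group exists, and uses Domain Admins as the stand-in for "Tier 0 accounts".

```powershell
# Added example (not the checklist's own code). Assumes the ActiveDirectory module, a domain
# with the Protected Users group, and Domain Admins as the stand-in for Tier 0 accounts.
Import-Module ActiveDirectory

function Get-KerberosFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Account, $Finding) $findings.Add([pscustomobject]@{ Account = $Account; Finding = $Finding }) }
    $yearAgo = (Get-Date).AddYears(-1)

    # AS-REP roasting: "Do not require Kerberos preauthentication" set
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
        ForEach-Object { & $add $_.SamAccountName 'Kerberos pre-authentication not required' }

    # Kerberoasting: SPN-bearing user accounts that still accept RC4 or carry stale passwords.
    # msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256; unset means RC4 is allowed.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet |
        Where-Object SamAccountName -ne 'krbtgt' | ForEach-Object {
            $enc = $_.'msDS-SupportedEncryptionTypes'
            if (-not $enc -or ($enc -band 0x4)) { & $add $_.SamAccountName 'SPN account accepts RC4 (set AES only)' }
            if (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $yearAgo) { & $add $_.SamAccountName 'SPN account password older than a year' }
        }

    # Delegation review: unconstrained (UAC 0x80000) or constrained (msDS-AllowedToDelegateTo); DCs (UAC 0x2000) excluded
    $ldap = '(&(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    Get-ADObject -LDAPFilter $ldap -Properties userAccountControl | ForEach-Object {
        $kind = if ($_.userAccountControl -band 0x80000) { 'Unconstrained' } else { 'Constrained' }
        & $add $_.Name "$kind delegation enabled"
    }

    # Tier 0 accounts: must be marked sensitive/cannot be delegated and sit in Protected Users
    $protected = (Get-ADGroupMember 'Protected Users' -Recursive).DistinguishedName
    Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties AccountNotDelegated | ForEach-Object {
            if (-not $_.AccountNotDelegated) { & $add $_.SamAccountName 'Admin account can be delegated' }
            if ($_.DistinguishedName -notin $protected) { & $add $_.SamAccountName 'Admin account not in Protected Users' }
        }

    # krbtgt rotation: the checklist wants the double reset at least annually
    $krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
    if ($krbtgt.PasswordLastSet -lt $yearAgo) { & $add 'krbtgt' "krbtgt password last set $($krbtgt.PasswordLastSet)" }

    $findings
}

Get-KerberosFindings | Sort-Object Finding, Account | Format-Table -AutoSize
```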

LDAP Security

  • Require LDAP signing -- Domain controller: LDAP server signing requirements = Require signing
  • Require LDAP channel binding -- Set to "Always" via registry: LdapEnforceChannelBinding = 2
  • Disable anonymous LDAP binds -- Verify dsHeuristics attribute does not allow anonymous access
  • Enable LDAPS (LDAP over TLS) -- Deploy certificates to all DCs for port 636
  • Restrict LDAP query scope -- Limit anonymous and authenticated LDAP query permissions
  • Monitor LDAP query volume -- Alert on excessive LDAP queries that may indicate reconnaissance
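The signing, channel binding, anonymous bind and LDAPS items above, checked from the registry and directory rather than assumed from GPO. Added example, not the checklist's own code; it assumes the ActiveDirectory module, WinRM access and local administrator rights on every DC.

```powershell
# Added example, not the checklist's own code. Assumes the ActiveDirectory module, WinRM to
# every DC and local admin there. LDAPServerIntegrity and LdapEnforceChannelBinding live under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Import-Module ActiveDirectory

function Test-LdapHardening {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dcs  = (Get-ADDomainController -Filter *).HostName

    $perDc = Invoke-Command -ComputerName $dcs -ScriptBlock {
        $p = Get-ItemProperty -Path $using:ntds
        # Event 2887 (Directory Service log) is the daily summary of unsigned / clear-text binds still arriving
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC                   = $env:COMPUTERNAME
            SigningRequired      = ($p.LDAPServerIntegrity -eq 2)        # 1 = None, 2 = Require signing
            ChannelBindingAlways = ($p.LdapEnforceChannelBinding -eq 2)  # 0 Never, 1 When supported, 2 Always
            LdapsListening       = [bool](Get-NetTCPConnection -LocalPort 636 -State Listen -ErrorAction SilentlyContinue)
            UnsignedBindsSeen    = if ($ev) { $ev.TimeCreated } else { 'none logged' }
        }
    }

    # dsHeuristics: character 7 set to '2' allows anonymous LDAP operations beyond rootDSE
    $dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $h = [string](Get-ADObject -Identity $dsPath -Properties dsHeuristics).dsHeuristics
    $anon = ($h.Length -ge 7 -and $h[6] -eq '2')

    [pscustomobject]@{ Scope = 'forest'; dsHeuristics = $h; AnonymousLdapAllowed = $anon }
    $perDc | Select-Object DC, SigningRequired, ChannelBindingAlways, LdapsListening, UnsignedBindsSeen
}

Test-LdapHardening | Format-List
```

A DC reporting SigningRequired = False but no recent 2887 event is the safe case for flipping the policy; one still logging 2887 events has clients that will break until they are fixed.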

AdminSDHolder and Protected Groups

The AdminSDHolder object controls permissions for protected security groups. Every 60 minutes, the SDProp process resets permissions on protected objects to match AdminSDHolder.

  • Audit AdminSDHolder ACL -- Review and minimize permissions on the AdminSDHolder object
  • Identify orphaned AdminCount attributes -- Find accounts with adminCount=1 that are no longer in protected groups
  • Clean orphaned AdminCount -- Reset adminCount and re-enable inheritance for accounts removed from protected groups
  • Minimize protected group membership -- Domain Admins should have fewer than 5 members; Enterprise Admins should be empty during normal operations
  • Monitor protected group changes -- Alert on Event IDs 4728, 4732, 4756 for protected group modifications

```powershell
# Find orphaned adminCount accounts: adminCount=1 but no longer a (nested) member of any
# protected group. Membership is resolved transitively with the LDAP_MATCHING_RULE_IN_CHAIN
# rule so that a user protected only through a nested group is not reported by mistake.
# krbtgt carries adminCount=1 by design and is excluded.
Import-Module ActiveDirectory
$protectedGroups = @("Domain Admins","Enterprise Admins","Schema Admins","Administrators",
  "Account Operators","Backup Operators","Print Operators","Server Operators",
  "Domain Controllers","Read-only Domain Controllers","Replicator","Key Admins","Enterprise Key Admins")
$protectedMembers = foreach ($name in $protectedGroups) {
  $group = Get-ADGroup -Filter { Name -eq $name }   # Enterprise/Schema Admins only exist in the forest root
  if ($group) { (Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))").DistinguishedName }
}
Get-ADUser -Filter { adminCount -eq 1 } -Properties adminCount |
  Where-Object { $_.SamAccountName -ne 'krbtgt' -and $_.DistinguishedName -notin $protectedMembers } |
  Select-Object SamAccountName, DistinguishedName
```
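The clean-up step for an orphaned account: clear adminCount and re-enable inheritance so the OU's delegated permissions apply again. Added example, not the checklist's own code; it assumes the ActiveDirectory module (for its AD: drive) and the DN in the usage line is constructed.

```powershell
# Added example, not the checklist's own code. Assumes the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

function Repair-OrphanedAdminCount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear adminCount and re-enable ACL inheritance')) {
            Set-ADObject -Identity $DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            # (isProtected=$false, preserveInheritance=$true): unprotect the DACL. The explicit ACEs
            # that SDProp stamped from AdminSDHolder remain and should be reviewed separately.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
            [pscustomobject]@{ Account = $DistinguishedName; AdminCountCleared = $true; InheritanceEnabled = $true }
        }
    }
}

# Dry run on one account (constructed DN); pipe the orphan list from the query above and drop -WhatIf to apply
Repair-OrphanedAdminCount -DistinguishedName 'CN=former-admin,OU=Users,DC=example,DC=com' -WhatIf
```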

Authentication and Password Policies

  • Fine-grained password policies -- Implement separate policies for admin accounts (20+ characters) and standard users (14+ characters)
  • Ban common passwords -- Use Azure AD Password Protection or a custom banned password list
  • Enable MFA for all admin access -- Use smartcard, FIDO2, or Windows Hello for Business
  • Disable NTLM where possible -- First audit NTLM usage with Network security: Restrict NTLM: Audit NTLM authentication in this domain, then switch to the corresponding Restrict NTLM policy once the remaining NTLM-dependent systems are known
  • Disable LM hash storage -- Network security: Do not store LAN Manager hash value on next password change = Enabled
  • Enforce NTLMv2 -- Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM
  • Account lockout policy -- 5 invalid attempts, 15-minute lockout duration, 15-minute reset counter
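The fine-grained policies and lockout values above, created and then verified per account. Added example, not the checklist's own code; the policy names, history count and maximum age are constructed values, and it assumes the ActiveDirectory module with Domain Admins rights.

```powershell
# Added example, not the checklist's own code. Policy names, history and max-age are constructed;
# minimum lengths and lockout values are the checklist's. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$common = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5                         # 5 invalid attempts
    LockoutDuration             = New-TimeSpan -Minutes 15  # 15-minute lockout
    LockoutObservationWindow    = New-TimeSpan -Minutes 15  # 15-minute reset counter
    PasswordHistoryCount        = 24                        # constructed value
    MaxPasswordAge              = New-TimeSpan -Days 365    # constructed value
    MinPasswordAge              = New-TimeSpan -Days 1      # constructed value
}

# Lower Precedence wins when several PSOs apply to the same user
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10  -MinPasswordLength 20 @common
New-ADFineGrainedPasswordPolicy -Name 'PSO-Users'  -Precedence 100 -MinPasswordLength 14 @common

# PSOs apply to users and global security groups only, so Domain Admins (global) works here while
# Enterprise/Schema Admins (universal) and Administrators (domain local) need a global admin group
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Users'  -Subjects 'Domain Users'

# Verification: the policy that actually lands on an account, falling back to the default domain policy
function Get-EffectivePasswordPolicy {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $cols = @{ n = 'Account'; e = { $SamAccountName } }, 'Name', 'MinPasswordLength', 'LockoutThreshold', 'LockoutDuration'
    if ($pso) { $pso | Select-Object $cols }
    else {
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{ n = 'Account'; e = { $SamAccountName } }, @{ n = 'Name'; e = { 'Default Domain Policy' } },
                          MinPasswordLength, LockoutThreshold, LockoutDuration
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'Administrator'
```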

Monitoring and Detection

Critical Event IDs to Monitor

| Event ID | Description | Alert Priority |
| --- | --- | --- |
| 4625 | Failed logon | Medium (high if admin account) |
| 4672 | Special privileges assigned | High |
| 4728/4732/4756 | Member added to security group | Critical |
| 4768 | TGT requested | Low (correlate for anomalies) |
| 4769 | TGS requested | Medium (watch for RC4/service accounts) |
| 4771 | Kerberos pre-auth failed | Medium |
| 5136 | Directory object modified | High (for sensitive objects) |
| 4662 | Operation on AD object | Critical (DCSync detection) |
| 1102 | Audit log cleared | Critical |

  • Forward DC logs to SIEM -- All domain controllers sending logs to centralized SIEM
  • Enable advanced audit policies -- Replace legacy audit with advanced audit policy configuration
  • Monitor DCSync attempts -- Alert on Event ID 4662 with Replicating Directory Changes
  • Monitor Golden Ticket indicators -- TGTs with anomalous lifetimes or encryption types
  • Honey tokens -- Deploy decoy admin accounts and monitor for authentication attempts
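The two detections the table and list above single out, run against the Security log of a DC: 4769 service-ticket requests with RC4 (the Kerberoasting signal) and 4662 operations carrying a replication control-access right from something other than a machine account (the DCSync signal). Added example, not the checklist's own code; it assumes it runs on a DC with the relevant audit subcategories enabled, and the thresholds and exclusions are constructed starting points to tune.

```powershell
# Added example, not the checklist's own code. Run on a DC (or pass -ComputerName to Get-WinEvent).
# The GUIDs are the published DS-Replication-Get-Changes* control-access rights; thresholds are constructed.
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

# Flatten an event's <EventData> into a name -> value hashtable
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 4769 TGS requests with RC4 (0x17) for non-machine, non-krbtgt services
function Find-Rc4ServiceTickets {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.TicketEncryptionType -eq '0x17' -and $d.ServiceName -notmatch '^krbtgt|\$$') {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Service = $d.ServiceName; Client = $d.IpAddress }
            }
        }
}

# 4662 with a replication right in Properties from anything but a machine account.
# Add legitimate sync accounts (for example Azure AD Connect) to the exclusion for your environment.
function Find-ReplicationRequests {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            $hit = $replGuids | Where-Object { $d.Properties -match $_ }
            if ($hit -and $d.SubjectUserName -notmatch '\$$') {
                [pscustomobject]@{ Time = $_.TimeCreated; Subject = $d.SubjectUserName; Object = $d.ObjectName; Right = ($hit -join ',') }
            }
        }
}

# One user pulling RC4 tickets for several distinct services in a day is the pattern to triage
Find-Rc4ServiceTickets | Group-Object User | Where-Object Count -ge 5 |
    Select-Object Name, Count, @{ n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ';' } }
Find-ReplicationRequests
```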

Audit Checklist Summary

| Category | Items | Priority |
| --- | --- | --- |
| Domain Controller Hardening | 10 | Critical |
| GPO Security | 10 | High |
| Privilege Escalation Prevention | 11 | Critical |
| Kerberos Security | 8 | Critical |
| LDAP Security | 6 | High |
| AdminSDHolder | 5 | High |
| Authentication Policies | 7 | Critical |
| Monitoring | 5 | High |
| Total | 62 | |

Additional Resources

Contributing

Contributions are welcome. Please open an issue or submit a pull request with improvements, additional checklist items, or corrections.

License

This project is licensed under the MIT License. See LICENSE for details.


Professional IT Security Services

Need expert help securing your Active Directory environment? Petronella Technology Group provides:

Petronella Technology Group is a CMMC-RP certified cybersecurity firm in Raleigh, NC. Contact us or call (919) 348-4912.

About Petronella Technology Group

This checklist is maintained by Petronella Technology Group, Inc. -- a cybersecurity and IT services firm specializing in compliance (CMMC, HIPAA, SOC 2, NIST), managed IT, and security assessments for businesses across the United States.
