Active Directory Hardening (Highest Security Level)
1. Tiered Administration Model (Red Forest or ESAE Model)
- Tier 0: Domain Controllers, AD admins
- Tier 1: Server admins (member servers)
- Tier 2: Workstation admins
Enforce logon restrictions—Tier 0 accounts must not log in to lower tiers.
2. Secure Domain Controllers
- Only allow PAW (Privileged Access Workstations) to administer DCs.
- Disable RDP and use PowerShell Just Enough Administration (JEA) or Remote Server Administration Tools (RSAT) with strict RBAC.
- Use read-only domain controllers (RODCs) in branch sites.
- Enable Code Integrity (AppLocker / Device Guard).
- Enable Credential Guard and LSASS Protection (RunAsPPL).
3. Kerberos & NTLM Hardening
- Enforce AES-256 for Kerberos.
- Disable NTLM wherever possible using Group Policy.
- Enforce PAC validation on DCs.
- Monitor for Kerberoasting with tools such as Microsoft ATA or Defender for Identity, and alert on Mimikatz-style credential tooling.
4. Admin Account Protection
- Rename built-in admin account and disable if possible.
- Use non-admin accounts for daily tasks; admins must elevate when needed.
- Apply smart card / certificate-based login.
- Enforce Privileged Access Management (PAM)—Just-in-Time (JIT) access using Microsoft PIM or Bastion Forest.
5. Group Policy (GPO) Hardening
- Block inheritance and enforce policies from the top down with loopback processing.
- Disable PowerShell v2, CMD, legacy scripting engines.
- Audit and secure SYSVOL and GPO delegation.
- Use Security Filtering to apply GPOs only where necessary.
- Enable Restricted Groups / Group Policy Preferences for local admins lockdown.
6. Auditing & Monitoring
- Enable Advanced Audit Policy Configuration.
- Monitor:
  - 4624, 4625 (logon events)
  - 4672 (admin logon)
  - 4720-4726 (user account changes)
  - 4732, 4733 (group membership changes)
  - 4740 (account lockout)
  - 4768-4771 (Kerberos events)
- Integrate with SIEM (Splunk, Sentinel, QRadar, ELK).
- Use LSASS dump protection, and monitor for Golden Ticket attacks.
🖥️ Windows Server Hardening
1. Baseline Hardening
- Use Microsoft Security Compliance Toolkit to apply CIS/STIG baselines.
- Remove unused roles/features (ServerManager → Remove Roles).
- Disable IPv6 if not needed.
- Disable LLMNR, NetBIOS, SMBv1, Telnet, WINS.
2. Patch & Update Discipline
- Apply monthly patch cycles + emergency OOB patches.
- Use WSUS/SCCM/MECM for controlled patching.
- Enable Secure Boot + Firmware update alerts.
3. Firewall & IPsec
- Lock down Windows Firewall with Advanced Security:
- Block all inbound except required (e.g., RDP over VPN).
- Use IPsec encryption for DC <-> DC replication.
- Apply per-service ACLs, not just per-port.
4. Service & Account Hardening
- Run services with gMSA (Group Managed Service Accounts).
- Disable or restrict Scheduled Tasks that run with elevated privileges.
- Harden LSASS and WinRM, and disable WDigest (UseLogonCredential = 0).
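A read-only audit of several settings named in sections 2 and 3 of the AD part and in this section (RunAsPPL, WDigest, LLMNR, NTLM, Kerberos AES, SMBv1, Credential Guard), added here as an example; it is not code from the original checklist. The function names (Get-RegValue, New-Result, Test-HardeningBaseline) and the expected values (NTLM fully denied, AES-only Kerberos) are assumptions chosen to match the checklist.

```powershell
# Added read-only audit (not code from the original post). It reports drift from
# settings named in the checklist and changes nothing; run it in an elevated
# PowerShell session on the server or DC being checked. Expected values are
# assumptions matching the checklist (NTLM fully denied, AES-only Kerberos).
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value = "not configured"
}

function New-Result([string]$Check, $Expected, $Actual, [bool]$Ok) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Status = $status }
}

function Test-HardeningBaseline {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # An absent value is reported as FAIL even where the OS default is secure,
    # so that each setting is pinned explicitly by policy rather than by default.
    $regChecks = @(
        @{ Check = 'LSASS protected process (RunAsPPL)'; Path = $lsa; Name = 'RunAsPPL'; Expect = 1 }
        @{ Check = 'WDigest plaintext caching off'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Expect = 0 }
        @{ Check = 'LLMNR disabled'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'; Expect = 0 }
        @{ Check = 'NTLMv2 only, LM/NTLMv1 refused'; Path = $lsa; Name = 'LmCompatibilityLevel'; Expect = 5 }
        @{ Check = 'Outbound NTLM denied'; Path = "$lsa\MSV1_0"; Name = 'RestrictSendingNTLMTraffic'; Expect = 2 }
    )
    $results = @(foreach ($c in $regChecks) {
        $actual = Get-RegValue $c.Path $c.Name
        New-Result $c.Check $c.Expect $actual ($actual -eq $c.Expect)
    })
    # Kerberos: bit 0x4 = RC4-HMAC, bit 0x10 = AES256. Unset means OS defaults, which still allow RC4.
    $kerb = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' 'SupportedEncryptionTypes'
    $kerbOk = ($null -ne $kerb) -and (($kerb -band 0x4) -eq 0) -and (($kerb -band 0x10) -ne 0)
    $results += New-Result 'Kerberos AES256 on, RC4 off' 'AES only' $kerb $kerbOk
    # SMBv1 on the server side (cmdlet exists on Server 2012 and later).
    $smb1 = try { (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { $null }
    $results += New-Result 'SMBv1 server disabled' $false $smb1 ($smb1 -eq $false)
    # Credential Guard: SecurityServicesRunning contains 1 while it is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cg = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $results += New-Result 'Credential Guard running' $true $cg $cg
    return $results
}

Test-HardeningBaseline | Format-Table -AutoSize
```

Pipe the output to Export-Csv to keep a per-host record for baseline-deviation tracking in the SIEM.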
5. Antivirus / EDR Integration
- Use Microsoft Defender for Endpoint, CrowdStrike, or similar.
- Enable tamper protection.
- Block living off the land binaries (LOLBins), e.g., bitsadmin, rundll32.
6. Audit and SIEM Integration
- Forward logs to a central SIEM.
- Enable AppLocker or WDAC policies to whitelist allowed executables.
- Monitor Event ID 7045 for new service creation, 4697 for scheduled task creation.
Additional Security Layers (for Maximum Defense)
- LAPS (Local Administrator Password Solution) or Windows LAPS to rotate local admin passwords.
- Enforce BitLocker with TPM+PIN on servers and critical workstations.
- Deploy Microsoft Defender Credential Guard, App Guard, and Exploit Protection.
- Use DNSSEC, LDAPS only, and enforce DNS scavenging.
- Implement Network Access Control (NAC) and isolate management VLANs.
- Secure NTP to authoritative internal or signed external sources.
Hardening Verification & Continuous Monitoring
- Perform Red Team / Purple Team / Pen Testing regularly.
- Use BloodHound to analyze AD privilege escalation paths.
- Use PingCastle or ADRecon for domain health/security reports.
- Maintain SIEM alerts, UEBA, and baseline deviation detection.