Security applied blindly is just another outage waiting to happen.

Ethical Threat Insight: Active Directory Security Mistakes

Active Directory is the backbone of your network, and attackers know it just as well as (if not better than) most admins.

A staggering number of breaches don’t require fancy exploits.

They rely on common misconfigurations, and they count on IT admins not doing the hard things that need to be done to secure an AD environment.

These are some of the most frequent (and dangerous) Active Directory security mistakes I see during internal pentests.

1) Weak or reused passwords
Fix: strong password policies & prevention of weak/compromised credentials

2) Assigning overly broad permissions on OUs, security groups, and file shares
Fix: adherence to least privilege & regular permission audits

🎥 I made a short video on how to identify these issues. Watch it here.

https://youtu.be/s1mOHzQ_uLo

3) LAPS deployed but not monitored
Fix: alerts when hosts don’t have LAPS or when password age > 30 days
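As an added example (not from the original post), here is a PowerShell report for the item 3 check that works without the ActiveDirectory module by querying the LAPS expiration attribute over ADSI. Because neither legacy LAPS nor Windows LAPS stores the password age directly, the script treats an expiration date that has already passed as the "not rotating" signal and an expiration more than 30 days out as a policy that allows passwords older than the post's threshold; the OU path and the assumption that the running account can read the expiration attribute are mine.

```powershell
# Added example, not code from the original post. Assumes the caller can read the
# LAPS expiration attribute (it is not confidential, unlike the password itself).
param(
    [int]$MaxAgeDays = 30,     # the post's "> 30 days" threshold
    [string]$SearchBase = ''   # e.g. 'OU=Workstations,DC=corp,DC=example' (placeholder); empty = whole domain
)

$attrs = @('ms-Mcs-AdmPwdExpirationTime',   # legacy LAPS
           'msLAPS-PasswordExpirationTime') # Windows LAPS

# Enabled computers only, excluding domain controllers (primaryGroupID 516/521),
# which are out of scope for LAPS.
$ldap = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
        '(!(primaryGroupID=516))(!(primaryGroupID=521)))'
$searcher = [adsisearcher]$ldap
if ($SearchBase) { $searcher.SearchRoot = [adsi]"LDAP://$SearchBase" }
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]](@('name', 'operatingSystem') + $attrs))

# DirectorySearcher returns an empty collection for absent attributes, so the
# Count check is what tells "no LAPS at all" apart from "present but expired".
function Get-FirstValue($result, [string]$name) {
    $c = $result.Properties[$name]            # lookup is case-insensitive
    if ($c.Count -gt 0) { $c[0] }
}

$now = [DateTime]::UtcNow
$report = foreach ($r in $searcher.FindAll()) {
    $expiry = $null
    foreach ($a in $attrs) {
        $raw = Get-FirstValue $r $a           # large-integer FILETIME comes back as Int64
        if ($null -ne $raw) { $expiry = [DateTime]::FromFileTimeUtc([int64]$raw); break }
    }
    if (-not $expiry)                                     { $status = 'NO_LAPS' }          # never managed
    elseif ($expiry -lt $now)                             { $status = 'ROTATION_OVERDUE' } # client not rotating
    elseif (($expiry - $now).TotalDays -gt $MaxAgeDays)   { $status = 'POLICY_TOO_LONG' }  # age policy > threshold
    else                                                  { $status = 'OK' }
    [pscustomobject]@{
        Computer = [string](Get-FirstValue $r 'name')
        OS       = [string](Get-FirstValue $r 'operatingSystem')
        Expires  = $expiry
        Status   = $status
    }
}

# Everything that is not OK is what the alerting in item 3 should fire on.
$report | Where-Object Status -ne 'OK' | Sort-Object Status, Computer | Format-Table -AutoSize
```

Scheduling this and alerting on a non-empty result covers both halves of the fix: hosts LAPS never reached and hosts where it silently stopped rotating.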

4) Deploying Active Directory Certificate Services but never checking for misconfigs
Fix: Run Locksmith, find insecure settings, fix them one by one

5) Allowing regular users to have local admin rights
Fix: Remove accounts from local admins and find another way for users who need it

6) Including daily use accounts in privileged groups, like Domain Admins
Fix: Adoption of tiered security and protection of tier-0 resources

7) Logging into untrusted hosts with Domain Admin accounts
Fix: GPO to deny logons to untrusted systems by DA accounts

8) Not using Protected Users group
Fix: Add admin accounts to the group slowly, test and then fully deploy

9) Weak LM/NTLM domain settings
Fix: Audit NTLM usage, then enforce a stronger NTLM authentication level

Yes, all of this is much easier said than done.

But with focused effort, knowledge, and expertise, it is absolutely possible.

I know this because I work with folks week in and week out who are doing this.

You don’t have to go it alone.

👉 Curious if attackers could compromise your Active Directory domain?

PS - How it feels sometimes when describing AD permissions 😅
