Active Directory Security

Active Directory Configuration Audit: Methodology, Tools, and Remediation

MOHAMED T.

12 min read
Active Directory Configuration Audit: Methodology, Tools, and Remediation

Active Directory (AD) remains the cornerstone of enterprise identity and access management for most organizations worldwide. Despite the shift toward cloud services, an estimated 90% of Fortune 1000 companies still rely on AD as their primary authentication and authorization system. This critical infrastructure component often harbors security misconfigurations and design flaws that can be exploited by sophisticated threat actors to achieve domain compromise.

In this comprehensive guide, we'll explore methodologies, tools, and techniques for conducting thorough Active Directory configuration audits. Whether you're a security consultant, system administrator, or blue team analyst, this article will provide you with practical knowledge to identify, assess, and remediate common AD security issues before they can be exploited by advanced adversaries.

Understanding the Active Directory Attack Surface

Before diving into audit methodologies, it's essential to understand the various components of Active Directory and their associated attack vectors. This knowledge provides the foundation for effective security assessments.

Critical Active Directory Components and Their Security Implications

Active Directory consists of several interconnected components, each with unique security considerations:

  1. Domain Controllers: Physical or virtual servers that host the AD database (NTDS.dit) and provide authentication services
  2. DNS Services: Integrated DNS that facilitates AD functionality and communication
  3. LDAP Services: The protocol used to query and modify directory information
  4. Kerberos Infrastructure: The primary authentication protocol used in AD environments
  5. Group Policy: A system for centralized configuration management
  6. Trust Relationships: Connections between different AD domains or forests
  7. Schema: The definition of all object types and their attributes in the directory

Understanding these components and their security implications is crucial for effective auditing. For example, misconfigurations in trust relationships can lead to trust abuse attacks, while improper domain controller hardening can facilitate NTDS.dit extraction.

Common Attack Pathways in Active Directory

Modern attackers typically exploit several common pathways to compromise Active Directory environments:

  1. Credential Theft: Stealing and reusing credentials through LSASS memory dumping or other techniques
  2. Privilege Escalation: Exploiting misconfigurations to elevate from regular user to administrator
  3. Lateral Movement: Moving between systems using legitimate AD authentication mechanisms
  4. Persistence: Establishing backdoors through various AD objects such as Group Policy Objects (GPOs)
  5. Domain Dominance: Achieving complete control through techniques like DCSync, Golden Ticket, or Silver Ticket attacks

A comprehensive audit addresses each of these attack pathways by identifying the misconfigurations and vulnerabilities that enable them.

Active Directory Audit Methodology

A structured approach is essential for conducting thorough and effective AD audits. We recommend the following methodology based on industry best practices and real-world experience.

Audit Planning and Scoping

Before beginning the technical assessment, establish clear parameters:

  1. Define Audit Boundaries:
    • Identify all domains and forests to be included
    • Determine which aspects of AD will be assessed (authentication, authorization, GPOs, etc.)
    • Clarify any exclusions or limitations
  2. Establish Authorization:
    • Obtain proper written approval from stakeholders
    • Document the accounts and permissions required for the assessment
    • Ensure the audit activities won't impact production systems
  3. Determine Audit Timing:
    • Schedule intensive audit activities during maintenance windows
    • Plan for real-time monitoring during the assessment
  4. Prepare Audit Checklists:
    • Create custom checklists based on organizational requirements
    • Incorporate industry frameworks like CIS, NIST, or Microsoft Security Baselines

A well-planned audit minimizes business disruption while maximizing security insights.

Data Collection Techniques

Gathering comprehensive information about the AD environment is the foundation of an effective audit:

Privileged Group Membership:

# Enumerate Domain Admins
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, DistinguishedName

# Check for nested privileged groups
$PrivGroups = "Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators"
foreach ($Group in $PrivGroups) {
    Write-Output "Members of $Group:"
    Get-ADGroupMember -Identity $Group | Select-Object Name, SamAccountName, DistinguishedName
}

User Account Audit:

# Find users with non-expiring passwords
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} -Properties PasswordNeverExpires | Select-Object Name, DistinguishedName

# Identify inactive accounts
$InactiveDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonTimeStamp -lt $InactiveDate -and Enabled -eq $true} -Properties LastLogonTimeStamp | Select-Object Name, @{Name="LastLogon"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}

Domain Configuration:

# Get domain functional level and other settings
Get-ADDomain | Select-Object Name, DomainMode, PDCEmulator, InfrastructureMaster, RIDMaster

# Get forest information
Get-ADForest | Select-Object Name, ForestMode, Domains, SchemaMaster

Domain Controller Information:

# Get domain controller information
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperatingSystem, IsGlobalCatalog, Site

These PowerShell commands represent just a small sample of the data collection processes required for a comprehensive audit. Using a combination of native tools and specialized audit frameworks provides the most complete results.

Automated Assessment Tools

Several specialized tools can enhance the efficiency and effectiveness of AD audits:

  1. Microsoft Security Compliance Toolkit:
    This official Microsoft toolkit includes Policy Analyzer and other tools to help analyze and compare AD configurations against best practice baselines.

BloodHound:
While primarily known as an attack tool, BloodHound provides valuable insights for auditors by visualizing AD relationships and attack paths. The SharpHound collector can be run in audit-only mode:

# Run SharpHound with minimal collection methods for auditing
SharpHound.exe -c Group,User,Computer --LdapUsername auditor --LdapPassword "SecurePassword123" --OutputDirectory C:\Audit

Purple Knight:
Developed by Semperis, Purple Knight checks for indicators of exposure, compromise, and privilege escalation. It evaluates over 100 security indicators across various AD components.

# Run a full assessment with Purple Knight
.\PurpleKnight.exe --scan --full

PingCastle:
This open-source tool performs comprehensive AD security assessments, generating a risk score and detailed reports. It's particularly effective at identifying misconfigurations and security issues based on industry best practices. For detailed usage guidance, see our PingCastle implementation guide.

# Run basic PingCastle healthcheck
PingCastle.exe --healthcheck

# Generate a detailed report in HTML format
PingCastle.exe --healthcheck --server dc01.domain.local --output HC_domain_detailed.html

These tools provide complementary capabilities that, when combined, offer a comprehensive view of the AD security posture.

Key Focus Areas for Active Directory Audits

A thorough AD audit should examine several critical areas where misconfigurations often lead to security breaches. Let's explore each area in detail.

Domain Controller Security Configuration

Domain controllers (DCs) are prime targets for attackers due to their critical role in the AD infrastructure:

  1. Operating System Hardening:
    • Check for missing security updates and patches
    • Verify that unnecessary services are disabled
    • Ensure appropriate security features like Credential Guard and LSASS protection are enabled
  2. Physical and Virtual Security:
    • Verify physical access restrictions for on-premises DCs
    • For virtualized DCs, confirm proper isolation and hardening of the hypervisor
    • Check snapshot policies and backup security
  3. Local Security Policy Settings:
    • Audit account policies (password complexity, lockout thresholds)
    • Verify security options (network security, user account control)
    • Check audit policy settings for comprehensive event logging
  4. Feature and Role Configuration:
    • Ensure only required server roles are installed
    • Verify that dangerous features like NTLM authentication are properly restricted
    • Check for secure configuration of DNS, LDAP, and Kerberos services

A single misconfigured domain controller can compromise the security of the entire forest, making this a critical audit area.

Privileged Access Management

The management of privileged accounts represents one of the most critical aspects of AD security:

  1. Administrative Group Audit:
    • Document and validate all members of built-in administrative groups
    • Check for nested group memberships that might create unintended privilege escalation
    • Verify separation of duties among administrative roles
  2. Privileged Account Policies:
    • Confirm that administrative accounts have stronger password policies
    • Verify multi-factor authentication for privileged access
    • Check for proper implementation of Just-In-Time (JIT) and Just-Enough-Administration (JEA) models
  3. Administrative Workstation Security:
    • Verify that administrative accounts only log into properly secured workstations
    • Check for implementation of Protected Users security group or similar controls
    • Audit Remote Desktop Protocol (RDP) and PowerShell Remoting configurations
  4. Dedicated Administrative Forest:
    • For mature organizations, verify the implementation of a dedicated administrative forest
    • Check trust relationships and security boundaries
    • Audit authentication mechanisms between production and administrative forests

Proper privileged access management is the cornerstone of effective AD security and should receive significant attention during audits.

Group Policy Configuration

Group Policy Objects (GPOs) are powerful tools for configuration management but can introduce significant security risks if misconfigured:

  1. GPO Configuration Review:
    • Check for outdated or conflicting policies
    • Verify that security-critical settings are applied consistently
    • Audit WMI filters and security filtering for proper implementation
  2. GPO Change Control:
    • Verify the existence of a formal change management process for GPOs
    • Check for GPO backup procedures and versioning
    • Audit the implementation of GPO creation and modification controls
  3. Security-Critical GPO Settings:
    • Verify proper configuration of AppLocker or Software Restriction Policies
    • Check Windows Defender and security feature configurations
    • Audit credential management policies, particularly credential caching settings

GPO Permission Audit:

# Export GPO permissions to CSV for review
Import-Module GroupPolicy
$GPOs = Get-GPO -All
$Results = @()

foreach ($GPO in $GPOs) {
    $Permissions = Get-GPPermission -Name $GPO.DisplayName -All
    foreach ($Permission in $Permissions) {
        $Properties = @{
            GPOName = $GPO.DisplayName
            Trustee = $Permission.Trustee.Name
            Permission = $Permission.Permission
        }
        $Results += New-Object PSObject -Property $Properties
    }
}

$Results | Export-Csv -Path "GPOPermissions.csv" -NoTypeInformation

Group Policies often represent an organization's primary security control mechanism, making their proper configuration essential for AD security.

Authentication and Authorization

The authentication and authorization mechanisms in AD are frequent targets for attackers:

  1. Kerberos Policy Settings:
    • Verify appropriate Kerberos policy configuration
    • Check for implementation of features like Kerberos Armoring
    • Audit ticket lifetime and renewal settings
  2. NTLM Usage and Restrictions:
    • Identify systems still using NTLM authentication
    • Verify NTLM restriction policies are in place
    • Check for proper auditing of NTLM usage
  3. Password Policies and Authentication Methods:
    • Audit domain password policies and fine-grained password policies
    • Verify multi-factor authentication implementation
    • Check for smart card enforcement where appropriate

Service Principal Names (SPNs) and Delegation:

# Find user accounts with SPNs (potential Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# Check for accounts configured for unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation

Weaknesses in authentication mechanisms often provide attackers with their initial foothold in AD environments.

Trust Relationships and Federation

AD trusts and federation configurations can create significant security exposures if not properly managed:

  1. Trust Configuration Audit:
    • Verify proper trust types (one-way vs. two-way, external vs. forest)
    • Check SID filtering and selective authentication settings
    • Audit trust transitivity configuration
  2. Federation Services Review:
    • Audit ADFS configuration and security settings
    • Check certificate management and renewal processes
    • Verify proper claims and transformation rules
  3. External Identity Provider Integration:
    • Audit configurations for Azure AD Connect or other synchronization tools
    • Verify proper attribute mapping and filtering
    • Check password synchronization security settings

Domain and Forest Trust Inventory:

# Enumerate all domain trusts
Get-ADTrust -Filter *

# Get forest trusts
(Get-ADForest).Domains | ForEach-Object {Get-ADTrust -Filter * -Server $_}

Improperly configured trusts can allow privilege escalation across domain and forest boundaries, significantly expanding the attack surface.

Real-World Audit Case Study: Financial Services Company

In a recent engagement with a large financial services organization, our team identified several critical Active Directory misconfigurations that could have led to a complete domain compromise. This case study illustrates common findings in complex environments.

The Environment

The organization had a complex AD infrastructure consisting of:

  • 5 domains in a single forest
  • 40+ domain controllers across multiple global locations
  • 25,000+ user accounts
  • 30,000+ computer objects

Key Findings

  1. Excessive Privileged Access:
    The audit revealed that 78 user accounts had Domain Admin privileges, with many of these accounts used for daily activities and service accounts. Many administrators used their privileged accounts for email and regular workstation logon.
  2. Kerberoasting Opportunities:
    27 user accounts with SPNs were identified, including 3 with administrative privileges. These accounts had weak password policies and were vulnerable to Kerberoasting attacks.
  3. Trust Relationship Issues:
    A two-way forest trust with a recently acquired company lacked proper SID filtering, creating a potential attack path from the less-secure acquisition's forest.
  4. Group Policy Weaknesses:
    Multiple GPOs had overly permissive permissions, allowing non-administrative users to modify security-critical policies. Additionally, several conflicting policies resulted in security controls being unintentionally disabled on certain systems.
  5. Legacy Protocol Usage:
    The audit found extensive use of legacy authentication protocols, with NTLM authentication enabled across the environment and used by critical applications.

Remediation Steps

The organization implemented a comprehensive remediation plan:

  1. Tiered Administration Model:
    • Implemented a formal tiered access model separating workstation, server, and domain administration
    • Reduced Domain Admin membership to 8 carefully managed accounts
    • Created a Privileged Access Workstation (PAW) solution for administrative activities
  2. Trust Relationship Hardening:
    • Reconfigured all trusts with proper security settings
    • Implemented SID filtering and selective authentication
    • Established a formal process for trust review and approval
  3. Authentication Hardening:
    • Deployed MFA for all administrative actions
    • Restricted NTLM usage and implemented NTLM auditing
    • Migrated legacy applications to modern authentication mechanisms
  4. Enhanced Monitoring:
    • Deployed advanced threat detection for credential theft and lateral movement
    • Implemented real-time alerting for privilege escalation and GPO modifications
    • Created a dedicated SOC team for AD security monitoring

By addressing these findings, the organization significantly reduced its attack surface and improved its security posture. The implementation of a SOC dedicated to AD security proved particularly effective in maintaining these improvements over time.

Detection Strategies for Active Directory Attacks

An effective AD audit should include recommendations for ongoing detection of attacks. Here are key detection strategies that should be assessed during the audit:

Event Log Monitoring

Windows Event Logs provide valuable security insights when properly configured and monitored:

  1. Critical Security Events:
    • Account lockouts (Event ID 4740)
    • Privilege use (Event IDs 4672, 4673, 4674)
    • Directory service access (Event IDs 4662, 5136, 5137, 5138, 5139, 5141)
    • Account management changes (Event IDs 4720-4738)
  2. Authentication Events:
    • Failed authentication attempts (Event ID 4625)
    • Successful logons (Event ID 4624), especially from unexpected sources
    • Kerberos TGT/TGS requests (Event IDs 4768, 4769)
    • NTLM authentication events (Event IDs 4776, 8004)
  3. Event Correlation:
    • Implement correlation rules to identify attack patterns
    • Look for unusual sequences of otherwise normal events
    • Monitor for events occurring outside normal business hours

A SIEM implementation is essential for effective event monitoring across multiple domain controllers and member servers.

Advanced Threat Detection

Beyond basic event monitoring, advanced detection techniques should be evaluated:

  1. Behavior Analytics:
    • Establish baselines for normal administrative activity
    • Detect unusual access patterns or privilege usage
    • Monitor for abnormal object modifications in the directory
  2. Honeypot Accounts and Resources:
    • Deploy decoy administrative accounts
    • Create monitored honeypot resources
    • Alert on any access attempts to these decoys
  3. Indicators of Compromise (IoCs):
    • Monitor for known attack tools and techniques
    • Implement detection for common post-exploitation activities
    • Alert on suspicious PowerShell or WMI operations

These advanced detection mechanisms complement traditional security controls and provide early warning of sophisticated attacks.

Mitigation Strategies for Common Active Directory Vulnerabilities

Based on audit findings, organizations should implement appropriate mitigations. Here are key strategies for addressing common vulnerabilities:

Implementing a Tiered Administration Model

A tiered administration model segregates administrative access to reduce the attack surface:

  1. Tier 0: Domain controllers and critical infrastructure
  2. Tier 1: Server infrastructure
  3. Tier 2: Workstations and user devices

Implementation steps include:

# Create security groups for each tier
New-ADGroup -Name "Tier0Admins" -GroupScope Global -GroupCategory Security
New-ADGroup -Name "Tier1Admins" -GroupScope Global -GroupCategory Security
New-ADGroup -Name "Tier2Admins" -GroupScope Global -GroupCategory Security

# Apply logon restrictions using Group Policy
# (This is a simplified example; full implementation requires multiple GPOs)

The tiered model should be complemented with strict workstation controls and network segmentation to prevent credential theft and lateral movement.

Securing Domain Controllers

Domain controllers require special hardening beyond standard server security:

  1. Operating System Hardening:
    • Deploy the latest security updates
    • Implement Microsoft's security baselines
    • Enable additional security features like Credential Guard
  2. Network Protection:
    • Restrict domain controller communication to essential protocols
    • Implement network segmentation for DC traffic
    • Deploy network IDS/IPS specifically for DC protection
  3. Monitoring and Logging:
    • Enable comprehensive audit policies
    • Forward security logs to a central SIEM
    • Implement real-time alerting for suspicious activities
  4. Physical and Virtual Security:
    • Ensure proper physical security controls
    • For virtualized DCs, implement additional hypervisor security
    • Secure backup systems and procedures

Properly secured domain controllers form the foundation of a secure Active Directory environment.

Implementing Privileged Access Management

Comprehensive privileged access management reduces the risk of credential theft and abuse:

  1. Just-In-Time (JIT) Administration:
    • Implement temporary privilege elevation
    • Require approval workflows for sensitive actions
    • Automate privilege revocation after use
  2. Privileged Access Workstations (PAWs):
    • Deploy hardened workstations for administrative use
    • Restrict network connectivity from PAWs
    • Implement application allowlisting and advanced endpoint protection
  3. Password and Secret Management:
    • Deploy a secure solution for privileged credential storage
    • Implement automatic password rotation
    • Ensure proper auditing of credential retrieval and use

Organizations with mature security programs should consider implementing a dedicated administration forest to further isolate privileged access.

Hardening Authentication Mechanisms

Strengthening authentication reduces the risk of credential theft and reuse:

  1. Multi-Factor Authentication (MFA):
    • Require MFA for all administrative actions
    • Implement smart card authentication where possible
    • Deploy strong MFA solutions for remote access
  2. NTLM Restrictions:
    • Disable NTLM where possible
    • Implement NTLM auditing to identify legacy applications
    • Configure network security to block NTLM relay attacks
  3. Kerberos Hardening:
    • Enable Kerberos Armoring (PKINIT)
    • Implement resource-based constrained delegation
    • Audit and restrict delegation configurations

Proper authentication hardening significantly raises the bar for attackers attempting to compromise Active Directory environments.

Building an Active Directory Security Monitoring Program

A comprehensive audit should include recommendations for ongoing monitoring and security assessment. Here's how to build an effective AD security monitoring program:

Continuous Monitoring Framework

  1. Regular Security Assessments:
    • Conduct quarterly automated scans using tools like PingCastle
    • Perform annual comprehensive manual audits
    • Implement continuous configuration monitoring
  2. Change Detection and Management:
    • Monitor for unauthorized changes to critical AD objects
    • Implement formal change control procedures
    • Regularly review and verify authorized changes
  3. Performance and Health Monitoring:
    • Track key AD performance metrics
    • Monitor replication health and latency
    • Implement automated alerts for service disruptions

A well-designed monitoring program ensures that security improvements identified during the audit are maintained over time.

Security Operations Integration

  1. SOC Playbooks for AD Events:
    • Develop specific response procedures for AD security events
    • Train SOC analysts on AD attack patterns
    • Implement automated response for common attack scenarios
  2. Threat Intelligence Integration:
    • Incorporate AD-specific threat intelligence feeds
    • Update detection rules based on emerging threats
    • Perform regular threat hunting for known actor behaviors
  3. Incident Response Planning:
    • Create specific IR plans for domain controller compromise
    • Develop procedures for forest recovery after catastrophic breach
    • Conduct regular tabletop exercises for AD security incidents

The integration of AD security monitoring with broader SOC operations ensures a coordinated approach to threat detection and response.

Recommendations and Best Practices

Based on our extensive experience with Active Directory security, we recommend the following approach for organizations:

  1. Begin with a comprehensive security baseline assessment to identify critical vulnerabilities and misconfigurations
  2. Implement a tiered administration model to contain potential compromises
  3. Deploy robust monitoring and detection capabilities focused on credential theft and privilege escalation
  4. Regularly audit and review security configurations and administrative access
  5. Train IT staff on AD security best practices and attack techniques
  6. Conduct regular penetration testing to validate security controls
  7. Develop and test recovery procedures for worst-case compromise scenarios

Organizations should prioritize these controls based on their specific risk profile and the sensitivity of their environment.

Conclusion: Building a Secure Active Directory Foundation

Active Directory remains a critical enterprise infrastructure component and a prime target for sophisticated attackers. A comprehensive security audit is essential for identifying and addressing the misconfigurations and vulnerabilities that could lead to compromise.

By applying a structured audit methodology, focusing on key security areas, and implementing appropriate mitigations, organizations can significantly enhance their AD security posture. The combination of proper configuration, ongoing monitoring, and defense-in-depth controls creates a resilient environment that can withstand modern attack techniques.

Remember that Active Directory security is not a one-time project but an ongoing process that requires continuous attention and improvement. Regular audits, combined with effective monitoring and incident response capabilities, form the foundation of a secure AD implementation.

For more advanced guidance on securing your organization's identity infrastructure, explore our related resources:

Have you conducted Active Directory security audits in your organization or discovered interesting misconfigurations? Share your experiences in the comments below or reach out to our security team for assistance with comprehensive AD security assessments.

Read more