All articles
TIP · 5 min read

5 Active Directory Quick Wins for Defenders

Every internal pentest report looks the same: Kerberoasting, ASREProast, ACL abuse, ADCS misconfig, unconstrained delegation. Fix these five and you eliminate most of them.

Long, random service-account passwords

Kerberoasting only works because service accounts use weak passwords. 28+ characters and gMSAs kill it.

Pre-auth required, everywhere

Disable DONT_REQ_PREAUTH on every account. ASREProast goes away instantly.

Audit ACLs with BloodHound

Run BloodHound monthly. Anything with GenericAll, WriteDACL or ForceChangePassword on a Tier-0 object is a finding.

  • Tier your assets — DCs are Tier 0
  • Remove legacy delegations
  • Monitor for new privileged group members

ADCS ESC1-ESC11

Run Certipy find. Fix templates with EnrolleeSuppliesSubject + client auth + low-privileged enrollment.

Kill unconstrained delegation

If a server has it, an attacker who lands there can impersonate domain admins. Replace with constrained or resource-based delegation.

Tools mentioned

BloodHoundCertipyPingCastlePurpleKnightRubeus
⟩ takeaway

AD security is mostly hygiene. Five fixes remove the bulk of red-team paths.

⟩ keep reading

Related articles