5 Active Directory Quick Wins for Defenders
Every internal pentest report looks the same: Kerberoasting, ASREProast, ACL abuse, ADCS misconfig, unconstrained delegation. Fix these five and you eliminate most of them.
Long, random service-account passwords
Kerberoasting only works because service accounts use weak passwords. 28+ characters and gMSAs kill it.
Pre-auth required, everywhere
Disable DONT_REQ_PREAUTH on every account. ASREProast goes away instantly.
Audit ACLs with BloodHound
Run BloodHound monthly. Anything with GenericAll, WriteDACL or ForceChangePassword on a Tier-0 object is a finding.
- Tier your assets — DCs are Tier 0
- Remove legacy delegations
- Monitor for new privileged group members
ADCS ESC1-ESC11
Run Certipy find. Fix templates with EnrolleeSuppliesSubject + client auth + low-privileged enrollment.
Kill unconstrained delegation
If a server has it, an attacker who lands there can impersonate domain admins. Replace with constrained or resource-based delegation.
Tools mentioned
AD security is mostly hygiene. Five fixes remove the bulk of red-team paths.