A number of Active Directory security best practices have arisen over the 25+ years since AD was introduced. They include core practices that apply to any identity system, such as rigorously enforcing the principle of least privilege, monitoring for suspicious activity, and conducting regular security awareness training. Other best practices are specific to Active Directory, such as paying close attention to Group Policy; adopting attack path management and attack path monitoring; and building a solid Active Directory backup and recovery strategy that includes both granular recovery and disaster recovery. Over the years, Quest has provided many resources to help IT professionals understand and implement Active Directory security best practices, including this blog post and this e-book.
While these Active Directory security best practices remain essential, the reality is that threat actors today are increasingly focused on identity. And because Active Directory is the primary authentication and authorization directory for over 90 percent of the world’s enterprises, it is a top target for cyberattacks. Hardening external security is no guarantee of AD security, because the biggest threats to AD security are internal, and more than half of insider misuse involves abuse of privileges.
Accordingly, in this article, I’m going to zoom in on the five key Active Directory security best practices specifically related to identity threats.
Background
First, let’s review exactly what Active Directory security is, why a solid AD security posture is vital, and what types of threats organizations need to defend against by implementing Active Directory security best practices.
What is Active Directory security?
Active Directory security refers to the strategies, tools, configurations and best practices used to protect an organization’s Active Directory environment from unauthorized access by adversaries, misuse by insiders, data breaches, and other cyber threats. Active Directory security covers a wide range of areas, including authentication, authorization, access control, activity monitoring and auditing, alerting and automated response, and vulnerability management.
Because Active Directory stores information about identities and permissions and provides services that enable most business processes, any AD compromise can have profound consequences. It’s vital to understand that Active Directory security is not a one-time procedure or configuration but an ongoing process to protect dynamic IT ecosystems in a rapidly evolving threat landscape.
Why is it essential to secure Active Directory?
Active Directory remains a critical infrastructure component for most organizations — including those that have adopted cloud workloads like Microsoft 365. Indeed, Active Directory is often referred to as the “keys to the kingdom” because it holds the credentials and permissions of virtually every user and system in both on-premises and hybrid Microsoft-based IT environments. This central role makes it a high-value target for threat actors and makes Active Directory security best practices a top concern for organizations around the world.
Unauthorized access to AD is like having a stolen key card: Once attackers are inside the building, they can take the elevator, wander through offices, open desks and look through drawers. Indeed, adversaries no longer tend to slip into a network by circumventing perimeter controls like firewalls — they log in using legitimate AD credentials they have stolen through techniques like phishing or purchased on the dark web. From that initial foothold, they move laterally to other systems, escalate their privileges, and potentially gain full control of the AD domain. These actions are facilitated by the design of Active Directory, which allows any authenticated user to read the entire Active Directory structure.
What’s more, adversaries who compromise on-premises Active Directory can often move into the organization’s cloud environment as well. That’s because most organizations sync Active Directory with Entra ID in a hybrid configuration to provide users with seamless access to resources.
What are common threats to Active Directory?
To infiltrate Active Directory and then achieve their goals, adversaries today employ a wide range of tactics, from basic attacks to sophisticated campaigns.
Tactics for gaining initial access include:
- Password-related strategies like password spraying, credential stuffing, and brute force attacks
- Tricking users into giving up their credentials using phishing, social engineering, and AI-powered deep-fakes
Tactics for privilege escalation and lateral movement include:
- Pass-the-Hash and Pass-the-Ticket attacks, which exploit poorly secured credential stores
- Kerberoasting, which involves extracting service account tickets from Active Directory and attempting to crack them offline to gain access to privileged accounts
- Golden Ticket attacks, in which attackers forge a Kerberos authentication ticket using the KRBTGT account hash to gain unlimited access to the AD domain
- Exploiting Active Directory misconfigurations like unconstrained delegation, excessive permissions, and use of legacy encryption and authentication protocols
- Abusing Group Policy
What are the best practices for securing Active Directory against modern threats?
With that background understanding in place, let’s move on to the key Active Directory security best practices for defending against the top type of attack today: identity-related threats.
Best practice #1: Use a tiered administration model.
The tiered access model provides the foundation for all the Active Directory security best practices I’m going to discuss. Also known as an enterprise access model, it separates systems into different levels based on their criticality. The original tiering model was designed for on-premises environments, but the modern version guides access security across hybrid IT ecosystems.
While there is no defined limit on the number of tiers, the core model defines three:
- Tier 0 includes all critical assets whose compromise could enable an adversary to gain full control of the domain. Key assets in Tier 0 include:
  - Privileged accounts and powerful security groups like Domain Admins and Backup Operators
  - Powerful machines such as domain controllers (DCs) and servers that host vital applications or critical content
  - Key Group Policy objects
  - Trusts between Active Directory domains or forests
- Tier 1 includes systems that manage or interact with Tier 0 but are less critical. Examples include e-mail servers, file servers and administration servers, along with all accounts that have administrative control over them.
- Tier 2 includes applications, users and devices that consume services but do not administer critical infrastructure, such as the accounts and laptops of standard business users. It also includes accounts with admin privileges over Tier 2 assets, such as basic helpdesk technicians.
Best practice #2: Understand and protect all Tier 0 assets.
Adversaries are keenly focused on compromising an organization’s most powerful and sensitive IT assets, so the second of our critical Active Directory security best practices focuses on protecting Tier 0.
The most fundamental way to protect Tier 0 is to prevent assets in a given tier from gaining access to anything in a more critical tier. Establishing these clear boundaries helps prevent attackers from moving laterally across the network and gaining access to critical systems. The underlying rules of tiering are as follows:
- Credentials from a more highly privileged tier should never be exposed on a lower-tier system. In particular, credentials from a Tier 0 account must not be exposed to systems that are not Tier 0, and assets that are not in Tier 0 should never be able to use services provided by Tier 0. For example, administrators should never use their Domain Admin credentials to log on to business user workstations.
- Lower-tier credentials can use services provided by higher tiers, but not the other way around. For example, administrators who can manage Tier 0 should not have the ability to manage systems in Tier 1 or Tier 2, and Tier 2 systems should be able to authenticate users and consume services from Tier 0 and Tier 1 but not administer them.
- Any system or user account that can manage a more highly privileged (lower numbered) tier is a member of that tier, whether or not you intended it to be.
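To make the three rules concrete, here is an added example (my own illustration, not code from the Quest article or from any Quest product) that models a handful of assets and accounts and derives each account's effective tier from the admin rights it actually holds, then flags where the rules are broken. All asset names, account names and admin-rights assignments are constructed sample data; the rule names (TIER_DRIFT, CREDENTIAL_EXPOSURE, DOWNWARD_ADMIN) are labels I chose for this example.

```python
"""Added example: checking declared tiers against the tiering rules.

Rule 1: higher-privilege credentials must never be exposed on a lower-privilege system.
Rule 2: accounts that manage Tier 0 should not also manage Tier 1 or Tier 2 systems.
Rule 3: anything that can manage a lower-numbered tier is effectively a member of that tier.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    tier: int  # 0 = most critical


@dataclass
class Principal:
    name: str
    declared_tier: int
    admin_over: set = field(default_factory=set)  # assets this account can administer
    logons: set = field(default_factory=set)      # assets where its credentials were used


def effective_tier(p, assets):
    """Rule 3: the real tier is the most privileged tier of anything the account administers."""
    managed = [assets[a].tier for a in p.admin_over if a in assets]
    return min([p.declared_tier] + managed)


def find_violations(principals, assets):
    """Return (principal, rule, detail) tuples for every tiering violation found."""
    findings = []
    for p in principals:
        eff = effective_tier(p, assets)
        if eff < p.declared_tier:
            findings.append((p.name, "TIER_DRIFT",
                             f"declared Tier {p.declared_tier} but administers Tier {eff} asset(s)"))
        # Rule 1: the account's (effective) credentials landed on a less-trusted system
        for a in sorted(p.logons):
            if a in assets and assets[a].tier > eff:
                findings.append((p.name, "CREDENTIAL_EXPOSURE",
                                 f"Tier {eff} credentials used on Tier {assets[a].tier} asset {a}"))
        # Rule 2: a Tier 0 administrator also administers lower tiers
        if eff == 0:
            for a in sorted(p.admin_over):
                if a in assets and assets[a].tier > 0:
                    findings.append((p.name, "DOWNWARD_ADMIN",
                                     f"Tier 0 account also administers Tier {assets[a].tier} asset {a}"))
    return findings


# Constructed sample domain (assumption: not real names)
SAMPLE_ASSETS = {a.name: a for a in [
    Asset("DC01", 0), Asset("FS01", 1), Asset("MAIL01", 1),
    Asset("WS-ALICE", 2), Asset("WS-BOB", 2),
]}
SAMPLE_PRINCIPALS = [
    # Domain admin who also logged on to a business workstation (rule 1)
    Principal("da-alice", 0, admin_over={"DC01"}, logons={"DC01", "WS-ALICE"}),
    # Declared Tier 1 server admin who was quietly given admin on a DC (rule 3, then rules 1 and 2)
    Principal("srv-bob", 1, admin_over={"FS01", "DC01"}, logons={"FS01"}),
    # Helpdesk technician confined to Tier 2: no findings expected
    Principal("helpdesk-carol", 2, admin_over={"WS-ALICE", "WS-BOB"}, logons={"WS-BOB"}),
]

if __name__ == "__main__":
    for name, rule, detail in find_violations(SAMPLE_PRINCIPALS, SAMPLE_ASSETS):
        print(f"{name:15} {rule:20} {detail}")
```

The interesting case is srv-bob: a single stray admin right on DC01 silently promotes the account to Tier 0 under rule 3, and from that point its routine logon to the file server and its file-server admin rights become Tier 0 credential exposure and downward administration respectively. The fix is to split the account, not to relabel it.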
Furthermore, adhere to Active Directory security best practices for specific types of Tier 0 assets. For example, it’s vital to secure domain controllers by limiting physical and network access, keeping them updated and patched, and removing all unnecessary software. To protect administrative credentials, allow them to be used only on privileged access workstations (PAWs) — hardened machines that are isolated from the rest of the network and protected against web browsing and email use.
Best practice #3: Lock down all critical Tier 0 assets that you can.
Some Tier 0 assets are extremely active. For example, domain controllers are modified every time a user updates their password or is granted access to a new system or application. Therefore, locking down all of Tier 0 would bring business operations to a screeching halt.
However, there are a number of highly sensitive Active Directory objects that should never be changed without a rigorous approval process. They include powerful security groups like Domain Admins, as well as critical GPOs that control things like permissible authentication protocols, account lockout policies, and restrictions on use of removable media.
Implementing this Active Directory security best practice is challenging with native tools. However, some third-party change management solutions enable you to block any changes to the AD objects you deem critical, as well as to define more flexible constraints, such as allowing changes to an AD account only from a specified range of IP addresses.
Best practice #4: Monitor Tier 0 and be prepared to revert unwanted changes.
One of the most important Active Directory security best practices is to monitor for any suspicious activity, and this practice is particularly important for Tier 0 assets. There are multiple ways to spot threats. First, be sure to watch for known attack tactics and indicators of compromise (IOCs). Examples include actions associated with Golden Ticket attacks, use of hacking tools like mimikatz, and attempts to copy the AD database. In addition, establish a baseline of normal behavior and watch closely for any suspicious activity, such as aberrant DC replication and unusual attempts to access critical servers or modify Group Policy.
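As an added example of what such Tier 0 monitoring looks like in practice (my own illustration, not code from the Quest article or from any Quest product), the script below runs four detection rules over Windows Security event records: replication of all directory changes requested by something other than a known domain controller, a member added to a Tier 0 group, a Group Policy object modified by someone outside the expected editors, and a process from a tool watchlist starting on a DC. The event records are constructed sample data in a simplified key=value format, not real exported logs; the event IDs and the DS-Replication-Get-Changes-All control GUID are the Microsoft-documented values as I know them, and the baseline sets (DC accounts, GPO editors, group names, watchlist) are assumptions to replace with your own.

```python
"""Added example: a minimal Tier 0 monitor over Security event records.

Records are parsed from a constructed 'Key=value Key="quoted value"' format.
"""
import re

# Constructed baseline for the sample domain (assumption: replace with your own)
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
DC_ACCOUNTS = {"DC01$", "DC02$"}            # only DC computer accounts should replicate
GPO_EDITORS = {"gpo-admin"}                 # accounts expected to change Group Policy
TOOL_WATCHLIST = {"mimikatz.exe", "ntdsutil.exe"}  # credential dumping / AD database export

# Extended right "DS-Replication-Get-Changes-All" as it appears in event 4662 Properties
REPL_ALL_GUID = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one record into a dict; quoted values may contain spaces."""
    event = {}
    for key, quoted, bare in TOKEN.findall(line):
        event[key] = quoted if quoted else bare
    return event


def check_event(ev):
    """Return (severity, rule, detail) findings for a single event."""
    findings = []
    eid = ev.get("EventID")
    who = ev.get("SubjectUserName", "?")
    # 4662: operation on a directory object; non-DC asking for all changes is aberrant replication
    if eid == "4662" and REPL_ALL_GUID in ev.get("Properties", "") and who not in DC_ACCOUNTS:
        findings.append(("high", "non-dc-replication",
                         f"{who} requested replication of all directory changes"))
    # 4728 / 4756: member added to a security-enabled global / universal group
    if eid in ("4728", "4756") and ev.get("TargetUserName") in TIER0_GROUPS:
        findings.append(("high", "tier0-group-change",
                         f"{who} added {ev.get('MemberName')} to {ev['TargetUserName']}"))
    # 5136: directory object modified; GPOs are groupPolicyContainer objects
    if eid == "5136" and ev.get("ObjectClass") == "groupPolicyContainer" and who not in GPO_EDITORS:
        findings.append(("medium", "gpo-modified", f"{who} modified GPO {ev.get('ObjectDN')}"))
    # 4688: process creation; compare the executable name against the watchlist
    if eid == "4688":
        exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if exe in TOOL_WATCHLIST:
            findings.append(("high", "tool-watchlist",
                             f"{who} started {exe} on {ev.get('Computer')}"))
    return findings


def scan(lines):
    """Run every rule over every record; returns (time, severity, rule, detail) tuples."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for finding in check_event(ev):
            results.append((ev.get("Time", "?"),) + finding)
    return results


# Constructed sample records (assumption: names, times and GUID-style DNs are made up)
SAMPLE_LOG = r"""
Time=2024-05-01T08:00:03Z EventID=4624 SubjectUserName=alice Computer=WS-ALICE
Time=2024-05-01T08:12:41Z EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
Time=2024-05-01T09:05:19Z EventID=4662 SubjectUserName=svc-backup ObjectType=domainDNS Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
Time=2024-05-01T09:06:02Z EventID=4728 SubjectUserName=svc-backup MemberName="CN=tmp-admin,OU=Users,DC=corp,DC=example" TargetUserName="Domain Admins"
Time=2024-05-01T09:07:30Z EventID=5136 SubjectUserName=svc-backup ObjectClass=groupPolicyContainer ObjectDN="CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example"
Time=2024-05-01T09:08:11Z EventID=4688 SubjectUserName=svc-backup Computer=DC01 NewProcessName="C:\Tools\mimikatz.exe"
Time=2024-05-01T10:00:00Z EventID=5136 SubjectUserName=gpo-admin ObjectClass=groupPolicyContainer ObjectDN="CN={00000000-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=example"
"""

if __name__ == "__main__":
    for time, severity, rule, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{time} [{severity:6}] {rule:20} {detail}")
```

Note that the same DC02$ replication event that is normal from a domain controller becomes a high-severity finding when it comes from svc-backup; the rules only work as well as the baseline behind them, which is why the "establish a baseline" half of this best practice matters as much as the indicator list.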
The second component of this Active Directory security best practice is to ensure that you can quickly and accurately revert any unwanted change to a Tier 0 object. The Microsoft AD Recycle Bin cannot help with this task, since it catches only certain types of object deletions, not object modifications. Accordingly, organizations need a robust backup and recovery solution that makes it easy to determine exactly what was changed and granularly restore the object to its known good state.
Best practice #5: Be able to temporarily lock down all of Tier 0 when there’s a threat in progress.
This is one of the latest Active Directory security best practices — because it has only recently become possible to implement. As noted earlier, while you can keep certain critical objects protected against being changed, you cannot lock down all Tier 0 assets. Doing so would keep adversaries from achieving their objectives — but business processes would be unable to function.
Instead, what organizations need is to be able to immediately slam the door shut on all their critical assets when an active threat is detected. That way, they can prevent attackers from achieving their goals and avoid the immense impact of a full-on security incident, from extended downtime to expensive rebuilding to legal and compliance ramifications.
This Active Directory security best practice is not possible to achieve using built-in Active Directory controls, and even PowerShell-based workarounds lack the ability to enforce a true, immediate lockdown at the identity level. However, one security solution now provides blanket protection for Tier 0 assets at the push of a button. Once the emergency is resolved, normal administrative control can be restored just as easily.
Conclusion
Understanding and implementing Active Directory security best practices is vital to avoiding costly data breaches, downtime and compliance penalties. With modern threat actors increasingly focused on identity, organizations should consider prioritizing the set of Active Directory security best practices laid out here by implementing a tiered administration model and rigorously protecting their Tier 0 assets.