Active Directory Security: The guide to protecting the core of your IT system

Active Directory is targeted in 9 out of 10 ransomware attacks. Comprehensive guide to securing your AD: hardening, auditing, monitoring, and best practices.

Why Active Directory is the No. 1 target for cyberattacks

Active Directory (AD) is the heart of the information system for the vast majority of companies using a Microsoft environment. It manages authentication, access rights, security policies, and network resources for all users and machines. Compromising AD is like obtaining the keys to the entire kingdom.

The figures speak for themselves: according to the Semperis 2024 report, Active Directory is the target of 9 out of 10 ransomware attacks. The Verizon DBIR 2025 confirms that compromised credentials remain the number one initial access vector (22% of breaches) and that 88% of attacks against web applications use stolen credentials. And in most companies, those credentials are managed by Active Directory.

Sources: Semperis 2024 Ransomware Risk Report — Verizon DBIR 2025

The 5 most exploited Active Directory vulnerabilities

1. Too many domain administrator accounts

A poorly managed AD accumulates accounts with high privileges. Each Domain Admin account is a prime target for attackers. Best practice: limit Domain Admins to the bare minimum (2-3 accounts), use accounts dedicated to administration (no web browsing), and implement the Microsoft tiering model (Tier 0/1/2).

Case study — Law firm, 65 employees

During an audit, we discovered 14 Domain Admin accounts at a Parisian law firm. The IT manager had assigned these rights over the years to "help out" partners or external service providers. Three of these accounts belonged to a former maintenance provider who had not been involved for 18 months. After remediation, the firm switched to two dedicated DA accounts, with named accounts for day-to-day administration.
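
The following PowerShell check is an added example, not part of the original article or of IT Systèmes' tooling. It lists every Domain Admin, including members inherited through nested groups, and flags disabled or stale accounts such as the forgotten provider accounts in the case study. It assumes the RSAT ActiveDirectory module; the 90-day staleness threshold is an assumed value, the 3-account target is the article's.

```powershell
# Added example (not from the article): audit Domain Admins membership.
# Assumes the RSAT ActiveDirectory module and read access to the domain;
# the 90-day staleness threshold is an assumed value, the 3-account target is the article's.
Import-Module ActiveDirectory

$MaxDomainAdmins = 3
$StaleDays       = 90

# -Recursive expands nested groups, so accounts granted DA through an
# intermediate group are counted too.
$members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, PasswordLastSet })

$report = foreach ($u in $members) {
    $findings = @()
    if (-not $u.Enabled) { $findings += 'disabled but still a Domain Admin' }
    # LastLogonDate comes from lastLogonTimestamp, which replicates with up to 14 days of lag.
    if ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
        $findings += "no logon in the last $StaleDays days"
    }
    if ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
        $findings += 'password older than a year or never set'
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        LastLogonDate  = $u.LastLogonDate
        Findings       = $findings -join '; '
    }
}

$report | Sort-Object Findings -Descending | Format-Table -AutoSize
if ($members.Count -gt $MaxDomainAdmins) {
    Write-Warning "$($members.Count) Domain Admin accounts found; the target is $MaxDomainAdmins or fewer."
}
```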

2. KRBTGT account password never changed

The KRBTGT account is used to encrypt Kerberos tickets. If an attacker obtains its hash, they can forge a Golden Ticket and gain invisible and persistent access to any resource in the domain. This password must be changed twice consecutively (a single change is not enough, because tickets issued under the previous key are still accepted) at least once a year, and immediately after any incident.
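
The check below is an added example, not code from the article or from IT Systèmes. It reports how old the current KRBTGT key is and whether the yearly double reset is overdue; it assumes the RSAT ActiveDirectory module, and the 365-day threshold follows the article.

```powershell
# Added example (not from the article): report the age of the KRBTGT key and whether
# the yearly double reset is overdue. Assumes the RSAT ActiveDirectory module; the
# 365-day threshold follows the article.
Import-Module ActiveDirectory

$MaxAgeDays = 365
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, msDS-KeyVersionNumber
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays

[pscustomobject]@{
    PasswordLastSet  = $krbtgt.PasswordLastSet
    AgeDays          = $ageDays
    KeyVersionNumber = $krbtgt.'msDS-KeyVersionNumber'   # increments at every reset
    ResetOverdue     = $ageDays -gt $MaxAgeDays
}

# Why two resets: the KDC keeps the previous key and still accepts tickets issued under it,
# so after one reset a Golden Ticket forged with the old hash keeps working. Let the first
# reset replicate to every DC and wait at least the maximum ticket lifetime (10 hours by
# default) before the second one, otherwise legitimate users lose their sessions.
# The reset itself is an ordinary password reset with a random value:
#   Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force)
```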

3. Absence of LAPS (Local Administrator Password Solution)

Without LAPS, the local administrator password is typically the same on every workstation in the domain. A single compromised workstation then gives admin access to every other one (instant lateral movement). Microsoft LAPS generates a unique password for each machine, stores it in AD, and rotates it automatically.
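
As an added example (not from the article or from IT Systèmes), the script below measures LAPS coverage across member computers by reading only the password expiration attributes, never the passwords. It assumes the RSAT ActiveDirectory module and read access to those attributes, and checks both the Windows LAPS and the legacy LAPS attribute.

```powershell
# Added example (not from the article): measure LAPS coverage on member computers.
# Assumes the RSAT ActiveDirectory module and read access to the LAPS expiration
# attributes (the passwords themselves are never read). Windows LAPS and legacy LAPS
# store their expiration in different attributes, so both are checked.
Import-Module ActiveDirectory

$props = 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem'
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

# Domain controllers have no local administrator account, so they are not LAPS targets.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object { $dcDns -notcontains $_.DistinguishedName }

$nowUtc = [datetime]::UtcNow
$report = foreach ($c in $computers) {
    # Both attributes hold a FILETIME (100-ns ticks since 1601 UTC); empty means no LAPS password.
    $raw = $c.'msLAPS-PasswordExpirationTime'
    if (-not $raw) { $raw = $c.'ms-Mcs-AdmPwdExpirationTime' }
    $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
    [pscustomobject]@{
        Name      = $c.Name
        OS        = $c.OperatingSystem
        LapsState = if (-not $expires) { 'NOT MANAGED' } elseif ($expires -lt $nowUtc) { 'EXPIRED (rotation stalled)' } else { 'OK' }
        Expires   = $expires
    }
}

$report | Group-Object LapsState | Select-Object Name, Count
$ok = @($report | Where-Object LapsState -eq 'OK').Count
'{0:P0} of {1} member computers hold a current LAPS password' -f ($ok / [math]::Max(@($report).Count, 1)), @($report).Count
$report | Where-Object LapsState -ne 'OK' | Sort-Object LapsState, Name | Format-Table -AutoSize
```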

4. Insufficient or non-existent security GPOs

Group policies (GPOs) are the primary lever for hardening the AD environment: password policy, account lockout, administrator login restrictions, advanced auditing. Without security GPOs, AD operates with its default settings, which are designed for compatibility, not security.

Case study — HR consulting firm, 75 employees

GPO audit findings: a 6-character password policy with no complexity requirement, no lockout after failed logins, and no restriction on administrator logins. In practice, any account could be brute-forced in a matter of minutes. Remediation took two days, with no service interruption.
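
The check below is an added example, not from the article or from IT Systèmes. It compares the default domain password policy with the targets the article gives (12 characters minimum, lockout on failed logins, no forced expiration) and lists any fine-grained policies that override it; it assumes the RSAT ActiveDirectory module, and the lockout and history numbers are assumed values.

```powershell
# Added example (not from the article): compare the default domain password policy
# with the targets the article gives (12+ characters, lockout on failed logins, no
# forced expiration). Assumes the RSAT ActiveDirectory module; the lockout and history
# numbers are assumed values, not the article's.
Import-Module ActiveDirectory

$p = Get-ADDefaultDomainPasswordPolicy
$checks = @(
    [pscustomobject]@{ Check = 'Minimum length >= 12';        Pass = $p.MinPasswordLength -ge 12;                                 Value = $p.MinPasswordLength }
    [pscustomobject]@{ Check = 'Complexity enabled';          Pass = [bool]$p.ComplexityEnabled;                                  Value = $p.ComplexityEnabled }
    [pscustomobject]@{ Check = 'Reversible encryption off';   Pass = -not $p.ReversibleEncryptionEnabled;                         Value = $p.ReversibleEncryptionEnabled }
    [pscustomobject]@{ Check = 'Lockout after 1-10 failures'; Pass = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 10); Value = $p.LockoutThreshold }
    [pscustomobject]@{ Check = 'Lockout duration >= 15 min';  Pass = $p.LockoutDuration -ge [timespan]::FromMinutes(15);          Value = $p.LockoutDuration }
    [pscustomobject]@{ Check = 'History >= 24 passwords';     Pass = $p.PasswordHistoryCount -ge 24;                              Value = $p.PasswordHistoryCount }
    # A MaxPasswordAge of 00:00:00 is how "never expires" is reported, which is the article's recommendation.
    [pscustomobject]@{ Check = 'No forced expiration';        Pass = $p.MaxPasswordAge -eq [timespan]::Zero;                      Value = $p.MaxPasswordAge }
)
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Default domain password policy is below target; see the failed checks above.'
}

# Fine-grained policies (PSOs) override the default for the principals they apply to;
# privileged accounts should sit under a stricter PSO than ordinary users.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```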

5. Insufficient logging

Without advanced auditing of AD events (logins, group modifications, policy changes), attacks go unnoticed. According to IBM (Cost of a Data Breach 2025), the average lifecycle of a breach is 241 days, the lowest in nine years, but still far too long. AD logging allows suspicious behavior (DCSync, DCShadow, pass-the-hash) to be detected before it causes irreversible damage.

Source: IBM Cost of a Data Breach Report 2025
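
As an added example (not from the article or from IT Systèmes), the function below turns the group-membership events the hardening list cites (4728, 4732, 4756) into alerts whenever the target group is a Tier 0 group. The Tier 0 group list and the two sample events are constructed for the demonstration; the commented Get-WinEvent line at the end shows the live query, which must run on each domain controller because the event is logged by the DC that processed the change.

```powershell
# Added example (not from the article): alert on additions to Tier 0 groups using the
# events the article lists (4728 global, 4732 local, 4756 universal group member added).
# The Tier 0 list and the sample events are constructed for the demonstration.
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

function Find-PrivilegedGroupChange {
    param([Parameter(ValueFromPipeline)] $Event)   # anything shaped like a Get-WinEvent record
    process {
        if ($Event.Id -notin 4728, 4732, 4756) { return }
        # The Security log message carries Subject, Member and Group as labelled lines.
        $group  = if ($Event.Message -match 'Group Name:\s+(.+?)\r?\n')                { $Matches[1].Trim() }
        $actor  = if ($Event.Message -match '(?s)Subject:.*?Account Name:\s+(\S+)')     { $Matches[1] }
        $member = if ($Event.Message -match '(?s)Member:.*?Account Name:\s+(.+?)\r?\n') { $Matches[1].Trim() }
        if ($group -in $Tier0Groups) {
            [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Actor = $actor; Member = $member; Group = $group }
        }
    }
}

# Constructed sample events in the layout of real Security-log messages.
$sample = @(
    [pscustomobject]@{ Id = 4728; TimeCreated = Get-Date '2026-02-12 22:41:05'
        Message = "A member was added to a security-enabled global group.`nSubject:`n`tSecurity ID:`tS-1-5-21-1-2-3-1105`n`tAccount Name:`tsvc-backup`nMember:`n`tSecurity ID:`tS-1-5-21-1-2-3-4471`n`tAccount Name:`tCN=j.doe,OU=Users,DC=corp,DC=example`nGroup:`n`tGroup Name:`tDomain Admins`n" }
    [pscustomobject]@{ Id = 4732; TimeCreated = Get-Date '2026-02-12 09:10:00'
        Message = "A member was added to a security-enabled local group.`nSubject:`n`tAccount Name:`thelpdesk1`nMember:`n`tAccount Name:`tCN=a.martin,OU=Users,DC=corp,DC=example`nGroup:`n`tGroup Name:`tRemote Desktop Users`n" }
)

$sample | Find-PrivilegedGroupChange | Format-Table -AutoSize   # only the Domain Admins change is reported

# Live query, to be run on each domain controller:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-24) } |
#     Find-PrivilegedGroupChange
```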

The 10 priority Active Directory hardening measures

  1. Limit Domain Admin accounts to the bare minimum and dedicate accounts to administration.
  2. Implement the Microsoft tiering model (Tier 0/1/2 separation).
  3. Change the KRBTGT password twice consecutively at least once a year.
  4. Deploy LAPS across the entire fleet.
  5. Configure password GPOs in accordance with ANSSI recommendations (minimum 12 characters, no expiration but detection of compromised passwords).
  6. Enable advanced auditing of AD events (4624, 4625, 4672, 4728, 4732, 4756).
  7. Disable obsolete protocols (NTLMv1, unsigned LDAP, SMBv1).
  8. Restrict Kerberos delegation (no unconstrained delegation).
  9. Secure domain controllers physically and logically.
  10. Implement a regularly tested AD backup and restore plan.

IT Systems field estimate: For an SME with 50 to 150 workstations, implementing the priority measures (points 1 to 6) takes 2 to 3 weeks of work, without interrupting production. The initial AD audit takes 3 to 5 days. The return on investment is immediate: these first six measures neutralize more than 80% of the most common AD attack vectors.
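
The script below is an added example, not from the article or from IT Systèmes. It checks points 7 and 8 of the list on a domain controller: the legacy-protocol settings (NTLMv1, unsigned LDAP, SMBv1 and SMB signing) read from the DC's own registry and SMB configuration, and any computer or user trusted for unconstrained delegation. It assumes the RSAT ActiveDirectory module and that it runs on the DC being checked; the target values follow Microsoft's documented settings for these policies.

```powershell
# Added example (not from the article): check points 7 and 8 of the list on a domain
# controller: legacy protocols (NTLMv1, unsigned LDAP, SMBv1) and unconstrained delegation.
# Assumes the RSAT ActiveDirectory module and that it runs on the DC whose registry is read;
# target values follow Microsoft's documented settings for these policies.
Import-Module ActiveDirectory

$lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$smb  = Get-SmbServerConfiguration

$checks = @(
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1 (absent = OS default).
    [pscustomobject]@{ Check = 'NTLMv1 refused (LmCompatibilityLevel = 5)';      Pass = $lsa.LmCompatibilityLevel -eq 5;     Value = $lsa.LmCompatibilityLevel }
    # LDAPServerIntegrity 2 = LDAP server signing required (1 = none).
    [pscustomobject]@{ Check = 'LDAP signing required (LDAPServerIntegrity = 2)'; Pass = $ntds.LDAPServerIntegrity -eq 2;     Value = $ntds.LDAPServerIntegrity }
    [pscustomobject]@{ Check = 'SMBv1 disabled';                                  Pass = -not $smb.EnableSMB1Protocol;        Value = $smb.EnableSMB1Protocol }
    [pscustomobject]@{ Check = 'SMB signing required';                            Pass = [bool]$smb.RequireSecuritySignature; Value = $smb.RequireSecuritySignature }
)
$checks | Format-Table -AutoSize

# Point 8: a host with unconstrained delegation can impersonate any user that authenticates
# to it. Domain controllers are legitimately trusted for delegation; anything else is a finding.
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
    Where-Object { $dcDns -notcontains $_.DistinguishedName } |
    Select-Object Name, DistinguishedName
Get-ADUser -Filter 'TrustedForDelegation -eq $true' |
    Select-Object SamAccountName, DistinguishedName
```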

The link between AD hardening and workstation hardening

Active Directory security and workstation hardening are inseparable. Active Directory deploys hardening GPOs on workstations, and conversely, a compromised workstation can serve as an entry point into AD. The approach must be comprehensive: harden AD to protect the core of the IT system, and harden workstations to protect the endpoints. This is the approach that IT Systèmes deploys in its infrastructure security services.

FAQ - Active Directory Security

Why is Active Directory the number one target for cyberattacks?

Active Directory manages authentication, access rights, and security policies for all users and machines in a Microsoft environment. Compromising AD gives access to the entire IT system. According to Semperis 2024, Active Directory is targeted in 9 out of 10 ransomware attacks.

How can I secure Active Directory?

Priority measures: limit Domain Admin accounts to the bare minimum (2-3), deploy LAPS for unique passwords per machine, change the KRBTGT password (twice consecutively) at least once a year, enable advanced auditing of AD events, disable obsolete protocols (NTLMv1, SMBv1), and implement the Microsoft Tier 0/1/2 tiering model.

What is LAPS and why deploy it?

LAPS (Local Administrator Password Solution) is a free Microsoft solution that generates a unique local administrator password for each machine, stores it in AD, and automatically renews it. Without LAPS, the same local admin password is used across the entire network: a single compromised workstation gives access to all the others.

What is a Golden Ticket attack on Active Directory?

A Golden Ticket is a fake Kerberos ticket forged from the KRBTGT account hash. It gives the attacker unlimited and invisible access to all resources in the domain. To protect against this, the KRBTGT password must be changed twice consecutively at least once a year, and immediately after any incident.

How long does it take to secure an Active Directory?

An initial AD audit takes 3 to 5 days. The deployment of priority hardening measures (LAPS, tiering, security GPOs, advanced auditing) takes 2 to 6 weeks, depending on the size of the fleet. It is an investment that drastically reduces the attack surface without the need to purchase additional software.
