How to harden Active Directory: Part-1

7 min readOct 8, 2023

I will be put together things from one of the TryHackMe room. But I will add my comment also whereever I found information shortage. First you need to make sure you have a strong password policy set in place.

Go to: Computer Configurations -> Policies -> Windows Setting -> Security Settings -> Account Policies -> Password Policy

You can set the max password age 90 days as per PCI DSS recommendation. Password length should be 16 characters long. Password must meet the complexity.

Understanding Password Policy Settings

Enforce password history: Prevent at least 10 to 15 old passwords from being set as new ones.
Minimum password length: The minimum password length should be set between 10 to 14.
Complexity requirements: Must not contain the name of the user account and ensure the password has uppercase letters, lowercase letters, digits, or special characters.

Password Rotation

Active Directory password security is critical/important to address because of security breaches and password reuse (This is not true if you do not use easy guessable password that are available in popular dictionary). It becomes challenging for any organisation to reset account passwords or update them everywhere, so they prefer not to do it. This scenario could have a few alternate approaches, and each method has pros and cons.

First Technique: Creating a script to update passwords automatically in the Scheduled Task with the help of PowerShell. This method does not require any additional overhead and removes all the manual efforts for password rotation, but it requires you to write and maintain your script which could be challenging. Most people do not do it as they are using strong passwords.
Second Technique: Add a Multi-Factor Authentication (MFA) solution to AD and choose not to change the password often. It adds a security layer, and you will not need to change your password often. You can read more about implementing MFA here.
Third Technique: Microsoft provides a solution for services account password rotation through Group Managed Services Accounts (gMSAs), which changes passwords after every 30 days. You can learn more about it here.

Always monitor authentication logs 4624 in AD. If you find any suspicious login activity in unusual time frame then investigate it. Setting a strong password, change it after a period of 90 days I think good enough besides using 2FA. Also if you do not use easy password, then you need not to worry.

Now let’s restrict some features as per management decision:

Restrict Access to Control Panel

We want to restrict access to the Control Panel across all machines to only the users that are not part of the IT department. Users of other departments shouldn’t be able to change the system’s preferences.

Let’s create a new GPO called Restrict Control Panel Access and open it for editing. Since we want this GPO to apply to specific users, we will look under User Configuration for the following policy:

Then we link the GPO to the appropriate OU. When you create any GPO then it comes under Group Policy Objects.

This is not the hardening part. This is just a requirement from the management.

Auto Lock Screen GPO

For the first GPO, regarding screen locking for workstations and servers, we could directly apply it over the Workstations, Servers and Domain Controllers OUs we created previously.

While this solution should work, an alternative consists of simply applying the GPO to the root domain, as we want the GPO to affect all of our computers. Since the Workstations, Servers and Domain Controllers OUs are all child OUs of the root domain, they will inherit its policies.

Note: You might notice that if our GPO is applied to the root domain thm.local, it will also be inherited by other OUs like Sales or Marketing. Since these OUs contain users only, any Computer Configuration in our GPO will be ignored by them. But in Workstations OU, sales or marketing user’s computer are also present there. From that point this policy will apply on those computer’s.

Let’s create a new GPO, call it Auto Lock Screen, and edit it. The policy to achieve what we want is located in the following route:

Securing Authentication Methods:

The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.

How to change LAN Manager Authentication Level in Windows 11/10

Learn how to change LAN Manager Authentication Level using Registry or Group Policy Editor. It lets you set the…

www.thewindowsclub.com

From the above link, understand the fact. It’s easy that’s why I am further not explaining it. Just telling you what is default settings in place.

Windows 2000 and windows XP: Send LM & NTLM responses

Windows Server 2003: Send NTLM response only

Windows Vista, Windows Server 2008, Windows 7 and later, and Windows Server 2008 R2 and later: Send NTLMv2 response only

If the policy is set to “Not Defined,” it means that the mentioned default behavior for the specific Windows version will be used. However, it’s important to note that you can still configure this policy explicitly to control how authentication is handled in your environment if needed. You can choose one of the provided options, such as “Send NTLM response only” or “Send NTLMv2 response only,” based on your security and compatibility requirements.

Kerberos is the main authentication protocol used in active directory domain environment. If for any reasons like compatibility issues or any other, kerberos is not able serve the issue, then NTLMv2 will be used. For example, you are accessing a domain joined server and the account that you are using to connect to that server is local account (not domain account). In that case NTLMv2 will be used instead of kerberos.

Do not store LAN Manager Hash:

The user account password for Windows isn’t stored in clear text; instead, it stores passwords with two types of hash representation. When the password for any user account is changed or set with fewer than 15 characters, both LM hash (LAN Manager hash) and NT hash (Windows NT hash) are generated by Windows and can be stored in AD. The LM hash is relatively weaker than the NT and is prone to a fast brute-force attack. The best recommendation is to prevent Windows from storing the password’s LM hash. You can access it through the following:

Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > double click Network security - Do not store LM hash value on next password change policy > select "Define policy setting"

SMB Signing:

SMB stands for Server Message Block. Generally, Microsoft-based networks utilise this protocol for file and print communication. Moreover, it allows secure transmission over the network. Configuring SMB signing through group policy is crucial to detect Man in the Middle (MiTM) attacks that may result in modification of SMB traffic in transit. SMB signing ensures the integrity of data for both client and server. All supported Windows versions have an SMB packet signing option. Also when this is enabled then ntlm relay attack will not happen.

Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > double click Microsoft network server: Digitally sign communication (always) > select Enable Digitally Sign Communications

LDAP Signing:

Light Weight Directory Access Protocol (LDAP) enables locating and authenticating resources on the network. Hackers may introduce replay or MiTM attacks to launch custom LDAP requests. Therefore, LDAP signing is a Simple Authentication and Security Layer (SASL) property that only accepts signed LDAP requests and ignores other requests (plain-text or non-SSL). We can enable LDAP signing through the following:

Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirements > select Require signing from the dropdown