# On-Premises AD and Endpoint Hardening Playbook

> *"The cloud gets the glory. Active Directory gets compromised."*

This playbook covers the security of on-premises Active Directory, Windows endpoints, and the identity boundary between on-premises and cloud (hybrid identity). It is designed for consulting engagements where the client maintains on-premises infrastructure alongside M365—common in telco, power, and banking environments.

---

## The On-Premise Reality

Most M365 clients did not start in the cloud. They have:

- Active Directory forests with 10+ years of technical debt
- Group Policy objects (GPOs) that no one dares to change
- Service accounts with passwords set to "never expire"
- Admin accounts that log in from the same workstations as regular users
- Backup systems that have never been tested
- KRBTGT accounts that have never been rotated

Our job is not to shame them. Our job is to **fix the kill chain fast** and give them a path to sustainable hygiene.

---

## Phase 1: AD Kill Chain Assessment (Days 1-7)

### Identity Census

**Export and analyze the full AD estate**:

```powershell
# Requires the RSAT ActiveDirectory module and read access to the domain
Import-Module ActiveDirectory

# All users with properties
Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, MemberOf |
    Export-Csv ad-users.csv -NoTypeInformation

# All groups (especially privileged)
Get-ADGroup -Filter * |
    Where-Object { $_.Name -match "admin|operator|backup|account|server" } |
    Export-Csv ad-priv-groups.csv -NoTypeInformation

# All computer accounts
Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem |
    Export-Csv ad-computers.csv -NoTypeInformation

# Service accounts (have an SPN, or a description indicating service use)
Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName |
    Export-Csv ad-spns.csv -NoTypeInformation
```

**What to look for**:

| Red Flag | Risk | Action |
|----------|------|--------|
| Accounts with PasswordNeverExpires = $true | Credential stuffing goldmine | Force rotation; justify exceptions |
| Admin accounts with last logon > 90 days | Stale, possibly compromised | Disable; verify with owner |
| Users in Domain Admins who should not be | Lateral movement path | Remove; document justification for remaining |
| Computer accounts with last logon > 180 days | Ghost machines, easy targets | Disable; purge after 30 days |
| Service accounts with interactive logon | Violates the least-privilege principle | Convert to managed service accounts or gMSA |
| Duplicate SPNs | Kerberos authentication failures, potential attack vector | Fix immediately |

### Privileged Access Assessment

**Map the tier model** (if it exists) or establish one:

| Tier | Scope | Examples |
|------|-------|----------|
| Tier 0 | Controls AD and identity | Domain Admins, Enterprise Admins, Schema Admins, Account Operators, KRBTGT |
| Tier 1 | Controls server workloads | Server Admins, Database Admins, Backup Operators |
| Tier 2 | Controls workstations | Workstation Admins, Help Desk |

**Immediate actions**:

- Remove Account Operators, Backup Operators, and Print Operators from Tier 0 equivalents if possible (these groups have dangerous default permissions)
- Ensure no Tier 0 account ever logs on to a Tier 2 device (workstation)
- Document every member of Domain Admins with business justification

### The KRBTGT Account

The KRBTGT account is the **cryptographic foundation of the entire Kerberos realm**. Its password hash is used to sign all Kerberos tickets. If an adversary has this hash, they have permanent golden ticket capability.
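As an added example (not part of the original playbook), the script below turns the census above into a findings list: it applies the red-flag thresholds from the table (PasswordNeverExpires, Tier 0 members silent for 90 days, computers silent for 180 days, duplicate SPNs) and adds the krbtgt password-age check described in this section. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the Add-Finding helper and the ad-findings.csv file name are assumed names.

```powershell
# Added example: score the AD estate against the red-flag table above.
# Assumes the RSAT ActiveDirectory module; thresholds (90 and 180 days) come from the table.
Import-Module ActiveDirectory

$now      = Get-Date
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Category, $Object, $Action) {   # assumed helper, not a built-in cmdlet
    $findings.Add([pscustomobject]@{ Category = $Category; Object = $Object; Action = $Action })
}

# 1. Enabled accounts whose password never expires
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } |
    ForEach-Object { Add-Finding 'PasswordNeverExpires' $_.SamAccountName 'Force rotation; justify exceptions' }

# 2. Tier 0 group members (nested groups included) with no logon in 90 days, or none recorded
$tier0 = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators'
foreach ($g in $tier0) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $now.AddDays(-90) } |
        ForEach-Object { Add-Finding "Stale member of $g" $_.SamAccountName 'Disable; verify with owner' }
}

# 3. Enabled computer accounts silent for 180 days
Get-ADComputer -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $now.AddDays(-180) } |
    ForEach-Object { Add-Finding 'Stale computer' $_.Name 'Disable; purge after 30 days' }

# 4. Duplicate SPNs across every object type (users, computers, gMSAs); SPN matching is case-insensitive
$spnOwners = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName | ForEach-Object {
    foreach ($spn in $_.servicePrincipalName) {
        if (-not $spnOwners.ContainsKey($spn)) { $spnOwners[$spn] = @() }
        $spnOwners[$spn] += $_.Name
    }
}
$spnOwners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { Add-Finding 'Duplicate SPN' "$($_.Key) -> $($_.Value -join ', ')" 'Fix immediately' }

# 5. krbtgt password age: never set (old forests) or older than 180 days
$krb = Get-ADUser krbtgt -Properties PasswordLastSet
if (-not $krb.PasswordLastSet -or $krb.PasswordLastSet -lt $now.AddDays(-180)) {
    Add-Finding 'krbtgt not rotated' "PasswordLastSet=$($krb.PasswordLastSet)" 'Rotate twice, ~10h apart, off-hours'
}

$findings | Sort-Object Category | Format-Table -AutoSize
$findings | Export-Csv ad-findings.csv -NoTypeInformation   # assumed output file name
```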
**Check last password change**:

```powershell
Get-ADUser krbtgt -Properties PasswordLastSet | Select-Object PasswordLastSet
```

- If last changed > 180 days ago: **rotate immediately**
- If never changed (common in old forests): **rotate immediately, but plan carefully**

**Rotation procedure** (do not do this during business hours without planning):

```powershell
# Requires Domain Admin. Reset-KrbtgtKeyInteractive is a function defined by Microsoft's
# KRBTGT reset script (load that script first); it is not a built-in cmdlet.
# Run it twice, with ~10 hours between runs, so the first new key replicates to every DC.
Reset-KrbtgtKeyInteractive -Domain "corp.example.com"
```

Or use the Microsoft KRBTGT rotation script: `https://github.com/microsoft/New-KrbtgtKeys.ps1`

**Warning**: Rotating KRBTGT invalidates all existing Kerberos tickets. Users will need to re-authenticate. Plan for:

- Off-hours execution
- Service account impact (services may need a restart)
- VPN reconnection requirements

---

## Phase 2: Endpoint Hardening (Days 8-14)

### Microsoft Defender Antivirus (E3 Baseline)

E3 includes Defender Antivirus but **not** the advanced EDR features. Maximize what you have.

**Enable all protection features** (often disabled by a previous AV migration):

```powershell
# Check current state
Get-MpPreference | Select-Object Disable*, Exclusion*, EnableNetworkProtection, AttackSurfaceReductionRules_*

# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Enable behaviour monitoring
Set-MpPreference -DisableBehaviorMonitoring $false

# Enable network protection (blocks malicious IPs/URLs at the network layer)
Set-MpPreference -EnableNetworkProtection Enabled

# Attack surface reduction rules in audit mode. Full ASR enforcement requires Defender for
# Endpoint P2, but audit logging works on E3. The cmdlet needs the rule GUID(s) together with
# the action; take the GUIDs from Microsoft's ASR rule reference (placeholder below).
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule-guid> -AttackSurfaceReductionRules_Actions AuditMode
```

**Update signatures and engine**:

```powershell
Update-MpSignature

# Confirm that the engine and signature versions actually moved
Get-MpComputerStatus | Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

### Sysmon Deployment (Free Telemetry)

Since E3 lacks EDR, **Sysmon is non-negotiable**.
It provides process creation, network connection, driver loading, and file creation telemetry.

**Deployment**:

1. Download Sysmon from Microsoft Sysinternals
2. Use the SwiftOnSecurity configuration: `sysmonconfig-export.xml`
3. Deploy via GPO or Intune:

```cmd
sysmon.exe -accepteula -i sysmonconfig-export.xml
```

**Log forwarding**: Configure Windows Event Forwarding (WEF) or use a free log collector (Wazuh agent, nxlog) to centralize Sysmon logs.

### LAPS (Local Administrator Password Solution)

LAPS is **free from Microsoft** and essential. It randomizes the local administrator password on every machine and stores it securely in AD.

**Deployment**:

1. Download LAPS from Microsoft
2. Extend the AD schema (one-time, irreversible):

```powershell
# The AdmPwd.PS module ships with the LAPS management tools
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
```

3. Set permissions for computer self-write:

```powershell
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=corp,DC=example,DC=com"
```

4. Set read permissions for authorized admins only:

```powershell
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,DC=corp,DC=example,DC=com" -AllowedPrincipals "HelpDesk-Admins"
```

5. Deploy the LAPS client via GPO

**The conversation**:

> *"Every workstation with the same local admin password is a domino. If I compromise one, I own them all. LAPS makes every password unique and rotates it automatically. It is free, from Microsoft, and takes one day to deploy."*

### Windows Firewall Hardening

Enable and log all profiles:

```powershell
# Enable all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Enable logging for dropped packets
Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
```

**Block inbound by default** except:

- RDP (only via jump host or PAW)
- SMB (only server-to-server; block inbound to workstations)
- Required application ports (documented)

### Credential Guard and Device Guard (Where Hardware Supports)

Credential Guard isolates LSASS to prevent credential theft (Mimikatz-style attacks).

**Requirements**: UEFI 2.3.1c+, Secure Boot, TPM 2.0, Hyper-V hypervisor

**Enable via GPO**:

- Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security
- Enable Credential Guard

**Banking/telco/power**: These sectors often have hardware that supports Credential Guard. Enable it. It is free and dramatically reduces credential theft risk.

---

## Phase 3: Network Segmentation and Boundary (Days 15-21)

### The Active Directory Perimeter

Most AD environments are "flat": every workstation can reach every server, and every VLAN trusts every other VLAN. This is the kill chain.

**Segmentation priorities** (work with the existing network team):

| Segment | What It Contains | Access Rules |
|---------|-----------------|--------------|
| Tier 0 | Domain controllers, AD admin jump hosts | No inbound from Tier 1 or 2. Admin access only from PAWs. |
| Tier 1 | Servers, databases, applications | No inbound from Tier 2 (workstations) except required application ports. |
| Tier 2 | Workstations, user devices | Internet and internal app access only. No direct server admin access. |
| Management | Monitoring, backup, patch management | Outbound to all tiers for management traffic. Inbound restricted to admin sources. |
| OT Boundary | SCADA, ICS, control systems | **Air-gapped or one-way diode**. If integration is required, use a data diode or unidirectional gateway. |

### DNS Security

DNS is the most underrated security control. Most malware needs DNS to find its command and control.

**Immediate actions**:

- Point all endpoints to a DNS resolver with filtering:
  - **Quad9** (9.9.9.9) — free, blocks known malicious domains
  - **Cloudflare for Teams** (free tier) — filtering + logging
  - **Microsoft DNS security** (if available)
- Enable DNS query logging on internal DNS servers
- Block DNS over HTTPS (DoH) at the firewall unless using a managed DoH provider (prevents DNS tunneling evasion)

### Network Monitoring on a Budget

**Zeek (formerly Bro)** — open-source network analysis framework:

- Deploy on a SPAN port or network tap at the internet boundary
- Provides connection logs, DNS logs, HTTP logs, SSL certificate logs
- Feed into Wazuh, Splunk Free, or Elastic Stack

**Suricata** — open-source IDS/IPS:

- Deploy at the internet boundary and critical internal segments
- Use the Emerging Threats Open ruleset (free)
- Alert on known malicious indicators

**The conversation**:

> *"You do not need a $100,000 NDR platform to see malicious traffic. You need a SPAN port, an old server, and Zeek. We will show you the connections your firewall is allowing that it should not be."*

---

## Phase 4: Hybrid Identity Security (Days 22-30)

### Azure AD Connect Health

Most on-premises AD environments are synchronized to Entra ID (Azure AD) via Azure AD Connect.

**Immediate hardening**:

- **Secure the Azure AD Connect server**: Treat it as Tier 0. No interactive logon except admins.
- **Enable PTA (Pass-Through Authentication) or PHS (Password Hash Sync) + Seamless SSO**: Evaluate which is appropriate
  - PHS: Better resilience (can authenticate even if AAD Connect is down)
  - PTA: Passwords never leave the premises (some regulatory preference)
- **Enable password hash synchronization even if using PTA**: Provides fallback authentication and enables Identity Protection detections if you later upgrade to P2
- **Enable Seamless SSO**: Reduces password prompts, improves MFA adoption

**Azure AD Connect configuration audit**:

```powershell
# On the AAD Connect server
Import-Module ADSync
Get-ADSyncScheduler
Get-ADSyncConnector
```

Verify:

- Only required OUs are syncing
- No accidental filtering exclusions that hide accounts
- The sync account has the minimum necessary permissions

### AD FS (If Present)

AD FS is a **high-value target**. If compromised, the adversary controls federation for all cloud apps.

**Immediate hardening**:

- **Upgrade to the latest supported version** (AD FS 2019 or later)
- **Enable Extranet Lockout**: Prevents brute force against AD FS from the internet
- **Enable PPR (Protection Against Password Reuse) / Smart Lockout**
- **Require MFA for AD FS extranet access** (if MFA infrastructure exists)
- **Review relying party trusts**: Remove stale or unknown trusts
- **Enable AD FS audit logging**: Forward to SIEM

**The conversation**:

> *"If I compromise AD FS, I do not need to crack your passwords. I just federate myself as an administrator. AD FS is Tier 0. Treat it accordingly."*

---

## OT / Critical Infrastructure Specifics (Telco, Power)

### The IT/OT Boundary

In power and telco environments, the AD forest often extends closer to OT than it should.
**Rules**:

- OT networks must not trust IT AD forests directly
- If Active Directory is required in OT, use a **separate forest** with a one-way trust or no trust
- SCCM / Intune patch management for OT systems must be on a separate hierarchy
- Administrative credentials for OT must never be used on IT workstations

### Control System Workstations

- Engineering workstations (EWS) and operator stations (HMI) must run **application whitelisting** (AppLocker or third-party)
- USB ports: disabled or strictly controlled
- No internet access from OT VLANs
- Antivirus signatures updated via an offline mechanism, not direct internet

### NIS2 and Critical Infrastructure

For EU critical infrastructure (power, telco):

- Incident reporting to the CSIRT/NIS authority within 24-72 hours
- Supply chain security: document every vendor with AD or network access
- Encryption: data at rest and in transit for sensitive systems
- Multi-factor authentication for all remote access to critical systems

See [Vertical: Power Utilities](../reference/vertical-power-utilities.md) for comprehensive OT alignment.
---

## Banking Specifics

### Privileged Access for Financial Data

- Database administrators with access to core banking systems: **vault all credentials**, require dual authorization
- SWIFT infrastructure: isolated network, dedicated workstations, no internet
- Audit trails for all financial transaction system access: immutable, 7+ years retention

### Regulatory Alignment

| Regulation | AD/Endpoint Implication |
|-----------|------------------------|
| **PSD2** | Strong authentication for payment service users; MFA for internal payment systems |
| **DORA** | ICT risk management includes identity and access; recovery testing mandatory |
| **GDPR** | Access to personal data must be logged, justified, and time-bounded |
| **NIS2** (for systemic banks) | Incident reporting, supply chain risk management, encryption |

See [Vertical: Banking](../reference/vertical-banking.md) for comprehensive regulatory alignment.

---

## 30-Day Checklist for AD/Endpoint Engagements

- [ ] Full AD identity census exported and analyzed
- [ ] KRBTGT password rotation completed (or scheduled with a plan)
- [ ] All privileged groups documented and justified
- [ ] LAPS deployed to all workstations
- [ ] Sysmon deployed to all Windows endpoints
- [ ] Defender Antivirus fully enabled and updated
- [ ] Windows Firewall enabled and logging on all endpoints
- [ ] DNS filtering deployed (Quad9 / Cloudflare)
- [ ] Network segmentation plan documented (even if not fully implemented)
- [ ] Azure AD Connect server secured and audited
- [ ] AD FS hardened (if present)
- [ ] Backup of AD System State tested (verify you can restore a DC)
- [ ] Credential Guard enabled on capable hardware

---

*Previous: [M365 E3 Hardening](m365-e3-hardening.md)*
*Next: [Implementation Playbook](implementation-playbook.md)*
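As an added, read-only verification for the endpoint items in the checklist above (Defender, Sysmon, Windows Firewall, LAPS, Credential Guard), the script below reports pass/fail per item on one machine; it is not part of the original playbook. It assumes Windows 10/11 or Windows Server with Defender AV and the NetSecurity module; the Sysmon service names and the legacy LAPS client DLL path are assumed defaults.

```powershell
# Added example: per-machine check of the Phase 2 endpoint baseline. Read-only; changes nothing.
$checks = [ordered]@{}

# Defender AV: the four settings enabled in Phase 2 plus signature freshness
$mp = Get-MpPreference
$checks['Defender real-time protection'] = -not $mp.DisableRealtimeMonitoring
$checks['Defender behaviour monitoring'] = -not $mp.DisableBehaviorMonitoring
$checks['Defender network protection']   = $mp.EnableNetworkProtection -eq 1        # 1 = Enabled, 2 = Audit
$checks['ASR rules configured']          = @($mp.AttackSurfaceReductionRules_Ids).Count -gt 0
$status = Get-MpComputerStatus
$checks['Signatures < 2 days old']       = $status.AntivirusSignatureAge -lt 2

# Sysmon: service installed and running (default service names; assumption if renamed at install)
$sysmon = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue | Select-Object -First 1
$checks['Sysmon service running'] = ($null -ne $sysmon) -and ($sysmon.Status -eq 'Running')

# Windows Firewall: every profile enabled and logging dropped packets
foreach ($p in Get-NetFirewallProfile) {
    $checks["Firewall $($p.Name) enabled"]      = "$($p.Enabled)" -eq 'True'
    $checks["Firewall $($p.Name) logs blocked"] = "$($p.LogBlocked)" -eq 'True'
}

# LAPS client (legacy AdmPwd CSE): DLL present at the assumed default install path
$checks['LAPS client installed'] = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"

# Credential Guard: value 1 in SecurityServicesRunning means Credential Guard is active
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$checks['Credential Guard running'] = @($dg.SecurityServicesRunning) -contains 1

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value } } |
    Format-Table -AutoSize
```

Run it under an elevated session; a failed row maps directly to the Phase 2 step that sets that control.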