antifragile/antifragile-consulting/playbooks/ad-endpoint-hardening.md

On-Premises AD and Endpoint Hardening Playbook

"The cloud gets the glory. Active Directory gets compromised."

This playbook covers the security of on-premises Active Directory, Windows endpoints, and the identity boundary between on-premises and cloud (hybrid identity). It is designed for consulting engagements where the client maintains on-premises infrastructure alongside M365—common in telco, power, and banking environments.

---

The On-Premise Reality

Most M365 clients did not start in the cloud. They have:

• Active Directory forests with 10+ years of technical debt
• Group Policy objects (GPOs) that no one dares to change
• Service accounts with passwords set to "never expire"
• Admin accounts that log in from the same workstations as regular users
• Backup systems that have never been tested
• KRBTGT accounts that have never been rotated

Our job is not to shame them. Our job is to fix the kill chain fast and give them a path to sustainable hygiene.

---

Phase 1: AD Kill Chain Assessment (Days 1-7)

Identity Census

Export and analyze the full AD estate:

# All users with properties
Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, MemberOf | Export-Csv ad-users.csv

# All groups (especially privileged)
Get-ADGroup -Filter * | Where-Object { $_.Name -match "admin|operator|backup|account|server" } | Export-Csv ad-priv-groups.csv

# All computer accounts
Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem | Export-Csv ad-computers.csv

# Service accounts (have SPN or description indicating service use)
Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName | Export-Csv ad-spns.csv

What to look for:

Red Flag	Risk	Action
Accounts with PasswordNeverExpires = $true	Credential stuffing goldmine	Force rotation; justify exceptions
Admin accounts with last logon > 90 days	Stale, possibly compromised	Disable; verify with owner
Users in Domain Admins who should not be	Lateral movement path	Remove; document justification for remaining
Computer accounts with last logon > 180 days	Ghost machines, easy targets	Disable; purge after 30 days
Service accounts with interactive logon	Violation of principle	Convert to managed service accounts or gMSA
Duplicate SPNs	Kerberos authentication failures, potential attack vector	Fix immediately

Privileged Access Assessment

Map the tier model (if it exists) or establish one:

Tier	Scope	Examples
Tier 0	Controls AD and identity	Domain Admins, Enterprise Admins, Schema Admins, Account Operators, KRBTGT
Tier 1	Controls server workloads	Server Admins, Database Admins, Backup Operators
Tier 2	Controls workstations	Workstation Admins, Help Desk

Immediate actions:

• Remove Account Operators, Backup Operators, Print Operators from Tier 0 equivalents if possible (these groups have dangerous default permissions)
• Ensure no Tier 0 account ever logs on to a Tier 2 device (workstation)
• Document every member of Domain Admins with business justification

The KRBTGT Account

The KRBTGT account is the cryptographic foundation of the entire Kerberos realm. Its password hash is used to sign all Kerberos tickets. If an adversary has this hash, they have permanent golden ticket capability.

Check last password change:

Get-ADUser krbtgt -Properties PasswordLastSet

• If last changed > 180 days ago: rotate immediately
• If never changed (common in old forests): rotate immediately, but plan carefully

Rotation procedure (do not do this during business hours without planning):

# Requires Domain Admin; do twice with ~10 hours between (replication window)
Reset-KrbtgtKeyInteractive -Domain "corp.example.com"

Or use the Microsoft KRBTGT rotation script: https://github.com/microsoft/New-KrbtgtKeys.ps1

Warning: Rotating KRBTGT invalidates all existing Kerberos tickets. Users will need to re-authenticate. Plan for:

• Off-hours execution
• Service account impact (may need restart)
• VPN reconnection requirements

---

Phase 2: Endpoint Hardening (Days 8-14)

Microsoft Defender Antivirus (E3 Baseline)

E3 includes Defender Antivirus but not the advanced EDR features. Maximize what you have:

Enable all protection features (often disabled by previous AV migration):

# Check current state
Get-MpPreference | Select-Object Disable*, Exclusion*

# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Enable behaviour monitoring
Set-MpPreference -DisableBehaviorMonitoring $false

# Enable network protection (blocks malicious IPs/URLs at network layer)
Set-MpPreference -EnableNetworkProtection Enabled

# Enable attack surface reduction rules (audit mode - requires ASR-capable license for full enforcement, but audit logging works)
# Note: Full ASR enforcement requires Defender for Endpoint P2, but you can still configure audit mode
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode

Update signatures and engine:

Update-MpSignature
Update-MpThreatDefinitions

Sysmon Deployment (Free Telemetry)

Since E3 lacks EDR, Sysmon is non-negotiable. It provides process creation, network connections, driver loading, and file creation telemetry.

Deployment:

1. Download Sysmon from Microsoft Sysinternals
2. Use the SwiftOnSecurity configuration: sysmonconfig-export.xml
3. Deploy via GPO or Intune:

sysmon.exe -accepteula -i sysmonconfig-export.xml

Log forwarding: Configure Windows Event Forwarding (WEF) or use a free log collector (Wazuh agent, nxlog) to centralize Sysmon logs.

LAPS (Local Administrator Password Solution)

LAPS is free from Microsoft and essential. It randomizes local admin passwords per machine and stores them securely in AD.

Deployment:

1. Download LAPS from Microsoft
2. Extend AD schema (one-time, irreversible):

Update-AdmPwdADSchema

3. Set permissions for computer self-write:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=corp,DC=example,DC=com"

4. Set read permissions for authorized admins only:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,DC=corp,DC=example,DC=com" -AllowedPrincipals "HelpDesk-Admins"

5. Deploy LAPS client via GPO

The conversation:

"Every workstation with the same local admin password is a domino. If I compromise one, I own them all. LAPS makes every password unique and rotates it automatically. It is free, from Microsoft, and takes one day to deploy."

Windows Firewall Hardening

Enable and log all profiles:

# Enable all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Enable logging for dropped packets
Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

Block inbound by default except:

• RDP (only via jump host or PAW)
• SMB (only server-to-server, block workstation inbound)
• Required application ports (documented)

Credential Guard and Device Guard (Where Hardware Supports)

Credential Guard isolates LSASS to prevent credential theft (Mimikatz-style attacks).

Requirements: UEFI 2.3.1c+, Secure Boot, TPM 2.0, Hyper-V Hypervisor

Enable via GPO:

• Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security
• Enable Credential Guard

Banking/telco/power: These sectors often have hardware that supports Credential Guard. Enable it. It is free and dramatically reduces credential theft risk.

---

Phase 3: Network Segmentation and Boundary (Days 15-21)

The Active Directory Perimeter

Most AD environments are "flat": every workstation can reach every server, every VLAN trusts every other VLAN. This is the kill chain.

Segmentation priorities (work with existing network team):

Segment	What It Contains	Access Rules
Tier 0	Domain controllers, AD admin jump hosts	No inbound from Tier 1 or 2. Admin access only from PAWs.
Tier 1	Servers, databases, applications	No inbound from Tier 2 (workstations) except required application ports.
Tier 2	Workstations, user devices	Internet and internal app access only. No direct server admin access.
Management	Monitoring, backup, patch management	Outbound to all tiers for management traffic. Inbound restricted to admin sources.
OT Boundary	SCADA, ICS, control systems	Air-gapped or one-way diode. If integration required, use data diode or unidirectional gateway.

DNS Security

DNS is the most underrated security control. Most malware needs DNS to find its command and control.

Immediate actions:

• Point all endpoints to a DNS resolver with filtering:
  • Quad9 (9.9.9.9) — free, blocks known malicious domains
  • Cloudflare for Teams (free tier) — filtering + logging
  • Microsoft DNS security (if available)
• Enable DNS query logging on internal DNS servers
• Block DNS over HTTPS (DoH) at the firewall unless using a managed DoH provider (prevents DNS tunneling evasion)

Network Monitoring on a Budget

Zeek (formerly Bro) — open-source network analysis framework:

• Deploy on a SPAN port or network tap at internet boundary
• Provides connection logs, DNS logs, HTTP logs, SSL certificate logs
• Feed into Wazuh, Splunk Free, or Elastic Stack

Suricata — open-source IDS/IPS:

• Deploy at internet boundary and critical internal segments
• Use Emerging Threats Open ruleset (free)
• Alert on known malicious indicators

The conversation:

"You do not need a $100,000 NDR platform to see malicious traffic. You need a SPAN port, an old server, and Zeek. We will show you the connections your firewall is allowing that it should not be."

---

Phase 4: Hybrid Identity Security (Days 22-30)

Azure AD Connect Health

Most on-premises AD environments are synchronized to Entra ID (Azure AD) via Azure AD Connect.

Immediate hardening:

• Secure the Azure AD Connect server: Treat it as Tier 0. No interactive logon except admins.
• Enable PTA (Pass-Through Authentication) or PHS (Password Hash Sync) + Seamless SSO: Evaluate which is appropriate
  • PHS: Better resilience (can authenticate even if AAD Connect is down)
  • PTA: Passwords never leave premises (some regulatory preference)
• Enable password hash synchronization even if using PTA: Provides fallback auth and enables Identity Protection detections if you later upgrade to P2
• Enable Seamless SSO: Reduces password prompts, improves MFA adoption

Azure AD Connect configuration audit:

# On the AAD Connect server
Get-ADSyncScheduler
Get-ADSyncConnector

Verify:

• Only required OUs are syncing
• No accidental filtering exclusions that hide accounts
• The sync account has minimal necessary permissions

AD FS (If Present)

AD FS is a high-value target. If compromised, the adversary controls federation for all cloud apps.

Immediate hardening:

• Upgrade to latest supported version (AD FS 2019 or later)
• Enable Extranet Lockout: Prevents brute force against AD FS from the internet
• Enable PPR (Protection Against Password Reuse) / Smart Lockout
• Require MFA for AD FS extranet access (if MFA infrastructure exists)
• Review relying party trusts: Remove stale or unknown trusts
• Enable AD FS audit logging: Forward to SIEM

The conversation:

"If I compromise AD FS, I do not need to crack your passwords. I just federate myself as an administrator. AD FS is Tier 0. Treat it accordingly."

---

OT / Critical Infrastructure Specifics (Telco, Power)

The IT/OT Boundary

In power and telco environments, the AD forest often extends closer to OT than it should.

Rules:

• OT networks must not trust IT AD forests directly
• If Active Directory is required in OT, use a separate forest with one-way trust or no trust
• SCCM / Intune patch management for OT systems must be on a separate hierarchy
• Administrative credentials for OT must never be used on IT workstations

Control System Workstations

• Engineering workstations (EWS) and operator stations (HMI) must run application whitelisting (AppLocker or third-party)
• USB ports: disabled or strictly controlled
• No internet access from OT VLANs
• Antivirus signatures updated via offline mechanism, not direct internet

NIS2 and Critical Infrastructure

For EU critical infrastructure (power, telco):

• Incident reporting to CSIRT/NIS authority within 24-72 hours
• Supply chain security: document every vendor with AD or network access
• Encryption: data at rest and in transit for sensitive systems
• Multi-factor authentication for all remote access to critical systems

See Vertical: Power Utilities for comprehensive OT alignment.

---

Banking Specifics

Privileged Access for Financial Data

• Database administrators with access to core banking systems: vault all credentials, require dual authorization
• SWIFT infrastructure: isolated network, dedicated workstations, no internet
• Audit trails for all financial transaction system access: immutable, 7+ years retention

Regulatory Alignment

Regulation	AD/Endpoint Implication
PSD2	Strong authentication for payment service users; MFA for internal payment systems
DORA	ICT risk management includes identity and access; recovery testing mandatory
GDPR	Access to personal data must be logged, justified, and time-bounded
NIS2 (for systemic banks)	Incident reporting, supply chain risk management, encryption

See Vertical: Banking for comprehensive regulatory alignment.

---

30-Day Checklist for AD/Endpoint Engagements

• Full AD identity census exported and analyzed
• KRBTGT password rotation completed (or scheduled with plan)
• All privileged groups documented and justified
• LAPS deployed to all workstations
• Sysmon deployed to all Windows endpoints
• Defender Antivirus fully enabled and updated
• Windows Firewall enabled and logging on all endpoints
• DNS filtering deployed (Quad9 / Cloudflare)
• Network segmentation plan documented (even if not fully implemented)
• Azure AD Connect server secured and audited
• AD FS hardened (if present)
• Backup of AD System State tested (verify you can restore a DC)
• Credential Guard enabled on capable hardware

---

Previous: M365 E3 Hardening Next: Implementation Playbook