Active Directory Security: Attack Paths and Hardening
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Active Directory remains the backbone of enterprise identity management, and it is also one of the most targeted components in any network. Attackers know that compromising AD usually means game over for the entire domain. If you work in security and your org runs AD, you need to understand both the offensive techniques and the defensive controls.
Common Attack Vectors
Kerberoasting targets service accounts by requesting Kerberos service tickets (TGS) for SPNs, then cracking them offline. Any authenticated user can request these tickets, making detection the primary defense. Monitor for anomalous TGS requests, especially bulk requests from a single account.
AS-REP Roasting goes after accounts with Kerberos pre-authentication disabled. Attackers request authentication data for these accounts and crack it offline. Audit your environment for accounts with DONT_REQUIRE_PREAUTH set — there should be almost none.
Delegation Attacks exploit unconstrained, constrained, or resource-based constrained delegation. Unconstrained delegation is the worst offender: any service with it can impersonate any user who authenticates to it. Migrate to constrained delegation with protocol transition, and use the Protected Users group for privileged accounts.
GPO Abuse happens when attackers modify Group Policy Objects to push malicious configurations, scripts, or scheduled tasks across the domain. Restrict GPO modification rights and monitor changes to SYSVOL.
Hardening Practices
Start with tiering. Implement a tiered administration model where Tier 0 (domain controllers, AD admins) credentials never touch Tier 1 (servers) or Tier 2 (workstations) systems. Use Privileged Access Workstations (PAWs) for Tier 0 administration.
Enforce the Protected Users security group for all privileged accounts. This disables NTLM authentication, Kerberos delegation, and DES/RC4 encryption for those accounts.
Deploy LAPS (Local Administrator Password Solution) to randomize local admin passwords on every machine. This breaks lateral movement chains that rely on shared local admin credentials.
Enable Advanced Audit Policies rather than the legacy audit categories. At minimum, log account logon events, logon events, object access, and directory service changes. Forward these to your SIEM and build detection rules for Kerberoasting (Event ID 4769 with RC4 encryption), DCSync (4662 with replication rights), and Golden Ticket usage.
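To make the Kerberoasting rule above concrete, here is an added Python example (not from the article or the HADESS team) that scans parsed Event ID 4769 records for the two signals named in this article: RC4 ticket encryption (TicketEncryptionType 0x17) and bulk service-ticket requests from a single account. The field names follow the 4769 EventData layout; the events themselves are constructed samples, and the threshold of three distinct SPNs is an assumed tuning value.

```python
from collections import Counter

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event ID 4769


def ev(user, svc, etype, ip):
    """Build one parsed 4769 record (constructed sample data, not real logs)."""
    return {"TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": ip}


# Constructed sample: alice does normal AES work, bob requests RC4 tickets for
# several user-account SPNs from one host, carol touches a single legacy SPN.
SAMPLE_4769 = [
    ev("alice@CORP.LOCAL", "krbtgt", "0x12", "10.0.1.20"),
    ev("alice@CORP.LOCAL", "WS01$", "0x12", "10.0.1.20"),
    ev("bob@CORP.LOCAL", "svc_sql", "0x17", "10.0.1.33"),
    ev("bob@CORP.LOCAL", "svc_web", "0x17", "10.0.1.33"),
    ev("bob@CORP.LOCAL", "svc_backup", "0x17", "10.0.1.33"),
    ev("bob@CORP.LOCAL", "svc_sql", "0x17", "10.0.1.33"),  # repeat, counted once
    ev("carol@CORP.LOCAL", "svc_legacy", "0x17", "10.0.1.40"),
]


def is_roastable_request(event):
    """True for a successful RC4 service-ticket request for a user-account SPN.
    TGT traffic (krbtgt) and computer-account SPNs (trailing $) are excluded
    because their passwords are long and random, so they are not crackable."""
    svc = event["ServiceName"]
    return (event["Status"] == "0x0"
            and event["TicketEncryptionType"].lower() == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def rc4_requests(events):
    """Per-account count of RC4 service-ticket requests (low-severity signal)."""
    return Counter(e["TargetUserName"] for e in events if is_roastable_request(e))


def find_kerberoasting(events, min_distinct_spns=3):
    """Return {account: sorted distinct SPNs} for accounts that requested RC4
    tickets for at least min_distinct_spns different services (bulk signal)."""
    spns_by_user = {}
    for e in events:
        if is_roastable_request(e):
            spns_by_user.setdefault(e["TargetUserName"], set()).add(e["ServiceName"])
    return {u: sorted(s) for u, s in spns_by_user.items() if len(s) >= min_distinct_spns}


if __name__ == "__main__":
    for user, spns in find_kerberoasting(SAMPLE_4769).items():
        print(f"ALERT possible Kerberoasting by {user}: {len(spns)} RC4 SPNs {spns}")
```

In a SIEM the distinct-SPN count should be evaluated over a short time window (minutes, not days) so that a slow trickle of legitimate RC4 requests from a legacy application does not trip the rule.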
Run regular assessments with tools like BloodHound to map attack paths. If BloodHound can find a path from a standard user to Domain Admin, so can an attacker.
What to Learn Next
AD security sits at the intersection of identity, network, and endpoint security. You need to understand Kerberos internals, LDAP, and Windows authentication flows at a protocol level to be effective here.
Next Steps
- Assess your current AD security knowledge with our skills assessment
- Browse the skills library for related identity and network security topics
- Plan your certifications with the certificate roadmap — look at CRTP and CRTO for AD-focused offensive certs
- Use the coaching tool to build a study plan around AD hardening and attack detection
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
