Active Directory Hardening Guidebook
Welcome to the Active Directory Hardening Guidebook. This repository contains a structured, production-grade set of hardening requirements and guidelines specifically designed for securing modern Active Directory (AD) environments in air-gapped (offline) settings.
The guide is tailored for:
- Domain Controllers: Windows Server 2016 (and above).
- Clients: Windows 10 (and above) enterprise workstations.
- Environment: High-security, isolated (air-gapped) environments with no direct internet connection, no Azure/Entra ID integrations, and no external cloud services.
All security recommendations contained herein are aligned with the following cybersecurity standards:
- ANSSI (French National Agency for the Security of Information Systems) - Hardening an Active Directory Directory Service
- CIS Benchmarks (Center for Internet Security) - Windows Server 2016 & Windows 10
- Microsoft Security Baselines
Table of Contents
The guidebook is organized into eight functional modules:
- Module 1: Architecture & Administrative Tiering
  - Entry point index and technical treatise on Active Directory tiering and administrative boundaries.
  - Hardening controls:
- Module 2: Domain Controller Hardening
  - Operating system-level DC security configuration.
  - Hardening controls:
    - Disable SMBv1
    - Disable Multicast Name Resolution
    - Disable NTLMv1
    - Enforce LDAP Server Signing
    - Enforce LDAP Channel Binding
    - Enable LSA Protection
    - Enable Credential Guard
    - Disable Print Spooler Service
    - Enforce SMB Message Signing
    - Restrict Kerberos Encryption Types
    - Restrict Remote SAM API Access
    - Disable Unnecessary Services
    - Enable Kerberos Armoring
    - Restrict NTLM
    - Migrate SYSVOL Replication to DFSR
    - Harden adminSDHolder Permissions
    - Harden Microsoft DNS AD Container Permissions
    - Harden Virtualization Hosts for Domain Controllers
    - Enforce RDP Restricted Admin Mode
    - Windows Defender Antivirus DC Baseline and Exploit Guard
    - Configure AppLocker Policies on Domain Controllers
- Module 3: Identities & Services Hardening
  - Administrative identity protection, credential hygiene, and service account hardening.
  - Hardening controls:
    - Enforce Fine-Grained Password Policies
    - Enable Local Administrator Password Solution (LAPS)
    - Implement Group Managed Service Accounts (gMSA)
    - Restrict Kerberos Delegation
    - Configure and Populate Protected Users Group
    - Rename and Disable Default Administrator and Guest Accounts
    - Restrict Interactive Logons for Service Accounts
    - Enforce User and Service Account Kerberos Encryption (AES-Only)
    - Enforce Kerberos Pre-Authentication
    - Restrict Schema Administrators Group Membership
    - Enforce Accidental Deletion Protection on Organizational Units
    - Configure Active Directory Authentication Silos
    - Clean Up adminCount Attribute Orphans
    - Renew KDS Root Keys and gMSA Secrets
    - Harden Active Directory Certificate Services (ADCS)
    - Configure Point and Print Restrictions
    - Disable Machine Account Quota
    - Restrict Pre-Windows 2000 Compatible Access Group
- Module 4: Network Configuration & Firewalling
  - Active Directory network boundaries, port configurations, and encryption/authentication configurations.
  - Hardening controls:
    - Configure Active Directory Port Matrix
    - Restrict RPC Dynamic Ports
    - Configure Workstation and Server Isolation
    - Configure IPsec Domain Isolation
    - Harden IPsec Cryptographic Configurations
    - Harden TLS Protocols, Cipher Suites, and Elliptic Curves
    - Enforce SMBv3 Security and Digitally Sign/Encrypt Communications
    - Configure Firewall Logging and Operational Settings
    - Configure Hardened UNC Paths
    - Harden WinRM Service and Restrict RPC Clients
- Module 5: Logging, Monitoring & SIEM
  - Entry point index for security log auditing, host monitoring, and centralized SIEM ingestion.
  - Hardening controls:
- Module 6: Secure Operations & Maintenance
  - AD System State backup, restore, and offline immutable storage.
  - Hardening controls:
- Module 7: Privileged Access Workstations (PAWs) Hardening
  - Physical and operating system isolation rules for administration devices.
  - Hardening controls:
    - Configure AppLocker Policies for PAWs
    - Enable LSA Protection for PAWs
    - Restrict Local Administrators Group for PAWs
    - Enable BitLocker for PAWs
    - UEFI Firmware Security Hardening
    - Hardware Virtualization and DMA Protection
    - Disable Windows Platform Binary Table (WPBT)
    - Windows Defender Antivirus PAW Baseline and Exploit Guard
    - Configure User Rights Assignments for PAWs
    - Enable VBS and Credential Guard for PAWs
    - Harden DMA and Physical Security for PAWs
- Module 8: Endpoint Hardening
  - Entry point index for Tier 2 workstation security.
  - Hardening controls:
    - Harden Network and Name Resolution
    - Configure UAC Policies
    - Disable AutoPlay and AutoRun
    - Block Removable Storage
    - Restrict Remote Desktop (RDP) Access
    - Restrict Local Administrators Group
    - Windows Defender Antivirus Offline Baseline
    - WSUS Client Configuration
    - Enable Secure Boot
    - Enable VBS and Credential Guard
    - Configure Windows Defender Application Control
    - Enable BitLocker and Network Unlock
    - UEFI Firmware Security Hardening
    - Hardware Virtualization and DMA Protection
    - Disable Windows Platform Binary Table (WPBT)
    - Configure User Rights Assignments
    - Harden DMA and Physical Security
    - Configure Account Policies
    - Configure User Profile Restrictions
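As an added example (not one of the guidebook's own module scripts), the following read-only spot check shows how a practitioner can verify the current state of several Module 2 controls on a Domain Controller before and after applying the guidebook. The registry paths and value names are the standard Windows locations for these settings; the expected values are the commonly required hardened values (for example LmCompatibilityLevel = 5 to refuse LM and NTLMv1) and are an assumption here, so the exact values the guidebook mandates in each control page take precedence. Run it in an elevated PowerShell session on the DC; it changes nothing and exits non-zero when any control fails.

```powershell
# Added example, not part of the guidebook: read-only check of selected Module 2
# controls on the local Domain Controller. Expected values are assumptions based on
# the usual hardened settings; defer to the individual control pages for exact values.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$srv    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$dnscli = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# Control name as listed in Module 2, where Windows stores it, and the expected DWORD.
$checks = @(
    @{ Control = 'Disable NTLMv1';                    Path = $lsa;    Name = 'LmCompatibilityLevel';      Expected = 5 }
    @{ Control = 'Enable LSA Protection';             Path = $lsa;    Name = 'RunAsPPL';                  Expected = 1 }
    @{ Control = 'Enforce LDAP Server Signing';       Path = $ntds;   Name = 'LDAPServerIntegrity';       Expected = 2 }
    @{ Control = 'Enforce LDAP Channel Binding';      Path = $ntds;   Name = 'LdapEnforceChannelBinding'; Expected = 2 }
    @{ Control = 'Enforce SMB Message Signing';       Path = $srv;    Name = 'RequireSecuritySignature';  Expected = 1 }
    @{ Control = 'Disable Multicast Name Resolution'; Path = $dnscli; Name = 'EnableMulticast';           Expected = 0 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent. An absent value means the OS default
    # applies, not the hardened setting, so the caller treats $null as a failure.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = @(foreach ($c in $checks) {
    $actual = Get-RegistryDword -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Control  = $c.Control
        Setting  = "$($c.Path)\$($c.Name)"
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Result   = if ($actual -eq $c.Expected) { 'Pass' } else { 'Fail' }
    }
})

# Two controls that are not plain registry DWORDs: the SMBv1 server component and
# the Print Spooler service start type.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$results += [pscustomobject]@{
    Control  = 'Disable SMBv1'
    Setting  = '(Get-SmbServerConfiguration).EnableSMB1Protocol'
    Expected = $false
    Actual   = $smb1
    Result   = if (-not $smb1) { 'Pass' } else { 'Fail' }
}

$spooler = (Get-Service -Name Spooler).StartType
$results += [pscustomobject]@{
    Control  = 'Disable Print Spooler Service'
    Setting  = '(Get-Service Spooler).StartType'
    Expected = 'Disabled'
    Actual   = $spooler
    Result   = if ($spooler -eq 'Disabled') { 'Pass' } else { 'Fail' }
}

$results | Format-Table -AutoSize

# Non-zero exit code when anything failed, so the check can gate a change window.
exit (@($results | Where-Object Result -eq 'Fail').Count)
```

The check reads values directly from the registry rather than from Group Policy objects on purpose: it reports what is actually in effect on the DC, which catches the case where a GPO exists but has not applied or is overridden by a later one.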
Compliance Mapping Matrix
Below is a cross-reference matrix mapping each guidebook module to specific guidelines from ANSSI, CIS, and Microsoft Security Baselines:
Script Verification
To ensure that the markdown files contain valid links and that all embedded PowerShell code snippets are syntactically correct, you can run the verification script located in the root of this workspace.
Running the Verification Script
Open a PowerShell console and run:
.\Verify-ADHardeningDocs.ps1
The script parses every markdown document, checks that each internal relative link resolves to an existing file, and runs the PowerShell parser over every PowerShell code block without executing it.
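To make the two checks concrete, here is an added, minimal implementation of the same idea. It is not the repository's Verify-ADHardeningDocs.ps1 and makes no claim about how that script is written; the fence and link regexes, the choice to skip links that carry a URL scheme, and the default of scanning from the current directory are assumptions of this example. Syntax checking is done with the PowerShell engine's own parser (Parser.ParseInput), which tokenises and builds an AST but never runs the code, so an embedded snippet cannot execute on the machine running the check.

```powershell
# Added example, not the repository's Verify-ADHardeningDocs.ps1: walks every .md file
# under $Root, verifies relative links resolve, and parses each ```powershell block
# with the PowerShell parser without executing it. Exits 1 if anything fails.
param([string]$Root = (Get-Location).Path)

$failures = [System.Collections.Generic.List[string]]::new()

# Assumed conventions: fenced blocks tagged exactly ```powershell, markdown links of
# the form [text](target) or [text](target#anchor). Pure in-page anchors are ignored.
$fence = '(?ms)^```powershell[ \t]*\r?\n(.*?)^```'
$link  = '\[[^\]]*\]\((?<target>[^)\s#]+)(#[^)]*)?\)'

foreach ($file in Get-ChildItem -Path $Root -Recurse -Filter *.md) {
    $text = Get-Content -Path $file.FullName -Raw
    $dir  = $file.DirectoryName

    # Relative links: skip anything with a URL scheme (http:, mailto:, ...) and
    # resolve the rest against the folder of the file that contains the link.
    foreach ($m in [regex]::Matches($text, $link)) {
        $target = [uri]::UnescapeDataString($m.Groups['target'].Value)
        if ($target -match '^[a-z][a-z0-9+.-]*:') { continue }
        if (-not (Test-Path -LiteralPath (Join-Path $dir $target))) {
            $failures.Add("$($file.FullName): broken link '$target'")
        }
    }

    # Code blocks: ParseInput returns the AST and fills $errors; nothing is invoked.
    $n = 0
    foreach ($m in [regex]::Matches($text, $fence)) {
        $n++
        $tokens = $null
        $errors = $null
        [System.Management.Automation.Language.Parser]::ParseInput(
            $m.Groups[1].Value, [ref]$tokens, [ref]$errors) | Out-Null
        foreach ($e in $errors) {
            $failures.Add("$($file.FullName) block #$n line $($e.Extent.StartLineNumber): $($e.Message)")
        }
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL $_" }
    exit 1
}
Write-Host 'All relative links resolve and all PowerShell blocks parse.'
```

Because the parser only reports syntax errors, a block can pass this check and still contain a wrong registry path or value; the check guards the documentation's integrity, not the correctness of the hardening settings themselves.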