Top Active Directory Misconfigurations

Common AD misconfigurations that create attack paths: weak delegation, permissive ACLs, trust abuse, and GPO issues.

Updated January 18, 2025

The misconfigurations below show up in assessment after assessment. Each one gives an attacker who already has a foothold a path to escalate privileges or move laterally; for each, the sections that follow describe why it matters and how to remediate it.

Weak Delegation Settings

Unconstrained Delegation: A server with this flag (TRUSTED_FOR_DELEGATION in userAccountControl) receives and caches a forwardable TGT for every user who authenticates to it and can use that TGT to act as the user against any service. An attacker who compromises such a server, or who can set the flag on a machine account they control, can coerce a domain controller or privileged user into authenticating to it, capture the TGT, and use it to run DCSync or act as that user. Domain controllers carry the flag by design; any other object that has it is a finding.

Constrained Delegation Misconfiguration: Constrained delegation limits the target services (msDS-AllowedToDelegateTo), but becomes dangerous when that list contains sensitive SPNs (for example LDAP or CIFS on a domain controller) or when protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION, "use any authentication protocol") is enabled, because the service can then obtain tickets for arbitrary users who never authenticated to it. Note also that only the host part of the target SPN is protected in the ticket, so a delegation to one service class on a host can be redirected to another service class on the same host.

Resource-Based Constrained Delegation (RBCD) Abuse: RBCD is configured on the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, so anyone with write access to a computer object (GenericWrite, WriteProperty, GenericAll or ownership) can grant an account they control the right to delegate to it and then impersonate an administrator to that host via S4U2Self and S4U2Proxy. Because the default MachineAccountQuota lets any domain user create up to ten computer accounts, the attacker normally already has a principal with an SPN to delegate from.

Remediation: Remove unconstrained delegation from everything except domain controllers. Where delegation is required, use constrained delegation with the minimum set of service principal names (SPNs) and avoid protocol transition. Mark privileged accounts "Account is sensitive and cannot be delegated" and add them to Protected Users, which makes them immune to delegation regardless of how a server is configured. Audit write permissions on computer objects, set ms-DS-MachineAccountQuota to 0, and review delegation settings regularly.
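The following PowerShell audit is an added example, not part of the original article. It inventories all three delegation types described above and lists Domain Admins members that an attacker could still impersonate. It assumes the ActiveDirectory RSAT module on a domain-joined host; the account names in the commented remediation lines are placeholders.

```powershell
# Added example (not from the original article): inventory delegation settings and flag
# privileged accounts that are still delegatable. Assumes the ActiveDirectory module and
# read access to the directory. Nothing is changed unless the remediation lines at the end
# are uncommented; APPSRV01$, svc-web and adm-jsmith are placeholder names.
Import-Module ActiveDirectory

# userAccountControl bits that matter for delegation
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

# Domain controllers carry TRUSTED_FOR_DELEGATION by design; anything else with it is a finding
$dcNames = (Get-ADDomainController -Filter *).Name

$props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
# computer is a subclass of user, so this filter returns both users and computers
$findings = @(foreach ($obj in Get-ADObject -LDAPFilter '(objectClass=user)' -Properties $props) {
    $uac = [int64]$obj.userAccountControl

    if (($uac -band $TRUSTED_FOR_DELEGATION) -and ($obj.Name -notin $dcNames)) {
        [pscustomobject]@{ Object = $obj.Name; Finding = 'Unconstrained delegation'
                           Detail = 'any user authenticating here leaves a usable TGT' }
    }
    if ($obj.'msDS-AllowedToDelegateTo') {
        $kind = if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained delegation WITH protocol transition' }
                else { 'Constrained delegation' }
        [pscustomobject]@{ Object = $obj.Name; Finding = $kind
                           Detail = ($obj.'msDS-AllowedToDelegateTo' -join ', ') }
    }
    if ($obj.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        # Binary security descriptor whose ACEs name the principals allowed to delegate to this object (RBCD)
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($obj.'msDS-AllowedToActOnBehalfOfOtherIdentity')
        $allowedFrom = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        [pscustomobject]@{ Object = $obj.Name; Finding = 'RBCD configured'
                           Detail = "delegation allowed from: $allowedFrom" }
    }
})

# Privileged accounts an attacker could still impersonate: neither NOT_DELEGATED nor in Protected Users
$protected = @((Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue).DistinguishedName)
$findings += Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties userAccountControl |
    Where-Object { -not ($_.userAccountControl -band $NOT_DELEGATED) -and ($_.DistinguishedName -notin $protected) } |
    ForEach-Object { [pscustomobject]@{ Object = $_.SamAccountName; Finding = 'Privileged account is delegatable'
                                        Detail = 'not NOT_DELEGATED and not in Protected Users' } }

$findings | Sort-Object Finding, Object | Format-Table -AutoSize -Wrap

# Remediation (uncomment and adapt the placeholder names):
# Set-ADAccountControl -Identity 'APPSRV01$' -TrustedForDelegation $false         # remove unconstrained delegation
# Set-ADAccountControl -Identity 'svc-web'   -TrustedToAuthForDelegation $false   # drop protocol transition
# Set-ADAccountControl -Identity 'adm-jsmith' -AccountNotDelegated $true          # mark the account sensitive
# Add-ADGroupMember -Identity 'Protected Users' -Members 'adm-jsmith'
# Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }  # users can no longer add computers
```

Run it from a regular domain account first; reading these attributes needs no special rights, which is exactly why attackers enumerate them the same way. Review the RBCD findings with care: a principal listed under "delegation allowed from" that is not a known service account is often the residue of an attack rather than an administrator's configuration.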

Permissive ACLs

Write Permissions on User and Computer Objects: GenericWrite or WriteProperty on a user lets an attacker set a servicePrincipalName (targeted Kerberoasting), rewrite logon scripts, or write msDS-KeyCredentialLink (shadow credentials, usable for PKINIT where AD CS is present); on a computer it enables the RBCD attack above. GenericAll or the User-Force-Change-Password extended right allows resetting the password outright. Group membership is controlled by write access to the group's member attribute, not by rights on the user object.

DCSync Rights: The extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain head let an account replicate directory data the way a domain controller does, including every password hash and the krbtgt key, so holding both is equivalent to full domain compromise. Only domain controllers and the built-in administrative groups should have them; synchronization accounts such as Azure AD Connect's MSOL_ account are a common exception that must be protected like a domain controller.

GenericAll, WriteDacl, WriteOwner or WriteProperty (member) on Groups: Lets the holder add any account to the group, including Domain Admins, or rewrite the group's ACL to grant themselves that ability.

Remediation: Apply least privilege to directory ACLs and audit them on the domain head, AdminSDHolder, the privileged groups, krbtgt and the Domain Controllers OU. Remove unnecessary permissions and never grant write rights to broad principals such as Authenticated Users or Everyone. Remember that AdminSDHolder is the template whose ACL is re-applied to protected groups and their members every hour, so fix the template, not only the object.
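As an added example (not from the original article), this PowerShell script walks the ACLs of the Tier 0 objects just listed and reports principals holding replication rights, GenericAll, WriteDacl/WriteOwner, GenericWrite, write access to member, or the password-reset right. It assumes the ActiveDirectory module, which also provides the AD: drive used by Get-Acl; the $expected list of principals is an assumption about an unmodified domain and should be adapted (for example to include an Azure AD Connect MSOL_ account).

```powershell
# Added example (not from the original article): report dangerous ACEs on Tier 0 objects.
# Assumes the ActiveDirectory module (provides the AD: PSDrive) and read access. $expected
# is an assumption about a default domain; anything outside it is reported for review.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$nb       = $domain.NetBIOSName
$domainDN = $domain.DistinguishedName

$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$memberAttr    = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of the "member" attribute
$forceChangePw = '00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password extended right
$allGuid       = [guid]::Empty.ToString()                 # ObjectType of all-zeros = applies to everything
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
              "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers",
              "$nb\Domain Admins", "$nb\Enterprise Admins")

function Get-DangerousAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString()
        $label  = $null
        if     ($rights -match 'GenericAll')            { $label = 'GenericAll' }
        elseif ($rights -match 'WriteDacl|WriteOwner')  { $label = 'WriteDacl/WriteOwner (can grant itself anything)' }
        elseif ($rights -match 'GenericWrite')          { $label = 'GenericWrite' }
        elseif ($rights -match 'WriteProperty' -and $guid -in @($memberAttr, $allGuid)) { $label = 'WriteProperty on member (add to group)' }
        elseif ($rights -match 'ExtendedRight') {
            if     ($guid -eq $allGuid)             { $label = 'All extended rights (includes DCSync and password reset)' }
            elseif ($replRights.ContainsKey($guid)) { $label = $replRights[$guid] }
            elseif ($guid -eq $forceChangePw)       { $label = 'User-Force-Change-Password' }
        }
        if ($label) {
            [pscustomobject]@{
                Object    = $DistinguishedName.Split(',')[0]
                Principal = $ace.IdentityReference.Value
                Right     = $label
                Inherited = $ace.IsInherited
                Expected  = $ace.IdentityReference.Value -in $expected
            }
        }
    }
}

# Tier 0 scope: domain head (DCSync), AdminSDHolder template, krbtgt, DC OU, and the admin groups
$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
    ForEach-Object { Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue } |   # EA/SA exist only in the forest root
    Select-Object -ExpandProperty DistinguishedName
$tier0 = @($domainDN, "CN=AdminSDHolder,CN=System,$domainDN", "CN=krbtgt,CN=Users,$domainDN",
           "OU=Domain Controllers,$domainDN") + @($groups)

$report = foreach ($dn in $tier0) { Get-DangerousAce -DistinguishedName $dn }
$report | Where-Object { -not $_.Expected } | Sort-Object Object, Principal | Format-Table -AutoSize -Wrap
```

Expect some noise on first run: Exchange's "Exchange Trusted Subsystem" and "Organization Management" groups, for instance, routinely hold WriteDacl on the domain head after a legacy Exchange installation, and that is itself a finding worth fixing rather than something to whitelist. Anything unexpected with replication rights should be treated as a possible DCSync backdoor until its owner is identified.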

Trust Relationship Issues

SID Filtering Disabled on External or Forest Trusts: SID filtering ("quarantine") makes the trusting side discard any SID in an incoming ticket that does not belong to the trusted domain. It is enabled by default on trusts created on Windows Server 2003 and later, but is frequently switched off (netdom trust /quarantine:No, or /enablesidhistory:Yes on forest trusts) to make a migration using sIDHistory work, and then never re-enabled. With it off, an attacker who controls the trusted domain can put the SID of Enterprise Admins or another privileged group into the sIDHistory of a forged ticket and be treated as that principal across the trust. Trusts within a forest cannot be filtered at all, which is why the forest, not the domain, is the security boundary.

Forest Trust Selective Authentication Not Used: With forest-wide authentication (the default), every user in the trusted forest can authenticate to every computer in the trusting forest and receives Authenticated Users rights there. Selective authentication limits this to the computers on which the user has explicitly been granted the Allowed to Authenticate right.

Trusts Wider Than Needed: Two-way trusts where only one direction is used, and trusts whose purpose nobody can explain, create access paths that are neither monitored nor understood.

Remediation: Re-enable SID filtering on external trusts (netdom trust /quarantine:Yes) and turn SID history back off on forest trusts once a migration is complete. Use selective authentication on forest trusts. Document the purpose and direction of every trust, review them regularly, and remove those no longer needed.
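The check below is an added example, not part of the original article. It evaluates each trust of the current domain from the documented trustAttributes bits (MS-ADTS section 6.1.6.7.9) and the trust direction, reporting the three conditions described above. It assumes the ActiveDirectory module; the domain names in the commented netdom lines are placeholders.

```powershell
# Added example (not from the original article): evaluate trust hygiene from trustAttributes.
# Assumes the ActiveDirectory module. corp.example / partner.example below are placeholders.
Import-Module ActiveDirectory

$QUARANTINED_DOMAIN = 0x04   # SID filtering quarantine on (external trusts)
$FOREST_TRANSITIVE  = 0x08   # forest trust
$CROSS_ORGANIZATION = 0x10   # selective authentication
$WITHIN_FOREST      = 0x20   # parent-child or tree-root trust
$TREAT_AS_EXTERNAL  = 0x40   # forest trust with relaxed SID filtering (SID history enabled)

function Test-ADTrustHygiene {
    foreach ($t in Get-ADTrust -Filter *) {
        $attr     = [int]$t.TrustAttributes
        $isForest = ($attr -band $FOREST_TRANSITIVE) -ne 0
        $intra    = ($attr -band $WITHIN_FOREST) -ne 0
        # Outbound means this domain trusts the remote one, so remote principals can authenticate here
        $outbound = $t.Direction.ToString() -in @('Outbound', 'BiDirectional')
        $issues   = @()

        if ($intra) {
            $issues += 'intra-forest trust: cannot be SID filtered, the forest is the security boundary'
        } else {
            if (-not $isForest -and (($attr -band $QUARANTINED_DOMAIN) -eq 0)) { $issues += 'SID filtering disabled on external trust' }
            if ($isForest -and (($attr -band $TREAT_AS_EXTERNAL) -ne 0))       { $issues += 'forest trust SID filtering relaxed (SID history enabled)' }
            if ($outbound -and (($attr -band $CROSS_ORGANIZATION) -eq 0))      { $issues += 'selective authentication not enabled' }
        }
        if ($t.Direction.ToString() -eq 'BiDirectional') { $issues += 'bidirectional: confirm both directions are needed' }

        [pscustomobject]@{
            Target    = $t.Target
            Type      = $t.TrustType
            Direction = $t.Direction
            Issues    = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

Test-ADTrustHygiene | Format-Table -AutoSize -Wrap

# Remediation templates (run in the trusting domain with Domain Admin rights):
# netdom trust corp.example /domain:partner.example /quarantine:Yes         # re-enable SID filtering (external trust)
# netdom trust corp.example /domain:partner.example /enablesidhistory:No    # strict filtering again on a forest trust
# netdom trust corp.example /domain:partner.example /selectiveauth:Yes      # selective authentication
```

Re-enabling quarantine breaks access for any account that still relies on sIDHistory across that trust, so run the migration cleanup first. Selective authentication also needs the Allowed to Authenticate right granted on the specific computers the remote users should reach; enabling it without that step cuts them off entirely.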

Group Policy Misconfigurations

GPOs with Overly Broad Scope: GPOs linked at the domain or to large OUs push their settings (scheduled tasks, startup scripts, local group membership, registry values) to many machines at once, so one malicious or careless change lands everywhere.

GPO Permissions Too Permissive: Anyone with Edit rights on a GPO, or write access to its folder under SYSVOL, can deploy a scheduled task or script to every computer that applies it. Broad principals such as Authenticated Users should only ever have Read and Apply.

Legacy GPOs Not Removed: Old GPOs may carry insecure settings (including Group Policy Preferences passwords, which are encrypted with a published key and trivially recovered) or remain linked to OUs nobody maintains.

Remediation: Limit GPO scope with OU links and security filtering, remembering that computers still need Read access to apply a GPO. Restrict Edit rights to a small group and check both the GPO object's permissions and the NTFS permissions of its SYSVOL folder. Remove unlinked and obsolete GPOs. Document each GPO's purpose and owner.
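This PowerShell report is an added example, not from the original article. It covers the two permission surfaces and the unlinked-GPO case above: edit rights on each GPO object, write rights on its SYSVOL folder, and GPOs with no links. It assumes the GroupPolicy RSAT module; the $allowedEditors list is an assumption about a plain domain and should match your delegation model.

```powershell
# Added example (not from the original article): who can edit each GPO, which GPO folders are
# writable in SYSVOL, and which GPOs are linked nowhere. Assumes the GroupPolicy module;
# $allowedEditors is an assumption about a default domain.
Import-Module GroupPolicy

# Principals expected to have edit rights. CREATOR OWNER appears on every SYSVOL policy folder by default.
$allowedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Group Policy Creator Owners', 'CREATOR OWNER')

function Get-GpoFindings {
    foreach ($gpo in Get-GPO -All) {
        # 1. Edit rights on the GPO object (Read/Apply for Authenticated Users is expected and fine)
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            $level = $perm.Permission.ToString()
            $who   = if ($perm.Trustee.Name) { $perm.Trustee.Name } else { $perm.Trustee.Sid.Value }
            if ($level -in @('GpoEdit', 'GpoEditDeleteModifySecurity') -and $who -notin $allowedEditors) {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Finding = "editable by $who ($level)" }
            }
        }

        # 2. NTFS rights on the SYSVOL folder; these are enforced by the file system, not by the GPO ACL
        $folder = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
        foreach ($ace in (Get-Acl -Path $folder).Access) {
            $rights = $ace.FileSystemRights.ToString()
            $id     = $ace.IdentityReference.Value -replace '^[^\\]+\\', ''   # drop the DOMAIN\ or BUILTIN\ prefix
            if ($ace.AccessControlType -eq 'Allow' -and $rights -match 'Write|Modify|FullControl' -and $id -notin $allowedEditors) {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Finding = "SYSVOL folder writable by $($ace.IdentityReference.Value) ($rights)" }
            }
        }

        # 3. Unlinked GPOs: the XML report contains one LinksTo element per link
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        if (-not $report.GPO.LinksTo) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Finding = 'not linked anywhere (remove after review)' }
        }
    }
}

Get-GpoFindings | Sort-Object GPO | Format-Table -AutoSize -Wrap
```

A GPO that is unlinked today can be relinked by anyone with link rights on an OU, so an old GPO that still grants edit rights to a broad group is a loaded weapon rather than dead weight; delete it or fix its permissions, do not just leave it unlinked.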

Service Account Issues

Service Accounts in Domain Admins: Any account with an SPN can be Kerberoasted by any domain user; when that account is also in Domain Admins, cracking one weak password is domain compromise. Vendor installation guides that demand Domain Admin rights are the usual cause.

Service Accounts with Password Never Expire: Combined with a human-chosen password set years ago, this makes the account an easy Kerberoasting target, and fear of breaking the service means the password is never rotated.

Generic Service Accounts: Shared service accounts make attribution and rotation difficult.

Remediation: Grant service accounts only the rights the service needs, never Domain Admins. Rotate passwords and use long random values (25 characters or more) so that cracking a Kerberoasted ticket is infeasible. Prefer Group Managed Service Accounts (gMSAs), whose 240-character passwords are generated and rotated by AD every 30 days by default, and set AES-only Kerberos encryption on the legacy accounts that remain.
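As an added example (not from the original article), the script below lists SPN-bearing accounts with the weak profile just described (RC4 service tickets, never-expiring or stale password, privileged group membership) and then shows, in commented form, the commands that replace one such account with a gMSA. It assumes the ActiveDirectory module; svc-web, WebServers and corp.example are placeholders.

```powershell
# Added example (not from the original article): Kerberoast exposure of service accounts, plus
# the gMSA replacement commands. Assumes the ActiveDirectory module. svc-web, WebServers and
# corp.example are placeholder names.
Import-Module ActiveDirectory

$AES_BITS = 0x18   # msDS-SupportedEncryptionTypes: 0x08 AES128, 0x10 AES256 (0x04 is RC4)
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
$privilegedDNs = foreach ($g in $privilegedGroups) {
    (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue).DistinguishedName
}

function Get-KerberoastExposure {
    param([int]$StaleDays = 365)
    $props = 'servicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires', 'msDS-SupportedEncryptionTypes'
    # Every user with an SPN except krbtgt; gMSAs are not user objects and so are not returned here
    foreach ($u in Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties $props) {
        $enc    = [int]$u.'msDS-SupportedEncryptionTypes'
        $issues = @()
        if (($enc -band $AES_BITS) -eq 0)                            { $issues += 'RC4 service tickets likely (no AES bits set)' }
        if ($u.PasswordNeverExpires)                                 { $issues += 'password never expires' }
        if ($u.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays))  { $issues += "password older than $StaleDays days" }
        if ($u.DistinguishedName -in $privilegedDNs)                 { $issues += 'member of a privileged group' }
        if ($issues) {
            [pscustomobject]@{
                Account = $u.SamAccountName
                SPNs    = ($u.servicePrincipalName | Select-Object -First 2) -join ', '
                Issues  = $issues -join '; '
            }
        }
    }
}

Get-KerberoastExposure | Sort-Object Account | Format-Table -AutoSize -Wrap

# Quick hardening of a legacy account that must stay: AES-only tickets (set a long random password too)
# Set-ADUser -Identity 'svc-legacy' -KerberosEncryptionType AES128, AES256

# Replacing a service account with a gMSA. The KDS root key is created once per forest; use an
# EffectiveTime 10 hours in the past so every DC has replicated it (-EffectiveImmediately is for labs).
# Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
# New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.corp.example' `
#     -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
#     -ServicePrincipalNames 'HTTP/web.corp.example' `
#     -KerberosEncryptionType AES128, AES256 -ManagedPasswordIntervalInDays 30
# On each host in WebServers (after a reboot so its group membership is current):
# Install-ADServiceAccount -Identity 'svc-web'; Test-ADServiceAccount -Identity 'svc-web'
# Then configure the service to run as CORP\svc-web$ with a blank password and disable the old account.
```

An account that shows "member of a privileged group" together with "RC4 service tickets likely" is the highest-value Kerberoast target in the domain and should be fixed first; anyone with a domain logon can request its ticket and crack it offline without generating a single failed logon.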

Authentication Weaknesses

Weak Kerberos Encryption: DES is broken, and RC4 lets attackers crack Kerberoasted service tickets offline quickly; the RC4 Kerberos key is also simply the NT hash, which is what makes overpass-the-hash possible. Accounts whose msDS-SupportedEncryptionTypes lack the AES bits receive RC4 service tickets.

NTLM Still Enabled: NTLM authentication can be relayed, captured for offline cracking, and replayed with stolen hashes (pass-the-hash); LM and NTLMv1 responses are trivially cracked. Kerberos avoids all of these, so NTLM should be audited, reduced and eventually blocked.

LDAP Signing and Channel Binding Not Enforced: Lets an attacker relay captured NTLM authentication, for example from a coerced machine account, to LDAP on a domain controller and modify the directory: adding a computer account, configuring RBCD, or writing shadow credentials. Channel binding closes the same hole for LDAPS.

SMB Signing Not Required: Allows an attacker on the network to relay NTLM authentication to another host's SMB service and execute commands there as the relayed user.

Remediation: Restrict Kerberos encryption types to AES, after using KDC event 4769 to find what still requests RC4 tickets. Audit NTLM usage (Network security: Restrict NTLM: Audit) before restricting it, and set LmCompatibilityLevel to 5. On domain controllers set LDAPServerIntegrity to 2 (require signing) and LdapEnforceChannelBinding to 2 (always). Require SMB signing on both the server and the client side.
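The PowerShell below is an added example, not from the original article. It reads the registry values that the remediation above names on a domain controller and reports which are still at a weak or default setting, then queries the Security log for 4769 events with RC4 tickets so that RC4 can be disabled without breaking services. It must run on a DC as an administrator, and the log query assumes "Audit Kerberos Service Ticket Operations" is enabled.

```powershell
# Added example (not from the original article): effective authentication hardening on a DC and
# the services that still receive RC4 tickets. Run on a domain controller as an administrator;
# the 4769 query needs "Audit Kerberos Service Ticket Operations" (success) enabled.

function Test-AuthHardening {
    $checks = @(
        @{ Name = 'LDAP signing required (LDAPServerIntegrity = 2)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Key = 'LDAPServerIntegrity'
           Ok   = { param($v) $v -eq 2 } }
        @{ Name = 'LDAP channel binding always (LdapEnforceChannelBinding = 2)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Key = 'LdapEnforceChannelBinding'
           Ok   = { param($v) $v -eq 2 } }
        @{ Name = 'SMB server signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Key = 'RequireSecuritySignature'
           Ok   = { param($v) $v -eq 1 } }
        @{ Name = 'SMB client signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Key = 'RequireSecuritySignature'
           Ok   = { param($v) $v -eq 1 } }
        @{ Name = 'NTLMv2 only, LM/NTLMv1 refused (LmCompatibilityLevel = 5)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Key = 'LmCompatibilityLevel'
           Ok   = { param($v) $v -eq 5 } }
        @{ Name = 'Kerberos encryption types: AES present, DES/RC4 bits (0x7) clear'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'; Key = 'SupportedEncryptionTypes'
           Ok   = { param($v) ($null -ne $v) -and (($v -band 0x7) -eq 0) -and (($v -band 0x18) -ne 0) } }
    )
    foreach ($c in $checks) {
        # A missing value means the OS default applies, which for these keys is not the hardened setting
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
        [pscustomobject]@{
            Check  = $c.Name
            Actual = if ($null -eq $v) { '(not set)' } else { $v }
            Pass   = [bool](& $c.Ok $v)
        }
    }
}

function Get-Rc4TicketConsumers {
    param([int]$Hours = 24)
    # 4769 = service ticket requested; TicketEncryptionType 0x17 = RC4-HMAC
    $ms    = $Hours * 3600000
    $xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='TicketEncryptionType']='0x17']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Service   = ($d | Where-Object Name -eq 'ServiceName').'#text'
            Requester = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            ClientIP  = ($d | Where-Object Name -eq 'IpAddress').'#text'
        }
    } | Group-Object Service | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Service'; e = { $_.Name } },
                      @{ n = 'Requesters'; e = { ($_.Group.Requester | Sort-Object -Unique) -join ', ' } }
}

Test-AuthHardening     | Format-Table -AutoSize -Wrap
Get-Rc4TicketConsumers | Format-Table -AutoSize -Wrap
```

Services that appear in the RC4 list are almost always accounts without AES bits in msDS-SupportedEncryptionTypes; give them AES encryption types first, then watch the list drain before removing RC4 from the domain policy. Trusts need AES enabled on both sides before RC4 is removed, or cross-domain authentication stops.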

Organizational Unit Structure Issues

Flat OU Structure: Makes it difficult to apply security policies consistently or to delegate administration safely, because any right delegated at the OU level covers everything in it.

Security Groups in Wrong OUs: OU permissions are inherited by the objects inside them, so a group placed in an OU delegated to a help desk team can be modified by that team even if its membership is privileged.

Computers and Users Left in the Default Containers: Group Policy cannot be linked to the built-in Users and Computers containers, so objects left there receive only domain-linked GPOs. Redirect new objects to managed OUs with redirusr and redircmp.

Remediation: Design the OU structure around administrative tiers. Separate users, workstations, servers and service accounts so that policies and delegation apply to the right scope, and keep Tier 0 objects (domain controllers, privileged accounts and groups) in OUs that no lower tier can write to.

Monitoring Gaps

No Audit Policy: Without the Advanced Audit Policy enabled, the events that reveal privilege escalation are never written: group membership changes (4728/4732/4756), service ticket requests (4769) and directory replication access (4662), so Kerberoasting and DCSync go unseen.

Event Logs Not Retained: With default log sizes, a busy domain controller overwrites its Security log within hours or days, so by the time an incident is noticed the evidence is gone.

No SIEM Integration: Events that stay on individual domain controllers cannot be correlated across hosts, so attack patterns such as a burst of ticket requests followed by a replication request from a user account go undetected.

Remediation: Enable Advanced Audit Policy for account and security group management, directory service access, Kerberos service ticket operations and logon events. Retain event logs for at least 30 days locally and longer centrally. Forward logs to a SIEM. Alert on privileged group changes, on 4662 replication access from accounts that are not domain controllers, and on changes to delegation settings or ACLs of Tier 0 objects.
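As an added example (not from the original article), these two PowerShell detections implement the first two alerts above against a domain controller's Security log: membership changes to watched groups, and replication access (the DCSync pattern) by anything that is not a domain controller. It assumes the ActiveDirectory module and that "Audit Security Group Management" and "Audit Directory Service Access" (success) are enabled; the $watchedGroups list and the MSOL_ exclusion are assumptions to adapt to your environment.

```powershell
# Added example (not from the original article): privileged group changes and DCSync-style
# replication in the DC Security log. Assumes the ActiveDirectory module and the two audit
# subcategories named at the end. $watchedGroups and the MSOL_ exclusion are assumptions.
Import-Module ActiveDirectory

$watchedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins', 'Account Operators', 'Protected Users'
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
             '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
             '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
# Machine accounts of real DCs replicate legitimately; anything else doing so is suspicious
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Get-PrivilegedGroupChanges([int]$Hours = 24) {
    # 4728/4756: member added to a global/universal group; 4732: to a domain-local group such as Administrators
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $group = Get-EventField $e 'TargetUserName'
        if ($group -in $watchedGroups) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Group  = $group
                Member = (Get-EventField $e 'MemberName')
                By     = (Get-EventField $e 'SubjectUserName')
            }
        }
    }
}

function Get-SuspiciousReplication([int]$Hours = 24) {
    # 4662 with a replication control-access GUID in Properties is the DCSync footprint
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $props = Get-EventField $e 'Properties'
        $hit   = @($replGuids | Where-Object { $props -match $_ })
        if (-not $hit) { continue }
        $who = Get-EventField $e 'SubjectUserName'
        if ($who -in $dcAccounts -or $who -like 'MSOL_*') { continue }   # Azure AD Connect sync account; adapt to your exceptions
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $who
            Domain  = (Get-EventField $e 'SubjectDomainName')
            Rights  = ($hit -join ',')
        }
    }
}

Get-PrivilegedGroupChanges | Format-Table -AutoSize -Wrap
Get-SuspiciousReplication  | Format-Table -AutoSize -Wrap

# Prerequisite check (both should report Success):
# auditpol /get /subcategory:"Security Group Management","Directory Service Access"
```

In a SIEM the same logic becomes two rules: 4728/4732/4756 where TargetUserName is in the watch list, and 4662 where Properties contains one of the three GUIDs and SubjectUserName is not a DC machine account. Because AdminSDHolder membership protection does not generate group-change events, keep the 4662 rule even if the group rule is quiet.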

