LOCKDOWN HARDENING CHECKLIST

Active Directory Domain Services

22 production-ready hardening checks with PowerShell commands, attack context, and detection queries

Summary: 10 Critical, 12 High, 6 categories, 22 guides
Identity & Access 7 checks
  • Tiered administration model (Tier 0/1/2)
  • Protected Users group for privileged accounts
  • LAPS for local admin password management
  • Harden AdminSDHolder and SDProp
  • Group Managed Service Accounts (gMSA)
  • Restrict Kerberos delegation
  • Disable NTLM authentication
Network 3 checks
  • Enforce LDAP signing & channel binding
  • Require SMB signing on all systems
  • Disable LLMNR, NetBIOS, and WPAD
Encryption 3 checks
  • AES Kerberos encryption, disable RC4
  • Enforce LDAPS (LDAP over TLS/SSL)
  • Enable BitLocker on Domain Controllers
Logging & Detection 4 checks
  • Advanced audit policies for AD
  • Monitor and detect DCSync attacks
  • Monitor Group Policy Object changes
  • Detect AS-REP Roasting accounts
Services 4 checks
  • Disable Print Spooler on DCs
  • Restrict logon rights on DCs
  • Secure SYSVOL & Group Policy deployment
  • Secure DNS and prevent DNS attacks
Patching 1 check
  • DC patching strategy & schema updates