Why AD Is the #1 Target
Attackers who gain domain admin access can:
• Create new admin accounts
• Reset any password
• Access any system
• Deploy ransomware domain-wide in minutes
• Maintain hidden backdoors for months
Warning Signs to Monitor
• New admin accounts: Any account added to a privileged group (Domain Admins, Enterprise Admins, Administrators and the like), whether newly created or an existing user quietly promoted
• Privilege changes at odd hours: Group membership changes or admin logons at 2 AM are suspicious unless they match a scheduled change window
• Disabled accounts re-enabled: Often a sign of persistence, since a dormant account draws less attention than a brand-new one
• Service account authentication anomalies: Service accounts should authenticate from a fixed set of hosts at predictable times; interactive logons or a new source host are red flags
• Password spraying patterns: Failed logons against many different accounts from one source in a short window, usually one or two attempts per account to stay under the lockout threshold
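The five warning signs above can be checked mechanically once Security-log events are forwarded to a central store. The following is an added example (not code from the original page) that runs each check over a handful of constructed Windows Security events. The event IDs are the standard ones (4728/4732/4756 for group membership additions, 4722 for account enabled, 4624/4625 for successful/failed logons, 4672 for admin-equivalent privileges); the account names, hosts, privileged-group list, service-account host map and business-hours window are assumptions you would replace with your own.

```python
"""Detection logic for the AD warning signs above, run over constructed
sample Security-log events. Added example, not code from the original page;
every account, host and timestamp here is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security event IDs used below:
#   4728 / 4732 / 4756  member added to a global / local / universal security group
#   4722                user account enabled
#   4624                successful logon
#   4625                failed logon
#   4672                special privileges assigned to a new logon (admin-equivalent)
GROUP_ADD = {4728, 4732, 4756}
ADMIN_ACTIVITY = GROUP_ADD | {4722, 4672}

# Assumed policy inputs; in practice these come from AD and your tiering plan.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SERVICE_ACCOUNT_HOSTS = {"svc_sql": {"SQL01"}}   # hosts each service account may log on from
BUSINESS_HOURS = range(7, 19)                     # 07:00-18:59 local time


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not from a real domain).
EVENTS = [
    {"time": "2024-05-02T02:14:00", "id": 4728, "subject": "jdoe", "member": "tmp_admin", "group": "Domain Admins"},
    {"time": "2024-05-02T02:15:00", "id": 4722, "subject": "jdoe", "target": "old_contractor"},
    {"time": "2024-05-02T10:30:00", "id": 4732, "subject": "helpdesk1", "member": "bob", "group": "Remote Desktop Users"},
    {"time": "2024-05-02T09:00:00", "id": 4624, "account": "svc_sql", "host": "WKS-117"},
    {"time": "2024-05-02T09:01:00", "id": 4624, "account": "svc_sql", "host": "SQL01"},
] + [
    # 25 different accounts failing from one source inside five minutes: a spray pattern
    {"time": f"2024-05-02T11:{i // 6:02d}:{(i % 6) * 10:02d}", "id": 4625, "account": f"user{i:02d}", "source": "10.0.0.5"}
    for i in range(25)
] + [
    # one user mistyping a password six times is not a spray
    {"time": f"2024-05-02T12:00:{i * 5:02d}", "id": 4625, "account": "alice", "source": "10.0.0.9"}
    for i in range(6)
]


def new_admin_members(events):
    """Sign 1: any account added to a privileged group -> (member, group, who did it)."""
    return [(e["member"], e["group"], e["subject"]) for e in events
            if e["id"] in GROUP_ADD and e["group"] in PRIVILEGED_GROUPS]


def off_hours_admin_activity(events):
    """Sign 2: admin-relevant events whose local hour falls outside business hours."""
    return [e for e in events
            if e["id"] in ADMIN_ACTIVITY and _t(e["time"]).hour not in BUSINESS_HOURS]


def reenabled_accounts(events):
    """Sign 3: accounts switched from disabled to enabled -> (target, who did it)."""
    return [(e["target"], e["subject"]) for e in events if e["id"] == 4722]


def service_account_anomalies(events):
    """Sign 4: service-account logons from hosts they are not expected on."""
    return [(e["account"], e["host"]) for e in events
            if e["id"] == 4624 and e["account"] in SERVICE_ACCOUNT_HOSTS
            and e["host"] not in SERVICE_ACCOUNT_HOSTS[e["account"]]]


def password_spray_sources(events, window=timedelta(minutes=10), min_accounts=10):
    """Sign 5: sources whose failed logons hit >= min_accounts DISTINCT accounts
    within any sliding window. Counting distinct accounts rather than raw
    failures is what separates a spray from one user with a typo."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_source[e["source"]].append((_t(e["time"]), e["account"]))
    flagged = {}
    for src, fails in by_source.items():
        fails.sort()
        lo = 0
        for hi in range(len(fails)):
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            accounts = {a for _, a in fails[lo:hi + 1]}
            if len(accounts) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(accounts))
    return flagged


def run_all(events=EVENTS):
    """Run every check and return the findings keyed by warning sign."""
    return {
        "new_admins": new_admin_members(events),
        "off_hours": off_hours_admin_activity(events),
        "reenabled": reenabled_accounts(events),
        "service_anomalies": service_account_anomalies(events),
        "spray_sources": password_spray_sources(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

On the sample data the script flags tmp_admin being added to Domain Admins, the two 02:00 changes as off-hours activity, the re-enabled old_contractor account, svc_sql logging on to WKS-117, and 10.0.0.5 as a spray source hitting 25 accounts, while the helpdesk change to Remote Desktop Users and alice's repeated typos are correctly ignored. The spray detector uses a sliding window over sorted timestamps so that a slow spray spread across the window edge is still caught.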
Essential AD Security Controls
1. Tiered Admin Model: Separate accounts for workstation (Tier 2), server (Tier 1) and domain/identity (Tier 0) administration, so a compromised workstation never exposes domain admin credentials
2. Privileged Access Workstations: Admin tasks only from hardened, dedicated systems with no email or web browsing
3. LAPS: Unique, automatically rotated local Administrator passwords on every machine, so one stolen local credential cannot be reused across the fleet
4. Credential Guard: Isolates LSASS secrets with virtualization-based security so memory-dumping tools cannot recover NTLM hashes or Kerberos tickets
5. Event Log Forwarding: Centralize Security logs from domain controllers and members before attackers can clear them locally
Questions for Your IT Provider
1. Do you monitor AD for suspicious changes 24/7?
2. How quickly would you detect a new admin account?
3. Do you use a tiered admin model?
4. When was the last AD security assessment?