Active Directory Security Improvement

Virtually all attacks are carried out via the Active Directory. Accordingly, it makes sense to assign special priority to the AD and to examine and harden it from an attacker's perspective. The Active Directory has often grown historically and can sometimes be very confusing. However, excellent tools exist for attackers to find attack paths in this complex interplay and to exploit misconfigurations. So the obvious thing to do is to use the same tools to uncover and stop these attack paths. And that is exactly what is done in this module. This often reveals numerous paths and possibilities, and here we can use our experience and attacker knowledge to create a clear prioritization of measures. This can also be done in several iterations, so that the most critical paths can be mitigated first and no bottleneck occurs during remediation.

If the following questions are still open in your company, a Active Directory security improvement is recommended:

  • Can compromised users elevate their privileges to the point of critical damage?
  • Which of our groups are particularly critical and need to be protected?
  • Are there user accounts which are not actively used and should be deactivated?
  • Do our service accounts have too many permissions?
  • Which accounts and systems do we need to keep a close eye on to respond to cyberattacks?



Active Directory Overview

In a meeting, an overview of the existing Active Directory is developed together with the responsible persons. Questions about the number of domains, users, service accounts, etc. are clarified here.


Required Accounts

For the practical test, normal Active Directory users are required, as they are used by regular users in the company. No elevated rights are required and existing accounts can be used.


Test device

For the practical tests, access to the Active Directory with the provided AD user is required. This can be done from a work notebook or via remote access, such as Citrix. Here, too, it is recommended to keep the setting as close as possible to the regular setup of employees.


collecting test data

In a relatively short time, a lot of data can be queried via the Active Directory. This large amount of data must then be evaluated correctly. The procedure is identical to that of real attackers and any detection mechanisms can be checked at the same time.


gaining insights

The collected data is then evaluated and possible attack paths are searched for. The attack paths are then prioritized and broken down into individual measures that are as effective as possible.


report writing

All results are summarized and evaluated. Measures are proposed for all risks and their priority is recorded. For benchmark environments, a score can be determined for comparison with other AD environments.


Sustained improvement

The measures can be checked for their effectiveness using the tools shown. Especially for larger AD environments, it is recommended to use an iterative top-down approach.

All results are submitted in a final report (PDF, Excel and JSON) and made available via the Mesher platform. This is where the real work begins. Cybersecurity can only be increased if measures are also implemented. Thanks to the basic health check, measures can now be addressed according to their priority and cost-benefit ratio. Via Mesher, your current security level is recorded and you can view the return on investment for the various measures. All results are also visualized here and can be linked to existing tools thanks to integrations. With the platform, technical measures can be directly assigned with tasks to the appropriate people and agile working without media breaks is made possible. This lays the foundation for efficient and sustainable cyber security in the company.

More about the Mesher platform

Mesher Plattform