Active Directory hardening 2026: Tier 0, DSRM, PRT theft

By Jesse William McGraw · May 10, 2026 · 7 min read

Updated May 2026.

Speaking from experience on both sides of the wire: the single highest-leverage thing any enterprise environment running Windows can do in 2026 is harden Active Directory. Not the perimeter, not the endpoint, not even the email gateway. AD. It’s the central nervous system of almost every enterprise breach we cover on the Ransomtracker dashboard, and it’s the thing most internal security teams under-resource because it sits in the seam between IT operations and security.

This is a practitioner walkthrough, not a theoretical one. We’ll work through the three highest-impact controls: Tier 0 isolation, DSRM rotation, and Primary Refresh Token theft mitigation, plus the AD audit baseline that catches what the controls miss.

Why AD is the centre of gravity

Read any of the operator profiles in our Threat Groups archive and the same shape repeats. Initial access via VPN credential or phishing. Lateral movement via Windows administrative protocols. Credential theft from LSASS or browser stores. Privilege escalation to Domain Admin. Reconnaissance for backup infrastructure. Encryption deployment via Group Policy or PsExec. Every step lives or dies on what AD allows.

The good news: Microsoft has shipped useful primitives for the 2020s. The bad news: most enterprises still run AD in the 2010s configuration, in which every one of those primitives is optional and therefore usually absent.

Control 1, Tier 0 isolation

The Microsoft Tier 0 / Tier 1 / Tier 2 administrative model, sometimes called the Enterprise Access Model in newer documentation, is the single biggest operational change you can make. The principle is simple:

  • Tier 0 = systems that can directly compromise the entire domain. Domain controllers, ADFS, AAD Connect, certificate authorities, the privileged-access management (PAM) host itself. Treated as crown jewels.
  • Tier 1 = servers and applications that hold business data: file servers, SQL, ERP. Compromising one is severe but stays confined to that system; it does not inherently hand over the whole estate.
  • Tier 2 = user workstations, the daily compute environment.

The rule that makes the model work is bidirectional: Tier 0 admin accounts only authenticate to Tier 0 systems, and Tier 0 systems only accept logons from Tier 0 admin accounts. No “I’ll just RDP from my laptop into the DC for ten minutes.” No service accounts spanning tiers. No helpdesk tools running with domain-wide privilege.

Implementation in the order it usually breaks:

  • Inventory existing Domain Admins, Enterprise Admins, Schema Admins, and members of Built-In Administrators on every DC. Most environments have 4-10x what they need.
  • Issue dedicated Tier 0 admin accounts. Naming convention helps (t0_jsmith). These accounts only log on to Tier 0 systems.
  • Stand up Privileged Access Workstations (PAWs), clean-build Windows boxes used only for Tier 0 administration. No general internet, no email, no Office. Microsoft’s Privileged Access Deployment guide is the reference.
  • Constrain logon. Use Authentication Policies and Authentication Policy Silos to enforce that t0 accounts can only log on from PAWs and only authenticate to Tier 0 hosts.
  • Disable interactive logon for service accounts that don’t need it. Most don’t.

The check that it’s working: a Tier 0 account attempting to log on to a Tier 2 workstation should fail at the authentication policy boundary. Test it monthly.
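The "constrain logon" step above, as an added example that is not from the article: an Authentication Policy and Silo created in audit mode (no -Enforce), then the PAWs, DCs and dedicated t0_ accounts placed in the silo. The policy and silo names, the PAW hostname prefix and the account t0_jsmith are assumptions.

```powershell
# Added example, not from the article. Assumed names: policy T0-AuthPolicy, silo T0-Silo,
# PAW hostnames starting with "PAW", Tier 0 account t0_jsmith.
Import-Module ActiveDirectory

$policyName = 'T0-AuthPolicy'
$siloName   = 'T0-Silo'

# SDDL condition: a user under this policy may only obtain a TGT from a device that is itself
# a member of the silo (condition syntax as documented for New-ADAuthenticationPolicy).
$fromSiloOnly = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# Policy: 4-hour TGTs and logon only from silo members. Omitting -Enforce leaves it in audit mode.
New-ADAuthenticationPolicy -Name $policyName -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSiloOnly

# Silo bound to that policy for users, computers and service accounts (also audit mode).
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName

# Tier 0 membership: the PAWs, the domain controllers and the dedicated t0_ accounts.
# Two steps per object: the silo must permit the account, and the account must be assigned to it.
$t0Users     = @(Get-ADUser -Identity 't0_jsmith')
$t0Computers = @(Get-ADComputer -Filter 'Name -like "PAW*"') +
               @(Get-ADDomainController -Filter * | ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN })

foreach ($u in $t0Users) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $u
    Set-ADUser -Identity $u -AuthenticationPolicySilo $siloName
    # Protected Users adds NTLM, RC4 and delegation restrictions on top of the silo.
    Add-ADGroupMember -Identity 'Protected Users' -Members $u
}
foreach ($c in $t0Computers) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $c
    Set-ADComputer -Identity $c -AuthenticationPolicySilo $siloName
}

# Verify membership now; after the audit period, switch both objects to enforcement.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members | Select-Object -ExpandProperty Members
# Set-ADAuthenticationPolicy     -Identity $policyName -Enforce $true
# Set-ADAuthenticationPolicySilo -Identity $siloName   -Enforce $true
```

In audit mode nothing is blocked, which is what makes the monthly "t0 account onto a Tier 2 box" test safe to run before flipping to enforcement.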

Control 2, DSRM rotation and DC backup hygiene

Every domain controller has a Directory Services Restore Mode (DSRM) account, a local administrator account used when the DC is booted into a recovery mode that bypasses AD. The DSRM password is set when the DC is promoted and, in environments that have run for years, often hasn’t been touched since.

An attacker with code execution on a DC can read the DSRM password hash and use it to persist after you’ve reset every domain admin. It’s a catastrophic persistence vector and trivial to overlook.

Rotation procedure:

# On each DC, in an elevated prompt ("null" means the DC you are running this on):
ntdsutil
set dsrm password
reset password on server null
<new strong password>     # typed at the "Please type password for DS Restore Mode Administrator Account:" prompt
<new strong password>     # typed again at the "Please confirm new password:" prompt
quit
quit

Rotate every 90 days minimum, and immediately after any incident. Store passwords in your privileged-access vault (CyberArk, BeyondTrust, Delinea, or even a hardware-key-protected password manager for smaller environments) with break-glass procedures documented.
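A companion check for the persistence vector described above, as an added example that is not from the article: the DsrmAdminLogonBehavior registry value decides where the DSRM account may log on (0 or absent: only when booted into DSRM; 1: also while AD DS is stopped; 2: always, including over the network while the DC is running). A value of 2 is what turns an old DSRM password into a backdoor that survives every AD password reset. The script assumes WinRM access to the DCs.

```powershell
# Added example, not from the article. Assumes PowerShell remoting (WinRM) to every DC.
Import-Module ActiveDirectory

function Get-DsrmLogonBehavior {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $value = Invoke-Command -ComputerName $dc -ArgumentList $regPath -ScriptBlock {
            param($p)
            (Get-ItemProperty -Path $p -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
        }
        if ($null -eq $value) { $value = 0 }   # an absent value means the default of 0
        $finding = switch ($value) {
            2       { 'CRITICAL: DSRM account can log on over the network; investigate before rotating' }
            1       { 'WARN: DSRM logon allowed while AD DS is stopped; confirm this is intentional' }
            default { 'OK' }
        }
        [pscustomobject]@{
            DomainController       = $dc
            DsrmAdminLogonBehavior = $value
            Finding                = $finding
        }
    }
}

$report = Get-DsrmLogonBehavior
$report | Format-Table -AutoSize

# Remediation, once any non-default DC has been investigated: restore the default (value absent = 0).
foreach ($dc in ($report | Where-Object DsrmAdminLogonBehavior -ne 0).DomainController) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DsrmAdminLogonBehavior
    }
}
```

A DC reporting 2 is an incident indicator, not a misconfiguration to silently fix: preserve the evidence, then rotate the DSRM password as above.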

While you’re on DCs: verify backup hygiene. Modern ransomware crews specifically target backups, including AD backups. Ensure system-state backups exist offsite, are encrypted with keys not stored in AD, and are tested by full-DC-restore exercises at least annually.

Control 3, Primary Refresh Token theft mitigation

For hybrid (on-premises + Entra ID) environments, the 2024–2026 attack du jour is PRT theft. The Primary Refresh Token is a long-lived authentication artifact stored on Entra-joined devices. An attacker with TPM-bypassing tooling on a compromised user’s machine can extract the PRT and use it to authenticate as that user against Entra ID, including against MFA-protected resources, because the PRT is itself the proof of MFA.

The mitigation stack:

  • Conditional Access policies that require a compliant device. A stolen PRT replayed from an attacker-controlled machine fails the compliance check. This is the single highest-leverage control.
  • Phishing-resistant MFA: passkeys, FIDO2 security keys, or Windows Hello for Business. Legacy SMS or push-notification MFA does not raise the bar against PRT theft, because the PRT bypasses the MFA prompt entirely.
  • Sign-in risk policies in Conditional Access. A logon from an unfamiliar IP, country, or browser fingerprint that uses an existing PRT should require step-up authentication.
  • Token Protection, a newer Entra feature that binds the PRT to the device’s TPM so that a copy taken off the device fails. Roll it out where supported.
  • Aggressive session lifetimes for sensitive applications. The half-life of a stolen PRT equals your token lifetime.
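The compliant-device, phishing-resistant-MFA and session-lifetime bullets above expressed as one Conditional Access policy, as an added example that is not from the article. It uses the Microsoft Graph PowerShell SDK and starts in report-only mode; the break-glass group id is a placeholder, the 8-hour sign-in frequency is a constructed value, and the authentication-strength id is Microsoft’s built-in "Phishing-resistant MFA" strength.

```powershell
# Added example, not from the article. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'CA-PRT-01 Require compliant device + phishing-resistant MFA'
    # Report-only: sign-in logs show what would have been blocked; nothing is enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @('<break-glass-group-object-id>')   # placeholder: your break-glass group
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # AND: a replayed PRT on an unmanaged machine fails the device check even though the PRT
        # carries the MFA claim; the strength control accepts only passkeys/FIDO2/WHfB, not SMS or push.
        operator               = 'AND'
        builtInControls        = @('compliantDevice')
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
    sessionControls = @{
        # Re-authenticate every 8 hours (constructed value): caps the usable life of a stolen token.
        signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 8; frequencyInterval = 'timeBased' }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Sign-in risk policies (the third bullet) need a separate policy with signInRiskLevels set, since they require Entra ID P2 and a different grant control.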

The AD audit baseline

Hardening alone isn’t enough; you have to be able to detect when something slips. Five log streams to baseline:

  • 4624 / 4625, successful and failed logons. Surface 4625 failed logons per source IP, alert on spikes.
  • 4720 / 4732 / 4756, account creation, group membership change, security-enabled-group changes. Every Domain Admin addition should be a paged alert.
  • 4768 / 4769, Kerberos AS-REQ and TGS-REQ. Kerberoasting attacks show up as TGS requests for service accounts; AS-REP roasting shows up as AS-REQ for accounts with pre-authentication disabled.
  • 4670 / 5136, directory object permission changes and modifications. AdminSDHolder modifications and DCSync rights are the canonical persistence patterns.
  • NTLM authentication events: disable NTLM where possible, audit it aggressively where not. NTLM is the attacker’s protocol of choice for Pass-the-Hash.
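The 4732/4756, 4768 and 4769 streams above reduced to alert candidates, as an added example that is not from the article. It reads one DC’s Security log over the last 24 hours; the DC name, window and threshold are assumptions, and the field names (TargetUserName, MemberName, TicketEncryptionType, PreAuthType, Status) are the standard Security event data fields.

```powershell
# Added example, not from the article. Assumes event-log read access to the DC named below.
function Get-ADAuditFindings {
    param([string]$DomainController = 'DC01', [int]$Hours = 24, [int]$TgsThreshold = 10)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4732, 4756, 4768, 4769; StartTime = $since
    }

    # Flatten each event's EventData into one object with a property per field.
    $rows = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $row = @{ Id = $e.Id; Time = $e.TimeCreated }
        foreach ($f in $xml.Event.EventData.Data) { $row[$f.Name] = $f.'#text' }
        [pscustomobject]$row
    }

    # 4732/4756: a member added to a Tier 0 group. This is a page, not a ticket.
    $tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $rows | Where-Object { ($_.Id -in 4732, 4756) -and ($_.TargetUserName -in $tier0Groups) } |
        ForEach-Object { [pscustomobject]@{ Severity = 'CRITICAL'; Rule = 'Tier 0 group change'; Time = $_.Time
            Detail = "$($_.SubjectUserName) added $($_.MemberName) to $($_.TargetUserName)" } }

    # 4769: many successful RC4 (0x17) service-ticket requests from one account is the Kerberoasting
    # shape; current clients request AES (0x12) unless the target SPN account is RC4-only.
    $rows | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and $_.Status -eq '0x0' } |
        Group-Object TargetUserName | Where-Object Count -ge $TgsThreshold |
        ForEach-Object { [pscustomobject]@{ Severity = 'HIGH'; Rule = 'Kerberoasting pattern'; Time = $since
            Detail = "$($_.Name) requested $($_.Count) RC4 service tickets in the last $Hours h" } }

    # 4768 with PreAuthType 0: a TGT issued without pre-authentication, the AS-REP roasting shape.
    $rows | Where-Object { $_.Id -eq 4768 -and $_.PreAuthType -eq '0' -and $_.Status -eq '0x0' } |
        ForEach-Object { [pscustomobject]@{ Severity = 'HIGH'; Rule = 'AS-REP roasting pattern'; Time = $_.Time
            Detail = "TGT for $($_.TargetUserName) issued without pre-auth to $($_.IpAddress)" } }
}

Get-ADAuditFindings | Sort-Object Time | Format-Table Severity, Rule, Time, Detail -AutoSize
```

Run it against each DC (or against forwarded logs in your SIEM) rather than a single one: Kerberos requests land on whichever DC the client picked.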

If you don’t have a SIEM, a basic Wazuh deployment covers the ingestion side at zero licence cost. Pair it with the Hayabusa Sigma-rule engine for ad-hoc forensic searches across event logs.

Tools you should be running, free

  • PingCastle, automated AD security audit, produces an actionable report. Run it monthly.
  • BloodHound, graphs attack paths through your AD. The same tool red teams use; run it on yourself first.
  • AaronLocker, Microsoft-recommended starter for AppLocker policies, blocks the dropper-and-execute chain that ransomware affiliates rely on.
  • SkyArk, discovers shadow-admin accounts in AD and Azure AD that don’t show up in standard Domain Admins audits.

A 90-day rollout plan

  • Week 1–2: Run PingCastle and BloodHound. Triage findings; fix the worst.
  • Week 3–4: Inventory Tier 0 accounts; trim to minimum; create dedicated t0_ accounts; deploy first PAW.
  • Month 2: Authentication Policy Silos in audit-only mode; rotate every DSRM password; verify DC backup posture.
  • Month 3: Authentication Policy Silos in enforcement; Conditional Access policies for compliant device + phishing-resistant MFA; sign-in risk policies live.

Run the same audit on day 91 and compare to day 1. The gap is the value you delivered.

Further reading

  • Microsoft Privileged Access, authoritative reference for the Enterprise Access Model.
  • Microsoft AD security best practices.
  • SpecterOps PRT attacks deep-dive.
  • MITRE ATT&CK enterprise / Windows matrix, the techniques you’re hardening against.
  • Our IAB pricing explainer, the upstream of every AD attack chain.

If you do nothing else from this article, do Tier 0 isolation. It’s the single change with the largest blast-radius reduction. Modern ransomware kills environments by walking from Tier 2 to Tier 0 in eight hops. Refusing those eight hops is the difference between an incident and an extinction event.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
