Active Directory Hardening Checklist

What's in the checklist

Most ransomware intrusions and red team engagements in Malaysian enterprise environments end the same way: the attacker reaches Domain Admin, and from there, every workstation, every file share, and every backup repository becomes accessible. The path to Domain Admin is rarely surprising — it almost always passes through a small set of well-understood Active Directory misconfigurations and identity-tier mixing problems.

This 18-page checklist consolidates the Tier 0 hardening actions that nCrypt's offensive security team most frequently recommends after Active Directory security assessments and red team engagements in Malaysia. It is written for Windows infrastructure teams, identity engineers, and CISOs who need a concrete, prioritised, and actionable starting point.

The checklist covers:

• Tier 0 / Tier 1 / Tier 2 model basics — and the most common ways the model is broken in practice.
• Privileged access workstation (PAW) deployment guidance.
• Kerberoasting and AS-REP roasting hardening — service account naming, password length, and managed service account migration.
• NTLM relay mitigations including SMB signing, LDAP signing, and channel binding.
• Active Directory Certificate Services (ADCS) attack-surface reduction (ESC1–ESC8).
• Group Policy Object review and Restricted Groups hygiene.
• Tier 0 group membership audit checklist.
• BloodHound / SharpHound usage guidance for defenders.
• Monitoring rules to detect post-exploitation behaviour pre-Domain-Admin.

Pair the checklist with the Active Directory Security Assessment service for a guided assessment, or with the AD attack paths blog post for the offensive perspective.

Note: the PDF download link is delivered to the work email you provide.

Accreditation context: nCrypt Malaysia's individual consultants hold OSCP, CRTO, CRTP, and CISSP among other relevant certifications. CREST member-firm application in progress; NACSA CSP licence application submitted.