Common Active Directory Misconfigurations - Where Security Breaks
Scenario: An attacker gains access to a low-privilege domain user account. Within hours, they're domain admin. How? Misconfigurations. One misconfigured service account, one over-permissive ACL, one forgotten legacy setting - that's all it takes.
Active Directory misconfigurations are the low-hanging fruit of enterprise security. They're not zero-day exploits. They're not sophisticated attacks. They're mistakes - configurations that seemed reasonable at the time but create security holes attackers eagerly exploit.
This guide catalogs these mistakes. Not to shame organizations (everyone has them), but to help identify and fix them before attackers do.
Table of Contents
- Introduction to AD Misconfigurations
- Account and Password Misconfigurations
- Group Policy Misconfigurations
- Permission and ACL Misconfigurations
- Service and SPN Misconfigurations
- Trust and Delegation Misconfigurations
- Network and DNS Misconfigurations
- Monitoring and Logging Gaps
- Detection and Assessment Tools
- Remediation Strategies
Introduction to AD Misconfigurations
The Uncomfortable Truth:
Most Active Directory compromises don't require sophisticated exploits. They require finding one misconfiguration - one account with too many permissions, one service with an SPN that shouldn't exist, one group policy that exposes too much. These misconfigurations are everywhere, in organizations of all sizes.
Real-World Impact:
When researchers analyze compromised AD environments, they consistently find:
- Service accounts with domain admin privileges
- Users in 20+ security groups when they need 2-3
- Password policies that allow weak passwords
- Delegation settings that enable lateral movement
- Exposed credentials in Group Policy Preferences
- Overly permissive ACLs on critical objects
These aren't theoretical issues. They're in production environments right now.
Why Misconfigurations Matter
Misconfigurations aren't just "bad settings" - they're attack vectors:
Initial Access:
- Weak passwords allow password spraying
- Service accounts with known passwords
- Exposed credentials in configuration files

Privilege Escalation:
- Users with excessive group memberships
- Unrestricted delegation enabling impersonation
- Weak ACLs allowing privilege modification

Lateral Movement:
- Service accounts that can access multiple systems
- Trust relationships that enable cross-domain access
- Over-permissive shares and file permissions

Persistence:
- Accounts that never expire
- Service accounts with permanent credentials
- Delegation rights that persist across password changes

Data Exfiltration:
- Excessive permissions on sensitive data
- Service accounts that can read databases
- Delegation enabling access to multiple systems
Why They Happen - The Root Causes
1. Time Pressure: "We need this service account working by end of day." Solution: Give it domain admin rights, figure out minimal permissions later. Later never comes.
2. Complexity: Active Directory environments grow organically. Over years, permissions accumulate. Service accounts multiply. Policies get layered. Nobody has the full picture anymore.
3. Legacy Systems: That server from 2012 needs NTLM. That application requires full delegation. That service account can't use managed accounts. Compatibility requirements create security debt.
4. Lack of Documentation: "Why is this account domain admin?" Nobody remembers. "What does this GPO do?" Lost to time. Without documentation, misconfigurations persist because nobody knows if they're safe to change.
5. Multiple Teams: Network team configures trusts. Application team creates service accounts. Security team sets policies. Without coordination, each team's "reasonable" configuration creates vulnerabilities when combined.
The Pattern:
Most misconfigurations follow a pattern:
1. Functional Requirement: "We need X to work"
2. Quick Solution: "Give it admin rights / disable security / allow everything"
3. Verification: "It works!"
4. Documentation: (Missing or forgotten)
5. Security Review: (Never happens or happens too late)
This guide helps break that pattern by identifying common misconfigurations and providing proper remediation paths.
Account and Password Misconfigurations

Weak Password Policies

```powershell
# Check for weak password policies
Get-ADDefaultDomainPasswordPolicy
# Common issues:
# - Password length < 14 characters
# - No complexity requirements
# - Long password expiration (> 90 days)
# - Short password history (< 24 passwords)
```
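The check above only prints the policy; the thresholds still have to be compared by eye, and it ignores fine-grained password policies (PSOs), which override the default for the groups they apply to and are a common place for a weak setting to hide. The following is an added example, not code from the original guide: it scores the default policy and every PSO against the thresholds listed above. The thresholds are the guide's numbers; the lockout and reversible-encryption checks are my additions.

```powershell
# Added example: evaluate the default domain password policy and every
# fine-grained policy (PSO) against the thresholds the guide lists.
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,             # default or fine-grained policy object
        [string]$Name = 'Default Domain Policy'
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt 14) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength) (< 14)"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "Complexity is not enabled"
    }
    # MaxPasswordAge is a TimeSpan; a zero value means passwords never expire
    $maxAge = $Policy.MaxPasswordAge.TotalDays
    if ($maxAge -eq 0 -or $maxAge -gt 90) {
        $findings += "MaxPasswordAge is $maxAge days (0 = never, or > 90)"
    }
    if ($Policy.PasswordHistoryCount -lt 24) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount) (< 24)"
    }
    # Two settings the guide does not list but that matter just as much:
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled (passwords recoverable in cleartext)"
    }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0 (no lockout, so password spraying is never throttled)"
    }
    [pscustomobject]@{ Policy = $Name; Findings = $findings }
}

# Default domain policy
Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)

# Fine-grained policies override the default for the principals they apply to;
# a weak PSO attached to a privileged group is easy to miss.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicy -Policy $_ -Name "PSO: $($_.Name) (precedence $($_.Precedence))" |
        Add-Member -NotePropertyName AppliesTo -NotePropertyValue ($_.AppliesTo -join '; ') -PassThru
}
```

An empty `Findings` array means the policy meets every threshold; when a PSO and the default policy disagree, the PSO with the lowest precedence value wins for the principals in `AppliesTo`, so review those rows first.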
Password in Description Fields

```powershell
# Find passwords in description fields (the attribute is readable by every
# authenticated user, so anything stored here is effectively public)
Get-ADUser -Filter * -Properties Description |
    Where-Object { $_.Description -like "*password*" -or $_.Description -like "*pwd*" } |
    Select-Object SamAccountName, Description

Get-ADComputer -Filter * -Properties Description |
    Where-Object { $_.Description -like "*password*" -or $_.Description -like "*pwd*" } |
    Select-Object Name, Description
```
Service Account Issues

```powershell
# Service accounts (user objects carrying an SPN) whose password never expires
Get-ADUser -Filter {ServicePrincipalName -like "*" -and PasswordNeverExpires -eq $true} `
    -Properties ServicePrincipalName, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordNeverExpires, ServicePrincipalName

# Service accounts with excessive privileges. MemberOf holds group distinguished
# names and only direct memberships, so match on the CN and keep nested membership in mind.
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties MemberOf |
    Where-Object { $_.MemberOf -match '^CN=(Domain Admins|Enterprise Admins|Administrators),' } |
    Select-Object SamAccountName, MemberOf
```
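The two queries above answer one question each. The following is an added example, not code from the original guide: it ranks every SPN-bearing user account by the reasons it is risky (static or old password, Tier 0 membership, no AES ticket encryption) and then shows the remediation the guide alludes to with "secure service accounts": replacing a static-password account with a group managed service account (gMSA), whose password is generated by the domain and rotated automatically. The names `svc-legacy-app`, `gmsa-app`, `APP01` and `corp.example` are placeholders.

```powershell
# Added example: inventory risky SPN accounts, then migrate one to a gMSA.
Import-Module ActiveDirectory

function Get-RiskySpnAccount {
    param([int]$MaxPasswordAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires,
                    MemberOf, AdminCount, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $reasons = @()
        if ($_.PasswordNeverExpires)        { $reasons += 'password never expires' }
        if ($_.PasswordLastSet -lt $cutoff) { $reasons += "password older than $MaxPasswordAgeDays days" }
        if ($_.AdminCount -eq 1)            { $reasons += 'privileged (adminCount=1)' }
        if ($_.MemberOf -match '^CN=(Domain Admins|Enterprise Admins|Administrators),') {
            $reasons += 'direct member of a Tier 0 group'
        }
        # msDS-SupportedEncryptionTypes unset, or without the AES bits (0x8 | 0x10),
        # means service tickets for this account are issued with RC4.
        $enc = $_.'msDS-SupportedEncryptionTypes'
        if (-not $enc -or ($enc -band 0x18) -eq 0) { $reasons += 'no AES ticket encryption' }
        if ($reasons) {
            [pscustomobject]@{
                Account = $_.SamAccountName
                SPNs    = $_.ServicePrincipalName -join ', '
                Reasons = $reasons -join '; '
            }
        }
    }
}

Get-RiskySpnAccount | Format-Table -AutoSize

# Remediation: move the service to a gMSA. The KDS root key exists once per
# forest; even with -EffectiveImmediately it becomes usable only after ~10 hours.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only the host(s) running the service may retrieve the managed password, which
# is 240 characters long and rotated by the DC every 30 days by default.
New-ADServiceAccount -Name 'gmsa-app' `
    -DNSHostName 'gmsa-app.corp.example' `
    -ServicePrincipalNames 'HTTP/app.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' `
    -KerberosEncryptionType AES128, AES256 `
    -WhatIf   # remove -WhatIf to create the account

# After the service runs as the gMSA, strip the SPN from the old account and disable it:
# Set-ADUser 'svc-legacy-app' -ServicePrincipalNames $null -Enabled $false
```

The SPN must move to the gMSA before the old account is disabled, otherwise clients requesting `HTTP/app.corp.example` keep getting tickets for the old account (or fail outright if two accounts hold the same SPN, which is the duplicate-SPN problem covered later in this guide).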
Admin Account Misconfigurations

```powershell
# Privileged accounts (adminCount=1) that are not in Protected Users.
# MemberOf holds distinguished names, so compare against the group's CN.
Get-ADUser -Filter {AdminCount -eq 1 -and Enabled -eq $true} -Properties MemberOf, PasswordLastSet, LastLogonDate |
    Where-Object { -not ($_.MemberOf -match '^CN=Protected Users,') } |
    Select-Object SamAccountName, LastLogonDate

# Admin accounts with old passwords
$cutoffDate = (Get-Date).AddDays(-365)
Get-ADUser -Filter {AdminCount -eq 1} -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $cutoffDate } |
    Select-Object SamAccountName, PasswordLastSet
```
Group Policy Misconfigurations

Insecure GPO Permissions

```powershell
# Find GPOs that broad principals can edit. Authenticated Users holding GpoApply
# is the default and is required for the policy to apply at all; the finding is
# a broad principal holding Edit rights, which lets any domain user push settings
# to every machine the GPO is linked to.
$gpos = Get-GPO -All
foreach ($gpo in $gpos) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    $insecure = $perms | Where-Object {
        $_.Trustee.Name -match '(Authenticated Users|Domain Users|Domain Computers|Everyone)$' -and
        $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity'
    }
    if ($insecure) {
        Write-Host "Insecure GPO: $($gpo.DisplayName)" -ForegroundColor Red
        $insecure | ForEach-Object { Write-Host "  $($_.Trustee.Name): $($_.Permission)" }
    }
}
```
GPO Preference Passwords

```powershell
# Check for Group Policy Preference passwords (historical issue).
# These were stored in SYSVOL, in the cpassword attribute of preference XML files,
# encrypted with a key Microsoft published. The 2014 patch removed the ability to
# create new ones but left existing files in place, so legacy environments may still have them.
# SYSVOL is readable by every domain member, so any cpassword found here is exposed.
Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -Recurse -Include *.xml -ErrorAction SilentlyContinue |
    Select-String "cpassword" |
    Select-Object Path, LineNumber
```
Missing Security Settings

```powershell
# Check for missing critical security settings
# Common missing settings:
# - SMB signing not enforced
# - NTLMv1 not disabled
# - LLMNR not disabled
# - LDAP signing not required
```
Permission and ACL Misconfigurations

Excessive User Rights

```powershell
# Find who holds dangerous user rights on this host. Rights assigned by GPO land in
# the local security policy, which secedit can export.
$dangerousRights = @(
    "SeDebugPrivilege",         # read/write any process memory
    "SeTcbPrivilege",           # act as part of the operating system
    "SeBackupPrivilege",        # read any file regardless of ACL
    "SeRestorePrivilege",       # write any file regardless of ACL
    "SeLoadDriverPrivilege",    # load kernel drivers
    "SeTakeOwnershipPrivilege"  # take ownership of any object
)
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
# Export lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.+)$' -and $dangerousRights -contains $Matches[1]) {
        $right = $Matches[1]
        $names = $Matches[2] -split ',' | ForEach-Object {
            # Entries prefixed with * are SIDs; translate them to names where possible
            if ($_ -like '*S-1-*') { try { ([System.Security.Principal.SecurityIdentifier]$_.TrimStart('*')).Translate([System.Security.Principal.NTAccount]).Value } catch { $_ } } else { $_ }
        }
        [pscustomobject]@{ Right = $right; AssignedTo = $names -join ', ' }
    }
}
Remove-Item $cfg
```
Insecure ACLs on AD Objects

```powershell
# Find AD objects whose ACL grants control rights to principals other than the
# expected administrative ones. GenericAll / WriteDacl / WriteOwner / GenericWrite on
# a user or group let the holder take it over; Self and ExtendedRight need case-by-case review.
$dangerousACEs = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite', 'Self', 'ExtendedRight'
# Principals that legitimately hold these rights everywhere (tune for your forest)
$expected = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
            "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins",
            "$env:USERDOMAIN\Key Admins", "$env:USERDOMAIN\Enterprise Key Admins"
# -Filter * over a large domain is slow; scope with -SearchBase to an OU first
Get-ADObject -Filter * -Properties nTSecurityDescriptor |
    ForEach-Object {
        $obj = $_
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($expected -contains $ace.IdentityReference.Value) { continue }
            # ActiveDirectoryRights is a flags enum, so "GenericAll" may be one of several
            # names in the string; split and test each instead of comparing the whole string
            $rights = $ace.ActiveDirectoryRights.ToString() -split ', '
            $hits = $rights | Where-Object { $dangerousACEs -contains $_ }
            if ($hits) {
                Write-Host "Dangerous ACE on: $($obj.DistinguishedName)" -ForegroundColor Red
                Write-Host "  Right: $($hits -join ', ')  Inherited: $($ace.IsInherited)"
                Write-Host "  Identity: $($ace.IdentityReference)"
            }
        }
    }
```
Inactive Account Permissions

```powershell
# Find group memberships still held by inactive (but enabled) accounts
$inactiveCutoff = (Get-Date).AddDays(-90)
# Accounts that never logged on have a null LastLogonDate, which compares as older
# than the cutoff; the WhenCreated test keeps newly created accounts out of the list
$inactiveUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate, WhenCreated |
    Where-Object { $_.LastLogonDate -lt $inactiveCutoff -and $_.WhenCreated -lt $inactiveCutoff }
foreach ($user in $inactiveUsers) {
    # Every user is in Domain Users (the primary group); report any other membership
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.Name -ne 'Domain Users' }
    if ($groups) {
        Write-Host "Inactive user in groups: $($user.SamAccountName) (last logon: $($user.LastLogonDate))" -ForegroundColor Yellow
        $groups | ForEach-Object { Write-Host "  Group: $($_.Name)" }
    }
}
```
Service and SPN Misconfigurations

Duplicate SPNs

```powershell
# Find duplicate SPNs. When two accounts hold the same SPN the KDC cannot tell
# which key to encrypt the service ticket with, so authentication to the service breaks.
setspn -X

# Or using PowerShell, recording which accounts hold each duplicate
$allSPNs = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties ServicePrincipalName
$spnHolders = @{}   # hashtable keys are case-insensitive, matching SPN comparison
$allSPNs | ForEach-Object {
    foreach ($spn in $_.ServicePrincipalName) {
        if (-not $spnHolders.ContainsKey($spn)) { $spnHolders[$spn] = @() }
        $spnHolders[$spn] += $_.DistinguishedName
    }
}
$spnHolders.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ SPN = $_.Key; Holders = $_.Value -join '; ' } }
```
Unconstrained Delegation

```powershell
# Find computers with unconstrained delegation. Any TGT presented to such a host
# is cached on it, so only domain controllers should have this setting.
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, OperatingSystem |
    Select-Object Name, OperatingSystem
# Find users with unconstrained delegation (there should be none)
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation |
    Select-Object SamAccountName
```
Constrained Delegation Issues

```powershell
# Check constrained delegation configurations. The attribute name contains a
# hyphen, so an LDAP filter is the reliable way to query it.
Get-ADComputer -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, OperatingSystem, TrustedToAuthForDelegation |
    Select-Object Name, OperatingSystem, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
Get-ADUser -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
# TrustedToAuthForDelegation ("use any authentication protocol") is the setting to
# scrutinise: the account can obtain tickets to the listed services on behalf of any
# user, whether or not that user ever authenticated to it.
```
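The queries in the two delegation sections above look at one attribute at a time and miss resource-based constrained delegation, which is configured on the target rather than on the delegating account. The following is an added example, not code from the original guide: one report over every delegation type, followed by the defensive fix for the accounts that matter most, which is to mark privileged users as "sensitive and cannot be delegated" and put them in Protected Users (the gap flagged earlier under "Admin Account Misconfigurations"). The `$exclude` list is an assumption: the built-in Administrator is kept out of Protected Users as a break-glass account.

```powershell
# Added example: full delegation inventory plus hardening of privileged accounts.
Import-Module ActiveDirectory

function Get-DelegationReport {
    $dcs = (Get-ADDomainController -Filter *).ComputerObjectDN
    # Bit tests on userAccountControl (matching rule 1.2.840.113556.1.4.803 = bitwise AND):
    # 0x80000 (524288) = TRUSTED_FOR_DELEGATION (unconstrained)
    # 0x1000000 (16777216) = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
              '(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $kind = @()
        if (($uac -band 0x80000) -and ($_.DistinguishedName -notin $dcs)) {
            $kind += 'UNCONSTRAINED (not a DC)'      # caches every TGT presented to it
        }
        if ($_.'msDS-AllowedToDelegateTo') {
            $kind += 'constrained -> ' + ($_.'msDS-AllowedToDelegateTo' -join ',')
        }
        if ($uac -band 0x1000000) { $kind += 'protocol transition (any auth protocol)' }
        if ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
            $kind += 'RBCD target (review the ACL stored in msDS-AllowedToActOnBehalfOfOtherIdentity)'
        }
        if ($kind) {
            [pscustomobject]@{ Object = $_.Name; Class = $_.ObjectClass; Delegation = $kind -join '; ' }
        }
    }
}

Get-DelegationReport | Format-Table -AutoSize

# Hardening: privileged users should never be delegable by anyone.
# AccountNotDelegated sets NOT_DELEGATED in userAccountControl; Protected Users
# additionally refuses NTLM, DES/RC4 and all delegation for its members at the DC,
# so never add service accounts or computer accounts to it.
$exclude = 'krbtgt', 'Administrator'   # assumption: break-glass account stays out
Get-ADUser -Filter {adminCount -eq 1 -and Enabled -eq $true} -Properties AccountNotDelegated, MemberOf |
    Where-Object { $_.SamAccountName -notin $exclude } |
    ForEach-Object {
        if (-not $_.AccountNotDelegated) {
            Set-ADUser $_ -AccountNotDelegated $true -WhatIf        # drop -WhatIf to apply
        }
        if (-not ($_.MemberOf -match '^CN=Protected Users,')) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $_ -WhatIf
        }
    }
```

Run the report first and resolve every `UNCONSTRAINED (not a DC)` row; the hardening loop is safe to apply to interactive admin accounts, but test it on one account before removing `-WhatIf`, because any admin who still authenticates with NTLM somewhere will notice immediately.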
Trust and Delegation Misconfigurations

Insecure Trust Relationships

```powershell
# Analyze trust relationships
$trusts = Get-ADTrust -Filter *
foreach ($trust in $trusts) {
    Write-Host "Trust: $($trust.Name)" -ForegroundColor Yellow
    Write-Host "  Direction: $($trust.Direction)"
    Write-Host "  Type: $($trust.TrustType)"
    Write-Host "  Forest transitive: $($trust.ForestTransitive)"
    Write-Host "  Attributes: $($trust.TrustAttributes)"
    # SID filtering depends on the trust kind. Intra-forest trusts cannot filter at all
    # (the forest is the security boundary). External trusts filter only when the
    # QUARANTINED_DOMAIN bit (0x4) is set. Forest trusts filter by default unless
    # TREAT_AS_EXTERNAL (0x40) is set, which re-enables SID history across the trust.
    if ($trust.IntraForest) {
        Write-Host "  SID Filtering: Not applicable (intra-forest trust)"
    } elseif ($trust.ForestTransitive) {
        if ($trust.TrustAttributes -band 0x40) {
            Write-Host "  SID Filtering: Weakened (TREAT_AS_EXTERNAL, SID history honoured)" -ForegroundColor Red
        } else {
            Write-Host "  SID Filtering: Enabled (forest trust default)" -ForegroundColor Green
        }
    } elseif ($trust.TrustAttributes -band 0x4) {
        Write-Host "  SID Filtering: Enabled (quarantined)" -ForegroundColor Green
    } else {
        Write-Host "  SID Filtering: Disabled" -ForegroundColor Red
    }
    # Selective authentication limits which principals can cross the trust at all
    Write-Host "  Selective Authentication: $($trust.SelectiveAuthentication)"
}
```
Cross-Domain Permission Issues

```powershell
# Check for cross-domain permissions
# These can allow privilege escalation across trust boundaries
# Use tools like BloodHound to analyze cross-domain attack paths
```
Network and DNS Misconfigurations

DNS Configuration Issues

```powershell
# Check DNS configuration
# Common issues:
# - Dynamic updates allowed from unauthorized systems
# - Zone transfers allowed to unauthorized systems
# - Lack of DNSSEC
# - Poor DNS hygiene (stale records)
```
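The four DNS issues above map to specific zone properties exposed by the DnsServer module. The following is an added example, not code from the original guide: it audits every zone on a DNS server for those four issues. It assumes the RSAT DnsServer module is installed, runs against the local server unless `-ComputerName` is given, and the zone name `corp.example` in the remediation comments is a placeholder.

```powershell
# Added example: audit DNS zones for insecure updates, open transfers,
# missing DNSSEC signing and disabled scavenging.
Import-Module DnsServer

function Get-DnsZoneFinding {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object {
        -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' -and
        $_.ZoneType -notin 'Forwarder', 'Stub'
    } |
    ForEach-Object {
        $z = $_
        $f = @()
        # NonsecureAndSecure lets any host on the network register or overwrite records,
        # including the names of servers that clients trust
        if ($z.DynamicUpdate -eq 'NonsecureAndSecure') { $f += 'unauthenticated dynamic updates allowed' }
        if ($z.DynamicUpdate -eq 'Secure' -and -not $z.IsDsIntegrated) {
            $f += 'secure updates require an AD-integrated zone'
        }
        # Zone transfers: whoever can pull the zone gets a complete host inventory
        switch ($z.SecureSecondaries) {
            'TransferAnyServer'        { $f += 'zone transfer allowed to ANY server' }
            'TransferToZoneNameServer' { $f += 'zone transfer allowed to every NS record' }
        }
        # DNSSEC: a signed zone carries RRSIG records; reverse zones are rarely signed
        if (-not $z.IsSigned -and -not $z.IsReverseLookupZone) { $f += 'zone is not DNSSEC signed' }
        # Stale records accumulate when aging/scavenging is off
        if ($z.ZoneType -eq 'Primary') {
            $aging = Get-DnsServerZoneAging -Name $z.ZoneName -ComputerName $ComputerName
            if (-not $aging.AgingEnabled) { $f += 'aging/scavenging disabled (stale records accumulate)' }
        }
        if ($f) {
            [pscustomobject]@{ Zone = $z.ZoneName; Type = $z.ZoneType; Findings = $f -join '; ' }
        }
    }
}

Get-DnsZoneFinding | Format-Table -AutoSize

# Remediation for a primary AD-integrated zone (placeholder zone name and secondary address):
# Set-DnsServerPrimaryZone -Name 'corp.example' -DynamicUpdate Secure `
#     -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.0.5
# Set-DnsServerZoneAging -Name 'corp.example' -Aging $true `
#     -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
```

Enabling scavenging on a zone that has never been scavenged removes every record whose timestamp is older than the two intervals combined, so review static records (which have no timestamp and are never scavenged) and dynamic ones first, and run it on one zone before the rest.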
Network Protocol Issues

```powershell
# Check for insecure protocols
# Common issues:
# - SMBv1 enabled
# - LLMNR enabled
# - NBT-NS enabled
# - Weak encryption protocols enabled
```
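The settings listed under "Missing Security Settings" earlier and under "Network Protocol Issues" here are all readable from the local registry, SMB configuration and adapter settings. The following is an added example, not code from the original guide, that serves both sections: it reports each setting next to its expected hardened value on the host it runs on. Every path and value name is the documented Windows location; the expected values are the hardened settings (the LDAP ones only matter on domain controllers), so run it on DCs and member servers alike, for instance via `Invoke-Command`.

```powershell
# Added example: local state of the protocol hardening settings the guide lists.
function Get-ProtocolHardeningState {
    $checks = @(
        @{ Name = 'SMB server signing required';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature'; Expected = 1 }
        @{ Name = 'SMB client signing required';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature'; Expected = 1 }
        @{ Name = 'NTLMv2 only (LM and NTLMv1 refused)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Value = 'LmCompatibilityLevel';     Expected = 5 }
        @{ Name = 'LLMNR disabled';                    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';              Value = 'EnableMulticast';          Expected = 0 }
        @{ Name = 'LDAP server signing required (DC)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';             Value = 'LDAPServerIntegrity';      Expected = 2 }
        @{ Name = 'LDAP channel binding enforced (DC)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';            Value = 'LdapEnforceChannelBinding'; Expected = 2 }
    )
    foreach ($c in $checks) {
        # A missing value means the OS default applies, which for these settings is the weak one
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'FINDING' }
        }
    }
    # SMBv1: the server-side switch (the optional feature can be removed entirely as well)
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    [pscustomobject]@{ Check = 'SMBv1 disabled'; Actual = $smb1; Expected = $false
                       Status = if (-not $smb1) { 'OK' } else { 'FINDING' } }
    # NBT-NS is per adapter: TcpipNetbiosOptions 2 = NetBIOS over TCP/IP disabled
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        [pscustomobject]@{ Check = "NBT-NS disabled ($($_.Description))"; Actual = $_.TcpipNetbiosOptions; Expected = 2
                           Status = if ($_.TcpipNetbiosOptions -eq 2) { 'OK' } else { 'FINDING' } }
    }
}

Get-ProtocolHardeningState | Format-Table -AutoSize
```

Any `FINDING` row whose `Actual` is `(not set)` is a setting nobody ever configured, which is exactly the "forgotten legacy setting" this guide opened with; fix these through the security baseline GPO rather than per host so they cannot drift back.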
Firewall Misconfigurations

```powershell
# Common firewall issues:
# - Excessive ports open between segments
# - Lack of segmentation between tiers
# - Missing egress filtering
# - Inadequate monitoring of network traffic
```
Monitoring and Logging Gaps

Inadequate Auditing

```powershell
# Check audit policy settings
auditpol /get /category:*
# Common gaps:
# - No success auditing for sensitive operations
# - No failure auditing for logon events
# - Inadequate object access auditing
# - Missing privilege use auditing
```
Log Retention Issues

```powershell
# Check event log settings
# Common issues:
# - Logs too small for retention requirements
# - Logs not archived or backed up
# - Critical events not forwarded to SIEM
# - Lack of log analysis and alerting
```
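`auditpol /get /category:*` prints several screens of text that still have to be read by hand, and it says nothing about whether the Security log can hold the events it produces. The following is an added example, not code from the original guide, covering both the "Inadequate Auditing" and "Log Retention Issues" sections: it parses auditpol's CSV output and reports subcategories below the expected level, then checks the Security log's size, mode and retained history on the host. The subcategory list and the 1 GB minimum are assumptions based on what AD-focused detections typically need; adapt them to your own standard.

```powershell
# Added example: audit policy gaps and Security log retention on this host.
function Get-AuditPolicyGap {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $policy = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    # Assumed minimum levels; "Success and Failure" always satisfies a "Success" requirement
    $required = @{
        'Credential Validation'              = 'Success and Failure'
        'Kerberos Authentication Service'    = 'Success and Failure'
        'Kerberos Service Ticket Operations' = 'Success and Failure'
        'Logon'                              = 'Success and Failure'
        'Special Logon'                      = 'Success'
        'User Account Management'            = 'Success and Failure'
        'Security Group Management'          = 'Success and Failure'
        'Computer Account Management'        = 'Success and Failure'
        'Directory Service Changes'          = 'Success and Failure'
        'Audit Policy Change'                = 'Success and Failure'
        'Sensitive Privilege Use'            = 'Success and Failure'
        'Process Creation'                   = 'Success'
    }
    foreach ($name in $required.Keys) {
        $row    = $policy | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting' } else { '(subcategory not reported)' }
        $ok     = ($actual -eq $required[$name]) -or ($actual -eq 'Success and Failure')
        if (-not $ok) {
            [pscustomobject]@{ Subcategory = $name; Expected = $required[$name]; Actual = $actual }
        }
    }
}

function Get-SecurityLogGap {
    param([int]$MinSizeMB = 1024)   # assumption: 1 GB minimum on a domain controller
    $log = Get-WinEvent -ListLog Security
    $f = @()
    if ($log.MaximumSizeInBytes -lt $MinSizeMB * 1MB) {
        $f += "Security log maximum is $([int]($log.MaximumSizeInBytes / 1MB)) MB (< $MinSizeMB MB)"
    }
    # Retain mode stops logging when the log is full instead of overwriting or archiving
    if ($log.LogMode -notin 'Circular', 'AutoBackup') { $f += "LogMode is $($log.LogMode)" }
    # If the oldest retained event is only hours old, the log wraps faster than it is forwarded
    $oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
    if ($oldest -and $oldest.TimeCreated -gt (Get-Date).AddDays(-1)) {
        $f += "oldest retained event is from $($oldest.TimeCreated) (< 24 h of history on disk)"
    }
    $f
}

Get-AuditPolicyGap | Format-Table -AutoSize
Get-SecurityLogGap

# Remediation, per subcategory and for the log size (apply via the DC security baseline GPO):
# auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
# wevtutil sl Security /ms:1073741824
```

"Directory Service Changes" only produces events (5136, 5137, 5139, 5141) for objects whose SACL asks for them, so after enabling the subcategory also confirm that the default SACLs on the domain head and on privileged groups are still in place.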
Monitoring Gaps

```powershell
# Common monitoring gaps:
# - No monitoring of admin account usage
# - No alerting for suspicious authentication patterns
# - Lack of change monitoring for critical AD objects
# - No baseline behavior analysis
```
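Each of the gaps above corresponds to a detection that can be written against Security log events. The following is an added example, not code from the original guide: three such detections (privileged group changes, admin logons from hosts that are not admin workstations, and password-spray patterns in failed logons) run over a constructed set of sample events so that the logic executes offline. The account names, addresses and the `$adminHosts` list are constructed; in production the events come from `Get-WinEvent -FilterHashtable` on the domain controllers, and the field names here are simplified from the event XML.

```powershell
# Added example: three detections for the monitoring gaps above, over constructed events.
$privilegedAccounts = 'jdoe-adm', 'svc-backup'        # constructed: Tier 0 accounts
$adminHosts         = '10.0.250.10', '10.0.250.11'    # constructed: admin workstations

# Constructed sample: one privileged group change, one admin logon from the wrong host,
# one from an admin host, then 25 failed logons across 25 accounts within 25 seconds
$sample = @(
    [pscustomobject]@{ Id = 4728; Time = [datetime]'2024-05-01T09:00:00'; Subject = 'jdoe'; Target = 'Domain Admins'; Source = '10.0.250.10'; Account = 'svc-backup'; LogonType = $null }
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2024-05-01T09:05:00'; Subject = $null;  Target = $null;           Source = '10.0.50.7';   Account = 'jdoe-adm';   LogonType = 10 }
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2024-05-01T09:06:00'; Subject = $null;  Target = $null;           Source = '10.0.250.10'; Account = 'jdoe-adm';   LogonType = 10 }
) + (1..25 | ForEach-Object {
    [pscustomobject]@{ Id = 4625; Time = ([datetime]'2024-05-01T10:00:00').AddSeconds($_); Subject = $null; Target = $null; Source = '10.0.9.9'; Account = "user$_"; LogonType = 3 }
})

function Find-PrivilegedGroupChange {
    param($Events, [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'))
    # 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group
    $Events | Where-Object { $_.Id -in @(4728, 4732, 4756) -and $_.Target -in $Groups } | ForEach-Object {
        "ALERT group-change: $($_.Subject) added $($_.Account) to $($_.Target) at $($_.Time)"
    }
}

function Find-AdminLogonOffAdminHost {
    param($Events)
    # 4624 with logon type 2 (interactive) or 10 (RDP) by a privileged account
    # from a source that is not an admin workstation
    $Events | Where-Object {
        $_.Id -eq 4624 -and $_.LogonType -in @(2, 10) -and
        $_.Account -in $privilegedAccounts -and $_.Source -notin $adminHosts
    } | ForEach-Object {
        "ALERT admin-logon: $($_.Account) logged on (type $($_.LogonType)) from $($_.Source), not an admin host"
    }
}

function Find-PasswordSpray {
    param($Events, [int]$MinAccounts = 20, [int]$WindowMinutes = 10)
    # One source, many distinct accounts, short window: a spray, not a forgotten password
    $Events | Where-Object { $_.Id -eq 4625 } | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique).Count
        $times    = $_.Group.Time | Sort-Object
        $minutes  = ($times[-1] - $times[0]).TotalMinutes
        if ($accounts -ge $MinAccounts -and $minutes -le $WindowMinutes) {
            "ALERT spray: $($_.Name) failed logons for $accounts accounts within $([math]::Round($minutes, 1)) min"
        }
    }
}

Find-PrivilegedGroupChange -Events $sample
Find-AdminLogonOffAdminHost -Events $sample
Find-PasswordSpray -Events $sample
```

Run against the sample this produces exactly three alerts: `jdoe` adding `svc-backup` to Domain Admins, `jdoe-adm` logging on from `10.0.50.7`, and 25 accounts failing from `10.0.9.9` in under a minute. The spray detector needs "Logon" failure auditing and the group detector needs "Security Group Management" success auditing on the DCs, which is why the audit policy gaps in the previous section come first.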
Detection and Assessment Tools

Built-in Windows Tools

- PowerShell AD module: Get-ADObject, Get-ADUser, Get-ADComputer, etc.
- Group Policy tools: Get-GPO, Get-GPPermission, gpresult
- Security auditing tools: auditpol, wevtutil

Third-Party Assessment Tools

- BloodHound: graph-based AD analysis, attack path discovery, permission analysis
- PingCastle: AD security assessment, risk scoring, configuration analysis
- ADRecon: AD information gathering, security assessment, reporting

Custom Assessment Scripts

- PowerShell scripts for specific checks: account permission analysis, GPO security analysis, service account analysis, trust relationship analysis
Remediation Strategies

Prioritization Framework

Risk-based prioritization:
- Critical: immediate remediation required
- High: remediate within 30 days
- Medium: remediate within 90 days
- Low: remediate within 180 days

Consider:
- Exploitability
- Impact
- Prevalence
- Business impact

Technical Remediation

- Account security: strengthen password policies, remove excessive permissions, clean up inactive accounts, secure service accounts
- Group Policy: apply security baselines, fix insecure GPO permissions, remove GPP passwords
- Permissions: remove dangerous ACEs, implement least privilege, regular access reviews

Process Improvements

- Change management: formal change control process, security review of changes, testing before production
- Access reviews: regular account reviews, permission reviews, service account reviews
- Monitoring and alerting: enhanced logging, SIEM integration, automated alerting

Continuous Improvement

- Regular assessments: quarterly security assessments, annual penetration tests, continuous monitoring
- Training and awareness: admin security training, security awareness programs, incident response training
- Documentation: configuration documentation, process documentation, incident response plans
Conclusion

Active Directory misconfigurations represent significant security risks that attackers frequently exploit. Regular assessment, prompt remediation, and continuous monitoring are essential for maintaining a secure AD environment.

Key takeaways:
- Misconfigurations are common and often severe
- Regular assessment is crucial for discovery
- Risk-based prioritization guides remediation
- Process improvements prevent recurrence
- Continuous monitoring detects new issues
By addressing these common misconfigurations, organizations can significantly reduce their attack surface and improve their overall security posture.