Active Directory Security: What IT Pros Need to Understand

Active Directory sits at the centre of nearly every enterprise network in Canada. When attackers want access, they go after it first. In 2025, identity compromise was the leading entry point in data breaches — and in most ransomware campaigns, threat actors gained domain administrator privileges through Active Directory before deploying a single line of malicious code.
If you manage, secure, or audit systems at your organization, you need to understand how Active Directory gets attacked and what you need to do about it. The Canadian Centre for Cyber Security (CCCS) has published dedicated guidance on this — ITSM.60.100, “Guidance for Securing Microsoft Active Directory Services in Your Organization” — and it exists because the risk is real and the failures are predictable.
Why Attackers Target Active Directory
Active Directory is the identity backbone of Windows-based environments. It controls authentication, group policies, access to shared resources, and administrative privileges across the entire domain. When an attacker compromises Active Directory, they don’t need to breach systems one by one. They own the keys to everything.
According to Wavestone’s 2026 incident response data, Active Directory attacks surged 42% year over year, and 38% of breaches now begin with identity compromise — up from 20% two years prior. The Verizon Data Breach Investigations Report 2025 found 74% of breaches involve compromised identities. These are not outlier events. They are the standard playbook threat actors follow when targeting Canadian organizations.
CCCS’s National Cyber Threat Assessment 2025-2026 identifies ransomware as the top cybercrime threat facing Canada’s critical infrastructure, and Active Directory compromise appeared in nearly every major ransomware campaign reviewed. The pattern is consistent: gain a foothold, escalate privileges through AD, move laterally, then deploy ransomware at scale.
The Attacks You Need to Know
Understanding the attack techniques your adversaries use is the first step to building a defence. Three techniques appear most frequently in post-incident reports.
Kerberoasting targets accounts that have a service principal name (SPN) registered, which in practice means service accounts. Any authenticated domain user can request a Kerberos service ticket for that SPN; part of the ticket is encrypted with a key derived from the service account's password, so the attacker saves the ticket and runs a dictionary attack against it offline. Nothing fails along the way: the request is an ordinary ticket-granting service exchange that produces no failed-logon event, at most a routine 4769 entry on the domain controller. A service account with a weak password, particularly one that sits in a privileged group, therefore hands the attacker that account's privileges without ever touching a login alert. The fix is straightforward: give every account with an SPN a long, randomly generated password (or replace it with a group Managed Service Account, which rotates its own), rotate any human-managed service password on a schedule, and configure those accounts for AES so the domain controller stops issuing the cheap-to-crack RC4 ticket.
Pass-the-Hash attacks exploit how Windows NTLM authentication works: the NT hash of the password is itself the secret used to answer the authentication challenge, so an attacker who holds the hash can authenticate as that user without ever cracking the password. The hashes come from memory, usually by reading the LSASS process on a machine where the attacker already has local administrator rights. Two controls remove most of this path: limit who holds local administrator rights and give every machine a unique local administrator password (for example with LAPS), so one dumped hash does not open every other workstation; and enable Windows Credential Guard, which isolates the stored secrets so that even an administrator on the box can no longer read them out of LSASS. Without those controls, a single compromised workstation becomes a stepping stone across your entire network.
DCSync abuse lets attackers impersonate a domain controller: using the same directory replication protocol the domain controllers use among themselves, they ask a DC to replicate account data, and the DC hands over password hashes for every account in the domain, including privileged administrators and the krbtgt account. It requires elevated privilege to execute: the caller needs the Replicating Directory Changes and Replicating Directory Changes All extended rights on the domain object, which by default only domain controllers and the built-in administrative groups hold. That is why restricting who holds those replication rights (and auditing the domain object's permissions for anyone else who has been granted them) and monitoring for replication requests that come from anything other than a domain controller are essential controls under CCCS ITSM.60.100 guidance.
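The following PowerShell audit is an added example, not code from the article or from the CCCS guidance. It reads the domain for the exposures behind the three techniques above: accounts that can be Kerberoasted, principals that hold the replication rights DCSync depends on, and whether Credential Guard is actually running on the host it is executed from. It assumes a domain-joined session with the RSAT ActiveDirectory module; the password-age threshold, the list of "expected" replication principals and the privileged-group names are assumptions made for illustration.

```powershell
# Added example; not code from the article or from the CCCS guidance.
# Read-only audit of the exposures behind Kerberoasting, Pass-the-Hash and DCSync.
# Requires the RSAT ActiveDirectory module on a domain-joined machine. Thresholds
# and the "expected principals" pattern below are assumptions for illustration.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365      # assumption: flag SPN accounts whose password is older than this
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Kerberoasting exposure: every enabled user with an SPN can have a service
#    ticket requested for it by any domain user. Old passwords and RC4 tickets
#    make the offline crack cheap; privileged group membership makes it fatal.
function Get-KerberoastExposure {
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $u = $_
        $etypes = $u.'msDS-SupportedEncryptionTypes'
        $ageDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            Account         = $u.SamAccountName
            PasswordAgeDays = $ageDays
            # bit 0x4 = RC4, 0x8 = AES128, 0x10 = AES256; unset means the DC default
            # applies, which on most domains still issues RC4 tickets to user accounts
            AesOnly         = ($null -ne $etypes) -and (($etypes -band 0x18) -ne 0) -and (($etypes -band 0x4) -eq 0)
            # assumption: the groups whose membership makes a cracked SPN account a domain compromise
            Privileged      = [bool]($u.MemberOf | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators|Backup Operators),' })
            SPNs            = ($u.ServicePrincipalName -join ' ')
        }
    } |
    Where-Object { $_.Privileged -or (-not $_.AesOnly) -or ($_.PasswordAgeDays -gt $MaxPasswordAgeDays) }
}

# 2. DCSync rights: who may ask a DC to replicate secrets. Anyone beyond the
#    domain controllers and the built-in administrative groups is a finding
#    (an Azure AD Connect MSOL_* account is a known legitimate exception).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# assumption: principals that hold these rights by default and need no follow-up
$ExpectedPrincipals = '\\(Domain Admins|Enterprise Admins|Domain Controllers|Administrators|ENTERPRISE DOMAIN CONTROLLERS|SYSTEM)$'

function Get-ReplicationRightHolders {
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ((([int]$_.ActiveDirectoryRights) -band $extendedRight) -ne 0) -and
        ($ReplicationRights.ContainsKey($_.ObjectType.ToString()) -or ($_.ObjectType -eq [guid]::Empty))
    } |
    ForEach-Object {
        # an empty ObjectType on an ExtendedRight/GenericAll ACE grants every extended right
        $right = if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { $ReplicationRights[$_.ObjectType.ToString()] }
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $right
            Inherited = $_.IsInherited
            Expected  = ($_.IdentityReference.Value -match $ExpectedPrincipals)
        }
    }
}

# 3. Pass-the-Hash: is Credential Guard actually running on this host?
#    Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is.
function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
}

Get-KerberoastExposure      | Format-Table -AutoSize
Get-ReplicationRightHolders | Where-Object { -not $_.Expected } | Format-Table -AutoSize
"Credential Guard running on $($env:COMPUTERNAME): $(Test-CredentialGuardRunning)"
```

Run it as an ordinary domain user from a workstation: the Kerberoasting and DCSync checks only read what any authenticated user can already see, which is precisely the point, since the attacker reads the same data. Treat every non-expected principal in the replication output as something to explain or remove, and every SPN account that is privileged, RC4-capable or carrying a years-old password as the first batch of remediation work.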
What the CCCS Guidance Requires
The CCCS has published two complementary documents on Active Directory security: ITSM.60.100 for management-level guidance and ITSP.60.100 for practitioners. Both were developed in coordination with CISA, the NSA, and allied cyber agencies. They outline 17 common techniques used against Active Directory and map controls to each.
The core recommendations are consistent across both documents. Enforce the principle of least privilege — accounts should have access only to what their role requires, and nothing more. Segment administrative accounts so domain administrator credentials are never used for routine IT tasks. Audit Group Policy Objects regularly; misconfigured policies are a common way attackers establish persistence. Enable logging and monitor for anomalies, particularly around replication requests, privilege escalation events, and new account creation.
Multi-factor authentication (MFA) is a baseline expectation, not an optional add-on. Accounts with administrative access to Active Directory require MFA without exception. Privileged Access Workstations (PAWs) further reduce exposure by isolating high-privilege sessions from standard user environments.
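The detection side of the logging recommendation above, as an added example that is not code from the article or from the CCCS guidance: two rules that run over Security events from a domain controller, one for replication requests that do not come from a domain controller (the DCSync signal) and one for a single user pulling RC4 service tickets for many different service accounts (the Kerberoasting signal). The field names are those of Security events 4662 and 4769; the sample events, account names, IP addresses, the domain controller list and the threshold are constructed assumptions so the block runs offline.

```powershell
# Added example; not code from the article or from the CCCS guidance.
# Detection logic for two of the signals the guidance asks you to monitor, run
# over constructed sample events. Field names are the EventData fields of
# Security events 4662 (operation on an AD object) and 4769 (Kerberos service
# ticket request) as logged on a domain controller. The DC list, sample data
# and threshold are assumptions.
$DomainControllerAccounts = @('DC01$', 'DC02$')   # assumption: computer accounts allowed to replicate
$ReplicationGuidPattern   = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c'

function Get-AdAttackSignal {
    # Emits one object per suspicious pattern. 4662 is judged per event; 4769 is
    # judged per requesting user, because one RC4 ticket request is normal and
    # the Kerberoasting signature is one user collecting tickets for many SPNs.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][hashtable]$Record,
        [int]$KerberoastThreshold = 5   # assumption: distinct user SPNs requested with RC4
    )
    begin { $rc4ByUser = @{} }
    process {
        switch ($Record.Id) {
            4662 {
                # DCSync: a control-access request (0x100) naming a replication
                # right, made by anything that is not a domain controller
                if (($Record.AccessMask -eq '0x100') -and
                    ($Record.Properties -match $ReplicationGuidPattern) -and
                    ($DomainControllerAccounts -notcontains $Record.SubjectUserName)) {
                    [pscustomobject]@{ Signal = 'Possible DCSync'; Account = $Record.SubjectUserName; Detail = $Record.Properties }
                }
            }
            4769 {
                # RC4 (0x17) service tickets for user SPNs; computer accounts
                # (trailing $) and krbtgt are not what Kerberoasting targets
                if (($Record.TicketEncryptionType -eq '0x17') -and
                    ($Record.ServiceName -notmatch '\$$') -and
                    ($Record.ServiceName -ne 'krbtgt')) {
                    if (-not $rc4ByUser.ContainsKey($Record.TargetUserName)) { $rc4ByUser[$Record.TargetUserName] = @{} }
                    $rc4ByUser[$Record.TargetUserName][$Record.ServiceName] = $Record.IpAddress
                }
            }
        }
    }
    end {
        foreach ($user in $rc4ByUser.Keys) {
            $services = $rc4ByUser[$user]
            if ($services.Count -ge $KerberoastThreshold) {
                [pscustomobject]@{ Signal = 'Possible Kerberoasting'; Account = $user; Detail = "$($services.Count) RC4 tickets for: $($services.Keys -join ', ')" }
            }
        }
    }
}

function ConvertFrom-SecurityEvent {
    # Flattens a Get-WinEvent record into the hashtable shape the rules expect
    param([Parameter(Mandatory, ValueFromPipeline)]$WinEvent)
    process {
        $xml = [xml]$WinEvent.ToXml()
        $h = @{ Id = $WinEvent.Id }
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }
}

# Constructed sample events (not real log data)
$SampleEvents = @(
    @{ Id = 4662; SubjectUserName = 'DC02$';      AccessMask = '0x100'; Properties = '%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' },  # normal DC-to-DC replication
    @{ Id = 4662; SubjectUserName = 'svc-backup'; AccessMask = '0x100'; Properties = '%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' },  # a user account pulling secrets
    @{ Id = 4662; SubjectUserName = 'jsmith';     AccessMask = '0x20';  Properties = '%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}' },  # unrelated write
    @{ Id = 4769; TargetUserName = 'mlee'; ServiceName = 'FS01$'; TicketEncryptionType = '0x12'; IpAddress = '10.0.5.40' }                # ordinary AES ticket
)
# One user requesting RC4 tickets for six different service accounts in a row
$SampleEvents += 'svc-sql', 'svc-web', 'svc-sccm', 'svc-sap', 'svc-backup', 'svc-print' | ForEach-Object {
    @{ Id = 4769; TargetUserName = 'jsmith'; ServiceName = $_; TicketEncryptionType = '0x17'; IpAddress = '10.0.5.23' }
}

$SampleEvents | Get-AdAttackSignal | Format-Table -AutoSize

# Live use on a domain controller, once "Audit Directory Service Access" and
# "Audit Kerberos Service Ticket Operations" are enabled (not run here):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662, 4769 } -MaxEvents 20000 |
#     ConvertFrom-SecurityEvent | Get-AdAttackSignal
```

The sample is built so that svc-backup trips the DCSync rule and jsmith trips the Kerberoasting rule, while DC02$'s replication and mlee's AES ticket pass through silently. Two caveats from operating these rules: 4662 is only written when directory service access auditing is on and a SACL exists on the domain object, so check that before trusting a quiet log; and legitimate replication from Azure AD Connect or a backup product will show up under the DCSync rule until you add its account to the allow-list, which is a deliberate, documented decision rather than a reason to widen the rule.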
Certifications for Building Real Competency
Understanding Active Directory security at a theoretical level is not enough. You need to know how attackers think, how to assess your own environment for weaknesses, and how to respond when something goes wrong.
The Certified Cybersecurity Analyst (CCSA) develops the practical skills security analysts need to detect, investigate, and respond to threats in complex environments — including identity-based attacks against directory services. If your organization wants to proactively identify misconfigurations and exposures before an attacker does, the Certified Vulnerability Assessor (CVA) trains you to run structured assessments and map findings to risk-based remediation priorities.
Both certifications align with the CCCS Canadian Cyber Security Skills Framework and address the role-based competencies Canadian employers are actively hiring for.
Start With What You Control
Most Active Directory compromises succeed not because the attacks are sophisticated — they succeed because basic controls are missing. Default configurations, stale accounts, over-privileged service accounts, and no auditing create an environment where attackers move freely once they get in.
Your Active Directory is likely already deployed. The question is whether it’s secured to the standard the CCCS and your own risk posture require. Pull the ITSM.60.100 guidance from cyber.gc.ca, review the CCCS’s National Cyber Threat Assessment 2025-2026 for the threat context applying to your sector, and map your current controls against what the guidance requires. The gaps you find will tell you exactly where to focus.
