Active Directory Security: What IT Pros Need to Understand

Active Directory sits at the centre of nearly every enterprise network in Canada. It controls who gets in, what they access, and how far they go. When it fails — or gets exploited — attackers get the keys to everything. This is not a metaphor. According to Wavestone incident response data, 38% of attacks in 2024-2025 began with identity compromise, up from 20% the year before. Active Directory is where the compromise happens.
If you manage systems and have never taken a structured look at your AD security posture, this is where to start.
Why Active Directory Is Such a Target
Active Directory is not inherently broken. It is, by design, accessible. Every authenticated user in an AD environment has enough read access to query the directory and enumerate users, groups, and permissions. That accessibility is what makes it functional. It also makes the attack surface enormous.
Attackers do not need a zero-day to exploit AD. They need a foothold and patience. Once inside, techniques like Pass-the-Hash, Kerberoasting, and Golden Ticket attacks allow them to escalate privileges without triggering obvious alerts. Verizon’s 2025 Data Breach Investigations Report found 88% of breaches involve compromised credentials. In most enterprise environments, those credentials are AD credentials.
The speed at which this plays out is what security teams often underestimate. Research from 2025 found lateral movement begins within 48 minutes of initial compromise on average. In the fastest recorded intrusions, attackers reached full network propagation in under 20 minutes. Your AD environment is not a static target. It is an active one.
What the Canadian Centre for Cyber Security Says
The Canadian Centre for Cyber Security (CCCS) has published two documents every IT professional in Canada should read before touching their AD configuration.
The first is ITSM.60.100 — the management-level guidance for securing Microsoft Active Directory. It sets the strategic baseline for organizations operating AD in on-premises or hybrid environments.
The second is ITSP.60.100 — the practitioner guidance. This document goes further, with specific controls around privileged access, authentication hardening, and monitoring requirements. One of its non-negotiable requirements: all access to AD services must use hardware token MFA for all user and administrative accounts. Not soft tokens. Not SMS. Hardware.
The CCCS also co-authored joint guidance with the Five Eyes alliance — including CISA, the NSA, and the UK’s NCSC — specifically on detecting and mitigating Active Directory compromises. The joint document identifies 17 common attack techniques observed across member nations. If your organization has not reviewed it, start there.
The Privileged Access Problem
Most AD security failures trace back to the same root cause: over-privileged accounts left unmanaged for too long.
Domain Admin accounts used for daily tasks. Service accounts with passwords never rotating. Admin accounts with no MFA. These are not exotic attack paths. They are the standard ones. Attackers know IT environments tend to accumulate privilege debt over time, and they exploit exactly this.
Your first hardening priority is a privilege audit. Map every account with elevated permissions. Separate administrative functions from daily use accounts. Implement a tiered administration model isolating your domain controllers from workstation-level administration. The CCCS ITSP.60.100 guidance outlines this structure in detail, and it is worth following line by line.
What Your Monitoring Needs to Cover
Hardening reduces attack surface. Monitoring gives you visibility when something gets through anyway.
The specific AD events to monitor are well-documented: changes to privileged group membership, new accounts added to Domain Admins, changes to Group Policy Objects, failed Kerberos authentication attempts, and replication requests from non-domain-controller machines — a classic indicator of a DCSync attack.
Most organizations collect these logs. Few analyze them in time to matter. The 2025 IBM Cost of a Data Breach Report found breaches take an average of 292 days to detect. This number reflects what happens when monitoring is present but not acted on.
If your organization runs a SIEM, your AD logging should feed into it, with alerting tuned to the Windows security event IDs that correspond to these events. If it does not, this is a gap worth closing before anything else.
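As an added illustration, not code from the article or from CCCS, the rules below encode three of the monitoring items above (replication requests from non-domain-controller accounts, additions to privileged groups, and clusters of failed Kerberos pre-authentication) and run them over constructed Windows Security event records. The field names follow the event XML data of the Security log; the domain controller account names and the sample records are assumptions.

```python
from collections import Counter

# Control access rights that a directory replication (DCSync-style) request
# exercises; they appear in the Properties field of Security event 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PRIV_GROUP_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal group
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
DC_ACCOUNTS = {"DC01$", "DC02$"}  # assumed: computer accounts of the domain controllers

def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Accounts requesting replication rights that are not a known DC."""
    hits = []
    for e in events:
        if e["EventID"] == 4662 and REPLICATION_GUIDS & set(e.get("Properties", [])):
            if e["SubjectUserName"].upper() not in dc_accounts:
                hits.append(e["SubjectUserName"])
    return hits

def detect_priv_group_change(events, groups=PRIV_GROUPS):
    """(group, member) pairs for additions to the watched privileged groups."""
    return [(e["TargetUserName"], e["MemberName"]) for e in events
            if e["EventID"] in PRIV_GROUP_EVENTS and e["TargetUserName"] in groups]

def kerberos_failure_sources(events, threshold=3):
    """Client addresses with at least `threshold` pre-auth failures (event 4771)."""
    counts = Counter(e["IpAddress"] for e in events if e["EventID"] == 4771)
    return {ip: n for ip, n in counts.items() if n >= threshold}

GET, GET_ALL = sorted(REPLICATION_GUIDS)
SAMPLE = [  # constructed records, not real telemetry
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": [GET, GET_ALL]},
    {"EventID": 4662, "SubjectUserName": "jsmith", "Properties": [GET, GET_ALL]},
    {"EventID": 4662, "SubjectUserName": "jsmith", "Properties": ["(other-property-guid)"]},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CN=svc_backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users", "MemberName": "CN=helpdesk,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4771, "IpAddress": "10.0.0.5"},
    {"EventID": 4771, "IpAddress": "10.0.0.5"},
    {"EventID": 4771, "IpAddress": "10.0.0.5"},
    {"EventID": 4771, "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    print("replication from non-DC:", detect_dcsync(SAMPLE))
    print("privileged group additions:", detect_priv_group_change(SAMPLE))
    print("kerberos failure sources:", kerberos_failure_sources(SAMPLE))
```

In a real deployment these checks would sit in the SIEM's rule engine against forwarded domain controller logs; the point here is that each alert is a narrow, explainable condition rather than a volume threshold on raw events.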
The Career Angle: Why AD Security Skills Matter Right Now
Understanding Active Directory — and how attackers exploit it — is one of the most transferable skills in cybersecurity. It applies to penetration testing, vulnerability assessment, security operations, and compliance work.
If you want to work in offensive security, the Mile2 Certified Penetration Testing Engineer (CPTE) covers AD attack techniques including lateral movement, privilege escalation, and credential harvesting in a structured, lab-based environment. These are not theoretical exercises. They reflect what real threat actors do in production environments.
If your focus is on the defensive side — assessing and documenting what is exposed before attackers find it — the Certified Vulnerability Assessor (CVA) builds the skills to systematically identify privilege misconfigurations, excessive permissions, and authentication weaknesses across an AD environment.
Both tracks assume you already work in IT. They build on existing experience rather than replacing it.
Where to Start This Week
You do not need a full infrastructure overhaul to improve your AD security posture. Three actions, in order of impact: read the CCCS ITSP.60.100 document and map your current controls against it; pull a list of all accounts in privileged groups and confirm whether each one still requires the access; and verify your domain controllers are generating and forwarding authentication and replication event logs into your SIEM.
Active Directory security is not a project with a finish line. It is an ongoing practice. The organizations treating it as one are the ones keeping attackers from turning a single compromised account into a full domain takeover.
