Active Directory Hardening — Practical Checklist for Mid-Market Companies

Cybersecurity · May 2026 · 13 min read

← Part of the Cybersecurity Guide
Martin Keller By Martin Keller · Reepa Solutions

Active Directory is the central nervous system of IT in virtually every German mid-market company — logins, permissions, Group Policy, file access, cloud connectivity via Entra ID. That is precisely why it has been the most common entry vector for serious ransomware incidents in the mid-market for years. Failing to harden it systematically means risking the loss of entire sites overnight: encrypted file servers, destroyed backups, halted production. This practical checklist shows which hardening measures deliver the highest security leverage for mid-market companies, in what order they make sense, what they cost, and which monitoring vendors are established in the market. It complements our Cybersecurity Guide for Mid-Market Companies, where we outline the broader defensive framework including NIS2, ISO 27001, and incident response.

Why AD Hardening Is a Board-Level Topic: Ransomware, Liability, Insurance

For executive management, CFOs, and IT leadership, Active Directory is no longer just an operational topic — it is a classic boardroom item. The Allianz Risk Barometer 2025 again ranked cyber incidents as the most important business risk in Germany. In the most severe incidents — production downtime, supply chain disruption, six- to seven-figure losses — the point of entry in over 80 percent of documented cases runs through identity management. An unhardened AD environment acts for skilled threat actors like an exposed master key to the entire organization.

Three regulatory drivers are increasing the pressure. First, GDPR Article 32: technical and organizational measures must correspond to the state of the art. An AD environment without MFA for domain admin accounts, without clean tiering, and without active monitoring no longer meets the state of the art under established administrative practice. Second, NIS2: in force since October 2024, with personal liability for executive management. Third, cyber insurance: nearly all insurers today require evidence of MFA, separate administrative accounts, and DC logging — without this evidence, either no policy is issued or premiums rise significantly.

Supply chain risk is also growing. Industrial customers, hospital groups, and critical infrastructure operators are increasingly demanding written declarations from suppliers on AD hardening. Those unable to provide clear answers lose contracts or must demonstrate compliance under pressure in accelerated audits.

The Tiering Model: Three Clear Protection Layers

The central organizational protection measure is account tiering. Microsoft has recommended it for over ten years, the BSI has integrated it into IT-Grundschutz, and it is the single most effective measure that costs nothing beyond discipline and consistent training. The model fully separates administrative access levels from one another, so that a compromised workstation can never serve as a stepping stone to higher-level administrative accounts.

TIER 0

Identity and Control Layer

Domain controllers, Entra ID federation, PKI, backup servers for identity systems, hypervisors hosting domain controllers. Logon exclusively from dedicated, hardened Tier 0 workstations.

TIER 1

Server and Application Layer

File servers, line-of-business application servers, databases, application clusters. Dedicated Tier 1 administrative accounts, separate Tier 1 management stations, no logon to workstations.

TIER 2

Workstation and End-User Device Layer

User workstations, printers, mobile devices. Helpdesk accounts may only operate at Tier 2. No write access to Tier 0 or Tier 1 components whatsoever.

The fundamental rule is: administrative accounts of higher tiers must never log on to devices of lower tiers. A domain admin never logs on to a standard workstation. A server admin does not manage printers. This strict separation is supplemented by dedicated logon devices — so-called Privileged Access Workstations for Tier 0 and jump hosts for Tier 1. These devices are dedicated, hardened, without internet access, with their own BitLocker encryption and a reduced application profile. In mid-market practice, three to five such centrally managed devices are often sufficient.

The most challenging discipline in tiering is not the technical rollout but maintaining it in daily operations. Anyone introducing tiering must embed an identity governance process — quarterly reviews, documented exceptions, automated reports. Without this process, the model erodes after 12 to 18 months.

LAPS: The Local Administrator Password as a Core Protection Layer

The second mandatory measure is the Local Administrator Password Solution, integrated directly in Windows 11 and Server 2022 under the name Windows LAPS, and available in older environments via the free Microsoft LAPS extension. The principle is simple: every machine receives a different, regularly auto-rotated local administrator password that is stored encrypted in Active Directory and retrievable by authorized helpdesk accounts.

Without LAPS, virtually all workstations and a significant portion of servers in practice share the same local admin password — a consequence of typical image deployment. A single compromised endpoint thereby opens access to all other devices with the same image. This lateral movement through the network is one of the most important levers in any ransomware campaign. With LAPS it is effectively blocked: one unique password per device of at least 14 characters, automatic rotation after retrieval, complete audit trail.

LAPS is free, Microsoft-native, and is considered state of the art under BSI IT-Grundschutz. In Reepa's audit practice, we regularly encounter environments where LAPS is only partially or not at all activated. The effort for a complete rollout in a company with 500 to 1,500 endpoints is three to seven person-days — hour for hour one of the most cost-effective security investments available.

MFA for Privileged Accounts and Kerberos Hardening

Multi-factor authentication belongs on every account with administrative rights — without exception. For pure domain environments, MFA can be implemented via Entra ID and Azure Conditional Access or through local providers such as Yubico, Duo Security, or the push-based methods integrated into many identity providers. What matters is not the product but consistent enforcement: every session of a Tier 0 or Tier 1 account begins with a second factor, ideally FIDO2-based.

Kerberos hardening addresses the cryptographic properties of the authentication protocol. The most important defensive configurations apply across the board: AES-128 and AES-256 encryption as the sole standard, complete disabling of RC4 and DES, enabling Kerberos pre-authentication for all accounts, short ticket lifetimes for privileged sessions, and strict avoidance of the "unconstrained delegation" attribute on domain controllers and sensitive servers. Additionally, Group Managed Service Accounts should be introduced for all service accounts, since these use long random passwords that Windows automatically rotates every 30 days. Classic service accounts with static passwords remain a weak point — migrating to gMSA belongs in every hardening roadmap.

We deliberately do not go into specific threat scenarios addressed by these configurations here. The technical details are part of a guided audit or dedicated training — what matters for executive management is that the defensive settings are in place, documented, and reviewed at regular intervals.

Free AD Hardening Quick-Check

We review your Active Directory environment in a structured conversation against the most important hardening controls — account tiering, LAPS, MFA for privileged accounts, monitoring, backup separation. You receive a written short assessment with a traffic-light rating and prioritized recommendations.

Request your free AD Hardening Quick-Check

Audit Logging and SIEM Integration

Hardening without visibility is patchwork. The central prerequisite for any serious AD defense is a complete, centrally evaluated audit trail. Security events are generated on domain controllers, member servers, and workstations — logins, permission changes, group modifications, account creations. These events belong in a SIEM, where they are correlated, alerted on, and retained for 90 to 365 days.

Mid-market companies typically choose between three paths: Microsoft Sentinel as a cloud SIEM with native connectivity to Entra ID and Defender for Identity, Splunk Enterprise Security with high maturity and corresponding license costs, or open-source stacks such as Wazuh and Elastic Security with low license but high maintenance costs. Which path makes sense depends on the team's maturity, cloud strategy, and budget.

Clear use cases are essential: unusual logins outside business hours, access from new endpoints, changes to privileged groups, unusual service ticket requests, manipulations of Group Policy. These use cases are industry standard and available as templates in virtually all SIEM products. Effort: ten to fifteen person-days for initial setup, half to one day per week for ongoing maintenance.

Monitoring Vendors: Four Categories at a Glance

Beyond generic SIEM, there is an established market for AD-specific monitoring and protection platforms. We recommend that mid-market companies not get lost in vendor comparisons but instead orient themselves by their own IT strategy. Four categories are prevalent.

Microsoft-native platforms. Microsoft Defender for Identity (formerly Azure ATP) is the natural choice for organizations with Microsoft 365 E5 or supplementary Defender licenses. Domain controller connectivity runs via a lightweight sensor, evaluation takes place in the Microsoft cloud, and Sentinel integration is seamless.

Tenable Identity Exposure. Static assessment of AD configuration, continuous detection of new privilege paths, clear risk-based prioritization. Strong on compliance reporting and attack path visualization.

Semperis Directory Services Protector. Focus on post-incident recovery: forest recovery functions, backup of AD structures outside AD itself, automated rollback options. Particularly relevant for regulated industries and critical infrastructure.

Quest Change Auditor. Classic audit solution with a long market presence. Detailed recording of every AD change with user-friendly reports — in particular demand wherever auditors regularly require evidence.

A recommendation from recent engagements: in mid-market environments with fewer than 1,000 employees and Microsoft 365 E5, Defender for Identity suffices in four out of five cases. Specialized platforms pay off once compliance pressure (NIS2 sector, critical infrastructure), multi-forest complexity, or standalone disaster recovery requirements come into play. For those who also need an external perspective during an AD audit, see our cluster on Penetration Test Process and the Red Team vs. Pentest distinction.

What Does Hardening Cost in the Mid-Market?

Costs depend on the maturity of the starting environment, the number of domains and sites, and the choice of monitoring platform. The following overview shows typical ranges for a mid-market company with one to three domains and 200 to 1,500 employees. It is intended as orientation, not as a binding offer — precise figures require a brief scoping workshop.

Measure ClusterEffort (person-days)External Consultant (€)License Costs p.a. (€)
Account inventory, domain admin reduction, stale account cleanup4–8from 5,000
Tier model rollout incl. Privileged Access Workstations10–20from 12,000minor hardware costs
LAPS / Windows LAPS rollout3–7from 3,500
MFA for Tier 0 and Tier 1 accounts4–8from 4,5003,000–10,000
Kerberos hardening and gMSA migration5–10from 6,000
SIEM integration and use-case library10–15from 10,00010,000–40,000
AD monitoring platform (Defender for Identity, Tenable, Semperis)3–6from 4,0005,000–25,000
Identity governance and quarterly reviewsongoing 2–4 PT/quarterby arrangement

In total, a complete hardening project typically runs between €25,000 and €60,000 in one-time consulting fees, 40 to 80 person-days of in-house effort over six to nine months, and €8,000 to €35,000 in annual license costs. Compared to the typical ransomware loss — the Allianz Risk Barometer 2025 cites an average of €1.8 million per incident in the German mid-market — this investment is modest and is generally recouped within the first prevented incident.

Quick Wins: What Can Be Done in Two to Four Weeks

Not every company can begin with a multi-month hardening project. Three quick wins can in our experience be implemented within two to four weeks and eliminate the majority of exploitable privilege paths.

Those who consistently implement these five quick wins will measurably raise the security level of their AD environment in four to six weeks — without new license costs, without architectural overhaul, and without disrupting day-to-day operations.

When External Support Makes Sense

Some mid-market companies have strong Microsoft specialists in-house and can handle most of the hardening internally. In this case, external help is most valuable for three tasks: first, an independent baseline assessment at the start that reveals typical blind spots; second, coaching during the initial tiering rollout, because many detail decisions at this stage determine long-term success; third, an annual external review, because internal teams become blind to their own architectural decisions after a few months.

Companies without dedicated identity specialists should plan the bulk of the project with an external partner and designate an internal team member as product owner who learns alongside and takes over ongoing maintenance after completion. This significantly shortens the project and ensures sustainability. A concrete example from a recent engagement: at a German plant engineering company with just under 900 employees, a three-month hardening project reduced the number of exploitable privilege paths — measured with an industry-standard tool — from over 1,400 to fewer than 50, at a one-time consulting investment of approximately €42,000. Also see our practical experience on hybrid cloud migration for a mid-market company, where AD hardening was planned as an integral part.

Those with NIS2 or ISO 27001 as compliance drivers should embed AD hardening in the broader framework. Our clusters on NIS2 Directive for Mid-Market Companies, ISO 27001 Certification Costs, and the GDPR IT Security Checklist explain the respective integration in detail. For the overall strategy, we refer back to our pillar page Cybersecurity for Mid-Market Companies.

Frequently Asked Questions

Why is Active Directory the most common entry vector for ransomware in mid-market companies?

Active Directory consolidates the logins, permissions, and file access of all Windows servers and workstations in virtually every mid-market company. Whoever takes control of the central identity management effectively controls the entire organization. This is precisely why ransomware actors and their affiliate programs focus on this component — it is the only way to cause widespread damage in an acceptable timeframe. Studies by the BSI and Allianz security insurance show that over 80 percent of serious ransomware incidents in Germany in 2024 and 2025 involved the loss of domain control.

What is the account tiering model and why is it so effective?

The tiering model is Microsoft's standard recommendation for separating administrative access levels. Tier 0 covers domain controllers and identity systems, Tier 1 all application servers, Tier 2 all workstations and end-user devices. Administrators of a higher tier must never log on to devices of a lower tier. A compromised workstation can then no longer serve as a stepping stone for taking over higher-level administrative accounts. The model is the most effective organizational protection layer and costs virtually nothing beyond discipline and training.

What is LAPS and why is it considered a mandatory hardening measure?

LAPS (Local Administrator Password Solution, integrated as Windows LAPS since Windows 11 and Server 2022) ensures that every machine has a different, regularly auto-rotated local administrator password. Without LAPS, practically all workstations in practice share the same password. A single compromised workstation then opens access to all others. With LAPS, this lateral movement through the network is effectively blocked. The measure is free, Microsoft-native, and is considered state of the art under BSI IT-Grundschutz.

Which monitoring products are recommended for AD monitoring in mid-market companies?

Four vendor categories are common: Microsoft Defender for Identity (formerly Azure ATP) as the Microsoft-native solution, Tenable Identity Exposure for static configuration assessment and privilege path analysis, Semperis Directory Services Protector with a focus on post-incident recovery, and Quest Change Auditor as a classic audit solution. For mid-market companies with Microsoft 365 licenses, Defender for Identity is the fastest entry point. Specialized platforms like Tenable or Semperis are worthwhile at higher maturity levels or in regulated industries.

What does complete hardening cost in a mid-market company?

For a typical environment with one to three domains and 200 to 1,500 employees, one-time consulting costs with an external partner range from €25,000 to €60,000, depending on maturity and the number of sites. In-house effort adds up to 40 to 80 person-days over six months. Annual license costs for monitoring tools range from €8,000 to €35,000. Compared to the typical damage from a ransomware incident — the Allianz Risk Barometer 2025 cites an average of €1.8 million per incident in the German mid-market — this investment is modest.

Which quick wins can be implemented in the short term?

Three measures work very quickly and cost little: first, a complete inventory of all accounts with Domain Admin rights and reduction to typically three to five accounts; second, an audit of all service accounts including identification of outdated or unused entries; third, cleanup of inactive user accounts older than 90 days. These three quick wins typically eliminate 60 to 70 percent of exploitable privilege paths without any software investment and can be completed in two to four weeks.

Ready to take your Active Directory security to the next level?

Let's talk for 30 minutes, no commitment required. We'll walk through the most important hardening controls with you, identify the biggest gaps in your current AD landscape, and provide an honest assessment — in-house or with external support — and a realistic roadmap for the next six to nine months.

Schedule a 30-minute conversation
Martin Keller
Martin Keller · Backend & Cloud Architect · Reepa Solutions

IT security and cloud architect with over ten years of experience. Develops Reepa Security with his team — an offensive audit platform for mid-market companies. Writes regularly on identity security, AD hardening, NIS2, and GDPR compliance.

Reviewed: 22 May 2026 · More about Martin

More from our Knowledge Hubs

🛡
Security
Cybersecurity
15 articles →
🧠
Artificial Intelligence
AI for Business
15 articles →
Infrastructure
Cloud & DevOps
15 articles →
💻
Development
Software Development
15 articles →