How to design AD for Zero Trust: Practical first steps

Step 1: Establish an AD Zero Trust Baseline

What to do

• Inventory privileged groups (Domain Admins, Enterprise Admins, Schema Admins, Backup Operators, Account Operators, Print Operators) and all nested memberships.
• Enumerate all service accounts, their SPNs, password ages, and interactive logon rights.
• Map protocol usage (NTLMv1/v2, Kerberos, LDAP/LDAPS, SMB signing).
• Capture DC health metrics and replication status.
• Record admin workflows: where admins log on, jump hosts, and toolsets used.

Why it matters

You cannot reduce risk you cannot see. Baselines reveal toxic combinations: standing Domain Admins, interactive logons on Tier-2 devices, or NTLM used by critical apps.

Pro tips

• Use PowerShell to extract group nesting and stale accounts; export to CSV and review with security and app owners.
• Tag each finding with “Tier-0/Tier-1/Tier-2” to prioritize. If nested group paths are a blind spot, use this as a reference: Auditing nested group memberships.

Step 2: Tier Your Assets and Identities

What to do

• Implement a 3-Tier model:
• Tier-0: DCs, PKI, identity systems, federation, directory synchronization.
• Tier-1: Server workloads and management tooling.
• Tier-2: User workstations and VDI.
• Create separate admin accounts per tier (no cross-tier logon).
• Build Privileged Access Workstations (PAWs) for Tier-0/1 admins.

Why it matters

Tiering prevents credential theft on a workstation from compromising domain controllers. It enforces natural blast-radius boundaries.

Pro tips

• Use GPO logon restrictions to enforce where privileged accounts can authenticate.
• Consider dedicated management forests or hardened jump servers for Tier-0.
• If you’re redesigning OU structure to make tiering and delegation durable (and audit-friendly), see How to design OU for rock-solid RBAC.

Tiering at a glance

Step 3: Enforce Strong Authentication and MFA

What to do

• Require MFA for all privileged operations and remote admin paths.
• Enable smartcard/credential guard or phishing-resistant factors where feasible.
• Enforce Kerberos preauthentication and disable anonymous binds.
• For LDAPS, use valid server certificates and require signing.

Why it matters

Zero Trust depends on robust, verifiable signals. MFA breaks many commodity attack chains.

Pro tips

• Start with Tier-0 and Tier-1. Expand to break-glass accounts with strict storage and periodic validation.
• Audit RDP, WinRM, and PSRemoting to ensure MFA or equivalent strong auth paths. (If you’re revisiting the fundamentals of how auth and authorization differ in AD, this is handy: Authentication vs authorization process.)

Step 4: Minimize Standing Privilege (JIT + JEA)

What to do

• Remove permanent membership in Domain Admins and other powerful groups.
• Implement Just-in-Time (JIT) access: grant admin roles only for the task window.
• Use Just Enough Administration (JEA) to constrain what privileged sessions can do.
• Introduce role-based access control (RBAC) for common tasks.

Why it matters

An attacker cannot reuse privileges that do not exist outside a short window. Reducing “standing” rights sharply limits impact.

Pro tips

• Time-box elevation to hours, not days.
• Log all elevations; alert on elevations outside change windows.
• If you use Entra / Azure AD, JIT patterns often map cleanly to PIM workflows—useful for hybrid programs: How to manage privileged access (PIM).

Step 5: Harden Protocols and Domain Controllers

What to do

• Disable LM/NTLMv1; restrict NTLM; require SMB signing; prefer Kerberos.
• Enforce LDAP signing and channel binding; require LDAPS for applications.
• Harden DCs: minimal roles, reduced attack surface (disable unused services), and audited local rights.
• Keep DCs fully patched; isolate internet and email access from Tier-0.

Why it matters

Credential relay, downgrade, and replay attacks thrive on weak protocol settings. DCs must be the hardest target in your environment.

Pro tips

• Test LDAP signing in the lab before production; inventory apps that still use simple binds.
• Monitor for NTLM traffic spikes; they often reveal legacy systems.
• If your team needs shared language around NTLM vs Kerberos tradeoffs while planning restrictions, link this internally: NTLM and Kerberos protocols explained.

Step 6: Segment Administration and Sessions

What to do

• Enforce no admin logon to Tier-2 devices with Tier-0/1 credentials.
• Use PAWs or hardened jump hosts with strict inbound/outbound rules.
• Isolate management networks using firewall rules and admin-only VLANs.

Why it matters

Most compromises begin on endpoints. Session isolation prevents stolen tokens or credentials from reaching high-value targets.

Pro tips

• Block copy/paste and internet from PAWs; log keystrokes and sessions for Tier-0 operations.
• Tag management subnets; apply additional IDS/IPS scrutiny.

Step 7: Secure Service Accounts and Secrets

What to do

• Replace traditional service accounts with gMSA (Group Managed Service Accounts) where possible.
• Rotate all remaining service account passwords frequently; remove interactive logon rights.
• Store secrets in a vault; remove passwords from scripts and GPO preferences.
• Validate SPNs to prevent Kerberoasting opportunities.

Why it matters

Service accounts often hold excessive privilege and never change passwords—prime targets for attackers.

Pro tips

• Use constrained delegation rather than unconstrained; audit TrustedToAuthForDelegation.
• Alert on AS-REP roasting indicators (accounts without preauth).
• For a practical gMSA starting point (and why it reduces risk operationally), see: Configure gMSA (step-by-step).

Step 8: Govern Endpoints and GPOs

What to do

• Standardize baseline GPOs: credential guard, LSASS protection, PowerShell logging, device control, and attack surface reduction rules.
• Remove Local Admin rights for users; deploy Windows LAPS to randomize local passwords.
• Sign and control logon scripts; eliminate legacy startup scripts with embedded secrets.

Why it matters

Endpoints are the largest attack surface. Strong baselines reduce the chance a compromised workstation can pivot.

Pro tips

• Back up and version GPOs; document settings in readable change logs.
• Use WMI filters and security groups to target GPOs by tier (see: GPO security filtering and WMI filtering).
• If you’re rolling out LAPS for the first time (or standardizing it domain-wide), this walkthrough helps: How to install and set up Microsoft LAPS.

Step 9: Monitor, Log, and Continuously Verify

What to do

• Forward DC security logs to a SIEM. Monitor admin group changes, elevation events, and authentication anomalies.
• Track KPIs: number of standing Domain Admins, NTLM traffic volume, MFA coverage, stale privileged accounts, and time-to-revoke elevated rights.
• Continuously validate configuration drift using scripts or desired state configuration.

Why it matters

Zero Trust is not a switch; it is a loop. You must observe, measure, and correct.

Pro tips

• Create detections for new SPNs, changes to GPOs linked to Tier-0 OUs, and failed LDAPS binds.
• Review KPIs monthly; publish a simple scorecard to executives.