According to Microsoft, more than 90% of Fortune 1000 companies use Active Directory (AD) to manage access to their systems and data. It’s the central piece of most enterprise networks. Despite its importance, many organizations don’t secure it properly. That’s a serious problem.
Attackers target AD because whoever controls it controls users, computers, and access rights. One successful compromise hands them the keys to everything, from email servers to confidential business files. It rarely takes a software vulnerability: most AD compromises chain together ordinary misconfigurations, and any one of them can cause millions in damage, not to mention reputational loss.
This article looks at the most common AD security gaps that can cost your organization big—and how to fix them before someone takes advantage.
Weak or Reused Passwords for Service Accounts
Service accounts run applications and services on your network. Many of them are ordinary user accounts with a service principal name (SPN) attached, and many still carry short, old, or reused passwords. That's risky.
These accounts often have high privileges. If an attacker gets access to one, they can move through your network without much resistance. Kerberoasting is built on exactly this weakness: any authenticated domain user can ask a domain controller for a service ticket for any SPN, part of that ticket is encrypted with a key derived from the service account's password, and the attacker cracks it offline. There are no failed logons, no lockouts, and the service itself is never touched. Computer accounts are poor targets because their passwords are long and random; user accounts with SPNs are the ones that fall.
To fix this, every service account should have a strong, unique password. Longer passwords, at least 25 random characters, make cracking impractical even when the ticket uses RC4. Using group managed service accounts (gMSAs) is better still: the domain generates a 240-byte random password, rotates it automatically (every 30 days by default), and hands it only to the computers you authorise, so nobody ever types or stores it. gMSAs only help where the application can run under one (Windows services, scheduled tasks, IIS application pools, SQL Server and similar); anything else still needs a long random password and a rotation schedule.
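The gMSA setup described above, as an added example that is not part of the original article. The domain corp.example, the gMSA name svc-reporting, the host group ReportingServers, the server REPORT01 and the SPN HTTP/reports.corp.example are all assumed names; the cmdlets are the standard ActiveDirectory module ones.

```powershell
# Added example, not from the article: replace a password-based service account
# with a gMSA. Assumed names: domain corp.example, gMSA svc-reporting, host
# group ReportingServers, service host REPORT01, SPN HTTP/reports.corp.example.
Import-Module ActiveDirectory

# One-time per forest: gMSA passwords are derived from a KDS root key.
# Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 hours for
# replication. The back-dated form below is a lab shortcut only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# The group of hosts allowed to retrieve the password is the access control.
New-ADGroup -Name 'ReportingServers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'ReportingServers' -Members (Get-ADComputer -Identity 'REPORT01')

New-ADServiceAccount -Name 'svc-reporting' `
    -DNSHostName 'svc-reporting.corp.example' `
    -ServicePrincipalNames 'HTTP/reports.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ReportingServers' `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# On REPORT01, after a reboot so its token includes the new group membership:
Install-ADServiceAccount -Identity 'svc-reporting'
Test-ADServiceAccount -Identity 'svc-reporting'   # True when the host can fetch the password

# Confirm the properties that matter for Kerberoasting: AES only, recent rotation.
Get-ADServiceAccount -Identity 'svc-reporting' -Properties PasswordLastSet, KerberosEncryptionType, ServicePrincipalNames |
    Select-Object Name, PasswordLastSet, KerberosEncryptionType, ServicePrincipalNames
```

The service is then configured to log on as CORP\svc-reporting$ with an empty password field. An SPN can only exist on one account, so remove it from the old service account first (Set-ADUser with -ServicePrincipalNames @{Remove=...}) and disable that account once the service is confirmed working under the gMSA.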
No Monitoring of Kerberos Ticket Activity
Most organizations don't keep track of Kerberos service ticket requests. That's a major weakness. Domain controllers record every request as Security event 4769, but only when the "Audit Kerberos Service Ticket Operations" subcategory is enabled, and even then the events are rarely collected or examined. If one account requests tickets for many different services in a short time, that is the signature of a Kerberoasting sweep. Without monitoring, you won't see it until a cracked password is already in use.
A strong Kerberoasting defense includes watching for unusual service ticket behavior. One user account asking for tickets for ten or twenty distinct SPNs within a few minutes should raise a flag; most real users talk to a handful of services a day. Tickets issued with RC4 (TicketEncryptionType 0x17 in event 4769) are a second signal, because attack tools ask for RC4 deliberately to get a faster-cracking ticket. A decoy account with an SPN that no legitimate client ever uses turns this into a near-zero-false-positive alert: any 4769 naming it means someone is sweeping SPNs. Even basic monitoring tools can spot these patterns early and let you act before damage spreads.
Start by enabling the audit subcategory on every domain controller through Group Policy and forwarding the events to a central store. Event 4769 is high volume, so filter out computer accounts (service names ending in $) and krbtgt before alerting, then set alerts for the patterns above. Good logging and fast response are key parts of any Kerberoasting defense plan.
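The monitoring described above, as an added example that is not part of the original article. It enables the audit subcategory, reads the last hour of event 4769 from a domain controller, strips the noise, and reports requesters that touched many distinct SPNs or asked for RC4 tickets. The one-hour window, the ten-SPN threshold and the decoy account name svc-decoy are assumptions to tune for your own estate.

```powershell
# Added example, not from the article: enable service-ticket auditing on a
# domain controller and hunt event 4769 for Kerberoasting patterns.
# Assumptions: run on a DC (or against forwarded logs), the 10-distinct-SPN
# threshold, the 1-hour window, and the decoy account name svc-decoy.

# 1. Generate 4769: enable the subcategory (deploy to all DCs via GPO).
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

# 2. Collect the last hour of service ticket requests.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue

$requests = foreach ($e in $events) {
    $data = @{}
    foreach ($field in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = ($data['TargetUserName'] -split '@')[0]   # requester, without the realm suffix
        Service = $data['ServiceName']                       # account that owns the SPN
        Client  = $data['IpAddress']
        EncType = $data['TicketEncryptionType']              # 0x17 = RC4, 0x11/0x12 = AES
        Status  = $data['Status']                            # 0x0 = ticket issued
    }
}

# 3. Drop the noise: computer-account services (name ends in $) and TGT renewals (krbtgt).
$userServiceRequests = $requests | Where-Object {
    $_.Status -eq '0x0' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt'
}

# 4a. A decoy SPN nobody legitimately uses: any request for it is an alert.
$userServiceRequests | Where-Object Service -eq 'svc-decoy' |
    ForEach-Object { Write-Warning ("DECOY SPN requested by {0} from {1} at {2}" -f $_.User, $_.Client, $_.Time) }

# 4b. Per requester: how many distinct services, and how many RC4 tickets.
$suspects = $userServiceRequests | Group-Object User | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        User             = $_.Name
        DistinctServices = @($_.Group.Service | Sort-Object -Unique).Count
        RC4Tickets       = @($_.Group | Where-Object EncType -eq '0x17').Count
        Clients          = @($_.Group.Client | Sort-Object -Unique) -join ', '
        First            = $sorted[0].Time
        Last             = $sorted[-1].Time
    }
} | Where-Object { $_.DistinctServices -ge 10 -or ($_.RC4Tickets -gt 0 -and $_.DistinctServices -ge 3) }

$suspects | Sort-Object DistinctServices -Descending | Format-Table -AutoSize
```

Run it as a scheduled task on each DC, or point Get-WinEvent at a collector with -ComputerName. Once service accounts have been moved to AES, the RC4 condition can be tightened to any RC4 ticket at all, since nothing legitimate should be asking for one.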
Overprivileged Admin Accounts Are a Hidden Threat
It’s common for IT teams to give users more access than they need. Admin accounts often end up with full rights across systems. That’s dangerous.
If an attacker compromises one of these accounts, they can access sensitive data, change security settings, and cover their tracks. This makes it harder to detect the breach and stop the damage.
Organizations should review their admin roles and reduce permissions. Every account should only have the access it needs to do its job; this is the principle of least privilege. In AD that means keeping the built-in privileged groups (Domain Admins, Enterprise Admins, Administrators, Account Operators, Backup Operators, Schema Admins) small, giving administrators separate accounts for admin work, and never placing a service account with an SPN in those groups, since a cracked service ticket then hands over the domain. It's a simple rule that can stop a lot of attacks before they start.
Outdated Encryption Like RC4 Still in Use
RC4 is an old cipher, and the way Kerberos uses it is the real problem: the RC4 key is simply the account's NT hash, an unsalted MD4 of the password, so cracking an RC4 ticket costs about the same as cracking the password hash itself. AES tickets use keys derived with salted PBKDF2 over 4,096 iterations, which makes every guess far more expensive (hashcat mode 13100 for RC4 tickets versus 19700 for AES256). Many AD environments still allow RC4 because older systems depend on it. That's a problem.
Kerberoasting does not require RC4, but it is dramatically faster with it, which is why attack tools request RC4 tickets explicitly whenever the service account permits them. Whether a ticket can be issued with RC4 depends on the service account's msDS-SupportedEncryptionTypes attribute; when it is unset, the domain controller falls back to its default, which on most domains has meant RC4 for user accounts. Once the password is cracked, the attacker has the service account and whatever it can reach.
The fix is clear. Restrict service accounts, and then the rest of the domain, to AES wherever you can. Do it account by account and watch event 4769 first for anything still being issued RC4 tickets, because legacy applications and old appliances that cannot do AES will break once RC4 is refused. AES keys are derived from the password when it is set, so an account whose password predates AES support in the domain needs a password reset after the change. AES is not a substitute for a strong password; it only slows the attacker down, and a weak password still falls.
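The audit and fix described above, as an added example that is not part of the original article. It lists every user account with an SPN together with what the KDC may issue for it, then restricts one assumed account, svc-sql, to AES. The bit values are the documented msDS-SupportedEncryptionTypes flags.

```powershell
# Added example, not from the article: find accounts with SPNs that can still be
# issued RC4 service tickets, then restrict one to AES. svc-sql is an assumed name.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes is a bit mask: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
# When the attribute is absent the KDC uses its default, which on most domains
# still allows RC4 for user accounts.
$RC4 = 0x4
$AES = 0x18

$spnAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet

$report = foreach ($u in $spnAccounts) {
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Account         = $u.SamAccountName
        EncTypes        = if ($null -eq $etypes) { 'unset (RC4 by default)' } else { '0x{0:X}' -f $etypes }
        RC4Allowed      = ($null -eq $etypes) -or (($etypes -band $RC4) -ne 0)
        AESOnly         = ($null -ne $etypes) -and (($etypes -band $AES) -ne 0) -and (($etypes -band $RC4) -eq 0)
        PasswordLastSet = $u.PasswordLastSet
        SPNs            = @($u.servicePrincipalName) -join '; '
    }
}
$report | Sort-Object RC4Allowed -Descending | Format-Table -AutoSize

# Fix one account. The ticket's encryption type is bounded by the service
# account's setting, so after this no one can obtain an RC4 ticket for svc-sql.
Set-ADUser -Identity 'svc-sql' -KerberosEncryptionType AES128, AES256

# AES keys exist only for passwords set after the domain supported AES; a reset
# guarantees them. Use a long random value, never a typed one.
$newPassword = [System.Web.Security.Membership]::GeneratePassword(32, 8)
Add-Type -AssemblyName System.Web
Set-ADAccountPassword -Identity 'svc-sql' -Reset -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)

# Verify.
Get-ADUser -Identity 'svc-sql' -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    Select-Object SamAccountName, 'msDS-SupportedEncryptionTypes', PasswordLastSet   # expect 0x18 (24)
```

Before flipping an account, check event 4769 for that service name: if RC4 tickets are still being issued for it, some client on the network cannot negotiate AES and will fail once RC4 is refused. Note that Add-Type must run before GeneratePassword is called; move that line up if the assembly is not already loaded in your session.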
Unconstrained Delegation Still Lurking in Settings
Unconstrained delegation lets a service act on behalf of any user, towards any other service, without limits. It's a legacy feature dating from Windows 2000 that still exists in many AD environments, and it's a favorite target for attackers.
When a user authenticates with Kerberos to a host that has unconstrained delegation, the user's ticket-granting ticket (TGT) is sent along and cached in memory on that host. An attacker who gains administrator rights on the host can extract every cached TGT and become those users, including admins. Worse, the attacker can coerce a domain controller or another sensitive system into authenticating to the host and then use its TGT. All of this looks like normal Kerberos traffic, so it rarely sets off alarms.
The best approach is to replace it with constrained delegation or, better, resource-based constrained delegation, where the target service itself lists exactly which accounts may delegate to it. Domain controllers carry the unconstrained flag by design; every other object that has it needs a documented reason. Mark sensitive accounts as "Account is sensitive and cannot be delegated" and put them in the Protected Users group so their TGTs cannot be delegated at all. If you're still using unconstrained delegation anywhere else, it's time to change.
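The inventory and migration described above, as an added example that is not part of the original article. It finds unconstrained delegation outside the domain controllers, lists constrained delegation that allows protocol transition, and moves one assumed hop (web server WEB01 reaching database server SQL01) to resource-based constrained delegation. The host names and the admin account adm-alice are assumptions.

```powershell
# Added example, not from the article: inventory delegation settings and move one
# web-to-SQL hop from unconstrained to resource-based constrained delegation.
# Assumed hosts: WEB01 (front end), SQL01 (back end); assumed admin account adm-alice.
Import-Module ActiveDirectory

# userAccountControl flags: 0x80000 TRUSTED_FOR_DELEGATION (unconstrained),
# 0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION (constrained with protocol transition).
# The 1.2.840.113556.1.4.803 matching rule is a bitwise AND in LDAP filters.
$dcNames = (Get-ADDomainController -Filter *).Name

$unconstrained = Get-ADObject -LDAPFilter '(&(|(objectCategory=computer)(objectCategory=person))(userAccountControl:1.2.840.113556.1.4.803:=524288))' `
    -Properties userAccountControl, servicePrincipalName |
    Where-Object { $dcNames -notcontains $_.Name }   # DCs are expected to carry the flag

"Unconstrained delegation outside domain controllers:"
$unconstrained | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

"Constrained delegation with protocol transition (can impersonate users without their ticket):"
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, @{ n = 'AllowedTo'; e = { @($_.'msDS-AllowedToDelegateTo') -join ', ' } } | Format-Table -AutoSize

# Remediation for WEB01 -> SQL01. Grant RBCD first so the application keeps working,
# then remove the unconstrained flag. The resource (SQL01) declares who may
# delegate to it; WEB01 needs no delegation setting of its own afterwards.
Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount (Get-ADComputer -Identity 'WEB01')
Set-ADComputer -Identity 'WEB01' -TrustedForDelegation $false

# Verify both ends.
(Get-ADComputer -Identity 'SQL01' -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
(Get-ADComputer -Identity 'WEB01' -Properties TrustedForDelegation).TrustedForDelegation   # False

# Accounts that must never be delegated: set the flag and add them to Protected Users.
Set-ADUser -Identity 'adm-alice' -AccountNotDelegated $true
Add-ADGroupMember -Identity 'Protected Users' -Members 'adm-alice'
```

RBCD is written to SQL01's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, so whoever can write that attribute on a computer object can grant delegation to it; include write access to it in the permission review, since it is itself a known abuse path.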
Unmonitored SPNs Open the Door to Attacks
Service Principal Names (SPNs) identify services in Active Directory. They tell Kerberos which account holds the key for which service. Any domain user can list them, since they are ordinary attributes in the directory, so when SPNs are not reviewed they become an attacker's shopping list.
Attackers look for SPNs attached to user accounts, especially ones with weak passwords or unnecessary privileges. These are the perfect setup for a Kerberoasting attack. An SPN left on a privileged account, or on an account whose password has not changed in years, can hand an attacker a sensitive part of your network for the price of an offline cracking run.
You should regularly audit SPNs. Remove any that are no longer needed, including SPNs that point at hosts that no longer exist. Check whether they're tied to privileged accounts or to accounts with old or non-expiring passwords. Use tools to identify and clean up unused or risky entries. Keeping SPNs in check lowers the risk of compromise.
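The audit described above, as an added example that is not part of the original article. It takes the attacker's view (every user account with an SPN) and annotates each SPN with the facts that make it dangerous: membership in a privileged group, password age, a non-expiring password, and whether the host named in the SPN still exists as a computer object. The group list is the standard set of built-in privileged groups; the 365-day age threshold and the removal target at the end are assumptions.

```powershell
# Added example, not from the article: audit SPNs on user accounts, the
# Kerberoasting targets. The 365-day threshold and svc-old are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Schema Admins'
$privMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}
$privMembers = @($privMembers | Sort-Object -Unique)

# Every computer we know of, by short and DNS name, to validate SPN host parts.
$knownHosts = @{}
foreach ($c in Get-ADComputer -Filter * -Properties DNSHostName) {
    $knownHosts[$c.Name.ToLower()] = $true
    if ($c.DNSHostName) { $knownHosts[$c.DNSHostName.ToLower()] = $true }
}

$spnUsers = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, PasswordLastSet, adminCount, PasswordNeverExpires

$findings = foreach ($u in $spnUsers) {
    foreach ($spn in $u.servicePrincipalName) {
        # SPN format: service/host[:port][/name]. Strip the port before the lookup.
        $hostPart = (($spn -split '/')[1] -replace ':\d+$', '')
        [pscustomobject]@{
            Account      = $u.SamAccountName
            SPN          = $spn
            Privileged   = $privMembers -contains $u.SamAccountName
            AdminCount   = [int]$u.adminCount            # 1 = was in a protected group at some point
            PasswordAge  = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            NeverExpires = $u.PasswordNeverExpires
            HostKnown    = $knownHosts.ContainsKey(([string]$hostPart).ToLower())
        }
    }
}

# Risky first: privileged owner, unknown host (decommissioned server or a DNS alias
# that needs a manual look), or a password older than a year.
$findings |
    Where-Object { $_.Privileged -or -not $_.HostKnown -or $_.PasswordAge -gt 365 } |
    Sort-Object Privileged, PasswordAge -Descending |
    Format-Table -AutoSize

# Clean-up of a confirmed stale entry: remove just that SPN from the account.
Set-ADUser -Identity 'svc-old' -ServicePrincipalNames @{ Remove = 'MSSQLSvc/oldhost.corp.example:1433' }
```

An SPN whose host part is a DNS alias (a CNAME in front of a cluster, for instance) will show as HostKnown = False even though it is in use; check those against DNS before removing them. Accounts with adminCount = 1 that are no longer in a privileged group are worth a second look too, since the value is never cleared automatically and such accounts often kept rights elsewhere.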
No Baseline Means Missed Warning Signs
Knowing what normal looks like is key to spotting threats. Without a baseline for user and system behavior, it’s easy to miss unusual activity. And attackers rely on that.
For example, a user account that normally touches three or four services a day suddenly requesting tickets for twenty different SPNs in a minute is a red flag. A batch service account that legitimately requests forty tickets every day is not. Without a baseline you cannot tell the two apart, and a single fixed threshold either misses the first or buries you in alerts from the second.
Use behavior monitoring tools, or even a scheduled script over your own event exports, to build per-account profiles of normal ticket, logon, and source-host activity, and alert on deviations from the profile rather than on raw counts. Even basic tracking can make a big difference. A small investment in monitoring can save you from a big breach.
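A minimal per-account baseline, as an added example that is not part of the original article. The history below is constructed sample data standing in for thirty days of distinct-service counts per account taken from event 4769 exports; the three-standard-deviation rule and the absolute floor of ten are assumptions. It shows why the fixed threshold fails: the noisy batch account stays quiet, while the quiet user who suddenly asks for 27 services is flagged.

```powershell
# Added example, not from the article: per-account baseline of distinct services
# requested per day, checked against today's figures. History is constructed
# sample data; in practice build it from 4769 TargetUserName/ServiceName per day.
$history = @(
    [pscustomobject]@{ Account = 'alice';     Daily = @(3,2,4,3,3,2,3,4,3,2,3,3,2,4,3,3,2,3,3,4,2,3,3,3,2,4,3,3,2,3) }
    [pscustomobject]@{ Account = 'svc-batch'; Daily = @(40,42,39,41,40,43,38,40,41,40,42,39,40,41,40,39,42,40,41,40,38,41,40,42,39,40,41,40,39,40) }
    [pscustomobject]@{ Account = 'bob';       Daily = @(1,1,2,1,1,1,2,1,1,1,1,2,1,1,1,1,1,2,1,1,1,1,1,1,2,1,1,1,1,1) }
)
# Constructed "today" counts: alice normal, svc-batch normal for it, bob far above his norm.
$today = @{ 'alice' = 3; 'svc-batch' = 43; 'bob' = 27 }

function Get-Baseline {
    # Mean and population standard deviation; computed by hand so it works on
    # Windows PowerShell 5.1, whose Measure-Object lacks -StandardDeviation.
    param([double[]]$Values)
    $mean = ($Values | Measure-Object -Average).Average
    $sumSq = ($Values | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum
    [pscustomobject]@{ Mean = $mean; StdDev = [math]::Sqrt($sumSq / $Values.Count) }
}

$sigmas      = 3     # how far above the mean counts as abnormal
$minAbsolute = 10    # never alert on tiny absolute numbers, however unusual statistically

foreach ($h in $history) {
    $b         = Get-Baseline -Values $h.Daily
    $now       = $today[$h.Account]
    $threshold = [math]::Max($b.Mean + $sigmas * $b.StdDev, $minAbsolute)
    $verdict   = if ($now -gt $threshold) { 'ALERT' } else { 'ok' }
    '{0,-10} baseline {1,5:N1} +/- {2,4:N1}  today {3,3}  {4}' -f $h.Account, $b.Mean, $b.StdDev, $now, $verdict
}
# alice      baseline   2.9 +/-  0.7  today   3  ok
# svc-batch  baseline  40.3 +/-  1.2  today  43  ok
# bob        baseline   1.2 +/-  0.4  today  27  ALERT
```

The same shape works for logon counts, source hosts, or hours of activity; the point is that the threshold belongs to the account, not to the domain. Recompute the baseline on a rolling window so a legitimate change in an account's job does not generate alerts forever.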
Inactive Accounts Are Easy Entry Points
Stale accounts—those that belong to former employees or unused services—are a common gap in AD security. These accounts often stay active far longer than they should. And attackers know it.
Once inside your network, an attacker will look for these accounts. If they find one with high privileges, a non-expiring password, or an SPN, it becomes a tool for deeper access, and because nobody legitimately uses it, nobody notices when it becomes active again.
Set up a routine to identify and remove inactive accounts. AD's lastLogonTimestamp attribute replicates between domain controllers but can lag a real logon by up to 14 days, so treat inactivity cutoffs as approximate. Disable stale accounts first, strip their group memberships, record when and why, and delete them after a grace period once nobody has complained. Keep your AD clean and current. It reduces the number of targets an attacker can use.
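The routine described above, as an added example that is not part of the original article: find user accounts idle for 90 days, disable them with a dated note and move them to a quarantine OU, then delete the ones whose grace period has passed. The OU path, the 90-day and 30-day thresholds and the exclusion list are assumptions.

```powershell
# Added example, not from the article: disable-then-delete routine for stale
# user accounts. OU path, thresholds and exclusions are assumptions.
Import-Module ActiveDirectory

$inactiveDays = 90
$graceDays    = 30
$quarantine   = 'OU=Disabled Accounts,DC=corp,DC=example'
$exclude      = 'Administrator', 'Guest', 'krbtgt'
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

# Search-ADAccount works from lastLogonTimestamp, which can lag a real logon by
# up to 14 days, so the cutoff is approximate. Accounts created recently that
# have simply never logged on are excluded by the whenCreated check.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($inactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled -and $exclude -notcontains $_.SamAccountName } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated, LastLogonDate, MemberOf, PasswordNeverExpires, servicePrincipalName } |
    Where-Object { $_.whenCreated -lt $cutoff }

# Review before acting: privileged groups, non-expiring passwords and SPNs are the
# properties that make a forgotten account valuable to an attacker.
$stale | Select-Object SamAccountName, LastLogonDate, PasswordNeverExpires,
    @{ n = 'HasSPN'; e = { [bool]$_.servicePrincipalName } },
    @{ n = 'Groups'; e = { @($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } } |
    Format-Table -AutoSize

# Stage 1: disable, strip group memberships, record the reason and the deletion date, quarantine.
foreach ($u in $stale) {
    $note = 'Disabled {0:yyyy-MM-dd}: inactive {1}+ days; delete after {2:yyyy-MM-dd}' -f (Get-Date), $inactiveDays, (Get-Date).AddDays($graceDays)
    foreach ($groupDn in $u.MemberOf) { Remove-ADGroupMember -Identity $groupDn -Members $u -Confirm:$false }
    Set-ADUser -Identity $u -Description $note
    Disable-ADAccount -Identity $u
    Move-ADObject -Identity $u -TargetPath $quarantine
}

# Stage 2 (run on the same schedule): delete quarantined accounts past their grace date.
$expired = Get-ADUser -SearchBase $quarantine -Filter "Enabled -eq 'False'" -Properties Description |
    Where-Object { $_.Description -match 'delete after (\d{4}-\d{2}-\d{2})' -and [datetime]$Matches[1] -lt (Get-Date) }
$expired | Remove-ADUser -Confirm:$false -WhatIf   # drop -WhatIf once the list has been reviewed
```

Keeping the deletion date in the description makes the second stage self-contained: it only ever deletes accounts that this routine disabled, and only after the grace period written at disable time. Service accounts found by the first stage deserve a manual check before disabling, since a service that authenticates rarely can look inactive by lastLogonTimestamp.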
Active Directory is at the heart of your IT environment. If it’s not secure, everything else is at risk. Many organizations don’t realize how small missteps—like an old account or a weak password—can turn into big security problems.
You don’t need a massive budget or advanced tools to close these gaps. A clear plan, regular reviews, and smart policies can protect your AD from most attacks. Focus on what you control: account management, monitoring, and staying current.
Fixing these issues today can save you from a costly breach tomorrow. Don’t wait for damage to happen. Take action before it does.