A large manufacturing firm with 3,000+ employees across multiple plants engaged Codesecure for a comprehensive Active Directory security audit. We assessed their AD infrastructure for Kerberoasting, Pass-the-Hash, GPO misconfigurations, privilege escalation paths, and stale account risks across a multi-domain forest environment.

Case Study / AD Security Audit for a Manufacturing Firm

Client Overview

A large manufacturing firm operating across 8 plants with over 3,000 employees relied heavily on Active Directory for identity management, access control, and Group Policy enforcement. Their AD environment had been in place for over a decade, with multiple domain controllers, organisational units, and Group Policy Objects accumulated over time. A recent ransomware incident at a peer organisation prompted the board to commission a thorough AD security audit.



Challenge

The AD environment had grown organically with minimal security hardening. Multiple administrators had configured GPOs over the years without a centralised review process. Service accounts with excessive privileges existed across the domain. The IT team suspected stale accounts and orphaned objects but lacked visibility into the actual risk exposure. They needed an independent assessment to identify and prioritise AD security weaknesses.



Our Approach

Codesecure conducted a comprehensive Active Directory security audit covering the following areas:

• Domain enumeration and trust relationship mapping across the multi-domain forest
• Kerberoasting attack simulation to identify service accounts with weak or crackable passwords
• Pass-the-Hash and Pass-the-Ticket attack path analysis
• GPO security review — password policies, account lockout settings, audit policies, and software restriction configurations
• Privileged account audit — Domain Admins, Enterprise Admins, Schema Admins, and delegated permissions
• Stale account identification — inactive user accounts, disabled but not deleted accounts, and service accounts with non-expiring passwords
• LDAP signing and channel binding configuration review
• AdminSDHolder and SDProp abuse detection
• Detailed remediation roadmap with prioritised action items
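
The stale-account and service-account checks in the list above can be expressed as attribute tests on exported user objects. The following Python is an added example, not Codesecure's tooling or code from the engagement; the 90-day threshold, the finding labels, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002        # documented userAccountControl bits
UAC_DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """AD timestamps are 100 ns ticks since 1601-01-01 UTC; 0 means never set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):  # inverse conversion, used only to build the sample data
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def classify(acct, now, stale_days=90):
    """Findings for one exported user object. stale_days is an assumed threshold; keep it
    well above 14 days, since lastLogonTimestamp replication can lag by about two weeks."""
    uac = acct["userAccountControl"]
    last = filetime_to_dt(acct["lastLogonTimestamp"])
    disabled = bool(uac & UAC_ACCOUNTDISABLE)
    findings = set()
    if disabled:
        findings.add("disabled-not-deleted")
    elif last is None or now - last > timedelta(days=stale_days):
        findings.add("inactive")
    if acct["servicePrincipalName"] and not disabled:
        findings.add("spn-on-user-account")  # the Kerberoasting exposure the audit covers
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            findings.add("service-account-non-expiring-password")
    # adminCount=1 marks accounts that are, or once were, in a protected group.
    if acct["adminCount"] == 1 and findings & {"inactive", "disabled-not-deleted"}:
        findings.add("stale-privileged")
    return findings

def audit(accounts, now):
    """Map sAMAccountName -> sorted findings, omitting clean accounts."""
    return {a["sAMAccountName"]: sorted(f) for a in accounts if (f := classify(a, now))}

# Constructed sample export; names and values are illustrative only.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _acct(name, uac, days_ago, spns=(), admin=0):
    ft = 0 if days_ago is None else dt_to_filetime(NOW - timedelta(days=days_ago))
    return {"sAMAccountName": name, "userAccountControl": uac,
            "lastLogonTimestamp": ft, "servicePrincipalName": list(spns), "adminCount": admin}
SAMPLE = [
    _acct("svc_mes", 0x10200, 2, ["MSSQLSvc/mes01.example.local:1433"]),
    _acct("j.doe", 0x200, 400, admin=1),
    _acct("old.temp", 0x202, None),
    _acct("a.kumar", 0x200, 3)]
print(audit(SAMPLE, NOW))
```

Because `lastLogonTimestamp` is only approximate, accounts near the threshold are best confirmed against the per-domain-controller `lastLogon` values before they are disabled.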



Results

We identified 34 findings — 5 critical, 13 high, and 16 medium severity.

Critical findings included:

• 12 service accounts vulnerable to Kerberoasting with passwords that were cracked within minutes
• A GPO granting local admin rights to all domain users on specific OUs
• Domain Admin credentials cached on a workstation in the engineering department
• LDAP signing not enforced, allowing credential interception
• 847 stale user accounts with active credentials, including 23 with elevated privileges

The client implemented our tiered remediation roadmap, addressing critical findings immediately and completing all high-priority items within the agreed timeframe.



Conclusion

Active Directory remains the backbone of enterprise identity management, and a compromised AD can lead to complete domain takeover. This assessment helped the client understand their actual risk exposure and implement hardening measures that significantly reduced their attack surface. Contact Codesecure for a comprehensive AD security audit.


