---
title: Windows Active Directory Hardening
date: 2021-01-13
categories: [checklists]
tags: [windows, hardening, AD]
---

# Windows Active Directory Hardening

## NTLM Hardening

* [ ] Enforce SMB Signing to prevent simple NTLM relaying attacks
* [ ] Block NTLMv1 (can be set via GPO)
* [ ] Enforce LDAP/S Signing to prevent NTLM relay in LDAP
* [ ] Enforce EPA (to prevent NTLM relay on Web Servers)

## Credential hardening

* [ ] Disable LM hashes via GPO noLMHash

## Domain Controller Hardening

* [ ] Disable the printer spooler service (`spoolsv.exe`)
  - Used for several exploits
    - CVE-2021-1675
    - CVE-2020-1048
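
To verify the checklist items on a given host, the following read-only audit script is an added example, not part of the original checklist. The mapping from each item to a registry value or service state is an assumption of this example, and EPA on web servers is not covered because it is configured per site rather than in one host-wide value.

```powershell
# Added example: read-only audit of the settings behind the checklist above.
# Run from an elevated PowerShell 5.1+ session on the host under review.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS default is in effect.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Mapping of checklist items to registry values is this example's assumption.
$checks = @(
    @{ Item = 'SMB signing required (server)'; Path = "$svc\LanmanServer\Parameters"; Name = 'RequireSecuritySignature'; Want = 1 }
    @{ Item = 'SMB signing required (client)'; Path = "$svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature'; Want = 1 }
    @{ Item = 'NTLMv1 and LM refused'; Path = $lsa; Name = 'LmCompatibilityLevel'; Want = 5 }
    @{ Item = 'LM hashes not stored'; Path = $lsa; Name = 'NoLMHash'; Want = 1 }
    # The two NTDS values exist only on domain controllers.
    @{ Item = 'LDAP signing required (DC)'; Path = "$svc\NTDS\Parameters"; Name = 'LDAPServerIntegrity'; Want = 2 }
    @{ Item = 'LDAPS channel binding (DC)'; Path = "$svc\NTDS\Parameters"; Name = 'LdapEnforceChannelBinding'; Want = 2 }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
    [pscustomobject]@{
        Item = $c.Item; Value = $shown; Expected = $c.Want; Pass = ($actual -eq $c.Want)
    }
}

# Print Spooler: passes when the service is absent, or disabled and stopped.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$state   = if ($null -eq $spooler) { 'not installed' } else { "$($spooler.StartType)/$($spooler.Status)" }
$results += [pscustomobject]@{
    Item     = 'Print Spooler disabled'
    Value    = $state
    Expected = 'Disabled/Stopped'
    Pass     = ($null -eq $spooler) -or ($spooler.StartType -eq 'Disabled' -and $spooler.Status -eq 'Stopped')
}

$results | Format-Table -AutoSize
```

A row showing `not set` means the value is not configured locally; confirm the effective GPO before treating it as a failure.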