---
title: Windows Active Directory Hardening
categories: [checklists]
tags: [windows, hardening, AD]
---

# Windows Active Directory Hardening


## NTLM Hardening

* [ ] Enforce SMB Signing to prevents simple NTLM relaying attacks
* [ ] Block NTLMv1 (can be set via GPO)
* [ ] Enforce LDAP/S Signing to prevent NTLM relay in LDAP
* [ ] Enforce EPA (to prevent NTLM relay on Web Servers)

## Credential hardening

* [ ] Disable LM hashes via GPO noLMHash