title: Windows Active Directory Hardening date: 2021-01-13 categories: [checklists]

tags: [windows, hardening, AD]

Windows Active Directory Hardening

NTLM Hardening

Enforce SMB Signing to prevents simple NTLM relaying attacks
Block NTLMv1 (can be set via GPO)
Enforce LDAP/S Signing to prevent NTLM relay in LDAP
Enforce EPA (to prevent NTLM relay on Web Servers)

Credential hardening

Disable LM hashes via GPO noLMHash

Domain Controler Hardening

Disable the printer spooler service (spoolsv.exe)
- Used for several exploits
- CVE-2021-1675
- CVE-2020-1048