Active Directory
Security

Executive Summary

This portfolio documents the design, implementation, and security hardening of a comprehensive Active Directory homelab environment. The project demonstrates enterprise-level cybersecurity skills including SIEM integration, attack path analysis, identity management, and security monitoring.

The lab was built to demonstrate practical competency in:

• Active Directory deployment and security hardening
• SIEM implementation using Splunk Enterprise
• Endpoint detection using Sysmon and Splunk Add-on for Sysmon
• Attack path visualization using BloodHound Community Edition
• Local Administrator Password Solution (LAPS) deployment
• PingCastle security assessment scoring
• WSL2, Docker, and containerized security tools

1.1 Lab Environment Summary

1.2 PingCastle Score Progression

Phase 1 — Active Directory Deployment & Baseline

2.1 Initial Setup

Windows Server 2025 was installed and configured as a Domain Controller for the ADForest.local domain. The following roles were installed:

• Active Directory Domain Services (AD DS)
• DNS Server
• Group Policy Management

2.2 Baseline PingCastle Assessment

PingCastle was used to establish a security baseline. Initial scan revealed a global score of 60 with multiple critical findings:

Phase 2 — Security Hardening

3.1 Password Policy

Default password policy was strengthened to meet enterprise standards:

Set-ADDefaultDomainPasswordPolicy -Identity 'ADForest.local' -MinPasswordLength 12

3.2 AD Recycle Bin

Enabled AD Recycle Bin to allow recovery of accidentally deleted objects:

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'ADForest.local' -Confirm:$false

3.3 MachineAccountQuota

By default, any domain user can join up to 10 computers to the domain. This was disabled to prevent unauthorized domain joins:

Set-ADDomain -Identity 'ADForest.local' -Replace @{'ms-DS-MachineAccountQuota'='0'}

3.4 Schema Admins Cleanup

The built-in Administrator account was removed from Schema Admins. Schema Admins is one of the most powerful groups in AD — members can make irreversible forest-wide schema modifications:

Remove-ADGroupMember -Identity 'Schema Admins' -Members 'Administrator' -Confirm:$false

3.5 Account Delegation Protection

The Administrator account was protected against Kerberos delegation attacks:

Set-ADUser -Identity 'Administrator' -AccountNotDelegated $true

3.6 NTLMv1 Disabled

NTLMv1 is a legacy and insecure authentication protocol. It was disabled via both registry and GPO:

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -Value 5

Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5

3.7 Audit Policy

Comprehensive audit policy was configured to capture all security-relevant events:

3.8 AD Backup

Windows Server Backup was installed and a system state backup was configured:

Install-WindowsFeature -Name Windows-Server-Backup
# Create VHD for backup storage
diskpart /s backup_script.txt  # Creates 30GB VHD mounted as E:
wbadmin start systemstatebackup -backupTarget:E: -quiet

3.9 AES Encryption

Legacy RC4 Kerberos encryption was replaced with modern AES encryption:

# Enable AES for all user accounts
Get-ADUser -Filter {Enabled -eq $true} | Set-ADUser -KerberosEncryptionType AES128,AES256

# Enable AES for krbtgt account
Set-ADUser -Identity krbtgt -KerberosEncryptionType AES128,AES256

Phase 3 — LAPS Implementation

Windows LAPS (Local Administrator Password Solution) is built into Windows Server 2025. It automatically manages and rotates local administrator passwords on domain-joined computers, eliminating the risk of password reuse attacks.

4.1 LAPS Schema Extension

AD Schema was extended with LAPS attributes:

# Add Schema Admins temporarily for schema modification
Add-ADGroupMember -Identity 'Schema Admins' -Members 'SecAdmin'

# Extend schema with LAPS attributes
Update-LapsADSchema -Verbose

Schema attributes added:

• ms-LAPS-Password
• ms-LAPS-PasswordExpirationTime
• ms-LAPS-EncryptedPassword
• ms-LAPS-EncryptedPasswordHistory
• ms-LAPS-EncryptedDSRMPassword

# Remove from Schema Admins immediately after
Remove-ADGroupMember -Identity 'Schema Admins' -Members 'SecAdmin' -Confirm:$false

4.2 LAPS Computer Permissions

Set-LapsADComputerSelfPermission -Identity 'DC=ADForest,DC=local'

4.3 LAPS GPO Configuration

New-GPO -Name 'LAPS Policy' | New-GPLink -Target 'DC=ADForest,DC=local'

# Backup passwords to Active Directory
Set-GPRegistryValue -Name 'LAPS Policy' -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS' -ValueName 'BackupDirectory' -Type DWord -Value 2

# Password age 30 days, minimum length 16 characters
Set-GPRegistryValue -Name 'LAPS Policy' -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS' -ValueName 'PasswordAgeDays' -Type DWord -Value 30
Set-GPRegistryValue -Name 'LAPS Policy' -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS' -ValueName 'PasswordLength' -Type DWord -Value 16

Phase 4 — Privileged Account Management

5.1 SecAdmin Account Creation

A dedicated administrative account was created following the principle of least privilege. The built-in Administrator account (RID-500) is a well-known attack target — creating a separate admin account reduces this risk:

New-ADUser -Name 'SecAdmin' -SamAccountName 'SecAdmin' -UserPrincipalName 'SecAdmin@ADForest.local' `
  -AccountPassword (ConvertTo-SecureString 'SecureP@ss123!' -AsPlainText -Force) `
  -Enabled $true -PasswordNeverExpires $false

Add-ADGroupMember -Identity 'Domain Admins' -Members 'SecAdmin'

# Mark as sensitive - cannot be delegated
Set-ADUser -Identity SecAdmin -AccountNotDelegated $true

5.2 BreakGlass Account (Emergency Recovery)

The built-in Administrator account was renamed to BreakGlass and disabled. This follows defence-in-depth principles — attackers expect 'Administrator' but find 'BreakGlass' disabled:

# Rename Administrator to BreakGlass
Rename-ADObject -Identity (Get-ADUser Administrator).DistinguishedName -NewName 'BreakGlass'

# Disable the account
Disable-ADAccount -Identity 'CN=BreakGlass,CN=Users,DC=ADForest,DC=local'

# Set complex emergency password
Set-ADAccountPassword -Identity 'CN=BreakGlass,CN=Users,DC=ADForest,DC=local' `
  -NewPassword (ConvertTo-SecureString 'Xk9#mP2$vL5@nQ8!' -AsPlainText -Force) -Reset

Phase 5 — Splunk SIEM Integration

Splunk Enterprise 10.2 was deployed as the SIEM solution. Despite being the free version (500 MB/day ingestion limit), it provides full SIEM functionality for the homelab environment.

6.1 Splunk Configuration

Windows Event Log collection was configured via inputs.conf (GUI editing restricted in free version):

[WinEventLog://Security]
index = wineventlog
disabled = false
start_from = oldest
current_only = 1
renderXml = false

[WinEventLog://System]
index = wineventlog
disabled = false
current_only = 1

[WinEventLog://Application]
index = wineventlog
disabled = false
current_only = 1

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = wineventlog
disabled = false
current_only = 1
renderXml = true
whitelist = 1,3,8,10,11,12,13,22

6.2 Sysmon Integration

Sysmon (System Monitor) v15.15 was installed and integrated with Splunk for deep endpoint visibility. Key challenge: Splunk returned errorCode=5 (Access Denied) when accessing Sysmon logs.

Resolution — Splunk service configured to run as LocalSystem:

sc.exe config Splunkd obj= 'LocalSystem'

Splunk Add-on for Sysmon (TA-microsoft-sysmon v5.0.0) was installed to enable proper field extraction and sourcetype recognition.

6.3 Data Collection Results

6.4 Key Security Searches

6.5 Splunk Dashboards Created

• AD Security Overview — Top Event Codes bar chart
• FailedLogonMonitor — Failed logons by account
• SysmonProcessMonitor — Top processes from Sysmon
• LogonActivityMonitor — Successful logon tracking

Phase 6 — BloodHound CE Attack Path Analysis

BloodHound Community Edition was deployed to visualize Active Directory attack paths — a critical tool for both offensive security (red team) and defensive security (blue team) operations.

7.1 Infrastructure

7.2 Deployment Process

Key challenge: Docker Desktop does not support Windows Server. Solution: WSL2 with Docker Engine on Ubuntu.

# Install WSL2 and Ubuntu
wsl.exe --install

# Install Docker Engine on Ubuntu
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

# Deploy BloodHound CE
wget -O docker-compose.yml 'https://raw.githubusercontent.com/SpecterOps/BloodHound/main/examples/docker-compose/docker-compose.yml'
docker compose up -d

7.3 SharpHound Data Collection

# Disable Defender temporarily
Set-MpPreference -DisableRealtimeMonitoring $true

# Run SharpHound collection
.\SharpHound.exe -c All --domain ADForest.local

7.4 Saved BloodHound Queries

Challenges & Resolutions

Planned Enhancements

9.1 TopTon Security Gateway (In Progress)

A TopTon mini PC (Intel N150, 33 GB DDR5) is being configured as an inline security gateway:

Software stack:

• Rocky Linux 9 — Base OS
• Suricata — Inline IPS (active threat blocking)
• OpenVPN — Secure remote access

9.2 Additional Planned Items

• BadBlood — Realistic AD test data population
• Network architecture diagram (draw.io)
• Wazuh SIEM — Open source alternative / complement to Splunk
• MITRE ATT&CK framework mapping
• Incident response playbook
• Attack simulation and detection validation

Skills Demonstrated