
Active Directory: Hardening & Post-Compromise Recovery
Level: Intermediate - Duration: 5 days - Price: 2500€ excl. VAT

Description

For many organizations, Active Directory is the core of identity and access management. Its ubiquitous presence within information systems makes it a prime target for sophisticated cyberattacks and ransomware. Today, it is essential to make these infrastructures more resilient and to master the key post-intrusion steps to regain confidence in the system after an incident.

During this five-day training course, participants will acquire the skills necessary to defend and secure an Active Directory environment end-to-end. The program details the implementation of robust security mechanisms, the protection of directory control paths, and best practices in administration (Tiering model, LAPS, gMSA) to drastically reduce opportunities for compromise. Finally, a dedicated module prepares teams for the worst-case scenario: the presence of an attacker on the network and the methodology for regaining trust and cleaning the core of the information system.

  • 5 days (35 hours)

  • Full Active Directory environment simulating an enterprise infrastructure

  • Defensive approach covering continuous hygiene, hardening, and post-incident response

Objectives

  • Understand the internal security mechanisms of Windows and the anatomy of a compromise
  • Audit and secure directory control paths and clean up permissions (ACL/ACE)
  • Implement secure administration strategies (Tiering, PAW, JIT/JEA, LAPS)
  • Deploy an advanced monitoring and auditing policy to detect malicious behavior
  • Master the methodology for regaining trust after an intrusion and cleaning up a compromised Active Directory

Public and prerequisites

This training is designed for technical professionals responsible for the design, security maintenance, and monitoring of Active Directory infrastructures.

  • System and network administrators

  • Security architects

  • Members of security teams (Blue Team, SOC, CERT)

A solid understanding of Active Directory administration is required. Familiarity with PowerShell is a plus for confidently completing the practical auditing and configuration exercises.

Content

Day 1

Windows security architecture: security model, access token management, SIDs. Authentication mechanisms: NTLM vs. Kerberos in depth. Key concepts: how GPOs work, delegation. Anatomy of a compromise: Cyber Kill Chain (ransomware scenario), credential theft (LSASS dumping, SAM extraction), lateral movement techniques.

Day 2

Control paths: analysis and security (BloodHound/SharpHound), permission cleanup (ACL/ACE) on sensitive objects. Delegation of administration: principle of least privilege. Network services: securing DNS and DHCP, and disabling obsolete protocols (LLMNR/NetBIOS). Tiering model: concepts (Tier 0, 1, 2), deployment of administrative silos, Kerberos Armoring (FAST). Service accounts: implementation of Group Managed Service Accounts (gMSA) and protection against Kerberoasting.

Day 3

Administrative workstations: implementation of Privileged Access Workstations (PAWs). Privilege management: Just-in-Time (JIT) administration and Just-Enough Administration (JEA), deployment of the Local Administrator Password Solution (LAPS). Hybrid environments: extension to the cloud (Entra ID), securing the Microsoft Entra Connect connector, understanding cloud-to-on-premises and on-premises-to-cloud attacks. Access control: implementation of Conditional Access and Multi-Factor Authentication (MFA) for critical roles.

Day 4

Visibility and log management: advanced configuration of the Windows audit policy. Extended monitoring: deployment and configuration of Sysmon. Centralization: analysis of critical logs and identification of essential Event IDs. Active Directory hygiene: auditing and compliance monitoring, regular verification of rights and privileges (PowerShell scripts), use of built-in configuration analysis tools.

Day 5

Disaster scenario: remediation strategy methodology. Persistence analysis: tracking maintained access (WMI subscriptions, scheduled tasks, backdoors). Recovery strategies: the concept of "AD failover" vs. "cleanup". AD cleanup: double password reset procedure for the KRBTGT account, attacker removal. Emergency hardening: creation and application of survival GPOs.

All the details regarding how the training is conducted are described on this page.