Delinea | Privileged Access Management Blog

5 Security Controls That Can Reduce Your Active Directory Risk

Written by Ariel Zaretsky | Apr 16, 2026 12:00:03 PM

Here's why Microsoft Active Directory security still demands CISO attention in 2026.

Active Directory (AD) was supposed to be on its way out by now. A decade of cloud migration and zero-trust initiatives should have reduced it to a footnote. Instead, it remains the identity backbone for the overwhelming majority of enterprises, and one of the most reliably exploited systems in modern threat campaigns.

This is not a legacy problem you can defer. It is an active, daily risk that most organizations manage with tools designed for a narrower version of the problem.

Active Directory is not going away—and attackers know it

The case for AD's persistence is architectural, not sentimental. Thousands of enterprise applications depend on Kerberos, NTLM, and LDAP protocols that cloud directories do not natively support. Group Policy Objects (GPOs) govern device security baselines at a depth cloud-native management has not fully replicated. On-premises Public Key Infrastructure (PKI) and air-gapped environments anchor AD as a hard dependency.

Most large organizations therefore run hybrid environments where on-premises AD is the authoritative source, and cloud directories like Microsoft Entra ID are synchronized downstream. AD’s security posture directly determines the security posture of everything connected to it.

Attackers understand this better than most security programs do. In 2024, the Five Eyes intelligence alliance published a joint advisory cataloging 17 specific AD attack techniques in active use by ransomware operators and nation-state groups. Their conclusion was blunt: AD is persistently vulnerable due to permissive default settings, complex permission inheritance, legacy protocol support, and a widespread lack of tooling to diagnose what is actually configured.

Microsoft's 2024 Digital Defense Report documented 600 million identity attacks per day. CrowdStrike reported that 80% of their detections now involve identity-based techniques rather than malware, with the fastest observed breakout time from initial access to domain compromise under two minutes.

How do Active Directory compromises actually happen?

Modern AD attacks rarely involve exotic zero-days. They exploit misconfigurations that have existed for years, created inadvertently and never remediated.

“Kerberoasting” is the most widespread example. Any authenticated domain user can request a Kerberos service ticket for any service account with a registered Service Principal Name (SPN), take that ticket offline, and crack the password hash. Service accounts are routinely provisioned with weak, never-rotated passwords. CrowdStrike reported a 583% year-over-year increase in Kerberoasting in 2023. No special privileges are required.

Shadow administrators are accounts that hold admin-equivalent capabilities not through formal group membership, but through direct Access Control List (ACL) assignments on AD objects. An account with GenericAll rights on a Domain Admin object can reset that admin's password, delivering domain admin capability without appearing in any privileged group. They are invisible to standard monitoring and a recurring finding in incident response engagements.
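The following check, added here and not part of the original post, lists ACEs that confer the shadow-administrator paths described above (GenericAll, WriteDacl, WriteOwner, or the Reset Password extended right) on Tier 0 objects, including AdminSDHolder. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive), a forest-root domain, and the `$expected` trustee list as a baseline you adjust for your environment.

```powershell
# Added example (not Delinea's code): surface non-baseline ACEs that grant Tier 0 control.
# Assumes the RSAT ActiveDirectory module and that this runs in the forest root domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
# Objects whose DACL confers Tier 0 control when writable; AdminSDHolder is the template
# that overwrites protected-group ACLs every 60 minutes.
$targets = @(
    "CN=AdminSDHolder,CN=System,$domainDN",
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    (Get-ADGroup 'Enterprise Admins').DistinguishedName
)
# Assumed baseline: trustees that legitimately hold these rights by default.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins')
# Well-known GUID of the "Reset Password" control access right (User-Force-Change-Password).
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$adr = [System.DirectoryServices.ActiveDirectoryRights]

foreach ($dn in $targets) {
    $acl = Get-Acl -Path ("AD:\" + $dn)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # ExtendedRight with an empty ObjectType means "all extended rights", which includes reset.
        $dangerous = $rights.HasFlag($adr::GenericAll) -or
                     $rights.HasFlag($adr::WriteDacl)  -or
                     $rights.HasFlag($adr::WriteOwner) -or
                     ($rights.HasFlag($adr::ExtendedRight) -and
                      ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $resetPasswordGuid))
        if (-not $dangerous) { continue }
        $who = $ace.IdentityReference.Value
        if ($expected | Where-Object { $who -like "*$_" }) { continue }
        # Anything left is a trustee with admin-equivalent reach that no group membership shows.
        [pscustomobject]@{
            Object      = $dn
            Trustee     = $who
            Rights      = $rights
            ObjectType  = $ace.ObjectType
            IsInherited = $ace.IsInherited
        }
    }
}
```

Any row this emits is an account or group to reconcile against your change records; an unexplained inherited ACE points at a writable parent container rather than the object itself.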

Unconstrained Kerberos delegation, when applied to non-domain-controller systems, caches every authenticating user's full Ticket-Granting Ticket (TGT) in memory. Combined with coercion attacks that force a DC to authenticate to a compromised host, attackers can capture the DC's TGT and execute DCSync, extracting the entire domain credential database through legitimate protocol abuse, with no malware.

The Scattered Spider group, behind the MGM Resorts breach and the 2025 Marks & Spencer attack, built a repeatable playbook from exactly these techniques: social engineering into help desk accounts, credential dumping, Kerberoasting, and DCSync for full domain takeover. The playbook works because the enabling misconfigurations are endemic.

Why PAM alone is not enough

Privileged Access Management (PAM) is necessary. But alone, it is not sufficient.

A core capability of PAM is vaulting credentials that have been deliberately enrolled and managing known privileged sessions. The vault by itself has no discovery mechanism for accounts it has not been told about, like service accounts provisioned outside the program, legacy accounts from acquisitions, or local admin accounts shared across hundreds of machines. These exist entirely outside vault governance.

Privilege also accumulates silently between access reviews. A quick fix grants a service account temporary group membership. The access is never revoked. A nested group inadvertently confers domain admin rights to hundreds of accounts; none of these events triggers a PAM alert. Most will not surface until the next quarterly review—if then.

The result is a structural gap: PAM secures a known, enrolled subset of privileged access while a growing shadow estate operates without governance. What organizations need instead is an identity security control plane, which extends PAM into a continuous model that connects visibility, risk analysis, and control in a single lifecycle.

Capabilities like identity security posture management (ISPM) make this a reality.

What does ISPM provide?

ISPM is the discipline built to close these gaps. Gartner identified it as a top IAM strategic priority in 2024–2025, alongside zero standing privilege. The concept matters more than the label.

ISPM delivers four things that PAM and Identity Governance and Administration (IGA) do not:

  1. Continuous discovery of all identities and their effective permissions across the hybrid estate.

  2. Posture analysis that surfaces misconfigured, over-privileged, and dormant accounts before attackers find them.

  3. Risk prioritization that orders findings by exploitability and blast radius rather than treating all misconfigurations equally.

  4. Remediation guidance with specific, actionable fixes that feed back into existing IAM, IGA, and PAM workflows.

The keyword here is continuous. IAM enforces access at the gate. IGA governs lifecycle events on quarterly cycles. PAM secures enrolled credentials, and ISPM detects posture drift in the intervals between governance events, precisely where most exploitable conditions are created and persist undetected.

Five controls that actually reduce risk

  1. Enforce the tiered administration model. Microsoft's Enterprise Access Model separates Tier 0 (domain controllers, PKI), Tier 1 (servers, applications), and Tier 2 (workstations). Credentials from a higher tier must never touch lower-tier systems. A Domain Admin logging into a workstation leaves credentials in LSASS, available for extraction. Enforce via Authentication Policy Silos and dedicated Privileged Access Workstations (PAWs) for Tier 0.

  2. Deploy Protected Users and Credential Guard. The Protected Users group disables NTLM, prevents Kerberos delegation, stops credential caching, and limits TGT lifetime to four hours. Windows Defender Credential Guard isolates credentials in hardware-backed memory inaccessible to tools like Mimikatz. Together, they neutralize Pass-the-Hash and Pass-the-Ticket attacks.

  3. Eliminate unconstrained Kerberos delegation outside domain controllers. Any computer with TRUSTED_FOR_DELEGATION set is a domain compromise waiting to happen. Migrate all instances to Resource-Based Constrained Delegation (RBCD) and treat any new unconstrained delegation flag as a critical finding.

  4. Replace SPN service accounts with Group Managed Service Accounts (gMSAs). User accounts with SPNs are Kerberoasting targets. gMSAs use 240-character auto-rotated passwords that are computationally infeasible to crack offline.

  5. Audit AdminSDHolder and disable legacy protocols. AdminSDHolder ACL changes propagate to all protected groups every 60 minutes—an attacker who modifies it creates a persistent backdoor that survives most remediation. Alongside this: disable LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service), enforce SMB (Server Message Block) signing, and deploy LAPS (Local Administrator Password Solution) for unique local admin passwords on every domain-joined machine.
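As an added example (not Delinea's code), the script below runs read-only checks for controls 2, 3 and 4 above, plus the PasswordNotRequired residue mentioned later, using the RSAT ActiveDirectory module. It assumes a Tier 0 workstation with read access to the domain and treats `$tier0Groups` as an assumed baseline.

```powershell
# Added example (not Delinea's code): read-only AD posture checks for controls 2-4.
# Assumes the RSAT ActiveDirectory module; $tier0Groups is an assumed baseline to adjust.
Import-Module ActiveDirectory

$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

# Control 3: unconstrained delegation (TRUSTED_FOR_DELEGATION) on anything that is not a DC.
$unconstrained = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
    Where-Object { $dcDNs -notcontains $_.DistinguishedName }

# Control 4: enabled user accounts carrying an SPN (Kerberoast exposure), with password age.
# gMSAs are a separate object class and so do not appear here; krbtgt is excluded.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
        -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } } }

# Control 2: Tier 0 group members who are not in Protected Users.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$protected = (Get-ADGroupMember 'Protected Users' -Recursive).DistinguishedName
$unprotectedAdmins = $tier0Groups |
    ForEach-Object { Get-ADGroupMember $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.DistinguishedName } |
    Sort-Object DistinguishedName -Unique

# Operational residue: PASSWD_NOTREQD still set on enabled accounts.
$noPassword = Get-ADUser -Filter 'PasswordNotRequired -eq $true -and Enabled -eq $true'

Write-Host "Unconstrained delegation outside DCs     : $($unconstrained.Count)"
$unconstrained | ForEach-Object { Write-Host "  $($_.DNSHostName)" }
Write-Host "User accounts with SPNs (Kerberoastable) : $($spnUsers.Count)"
$spnUsers | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
Write-Host "Tier 0 members outside Protected Users   : $($unprotectedAdmins.Count)"
$unprotectedAdmins | ForEach-Object { Write-Host "  $($_.SamAccountName)" }
Write-Host "Enabled accounts with PasswordNotRequired: $($noPassword.Count)"
```

Each non-zero count maps to one of the controls above: migrate the delegation hosts to RBCD, convert the SPN users to gMSAs, and add the remaining Tier 0 members to Protected Users after confirming they do not rely on NTLM or delegation.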

The bottom line

The misconfigurations that enable domain compromise are not exotic. They are the accumulated residue of operational shortcuts: a PasswordNotRequired flag never cleared after emergency provisioning, a service account "temporarily" granted Domain Admin two years ago, a nested group that inadvertently gave 400 users local admin on critical servers.

These are the specific conditions ransomware operators and nation-state actors search for systematically, using the same open-source tools that defenders can use to find them first.

You cannot remediate what you cannot see. You cannot prioritize without context. And you cannot maintain a defensible posture through quarterly reviews when the attack surface changes daily. That is the case for ISPM, and it's not going away.