Windows Security dashboard showing security baselines and compliance status

Windows Security Hardening: LAPS, Tiered Access & Defense in Depth

You’ve built your domain. Users are logging in, Group Policy is applying, DNS is resolving. Now the question: how do you stop it from being compromised?

Security hardening is where junior admins become senior admins. Anyone can follow a wizard. Understanding attack vectors, implementing defense in depth, and knowing what to monitor – that’s what makes you valuable.

What you’ll learn:

  • Windows security architecture basics
  • Essential hardening steps
  • Credential protection and tiered access
  • Monitoring and auditing
  • Common attack vectors and defenses

Career Value: Security expertise is the highest-paid skill in IT infrastructure. Understanding attack chains, implementing LAPS and tiered access, and configuring proper auditing are what separate GBP 45k sysadmins from GBP 70k+ security engineers. This knowledge is directly applicable to certifications like MCSE, SC-200, and OSCP.

Defense in Depth: Multiple layers of security protect your environment

Quick Reference

Concept | What It Is | Remember
--- | --- | ---
LAPS | Local Administrator Password Solution | Unique local admin password per machine
Credential Guard | Isolates credentials in the hypervisor | Prevents mimikatz-style attacks
PAW | Privileged Access Workstation | Dedicated machine for admin tasks
Tiered Access | Separate admin accounts by level | Tier 0 for DCs, Tier 1 for servers, etc.
SIEM | Security Information and Event Management | Centralized log analysis
Kerberoasting | Attack to crack service account passwords offline | Use long, complex service account passwords

The Attack Surface

How Attackers Think

Understanding attacks helps you defend:

  1. Initial Access – Phishing, exposed RDP, vulnerable services
  2. Credential Theft – Mimikatz, LSASS dumps, cached credentials
  3. Lateral Movement – Using stolen creds to access other systems
  4. Persistence – Backdoors, scheduled tasks, registry modifications
  5. Privilege Escalation – Local admin to Domain Admin
  6. Domain Dominance – Golden Ticket, DCSync, full compromise

Your hardening should address each stage.

The 5-Minute Domain Compromise

In a poorly configured environment:

1. Phish a user (any user)
2. Run mimikatz to dump local admin hash
3. Local admin hash is the same everywhere (image deployed)
4. Pass-the-hash to another machine
5. Find Domain Admin logged in somewhere
6. Dump their credentials
7. Game over

This entire attack can happen in minutes. Let’s prevent it.

Essential Hardening Steps

1. Unique Local Admin Passwords (LAPS)

Problem: Same local admin password on every machine = one compromise = all compromised.

Solution: Microsoft LAPS randomizes local admin passwords and stores them in AD.

Installation (legacy Microsoft LAPS, delivered as the AdmPwd.PS module; current Windows builds also ship Windows LAPS, which uses different cmdlets and attributes):

# Install LAPS on management machine
Install-WindowsFeature -Name GPMC

# Download and install LAPS MSI from Microsoft
# Then extend AD schema
Import-Module AdmPwd.PS
Update-AdmPwdADSchema

# Let each computer in the OU write its own password and expiry time into AD
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=yourdomain,DC=local"
# Let the IT-Admins group read the stored passwords for that OU
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,DC=yourdomain,DC=local" -AllowedPrincipals "IT-Admins"

Deploy via GPO:

Computer Configuration → Administrative Templates → LAPS
- Enable local admin password management: Enabled
- Password Settings: 14+ characters, complexity enabled

Retrieve password:

Get-AdmPwdPassword -ComputerName "WORKSTATION01"
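
The GPO only helps where the client-side extension actually runs, so here is an added example (not from the original post) that reports LAPS coverage for an OU: it reads the legacy LAPS attribute ms-Mcs-AdmPwdExpirationTime, which the AdmPwd.PS schema extension above creates, and flags machines that never received a password or whose password expired without being rotated. It assumes the ActiveDirectory module; the OU path is a placeholder.

```powershell
# Added example: report LAPS coverage for an OU (legacy LAPS, ms-Mcs-AdmPwd* schema attributes)
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [Parameter(Mandatory)] [string]$SearchBase,  # placeholder, e.g. "OU=Workstations,DC=yourdomain,DC=local"
        [int]$GraceDays = 7                          # days past expiry before a password counts as stale
    )
    $attr = 'ms-Mcs-AdmPwdExpirationTime'
    $now  = (Get-Date).ToUniversalTime()
    Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $true } -Properties $attr, LastLogonDate |
        ForEach-Object {
            $raw = $_.$attr
            if (-not $raw) {
                # No expiry ever written: the LAPS client-side extension has not run here (GPO not applied?)
                $expires = $null
                $state   = 'NoLapsPassword'
            } else {
                # The attribute is a Windows FILETIME (100 ns ticks since 1601) stored as Int64
                $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
                $state   = 'Ok'
                if ($expires -lt $now) { $state = 'ExpiredPendingRotation' }       # rotates at next GPO refresh
                if ($expires -lt $now.AddDays(-$GraceDays)) { $state = 'Stale' }   # expired and never rotated
            }
            [pscustomobject]@{
                Computer        = $_.Name
                LastLogonDate   = $_.LastLogonDate
                PasswordExpires = $expires
                State           = $state
            }
        }
}

$report = Get-LapsCoverage -SearchBase "OU=Workstations,DC=yourdomain,DC=local"
$report | Group-Object State | Select-Object Name, Count            # summary by state
$report | Where-Object State -ne 'Ok' | Sort-Object State, Computer | Format-Table -AutoSize
```

Machines reported as Stale with a recent LastLogonDate are the ones to chase; a stale entry with no recent logon is usually a decommissioned object that should be cleaned up.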

2. Disable Legacy Protocols

Disable SMBv1:

# Check status
Get-SmbServerConfiguration | Select EnableSMB1Protocol

# Disable
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Remove feature entirely
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Disable LLMNR and NetBIOS:

LLMNR and NetBIOS name resolution let any host on the local network answer lookups for names that DNS cannot resolve, which allows an attacker to capture or relay credentials (a man-in-the-middle attack).

GPO: Computer Configuration → Administrative Templates → Network → DNS Client
- Turn off multicast name resolution: Enabled

NetBIOS – disable per adapter (Advanced TCP/IP Settings → WINS tab) or centrally via the DHCP vendor option 001 "Microsoft Disable Netbios Option" set to 0x2.

3. Credential Guard

Credential Guard uses virtualization to isolate credentials:

# Check which virtualization-based security services are running (CredentialGuard is listed once it is active)
Get-ComputerInfo | Select-Object DeviceGuardSecurityServicesRunning

# Enable via GPO
# Computer Configuration → Administrative Templates → System → Device Guard
# Turn on Virtualization Based Security: Enabled
# Credential Guard Configuration: Enabled with UEFI lock

Requirements:

  • UEFI with Secure Boot
  • 64-bit Windows 10/11 Enterprise or Server 2016+
  • Virtualization extensions (VT-x/AMD-V)

4. Windows Firewall

Don’t disable Windows Firewall. Configure it:

# Enable firewall on all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Block inbound by default
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow

# Allow specific management traffic
New-NetFirewallRule -DisplayName "Allow RDP from Admin Subnet" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress 192.168.10.0/24 -Action Allow

5. Audit Policies

You can’t detect attacks you’re not logging:

# Via GPO: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy

# Critical audit policies:
# Account Logon → Credential Validation: Success, Failure
# Account Management → Security Group Management: Success
# Account Management → User Account Management: Success, Failure
# Logon/Logoff → Logon: Success, Failure
# Logon/Logoff → Special Logon: Success
# Object Access → File Share: Success, Failure
# Policy Change → Audit Policy Change: Success
# Privilege Use → Sensitive Privilege Use: Success, Failure

Tiered Access Model

The Concept

Microsoft’s tiered model separates admin access:

Tier 0 – Domain Controllers

  • Highest privilege
  • Separate admin accounts for DC access only
  • Never used to log into workstations

Tier 1 – Servers

  • Server admin accounts
  • Can’t access Tier 0
  • Never used on workstations

Tier 2 – Workstations

  • Helpdesk, standard IT support
  • Can’t access servers or DCs

Implementation

Create separate admin accounts:

jsmith           - Normal user account
jsmith-t2        - Workstation admin
jsmith-t1        - Server admin
jsmith-t0        - DC admin (only for senior admins)

Enforce with GPO:

Block Tier 0 accounts from workstations:

Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
- Deny log on locally: Add Tier 0 admin groups
- Deny log on through Remote Desktop: Add Tier 0 admin groups
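
An added example (not part of the original post) that checks the model is holding: it lists Tier 0 group members that are not dedicated -t0 accounts, and scans a workstation's Security log for interactive or RDP logons by -t0 accounts, which the Deny rights above should prevent. The -t0 suffix follows the naming convention above; the group names and 4624 property positions are standard Windows values, and the ActiveDirectory module is assumed.

```powershell
# Added example: audit the tiered access model
Import-Module ActiveDirectory

# 1. Every member of a Tier 0 group should be a dedicated -t0 account
#    (the built-in Administrator account will show up here; decide deliberately what to do with it)
function Get-Tier0MembershipReport {
    param([string]$Tier0Suffix = '-t0')
    $tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    foreach ($group in $tier0Groups) {
        Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user' | ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate
            [pscustomobject]@{
                Group            = $group
                Account          = $u.SamAccountName
                IsDedicatedTier0 = $u.SamAccountName.ToLower().EndsWith($Tier0Suffix)
                LastLogonDate    = $u.LastLogonDate
            }
        }
    }
}

# 2. On a workstation (or against forwarded workstation logs): interactive (2) or RDP (10) logons
#    by Tier 0 accounts. With the Deny rights in place these should never succeed, so any hit is a gap.
function Find-Tier0LogonOnWorkstation {
    param([string]$Tier0Suffix = '-t0', [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object {
            # 4624 EventData order: [5] TargetUserName, [8] LogonType, [18] IpAddress
            $_.Properties[5].Value -like "*$Tier0Suffix" -and $_.Properties[8].Value -in 2, 10
        } |
        Select-Object TimeCreated,
            @{N='Account';   E={$_.Properties[5].Value}},
            @{N='LogonType'; E={$_.Properties[8].Value}},
            @{N='Source';    E={$_.Properties[18].Value}}
}

Get-Tier0MembershipReport | Where-Object { -not $_.IsDedicatedTier0 } | Format-Table -AutoSize
Find-Tier0LogonOnWorkstation | Format-Table -AutoSize
```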

Privileged Access Workstations (PAW)

For Tier 0 and Tier 1 work, use dedicated machines:

  • Clean install – No user software, browsing, email
  • Hardened – Maximum GPO restrictions
  • Physical security – Locked office, no remote access
  • Monitored – Enhanced logging

In practice, many organizations use jump servers as a PAW equivalent.

Password Policies

Domain Password Policy

GPO: Default Domain Policy → Computer Configuration → Windows Settings →
Security Settings → Account Policies → Password Policy

Minimum length: 14 characters (or longer)
Complexity: Enabled
Maximum age: 90 days (or never - use MFA instead)
History: 24 passwords

Fine-Grained Password Policies

Different policies for different groups:

# Create password settings object
New-ADFineGrainedPasswordPolicy -Name "Service Accounts - Long Passwords" `
    -Precedence 10 `
    -MinPasswordLength 25 `
    -MaxPasswordAge "00:00:00" `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true

# Apply to group
Add-ADFineGrainedPasswordPolicySubject -Identity "Service Accounts - Long Passwords" `
    -Subjects "SVC-Accounts"

Service Account Security

Service accounts are prime targets:

  1. Use Group Managed Service Accounts (gMSA) – AD manages password
  2. Long passwords – 25+ characters
  3. Minimal permissions – Only what’s needed
  4. No interactive logon – Deny logon locally

# Create gMSA
New-ADServiceAccount -Name "gMSA-SQL" `
    -DNSHostName "gmsa-sql.yourdomain.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "SQL-Servers"

Common Attacks and Defenses

Pass-the-Hash

Attack: Attacker captures password hash, uses it to authenticate without knowing password.

Defenses:

  • LAPS (unique local admin passwords)
  • Credential Guard
  • Disable NTLM where possible
  • Tiered access model

Kerberoasting

Attack: Request service tickets, crack them offline to reveal service account passwords.

Defenses:

  • Long service account passwords (25+)
  • Use gMSA where possible
  • Monitor for mass ticket requests
  • AES encryption only (disable RC4)

# Force AES only for service account
Set-ADUser -Identity "svc-sqlserver" -KerberosEncryptionType AES256

DCSync

Attack: Attacker with replication rights requests password hashes from DC.

Defenses:

  • Audit replication permission holders
  • Remove unnecessary replication rights
  • Monitor for DCSync events (Event ID 4662)

# Find principals holding replication (DCSync) rights on the domain root
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
# Extended-right GUIDs: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType.ToString() -in $replGuids } |
    Select-Object IdentityReference, ObjectType -Unique

Golden Ticket

Attack: With KRBTGT hash, attacker can forge any Kerberos ticket.

Defenses:

  • Change the KRBTGT password twice (the second reset invalidates all tickets issued under the old key)
  • Protect Tier 0 rigorously
  • Monitor for suspicious Kerberos activity

# Reset KRBTGT (do twice, with replication time between)
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "RandomPassword1!" -AsPlainText -Force)
# Wait for replication
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "RandomPassword2!" -AsPlainText -Force)

Monitoring and Detection

Critical Events to Monitor

Event ID | What It Means | Priority
--- | --- | ---
4624 | Successful logon | Medium
4625 | Failed logon | High
4648 | Explicit credential logon | High
4672 | Special privileges assigned | High
4720 | User account created | High
4728/4732/4756 | User added to security group | High
4768 | Kerberos TGT requested | Medium
4769 | Kerberos service ticket requested | Medium (mass = High)
7045 | New service installed | High

Setting Up Basic Monitoring

Event Log Forwarding:

# On collector server
wecutil qc

# Create subscription
wecutil cs subscription.xml

PowerShell Log Analysis:

# Find failed logons in last 24 hours
# In the 4625 event schema, Properties[5] is TargetUserName and Properties[19] is IpAddress
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4625
    StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='Source';E={$_.Properties[19].Value}}
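
An added example (not from the original post) that turns the "monitor for mass ticket requests" and "Event ID 4662" advice from the Kerberoasting and DCSync sections into queries over the Security log, in the style of the 4625 search above. It assumes it runs on a domain controller or over forwarded DC logs, that Directory Service Access auditing is enabled for 4662, and a starting threshold of 10 distinct services per requester.

```powershell
# Added example: hunt for Kerberoasting and DCSync indicators in the Security log

# Turn an event's EventData into an object keyed by the field names from the event schema
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

# Kerberoasting: one principal requesting RC4 (0x17) service tickets for many distinct SPN accounts
function Find-KerberoastBurst {
    param([int]$Hours = 1, [int]$Threshold = 10)
    Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=4769; StartTime=(Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.TicketEncryptionType -eq '0x17' -and $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object TargetUserName, IpAddress |
        ForEach-Object {
            $spns = @($_.Group.ServiceName | Sort-Object -Unique)
            if ($spns.Count -ge $Threshold) {
                [pscustomobject]@{ Requester = $_.Name; DistinctServices = $spns.Count; Services = ($spns -join ', ') }
            }
        }
}

# DCSync: a 4662 carrying a replication extended-right GUID, requested by an account that is not a DC ($)
function Find-DCSyncAttempts {
    param([int]$Hours = 24)
    $replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    $pattern = $replGuids -join '|'
    Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=4662; StartTime=(Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.Properties -match $pattern -and $_.SubjectUserName -notlike '*$' } |
        Select-Object SubjectDomainName, SubjectUserName, ObjectName, Properties
}

Find-KerberoastBurst | Format-Table -AutoSize
Find-DCSyncAttempts  | Format-Table -AutoSize   # expect only known replication accounts (e.g. a directory sync service)
```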

SIEM Integration

For proper monitoring, forward logs to a SIEM:

  • Splunk – Industry standard, expensive
  • Microsoft Sentinel – Cloud-native, Azure-integrated
  • Wazuh – Open source, capable
  • Elastic SIEM – Open source, flexible

Hardening Checklist

Immediate (Do Now)

  • Deploy LAPS
  • Disable SMBv1
  • Enable Windows Firewall everywhere
  • Configure audit policies
  • Review Domain Admins group membership

Short-Term (This Month)

  • Implement tiered access model
  • Create separate admin accounts
  • Deploy Credential Guard where possible
  • Disable LLMNR and NetBIOS
  • Review service account permissions

Medium-Term (This Quarter)

  • Set up log forwarding/SIEM
  • Implement gMSA for service accounts
  • Deploy PAWs for Tier 0 access
  • Conduct password audit
  • Review GPO security settings

Interview Questions

Q1: “An attacker has compromised a workstation. How do you limit their ability to move laterally?”

Good Answer: “First, unique local admin passwords via LAPS prevents hash reuse across machines. Second, tiered access ensures admin credentials for servers and DCs are never present on workstations. Third, Windows Firewall should block workstation-to-workstation SMB. Fourth, disable legacy protocols like LLMNR that enable credential capture. Finally, Credential Guard prevents credential dumping from memory on protected machines.”

Q2: “What’s the first thing you’d check if you suspected AD compromise?”

Good Answer: “I’d immediately check who’s in Domain Admins and Enterprise Admins – attackers often add accounts or nested groups. Then I’d look at recent changes: new users, group modifications, GPO changes. I’d check for signs of DCSync by reviewing who has replication permissions. And I’d examine authentication logs for anomalies – logons at odd hours, from unexpected locations, or using service accounts interactively.”

Q3: “Explain how you’d implement a tiered access model.”

Good Answer: “Tiered access separates admin accounts by what they can access. Tier 0 accounts for DCs only, Tier 1 for member servers, Tier 2 for workstations. I’d create separate accounts for each admin at each tier they need – so my DC admin account is different from my server admin account. Then I enforce with GPO: block Tier 0 accounts from logging into anything except DCs. This way, if an attacker compromises my workstation creds, they can’t pivot to domain dominance.”

Career Application

On your resume:

  • “Implemented LAPS across 500+ endpoints, eliminating shared local admin password risk”
  • “Deployed tiered access model reducing lateral movement attack surface”
  • “Configured advanced audit policies and SIEM integration for security monitoring”
  • “Hardened AD environment against common attack vectors including Pass-the-Hash and Kerberoasting”

Demonstrate:

  • Understanding of attack techniques
  • Knowledge of defense-in-depth
  • Ability to balance security with usability
  • Familiarity with monitoring and detection

Resources

Microsoft Security Baselines:

  • Download from Microsoft Security Compliance Toolkit
  • Provides GPO templates for secure configuration

CIS Benchmarks:

  • Industry-standard hardening guides
  • Free for personal use

Attack References:

  • MITRE ATT&CK framework
  • Red team tool documentation (know what attackers use)

Series Summary

Over these six posts, you’ve learned:

  1. Windows Server Basics – Editions, Server Manager, Core vs GUI
  2. Active Directory – Forests, domains, OUs, users, groups
  3. PowerShell – Automation for everything
  4. Group Policy – Centralized configuration management
  5. Networking – DNS and DHCP integration with AD
  6. Security – Protecting it all

These skills form the foundation of enterprise Windows administration. Every environment you walk into will use these technologies. Master them, and you’ll always be valuable.

Next Steps

  • Next series: Automation Fundamentals – Automate your administration
  • Related: Azure Identity – Cloud extension of AD concepts
  • Practice: Build a lab, attack it, defend it. Nothing teaches security like trying to break it.

Security is a process, not a product. You’re never done hardening – you’re always improving. Now go secure something.

Windows Fundamentals Series

Part 6 of 6
