After this lesson, you will be able to: Apply AD defenses: the tiered administration model, Protected Users, Credential Guard, disabling NTLM where possible, and monitoring key Windows Event IDs.
The defensive payoff. This lesson covers the controls that break the attacks from earlier: tiered administration, the Protected Users group, Credential Guard, disabling NTLM, and monitoring the Windows Event IDs that reveal AD attacks.
The single most impactful AD defense is the tiered administration model: separate accounts and login boundaries for Tier 0 (domain controllers and identity systems), Tier 1 (servers), and Tier 2 (workstations). A Domain Admin should never log into a workstation, because doing so exposes their credentials in that machine's memory for an attacker to steal. Tiering ensures privileged credentials are only ever used on systems of equal trust, which cuts most lateral-movement-to-domain-dominance paths.
The Protected Users security group hardens its members: their credentials are not cached on the machines they log into, NTLM authentication is refused for them, and the weaker Kerberos options are disabled, which reduces their exposure to Pass-the-Hash and ticket theft. Credential Guard uses virtualization-based security to isolate credentials (the LSASS secrets) so that even malware with admin rights on a machine cannot extract them with tools like Mimikatz. Together they make stealing privileged credentials from memory much harder.
Disable NTLM where possible (it enables Pass-the-Hash) and monitor where it is still used so you can phase it out. Replace weak service-account passwords with Group Managed Service Accounts (gMSAs), which use long, automatically-rotated passwords that defeat Kerberoasting. Enforce pre-authentication on all accounts to kill AS-REP Roasting. Protect and monitor the krbtgt account, and rotate its key (twice) on any suspected compromise.
Detection matters because prevention is never perfect. Key event IDs: 4624 (successful logon) and 4625 (failed logon) for unusual patterns; 4768 (TGT requested) and 4769 (service ticket requested) for Kerberoasting spikes; 4720/4728/4732 for account and privileged-group changes; and events around krbtgt and DC changes. Feed these into a SIEM with alerting (the Incident Response subtrack covers SIEM) so Kerberoasting bursts, anomalous logons, and privilege escalations are caught.
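The Kerberoasting-burst rule described above, as an added example that is not part of the original lesson: it runs over a constructed, pipe-delimited export of 4769 records (time, requesting account, service name, ticket encryption type) and flags any account that requests RC4 service tickets for many distinct user service accounts inside a short window. The field layout, the RC4_HMAC constant and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type as it appears in event 4769. RC4-HMAC (0x17) is the
# type Kerberoasting requests, because RC4 tickets are the cheapest to crack.
RC4_HMAC = "0x17"

# Constructed sample of 4769 records (not real logs): time|account|service|etype.
SAMPLE_4769 = """\
2024-05-01T09:00:01|alice@CORP.LOCAL|svc_sql|0x17
2024-05-01T09:00:02|alice@CORP.LOCAL|svc_web|0x17
2024-05-01T09:00:02|alice@CORP.LOCAL|svc_backup|0x17
2024-05-01T09:00:03|alice@CORP.LOCAL|svc_sharepoint|0x17
2024-05-01T09:00:03|alice@CORP.LOCAL|svc_exchange|0x17
2024-05-01T09:00:04|alice@CORP.LOCAL|svc_reporting|0x17
2024-05-01T09:00:04|alice@CORP.LOCAL|FILESRV01$|0x17
2024-05-01T09:05:00|bob@CORP.LOCAL|svc_sql|0x12
2024-05-01T09:05:01|bob@CORP.LOCAL|svc_web|0x12
2024-05-01T09:05:02|bob@CORP.LOCAL|svc_backup|0x12
2024-05-01T09:05:03|bob@CORP.LOCAL|svc_sharepoint|0x12
2024-05-01T09:05:04|bob@CORP.LOCAL|svc_exchange|0x12
2024-05-01T09:10:00|carol@CORP.LOCAL|svc_sql|0x17
2024-05-01T09:10:01|carol@CORP.LOCAL|svc_web|0x17
"""

def parse_event(line):
    """Parse one constructed 4769 record into a dict."""
    ts, account, service, etype = line.split("|")
    return {"time": datetime.fromisoformat(ts), "account": account,
            "service": service, "etype": etype}

def detect_kerberoast_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: distinct_spn_count} for every account that requested
    RC4 service tickets for at least `threshold` distinct user service accounts
    within any `window`. Computer accounts (name ends in $) and krbtgt are not
    counted as targets: roasting goes after user accounts with SPNs."""
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["etype"] != RC4_HMAC:
            continue  # AES tickets are not the roasting signature
        if ev["service"].endswith("$") or ev["service"].lower().startswith("krbtgt"):
            continue
        per_account[ev["account"]].append((ev["time"], ev["service"]))
    hits = {}
    for account, reqs in per_account.items():
        for i, (start, _) in enumerate(reqs):  # sliding window from each request
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                hits[account] = max(hits.get(account, 0), len(spns))
    return hits

def scan(text, **kwargs):
    """Parse an export and return the flagged accounts."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return detect_kerberoast_bursts(events, **kwargs)
```

With the sample above only alice is flagged (six distinct RC4 service tickets in four seconds); bob's AES requests and carol's two requests stay below the rule.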
Letting Domain Admins log into workstations (the classic fatal mistake). Leaving service accounts with weak static passwords instead of gMSAs. Not enforcing pre-authentication. Keeping NTLM enabled everywhere. Collecting event logs but never alerting on 4769 spikes or privileged-group changes. Rotating krbtgt only once. Treating prevention as complete without detection.