
Active Directory Security and Security Hardening with Jordan Drysdale and Kent Ickler

Overview

  • Course Length: 16 hours
  • Support from expert instructors
  • Includes certificate of completion
  • 12 months access to Cyber Range
Instructors: Jordan Drysdale and Kent Ickler

Active Directory is the backbone of most enterprise environments, and it’s a prime target for attackers.

This hands-on course is built for defenders who want to understand, audit, and harden AD from the inside out. Students will work directly in a lab environment to identify misconfigurations, analyze attack paths, implement defensive controls, and apply industry best practices to reduce risk.

From initial domain controller promotion through deception technologies, AD enumeration, privilege auditing, authentication hardening, and continuous validation, students will build a practical skillset to secure Active Directory at scale. The labs are real-world, gritty, and tailored for defenders who want to learn how attackers think, and how to stop them.

WHO SHOULD ATTEND

This course is ideal for system administrators, security engineers, Blue Teamers, and IT professionals responsible for maintaining and defending Windows enterprise environments. If you manage AD, or if you’re on the hook for securing it, this course is for you. Familiarity with Windows Server and Active Directory basics is helpful but not required.

KEY TAKEAWAYS

  • Deep understanding of AD attack paths and how to proactively prevent them.
  • Practical use of tools like PingCastle, Purple Knight, PowerShell, and built-in Microsoft utilities.
  • Strategies to apply least privilege, secure authentication, and reduce lateral movement opportunities.
  • Framework for building an AD environment that’s secure, auditable, and defensible.
  • Grasp the fundamental concepts of Active Directory, including its structure (domains, trees, forests) and components (users, groups, organizational units).
  • Learn best practices for managing user accounts and groups, including the principle of least privilege and the importance of regular audits.
  • Understand the significance of strong password policies, including complexity requirements, expiration, and account lockout settings.
  • Familiarize yourself with authentication methods used in AD, such as Kerberos and NTLM, and their respective security implications.
  • Explore how to implement effective access control measures, including the use of Access Control Lists (ACLs) and Role-Based Access Control (RBAC).
  • Understand the importance of monitoring AD for suspicious activities and how to configure auditing to track changes and access.
  • Identify common threats to AD, such as privilege escalation and pass-the-hash attacks, and how to implement countermeasures.
  • Emphasize the importance of keeping AD and its components updated with the latest security patches to mitigate vulnerabilities.
  • Familiarize yourself with best practices for hardening AD, such as minimizing the attack surface, disabling unnecessary services, and securing domain controllers.
  • Engage in practical exercises to reinforce learning, such as configuring security settings, implementing GPOs, and conducting audits.
  • Identify additional resources, such as documentation, forums, and communities, for ongoing education and support in AD security.

APPLICABLE BUSINESS SKILLS

Risk mitigation planning for Windows infrastructure

Security configuration management across enterprise Active Directory deployments

Alignment of technical AD controls with compliance and governance requirements

Cross-functional communication between IT, security, and compliance teams

Enhancing incident response capabilities through AD visibility and audit readiness

Strategic implementation of least privilege and access governance models

AUDIENCE SKILL LEVEL

This course is designed for technical professionals with at least a foundational understanding of Windows Server and Active Directory. Participants should be comfortable using command-line tools and exploring systems independently. No prior security training is required, but basic knowledge of how AD works will accelerate learning.

Syllabus

Domain Population

  • BadBlood

AD Enumeration / Recon

  • BloodHound
  • PlumHound

Baseline Auditing

  • Policy review
  • Password policy
  • Kerberos Ticketing Settings
  • Service Principal Names

Deception Technologies

Accounts and Privileges

  • Identify privileged accounts
  • Excessive permissions
  • Stale objects

GPO Auditing

  • Insecure GPO settings, GPO linking / inheritance
  • LSDOU, permissions structures

Lateral Movement; Attack Path Analysis (BloodHound)

  • Local admin reuse/spray
  • Unconstrained delegation
  • Admin-to-admin paths

Data governance

  • Data classification
  • Data control
  • File Server Resource Manager

ADCS

  • Auditing and Best Practices

Authentication Hardening

  • Signing
  • NTLM / Kerberos
  • SMB message integrity
  • LDAP channel binding

Endpoint Hardening

  • Browsers
  • Software control
  • WSUS / SCCM / MECM

Log Collection and Monitoring

  • Enable effective Logging

Defensive Hardening / Best Practices

  • Admin tiering – red forest
  • Just enough admin
  • LAPS
  • Least Privilege

Network engineering

  • Firewalls
  • Forest structure

Continuous Security

  • Auditing

Blue Team Summit (Aug 28th – Aug 29th, 2025)

  • August 28th – 9:00 AM to 6:00 PM EDT
  • August 29th – 9:00 AM to 6:00 PM EDT
FAQ

Q: Is this course focused on red team or blue team skills?

A: This course is blue team focused and grounded in understanding red team tactics. You’ll learn how attackers operate in AD and how to proactively shut them down.

Q: Is this course beginner-friendly?

A: While we cover foundational concepts, this is a fast-paced, hands-on class. Prior experience with Windows Server or Active Directory will help.

Q: Will I receive lab access after the course?

A: Yes. Students will receive temporary post-class lab access to continue practicing on their own time.

Students will also receive instructions to build and maintain their own lab environment on their own pay-as-you-go Azure subscription.

Q: What tools are covered in the course?

A: PingCastle, Purple Knight, BloodHound, PowerShell, Microsoft LAPS, GPO analysis tools, deception frameworks, and native Windows administrative tools.

System Requirements

To participate in the lab and exercises, students will need:

A laptop with:

  • At least 8GB RAM (16GB recommended)
  • A modern, multi-core CPU
  • Windows 10/11, macOS, or Linux (with virtualization enabled)
  • A reliable internet connection (10 Mbps or higher)
  • Administrative access on the system (to run virtual machines or lab VPN client)

STUDENT PROVIDED RESOURCES

Students will need an Azure Pay-As-You-Go subscription that uses the student’s own credit card.

STUDENT KNOWLEDGE REQUIREMENTS

Before attending, students should ideally have:

  • Prior exposure to AD security issues or Blue Team responsibilities (a plus, not required)
  • A working knowledge of Active Directory concepts such as domains, users, groups, GPOs, and organizational units
  • Basic experience navigating Windows Server and PowerShell
  • General familiarity with IT administration, security, or incident response roles

Live Training

  • Collaborative interaction with Instructor and fellow students through the Antisyphon Discord class channel
  • Access to course slides for future reference
  • Tips, tools, and techniques that can be applied immediately upon returning to work
  • Strengthen your skills by solving challenges within the Antisyphon Cyber Range
  • Become part of a community driven to educate and share knowledge

Complete Package

Active Directory Security and Security Hardening with Jordan Drysdale and Kent Ickler
Price: $575.00
Includes certificate of participation, six months access to class recordings and twelve months access to Cyber Range.
Aug 28 – Aug 29, 9am EDT – 6pm EDT
Registration ends: 10 PM ET on Aug 27
Blue Team Summit: $575.00

Course Categories:

Blue Team, Red Team