Active Directory Security and Security Hardening with Jordan Drysdale and Kent Ickler
Overview
- Course Length: 16 hours
- Support from expert instructors
- Includes certificate of completion
- 12 months access to Cyber Range
Active Directory is the backbone of most enterprise environments, and it’s a prime target for attackers.
This hands-on course is built for defenders who want to understand, audit, and harden AD from the inside out. Students will work directly in a lab environment to identify misconfigurations, analyze attack paths, implement defensive controls, and apply industry best practices to reduce risk.
From initial domain controller promotion through deception technologies, AD enumeration, privilege auditing, authentication hardening, and continuous validation, students will build a practical skillset to secure Active Directory at scale. The labs are real-world, gritty, and tailored for defenders who want to learn how attackers think, and how to stop them.
WHO SHOULD ATTEND
This course is ideal for system administrators, security engineers, Blue Teamers, and IT professionals responsible for maintaining and defending Windows enterprise environments. If you manage AD, or if you’re on the hook for securing it, this course is for you. Familiarity with Windows Server and Active Directory basics is helpful but not required.
KEY TAKEAWAYS
- Deep understanding of AD attack paths and how to proactively prevent them.
- Practical use of tools like PingCastle, Purple Knight, PowerShell, and built-in Microsoft utilities.
- Strategies to apply least privilege, secure authentication, and reduce lateral movement opportunities.
- Framework for building an AD environment that’s secure, auditable, and defensible.
- Grasp the fundamental concepts of Active Directory, including its structure (domains, trees, forests) and components (users, groups, organizational units)
- Learn best practices for managing user accounts and groups, including the principle of least privilege and the importance of regular audits.
- Understand the significance of strong password policies, including complexity requirements, expiration, and account lockout settings.
- Familiarize yourself with authentication methods used in AD, such as Kerberos and NTLM, and their respective security implications.
- Explore how to implement effective access control measures, including the use of Access Control Lists (ACLs) and Role-Based Access Control (RBAC)
- Understand the importance of monitoring AD for suspicious activities and how to configure auditing to track changes and access.
- Identify common threats to AD, such as privilege escalation, pass-the-hash attacks, and how to implement countermeasures
- Emphasize the importance of keeping AD and its components updated with the latest security patches to mitigate vulnerabilities.
- Familiarize yourself with best practices for hardening AD, such as minimizing the attack surface, disabling unnecessary services, and securing domain controllers.
- Engage in practical exercises to reinforce learning, such as configuring security settings, implementing GPOs, and conducting audits.
- Identify additional resources, such as documentation, forums, and communities, for ongoing education and support in AD security.
APPLICABLE BUSINESS SKILLS
Risk mitigation planning for Windows infrastructure
Security configuration management across enterprise Active Directory deployments
Alignment of technical AD controls with compliance and governance requirements
Cross-functional communication between IT, security, and compliance teams
Enhancing incident response capabilities through AD visibility and audit readiness
Strategic implementation of least privilege and access governance models
AUDIENCE SKILL LEVEL
This course is designed for technical professionals with at least a foundational understanding of Windows Server and Active Directory. Participants should be comfortable using command-line tools and exploring systems independently. No prior security training is required, but basic knowledge of how AD works will accelerate learning.
Syllabus
Domain Population
- BadBlood
AD Enumeration/ Recon
- BloodHound
- PlumHound
Baseline Auditing:
- Policy review
- Password policy
- Kerberos Ticketing Settings
- Service Principal Names
Deception Technologies
Accounts and Privileges
- Identify privileged accounts
- Excessive permissions
- Stale objects
GPO Auding
- Insecure GPO settings, GPO linking / inheritance
- LSDOU, permissions structures
Lateral Movement; Attack Path Analysis (BloodHound)
- Local admin reuse/spray
- Unconstrained delegation
- Admin-to-admin paths
Data governance
- Data classification
- Data control
- File Server Resource Manager
ADCS
- Auditing and Best Practices
Authentication Hardening
- Signing
- NTLM / Kerberos
- SMB message integrity
- LDAP channel binding
Endpoint Hardening
- Browsers
- Software control
- WSUS / SCCM / MECM
Log Collection and Monitoring
- Enable effective Logging
Defensive Hardening / Best Practices
- Admin tiering – red forest
- Just enough admin
- LAPS
- Least Privilege
Network engineering
- Firewalls
- Forest structure
Continuous Security
- Auditing
Blue Team Summit (Aug 28th – Aug 29th, 2025)
- August 28th – 9:00 AM to 6:00 PM EDT
- August 29th – 9:00 AM to 6:00 PM EDT
FAQ
Q: Is this course focused on red team or blue team skills?
A: This course is blue team focused and grounded in understanding red team tactics. You’ll learn how attackers operate in AD and how to proactively shut them down.
Q: Is this course beginner-friendly?
A: While we cover foundational concepts, this is a fast-paced, hands-on class. Prior experience with Windows Server or Active Directory will help.
Q: Will I receive lab access after the course?
A: Yes. Students will receive temporary post-class lab access to continue practicing on their own time.
Students will receive instructions to build and maintain their own lab environment on their own pay as you go Azure subscription.
Q: What tools are covered in the course?
A: PingCastle, Purple Knight, BloodHound, PowerShell, Microsoft LAPS, GPO analysis tools, deception frameworks, and native Windows administrative tools.
System Requirements
To participate in the lab and exercises, students will need:
A laptop with:
- At least 8GB RAM (16GB recommended)
- A modern, multi-core CPU
- Windows 10/11, macOS, or Linux (with virtualization enabled)
- A reliable internet connection (10 Mbps or higher)
- Administrative access on the system (to run virtual machines or lab VPN client)
STUDENT PROVIDED RESOURCES
Students will need an Azure Pay-As-You-Go subscription that uses the student’s own credit card.
STUDENT KNOWLEDGE REQUIREMENTS
Before attending, students should ideally have:
- Prior exposure to AD security issues or Blue Team responsibilities is a plus.
- A working knowledge of Active Directory concepts such as domains, users, groups, GPOs, and organizational units
- Basic experience navigating Windows Server and PowerShell
- General familiarity with IT administration, security, or incident response roles
Live Training
- Collaborative interaction with Instructor and fellow students through the Antisyphon Discord class channel
- Access to course slides for future reference
- Tips, tools, and techniques that can be applied immediately upon returning to work
- Strengthen your skills by solving challenges within the Antisyphon Cyber Range
- Become part of a community driven to educate and share knowledge
