Skip to main content

The Vilkas Wire

Common Active Directory Misconfigurations That Still Lead to Domain Compromise

Sep 16, 2025 · By Ben Rollin

Active DirectoryDefender Tips
Top 10 AD Flaws 2025

Active Directory has existed for decades, yet many of the same default/weak configurations continue to appear in penetration tests. These are not zero-days or obscure research techniques. They are well-known issues that attackers and red teams exploit year after year. Despite the availability of fixes, they continue to provide footholds and escalation paths in 2025. Many of these are repeat offenders year after year, as highlighted in our Top 10 Internal Penetration Test Findings of 2024 post.

This post highlights the ten most common defaults across client environments and four honorable mentions. We've directly observed each one during penetration testing and red team engagements. For each default, we will explain what it is, why it is dangerous, and how attackers use it in the real world.

Our Active Directory Security Hardening & Hygiene Checklist covers the most common issues we see during internal assessments and how to properly address them.


Top 10 AD Flaws - Quick Reference

Before we jump into the weeds, here is a quick reference table for an initial understanding or to refer back to later for a refresher:

IssueWhy It MattersCommon Impact
LLMNR/NBT-NSBroadcast spoofing with ResponderCredential theft and relay
Default ms-DS-MachineAccountQuotaUsers can join machines by defaultAttacker-controlled computer account for enumeration & attack, escalation paths
AD CS ESC1Insecure certificate enrollmentDomain privilege escalation via certificates
SMB Signing Not EnabledUnsigned SMB trafficSMB relay → privileged access
Weak Kerberos Authentication ConfigurationService tickets brute-forced offlineKerberoasting to Domain Admin
SMB Null SessionAnonymous enumerationRecon without authentication
Weak Password PolicyShort or simple passwordsSpray, brute force, account takeover
DNS Spoofing via IPv6Unused IPv6 exploited for DNS spoofingCredential relaying and theft
AD ACL MisconfigurationsExcessive permissions in ACLsDomain compromise via rights abuse
LDAP Signing Not EnforcedUnsigned LDAP bindsRelay attacks, unauthorized access

Digging into the Top 10


1. LLMNR and NBT-NS Response Spoofing

  • What it is: Legacy name resolution protocols that allow an attacker to respond to broadcast queries.
  • Why it matters: Tools like Responder and Inveigh can capture and relay NTLM hashes.
  • Impact: Initial footholds, credential relay, and sometimes domain admin in a single step.
  • Remediation: Disable LLMNR and NBT-NS via Group Policy. Use DNS and mDNS where required.

2. Default Default ms-DS-MachineAccountQuota

  • What it is: By default, authenticated users can join up to 10 machines to the domain.
  • Why it matters: Attackers abuse this to create shadow computer accounts or enroll malicious systems.
  • Impact: Allows domain enumeration and is the precursor for various attacks.
  • Remediation: Set the ms-DS-MachineAccountQuota to 0 and delegate legitimate needs explicitly.

3. Active Directory Certificate Services (ESC1)

  • What it is: Insecure certificate template configuration that allows arbitrary certificate enrollment.
  • Why it matters: Attackers can request certificates that grant domain-level authentication for privileged accounts.
  • Impact: Domain escalation through certificate abuse.
  • Remediation: Audit AD CS templates and restrict enrollment rights.

4. SMB Signing Not Enabled

  • What it is: SMB traffic is unsigned by default on workstations and servers.
  • Why it matters: Enables SMB relay attacks.
  • Impact: Credential relay leading to privileged access.
  • Remediation: Require SMB signing via Group Policy on all systems.

5. Weak Kerberos Authentication Configuration (Kerberoasting)

  • What it is: Service accounts with weak or guessable passwords exposed through Kerberos.
  • Why it matters: Attackers can request service tickets and brute-force them offline.
  • Impact: Privilege escalation and domain compromise.
  • Remediation: Use long, complex passwords or group-managed service accounts. Monitor for Kerberos ticket requests. Disallow RC4 for Kerberos.

6. SMB Null Session

  • What it is: Anonymous or null sessions permitted against domain controllers or servers.
  • Why it matters: Enables anonymous enumeration of users, groups, and policies.
  • Impact: Attackers gather reconnaissance without authentication. Inputs to a password spraying attack.
  • Remediation: Disable null sessions and restrict anonymous access in security policies.

7. Weak Active Directory Password Policy

  • What it is: Password length, complexity, and lockout policies that do not meet modern standards.
  • Why it matters: Weak passwords are easy to spray or brute-force.
  • Impact: Compromise of user and sometimes privileged accounts.
  • Remediation: Enforce passwords in accordance with NIST best practices

8. DNS Spoofing via IPv6

  • What it is: Windows systems default to enabling IPv6 even when unused.
  • Why it matters: Attackers can respond to DNS requests on IPv6 with spoofed responses.
  • Impact: Redirected traffic and credential theft.
  • Remediation: Disable IPv6 where not in use or secure DNS settings.

9. Active Directory ACL Misconfiguration

  • What it is: Excessive permissions in AD ACLs, often granting rights to modify critical objects.
  • Why it matters: Attackers leverage BloodHound and similar tools to find paths to escalation.
  • Impact: Full domain compromise from overlooked ACLs.
  • Remediation: Regularly audit ACLs for misconfigurations and excessive delegation.

10. LDAP Signing Not Enforced

  • What it is: Default setting allows unsigned LDAP binds.
  • Why it matters: Susceptible to relay attacks and interception.
  • Impact: Credential theft and unauthorized access.
  • Remediation: Require LDAP signing through Group Policy and enforce LDAPS.

Honorable Mentions

AD CS ESC4

  • Exploitable template misconfiguration allowing privilege escalation.

Weak Passwords Allowed for Privileged Accounts

  • Service or admin accounts with weak passwords continue to appear.

KRBTGT Account Password Not Reset or Rotated

  • Failure to reset KRBTGT after a compromise allows attackers to forge Golden Tickets indefinitely.

Administrative Password Reuse

  • Shared or reused credentials between administrators and services increase risk.

Closing Thoughts

None of these findings are new. They are basic defaults or misconfigurations that organizations have known about for years. Yet they remain some of the most impactful paths to compromise that we encounter in penetration tests. The lesson is clear: fixing the basics matters. Attackers do not always need advanced exploits or novel research. They often succeed because environments leave the door open.

At Vilkas Cybersecurity, we continue to see these issues across industries and organizations of all sizes. Addressing them is one of the most effective ways to reduce real-world risk.

Our Active Directory Security Hardening & Hygiene Checklist covers the most common issues we see during internal assessments and how to properly address them.


Have a question about this article or a security challenge of your own?

Vilkas Cybersecurity helps organizations uncover and fix real-world exposures, not just theoretical ones. Fill out the form and we'll get back to you shortly.

Loading form…