The Vilkas Wire
Common Active Directory Misconfigurations That Still Lead to Domain Compromise
Sep 16, 2025 · By Ben Rollin

Active Directory has existed for decades, yet many of the same default/weak configurations continue to appear in penetration tests. These are not zero-days or obscure research techniques. They are well-known issues that attackers and red teams exploit year after year. Despite the availability of fixes, they continue to provide footholds and escalation paths in 2025. Many of these are repeat offenders year after year, as highlighted in our Top 10 Internal Penetration Test Findings of 2024 post.
This post highlights the ten most common defaults across client environments and four honorable mentions. We've directly observed each one during penetration testing and red team engagements. For each default, we will explain what it is, why it is dangerous, and how attackers use it in the real world.
Our Active Directory Security Hardening & Hygiene Checklist covers the most common issues we see during internal assessments and how to properly address them.
Top 10 AD Flaws - Quick Reference
Before we jump into the weeds, here is a quick reference table for an initial understanding or to refer back to later for a refresher:
| Issue | Why It Matters | Common Impact |
|---|---|---|
| LLMNR/NBT-NS | Broadcast spoofing with Responder | Credential theft and relay |
| Default ms-DS-MachineAccountQuota | Users can join machines by default | Attacker-controlled computer account for enumeration & attack, escalation paths |
| AD CS ESC1 | Insecure certificate enrollment | Domain privilege escalation via certificates |
| SMB Signing Not Enabled | Unsigned SMB traffic | SMB relay → privileged access |
| Weak Kerberos Authentication Configuration | Service tickets brute-forced offline | Kerberoasting to Domain Admin |
| SMB Null Session | Anonymous enumeration | Recon without authentication |
| Weak Password Policy | Short or simple passwords | Spray, brute force, account takeover |
| DNS Spoofing via IPv6 | Unused IPv6 exploited for DNS spoofing | Credential relaying and theft |
| AD ACL Misconfigurations | Excessive permissions in ACLs | Domain compromise via rights abuse |
| LDAP Signing Not Enforced | Unsigned LDAP binds | Relay attacks, unauthorized access |
Digging into the Top 10
1. LLMNR and NBT-NS Response Spoofing
- What it is: Legacy name resolution protocols that allow an attacker to respond to broadcast queries.
- Why it matters: Tools like Responder and Inveigh can capture and relay NTLM hashes.
- Impact: Initial footholds, credential relay, and sometimes domain admin in a single step.
- Remediation: Disable LLMNR and NBT-NS via Group Policy. Use DNS and mDNS where required.
2. Default Default ms-DS-MachineAccountQuota
- What it is: By default, authenticated users can join up to 10 machines to the domain.
- Why it matters: Attackers abuse this to create shadow computer accounts or enroll malicious systems.
- Impact: Allows domain enumeration and is the precursor for various attacks.
- Remediation: Set the ms-DS-MachineAccountQuota to 0 and delegate legitimate needs explicitly.
3. Active Directory Certificate Services (ESC1)
- What it is: Insecure certificate template configuration that allows arbitrary certificate enrollment.
- Why it matters: Attackers can request certificates that grant domain-level authentication for privileged accounts.
- Impact: Domain escalation through certificate abuse.
- Remediation: Audit AD CS templates and restrict enrollment rights.
4. SMB Signing Not Enabled
- What it is: SMB traffic is unsigned by default on workstations and servers.
- Why it matters: Enables SMB relay attacks.
- Impact: Credential relay leading to privileged access.
- Remediation: Require SMB signing via Group Policy on all systems.
5. Weak Kerberos Authentication Configuration (Kerberoasting)
- What it is: Service accounts with weak or guessable passwords exposed through Kerberos.
- Why it matters: Attackers can request service tickets and brute-force them offline.
- Impact: Privilege escalation and domain compromise.
- Remediation: Use long, complex passwords or group-managed service accounts. Monitor for Kerberos ticket requests. Disallow RC4 for Kerberos.
6. SMB Null Session
- What it is: Anonymous or null sessions permitted against domain controllers or servers.
- Why it matters: Enables anonymous enumeration of users, groups, and policies.
- Impact: Attackers gather reconnaissance without authentication. Inputs to a password spraying attack.
- Remediation: Disable null sessions and restrict anonymous access in security policies.
7. Weak Active Directory Password Policy
- What it is: Password length, complexity, and lockout policies that do not meet modern standards.
- Why it matters: Weak passwords are easy to spray or brute-force.
- Impact: Compromise of user and sometimes privileged accounts.
- Remediation: Enforce passwords in accordance with NIST best practices
8. DNS Spoofing via IPv6
- What it is: Windows systems default to enabling IPv6 even when unused.
- Why it matters: Attackers can respond to DNS requests on IPv6 with spoofed responses.
- Impact: Redirected traffic and credential theft.
- Remediation: Disable IPv6 where not in use or secure DNS settings.
9. Active Directory ACL Misconfiguration
- What it is: Excessive permissions in AD ACLs, often granting rights to modify critical objects.
- Why it matters: Attackers leverage BloodHound and similar tools to find paths to escalation.
- Impact: Full domain compromise from overlooked ACLs.
- Remediation: Regularly audit ACLs for misconfigurations and excessive delegation.
10. LDAP Signing Not Enforced
- What it is: Default setting allows unsigned LDAP binds.
- Why it matters: Susceptible to relay attacks and interception.
- Impact: Credential theft and unauthorized access.
- Remediation: Require LDAP signing through Group Policy and enforce LDAPS.
Honorable Mentions
AD CS ESC4
- Exploitable template misconfiguration allowing privilege escalation.
Weak Passwords Allowed for Privileged Accounts
- Service or admin accounts with weak passwords continue to appear.
KRBTGT Account Password Not Reset or Rotated
- Failure to reset KRBTGT after a compromise allows attackers to forge Golden Tickets indefinitely.
Administrative Password Reuse
- Shared or reused credentials between administrators and services increase risk.
Closing Thoughts
None of these findings are new. They are basic defaults or misconfigurations that organizations have known about for years. Yet they remain some of the most impactful paths to compromise that we encounter in penetration tests. The lesson is clear: fixing the basics matters. Attackers do not always need advanced exploits or novel research. They often succeed because environments leave the door open.
At Vilkas Cybersecurity, we continue to see these issues across industries and organizations of all sizes. Addressing them is one of the most effective ways to reduce real-world risk.
Our Active Directory Security Hardening & Hygiene Checklist covers the most common issues we see during internal assessments and how to properly address them.
Have a question about this article or a security challenge of your own?
Vilkas Cybersecurity helps organizations uncover and fix real-world exposures, not just theoretical ones. Fill out the form and we'll get back to you shortly.