krbtgt's password has been changed in the last 6 months to prevent Golden Ticket persistence attacks. From UNIX-like systems, this can be checked with Impacket's GetADUsers.py script.
etype is disabled for Kerberos to prevent overpass-the-hash and NTLMv1 capture and cracking to Silver Ticket attacks. This can be checked by attempting to obtain a TGT with an NT hash.
Do not require Kerberos Pre-Authentication allowing for ASREProast attacks, or make sure those accounts have strong passwords resistant to cracking.
ServicePrincipalName, hence vulnerable to Kerberoast, have a strong password, resistant to cracking.
EXCHANGE WINDOWS PERMISSION group having WriteDacl permissions against the domain object allowing for DCSync.
* (wildcard) preventing powerful ADIDNS poisoning attacks. Preferably, this is a TXT record.
EDITF_ATTRIBUTESUBJECTALTNAME2 flag is not set). This prevents the corresponding domain escalation attack.
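
The krbtgt password age, pre-authentication and ServicePrincipalName checks above can be audited from account attributes already exported from LDAP. The following is an added example, not code from the original page or from Impacket: the function names and sample records are hypothetical, the input is assumed to be a list of dicts keyed by LDAP attribute name, and "6 months" is read as 180 days.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented Active Directory flag values)
UF_ACCOUNTDISABLE = 0x2
UF_DONT_REQUIRE_PREAUTH = 0x400000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_KRBTGT_AGE = timedelta(days=180)  # assumption: "6 months" read as 180 days

def filetime_to_dt(ticks):
    """pwdLastSet is stored as 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def audit(entries, now):
    """Return sorted (account, finding) pairs for three of the Kerberos checks."""
    findings = []
    for e in entries:
        name, uac = e["sAMAccountName"], int(e["userAccountControl"])
        if name.lower() == "krbtgt":
            # krbtgt is disabled by design: check it before skipping disabled accounts
            age = now - filetime_to_dt(e["pwdLastSet"])
            if age > MAX_KRBTGT_AGE:
                findings.append((name, f"krbtgt password is {age.days} days old"))
            continue
        if uac & UF_ACCOUNTDISABLE:
            continue
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "pre-authentication not required"))
        if e.get("servicePrincipalName"):
            findings.append((name, "has SPN: verify password strength"))
    return sorted(findings)

# Constructed sample records, not taken from a real directory
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RECENT = to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc))
SAMPLE = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 514,
     "pwdLastSet": to_filetime(datetime(2023, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_sql", "userAccountControl": 512, "pwdLastSet": RECENT,
     "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "legacy_app", "pwdLastSet": RECENT,
     "userAccountControl": 512 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old_user", "pwdLastSet": RECENT,  # disabled: skipped
     "userAccountControl": 514 | UF_DONT_REQUIRE_PREAUTH},
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE, NOW):
        print(f"{account}: {finding}")
```

Accounts flagged for having an SPN are not findings by themselves; they are the set whose password strength the checklist asks to verify.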