SaintValTech Project

Domain Controller Hardening & Hybrid Identity Foundation

Tier-0 identity hardening, audit visibility, and Microsoft Entra integration for a secure hybrid environment

This project documents the hardening of a Windows Server Domain Controller and the extension of that identity core into Microsoft Entra ID through Azure AD Connect Sync and Hybrid Azure AD Join. The goal was to build a secure, enterprise-style identity foundation for the broader SOC lab while ensuring strong authentication controls, audit-grade logging, and cloud identity readiness.

Project Objective

The objective of this project was to build and secure the identity core of the environment so it could safely support:

  • enterprise Active Directory operations
  • Tier-0 security controls
  • audit-grade authentication logging
  • hybrid identity synchronization with Microsoft Entra ID
  • Hybrid Azure AD Join
  • Microsoft Defender for Endpoint onboarding readiness
  • identity-aware Zero Trust architecture
  • later SIEM, SOAR, and IR integrations

This project was designed to ensure that the SOC lab had a hardened and explainable identity plane rather than an insecure default domain build.

Environment Overview

Domain Controller Role

  • Hostname: CORP-DC01
  • Domain: corp.saintvaltech.com
  • Role: Primary Domain Controller
  • Security Tier: Tier-0
  • Organizational Unit: 01 - Domain Controllers

Identity Role in the Lab

The domain controller was the trust anchor for the broader environment and served as the foundation for:

  • Active Directory identity services
  • Kerberos-based authentication
  • centralized account policy enforcement
  • advanced audit generation for SIEM
  • Microsoft Entra synchronization
  • Hybrid Azure AD Join
  • Microsoft Defender and Sentinel readiness
  • future identity-aware automation and access control

This made the domain controller one of the most security-sensitive assets in the entire environment.

Architecture Role

The domain controller was positioned as the identity core of the SOC and enterprise lab. It was not treated as a generic server. It was treated as a Tier-0 system whose hardening decisions directly affect authentication trust, audit integrity, and downstream security operations.

Design Principles

  • harden authentication protocols
  • minimize legacy trust paths
  • increase audit visibility
  • protect privileged access boundaries
  • enforce defensive defaults via GPO
  • prepare for hybrid identity integration
  • support future Microsoft security stack onboarding

Core Components Implemented

1. Domain Controller Security Baseline GPO

A dedicated GPO was created and linked to the Domain Controllers OU to enforce a consistent hardening baseline.

  • GPO Name: GPO - Domain Controller Security Baseline
  • Linked To: 01 - Domain Controllers
  • Scope: Computer Configuration only

2. Kerberos Hardening

Kerberos policy was hardened to align with enterprise defensive standards and reduce weak authentication conditions.

  • Enforce user logon restrictions → Enabled
  • Maximum lifetime for service ticket → 600 minutes
  • Maximum lifetime for user ticket → 10 hours
  • Maximum lifetime for user ticket renewal → 7 days
  • Maximum tolerance for computer clock synchronization → 5 minutes

Validation included klist to confirm expected ticket behavior and strong Kerberos usage.

3. NTLM Hardening

Legacy NTLM exposure was reduced significantly through local security policy controls.

  • LAN Manager authentication level → Send NTLMv2 response only. Refuse LM & NTLM
  • Restrict NTLM: Incoming NTLM traffic → Deny all accounts
  • Restrict NTLM: Outgoing NTLM traffic → Deny all servers

4. LDAP Signing Enforcement

LDAP signing was required to prevent insecure directory communication.

  • Domain controller: LDAP server signing requirements → Require signing

5. SMB Hardening

SMB security settings were enforced to require signed communications and reduce protocol abuse.

  • Microsoft network client: Digitally sign communications (always) → Enabled
  • Microsoft network client: Digitally sign communications (if server agrees) → Disabled
  • Microsoft network server: Digitally sign communications (always) → Enabled
  • Microsoft network server: Digitally sign communications (if client agrees) → Disabled

6. Advanced Audit Policy Configuration

Advanced audit policies were enabled to ensure high-fidelity security telemetry for SIEM and incident investigation.

  • Account Logon
  • Logon/Logoff
  • Account Management
  • DS Access
  • Object Access
  • Privilege Use
  • Policy Change

Validation included auditpol /get /category:*.

7. PowerShell Logging

PowerShell logging was enabled to improve script visibility and support detection of administrative or malicious scripting activity.

  • Turn on PowerShell Script Block Logging → Enabled
  • Log script block invocation start/stop events → Enabled
  • Turn on Module Logging → Enabled
  • Included modules → *
  • Turn on PowerShell Transcription → Enabled
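The audit categories in section 6 and the PowerShell logging in section 7 are only useful if the events actually land in the logs a SIEM will later collect. The script below is an added example, not one of the project's own artifacts: it summarises the last N hours of Security and PowerShell/Operational telemetry by audit category, flags any enabled category that produced nothing (a sign the policy did not apply), and calls out the two counters the Kerberos and NTLM hardening should keep low. The event IDs are the standard Windows Security IDs for each category; run it from an elevated session on the domain controller.

```powershell
# Added example (not part of the original project): review the telemetry produced by the
# Advanced Audit Policy and PowerShell logging baseline. Requires an elevated session.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Security event IDs grouped by the audit category that generates them.
$Categories = @{
    'Account Logon'      = 4768, 4769, 4771, 4776               # TGT/ST requests, pre-auth failure, NTLM validation
    'Logon/Logoff'       = 4624, 4625, 4634, 4672               # logon, failed logon, logoff, special privileges
    'Account Management' = 4720, 4722, 4724, 4728, 4732, 4756   # user created/enabled/reset, group membership adds
    'DS Access'          = 4662                                 # operation on a directory object
    'Object Access'      = 4663                                 # object access attempt
    'Privilege Use'      = 4673, 4674                           # sensitive privilege use
    'Policy Change'      = 4719, 4739                           # audit policy / domain policy changed
}

$allIds = @()
foreach ($ids in $Categories.Values) { $allIds += $ids }

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $allIds; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Count events per ID so each category can be totalled.
$byId = @{}
foreach ($e in $events) { $byId[$e.Id] = 1 + [int]$byId[$e.Id] }

foreach ($cat in ($Categories.Keys | Sort-Object)) {
    $total = 0
    foreach ($id in $Categories[$cat]) { $total += [int]$byId[$id] }
    # NONE for an enabled category usually means the GPO did not apply; confirm with auditpol /get /category:*.
    $status = if ($total -gt 0) { 'OK  ' } else { 'NONE' }
    '{0} {1,-20} {2,6} events in last {3}h' -f $status, $cat, $total, $Hours
}

# Script block logging (section 7) writes 4104 to the PowerShell Operational log, not to Security.
$psBlocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } `
                         -ErrorAction SilentlyContinue
$psStatus = if ($psBlocks) { 'OK  ' } else { 'NONE' }
'{0} {1,-20} {2,6} script blocks logged (4104)' -f $psStatus, 'PowerShell', @($psBlocks).Count

# Two counters the hardening in sections 2 and 3 should keep near zero:
#  4776 = NTLM credential validations the DC still performed; the remaining ones
#         identify clients or servers that have not moved to Kerberos.
#  4771 = Kerberos pre-authentication failures; repeated failures for one account
#         point at a bad stored credential, clock skew beyond the 5-minute tolerance,
#         or guessing activity worth an alert.
$ntlm = [int]$byId[4776]
$preauth = [int]$byId[4771]
if ($ntlm -gt 0)    { Write-Warning "$ntlm NTLM credential validations (4776) in the window; review the source hosts" }
if ($preauth -gt 0) { Write-Warning "$preauth Kerberos pre-authentication failures (4771) in the window; review the accounts involved" }
```

Run it once right after the GPO is applied to establish a baseline, then again after the lab has been in use; a category that stays at NONE under normal use is a logging gap that a later SIEM onboarding would silently inherit.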

8. User Rights Assignment / Tier-0 Lockdown

User rights were restricted to reduce unnecessary local and remote administrative pathways.

  • Allow log on locally → Administrators only
  • Allow log on through Remote Desktop Services → Administrators only
  • Deny log on locally → Guests, Local account
  • Deny log on through Remote Desktop Services → Guests, Local account, Local account and member of Administrators group

9. Windows Defender Firewall Baseline

The Domain Profile was configured with secure defaults.

  • Firewall state → On
  • Inbound connections → Block by default
  • Outbound connections → Allow by default
  • Log dropped packets → Yes
  • Log successful connections → Yes

10. Azure AD Connect Sync

Once the domain controller baseline was stable, the identity environment was extended into Microsoft Entra ID.

  • verified AD forest readiness
  • validated Microsoft 365 tenant configuration
  • installed Azure AD Connect using Express Mode
  • enabled Password Hash Sync
  • enabled Seamless SSO
  • resolved browser authentication issues with alternate browser configuration
  • triggered initial synchronization
  • verified successful user sync into Entra ID

11. Hybrid Azure AD Join

After sync validation, Hybrid Azure AD Join was configured using Microsoft Entra Connect Sync.

  • selected forest in Entra Connect
  • configured Hybrid Microsoft Entra ID Join
  • completed SCP configuration
  • validated registration status on the domain controller

Validation included dsregcmd /status to confirm both domain join and Azure AD join state.

Validation & Verification

The hardening baseline was validated using multiple system and policy checks.

  • gpupdate /force
  • gpresult /r
  • auditpol /get /category:*
  • klist
  • registry queries for LDAP, NTLM, and SMB
  • PowerShell logging policy checks
  • Get-ADSyncScheduler
  • Start-ADSyncSyncCycle -PolicyType Initial
  • dsregcmd /status

These checks confirmed that the GPO was applied correctly, the expected protocol and logging settings were active, and the on-prem to cloud identity path was functioning as intended.
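The validation list above was carried out as individual commands. As an added example, not code from the project itself, the script below folds the registry, Kerberos and hybrid-join checks into one repeatable pass that reports PASS/FAIL per control. The registry paths and expected values are the documented backing values for each policy setting in sections 3 through 7 (LDAPServerIntegrity = 2 is Require signing, LmCompatibilityLevel = 5 is NTLMv2 only with LM and NTLM refused, RestrictReceivingNTLMTraffic/RestrictSendingNTLMTraffic = 2 is Deny all); the dsregcmd field names are the ones the tool prints. Kerberos ticket lifetimes are domain policy rather than local registry state, so the script only confirms that the session holds a TGT.

```powershell
# Added verification script (not one of the project's own artifacts). Run from an
# elevated PowerShell session on the domain controller after gpupdate /force.

$Checks = @(
    @{ Name = 'LDAP server signing = Require signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity';               Expected = 2 }
    @{ Name = 'LM auth level = NTLMv2 only, refuse LM & NTLM'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel';              Expected = 5 }
    @{ Name = 'Restrict NTLM: incoming = Deny all accounts'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictReceivingNTLMTraffic';      Expected = 2 }
    @{ Name = 'Restrict NTLM: outgoing = Deny all servers'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictSendingNTLMTraffic';        Expected = 2 }
    @{ Name = 'SMB server: sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature';          Expected = 1 }
    @{ Name = 'SMB client: sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature';          Expected = 1 }
    @{ Name = 'PowerShell script block logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Key  = 'EnableScriptBlockLogging';          Expected = 1 }
    @{ Name = 'PowerShell script block invocation logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Key  = 'EnableScriptBlockInvocationLogging'; Expected = 1 }
    @{ Name = 'PowerShell module logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Key  = 'EnableModuleLogging';               Expected = 1 }
    @{ Name = 'PowerShell transcription'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Key  = 'EnableTranscripting';               Expected = 1 }
)

$Failures = 0
$Line = '{0,-4} {1,-48} expected={2} actual={3}'

foreach ($c in $Checks) {
    # A missing value means the GPO never wrote it; report that distinctly from a wrong value.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    $ok     = ($actual -eq $c.Expected)
    if (-not $ok) { $Failures++ }
    $Line -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Name, $c.Expected, $shown)
}

# Kerberos: the current session should hold a TGT (krbtgt/<REALM>) rather than NTLM-only state.
$hasTgt = [bool](klist 2>$null | Select-String -Pattern 'krbtgt/' -Quiet)
if (-not $hasTgt) { $Failures++ }
$Line -f ($(if ($hasTgt) { 'PASS' } else { 'FAIL' }), 'klist shows a Kerberos TGT', 'krbtgt', $(if ($hasTgt) { 'present' } else { 'absent' }))

# Hybrid join: dsregcmd /status prints "DomainJoined : YES" and "AzureAdJoined : YES" when both are complete.
$dsreg = dsregcmd /status
foreach ($field in 'DomainJoined', 'AzureAdJoined') {
    $match = $dsreg | Select-String -Pattern "^\s*$field\s*:\s*(\S+)" | Select-Object -First 1
    $value = if ($match) { $match.Matches[0].Groups[1].Value } else { '<missing>' }
    $ok    = ($value -eq 'YES')
    if (-not $ok) { $Failures++ }
    $Line -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), "dsregcmd $field", 'YES', $value)
}

if ($Failures -gt 0) { Write-Warning "$Failures check(s) failed"; exit 1 }
'All checks passed'
exit 0
```

The non-zero exit code lets the script sit in a scheduled task or a post-change checklist, so any later GPO edit that silently loosens one of these controls shows up as a failure rather than being discovered during an incident.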

Challenges Encountered

Authentication Flow and Sync Complexity

Hybrid identity is not a single-click process in practice. It required forest validation, tenant verification, sync scheduling checks, troubleshooting Azure AD Connect browser login behavior, and ensuring domain and UPN alignment.

Security vs Compatibility Decisions

Tightening NTLM, LDAP, and SMB security requires awareness of compatibility impact. These settings had to be chosen deliberately to avoid weakening the Tier-0 design while still supporting intended lab operations.

Tier-0 Documentation Burden

Because the domain controller supports future security tooling, its configuration had to be documented carefully enough that later Defender, Sentinel, and SOAR work could rely on it confidently.

Security & Operational Value

This project demonstrates practical capability in:

  • Active Directory hardening
  • Kerberos and NTLM security controls
  • LDAP and SMB security enforcement
  • advanced audit policy design
  • PowerShell logging for detection visibility
  • Tier-0 administrative restriction
  • Windows firewall baseline configuration
  • Azure AD Connect deployment
  • Hybrid Azure AD Join validation
  • identity-focused troubleshooting and verification

Operationally, this project matters because a SOC environment is only as trustworthy as its identity core. By hardening the domain controller and extending it into hybrid identity, the environment gained stronger authentication assurance, better audit telemetry, reduced legacy protocol risk, and readiness for Defender and Sentinel.

Outcome

This project transformed the domain controller from a basic lab system into a hardened Tier-0 identity platform with hybrid cloud integration. It established the authentication, auditing, and identity trust foundation required for the rest of the SaintValTech SOC portfolio.

It also created the conditions necessary for later onboarding of Microsoft Defender for Endpoint, Microsoft Sentinel workflows, Zero Trust access models, and identity-aware automation across the lab.