Active Directory (AD) is the identity backbone for most Indian enterprises, and it is also the single most valuable target in a ransomware playbook. Once an attacker compromises a workstation, the real objective is rarely that machine — it is Domain Admin. From there, one attacker can encrypt every server, endpoint, and backup share the domain controls in a single push. Kerberoasting, unconstrained delegation, stale privileged accounts, and weak service-account passwords are the four weaknesses attackers exploit most often to get there, and a tiered administrative model with privileged access controls is the practical fix.
Why Active Directory Is the Crown Jewel in Ransomware Attacks
AD is not just a directory of usernames — it is the trust fabric that decides who can log into what, run what, and read what across an entire enterprise network. Compromise AD and you do not need to compromise every individual system; you inherit authority over all of them at once. This is precisely why post-incident reports from ransomware investigations consistently describe the same arc: initial foothold on an endpoint, credential theft, lateral movement, privilege escalation inside AD, then mass deployment of ransomware via Group Policy or domain-trusted admin tooling.
For Indian enterprises this matters because AD deployments here often carry more historical baggage than greenfield cloud identity setups — decades-old domains, service accounts nobody remembers the purpose of, and delegation rights granted for a one-time migration project years ago that were never revoked. Attackers do not need a zero-day to abuse any of this. They need default configurations, patience, and a handful of well-known techniques.
The Attack Path: From Phished Workstation to Domain-Wide Ransomware
The typical AD compromise chain follows a predictable sequence, which is exactly why it is defensible if you break any single link.
Every stage in that red chain is a stage where a control that already exists in Windows Server — just usually unconfigured — can stop the attacker cold. That is the core argument for AD hardening: it is not about buying new tools, it is about correctly configuring the ones already licensed.
The Five Most Common AD Weaknesses
1. Kerberoasting
Kerberoasting abuses a legitimate Kerberos feature: any authenticated domain user can request a service ticket for any account with a Service Principal Name (SPN), and that ticket is encrypted with the service account's password hash. If the attacker takes that ticket offline, they can brute-force or dictionary-attack the password without triggering any lockout policy or alert, because the request itself is normal domain activity. Service accounts are notorious for old, non-rotating, non-complex passwords set up once during an application deployment and never touched again — making them the easiest hashes to crack offline.
2. Unconstrained Delegation
Unconstrained delegation lets a server impersonate any user who authenticates to it, including Domain Admins, without limiting what that impersonation can be used for. It was designed for legacy multi-tier application scenarios but is frequently left enabled on servers that no longer need it. If an attacker compromises a server configured this way and a privileged account ever logs into it — even for routine maintenance — the attacker can extract that admin's ticket-granting ticket and impersonate them anywhere in the domain.
3. Stale Privileged Accounts
Every AD environment we assess accumulates accounts that were once legitimately privileged: a departed contractor, a decommissioned application's service account, a temporary escalation for a migration that was never rolled back. These accounts are dangerous precisely because nobody is watching them — no one notices unusual login times, unusual source hosts, or unusual query patterns on an account the business has forgotten exists.
4. Weak Service-Account Passwords
Service accounts are configured once, rarely rotated, and often excluded from the same complexity and expiry policies applied to human users because "rotating it might break the application." That operational excuse is exactly what turns them into the softest target for Kerberoasting and credential-stuffing attempts alike.
5. No Administrative Tiering
The single largest structural weakness is the absence of a tiered admin model. When the same Domain Admin credential is used to manage a workstation, a file server, and the domain controller itself, a single compromised workstation login is one hop away from full domain compromise. Flat administrative structures are the reason the attack path above is so short in practice.
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanCommon Weaknesses Found in Assessments
The DPDP and Regulatory Context
Active Directory compromise is not just an availability problem — it is a data protection problem. If AD is the control plane for who can access every file server and database in the enterprise, a domain compromise is functionally a compromise of every dataset behind it, personal data included. Under India's Digital Personal Data Protection (DPDP) Act, 2023, a failure to implement reasonable security safeguards that leads to a personal data breach carries meaningful regulatory exposure. Enterprises building a DPDP compliance program should treat identity infrastructure hardening as a prerequisite, not an afterthought — see our DPDP compliance service for how identity controls map to statutory safeguard obligations.
A Practical Hardening Path
Hardening AD is not a single project; it is a sequence of structural changes that compound. The order matters because some controls depend on others being in place first.
| Control | What It Stops | Implementation Effort |
|---|---|---|
| Tiered admin model (Tier 0/1/2) | Lateral movement from low-tier to Domain Admin | High — requires role mapping across IT |
| Privileged Access Workstations (PAWs) | Credential theft from admin logins on regular endpoints | Medium — dedicated hardware/VDI for admin tasks |
| Service account password rotation + gMSA | Kerberoasting, offline password cracking | Medium — migrate to Group Managed Service Accounts |
| Remove unconstrained delegation | Ticket-granting-ticket theft from privileged logins | Low-Medium — audit and reconfigure to constrained/resource-based delegation |
| Privileged account lifecycle review | Stale accounts retaining domain rights | Low — recurring quarterly access review |
| LAPS (Local Administrator Password Solution) | Pass-the-hash lateral movement via shared local admin passwords | Low — native Microsoft tooling |
| Monitoring for anomalous Kerberos ticket requests | Early Kerberoasting detection | Medium — requires SIEM/EDR tuning |
Where Automated Assessment Fits
Manual AD reviews are valuable but slow and easy to defer. Automated vulnerability assessment and penetration testing that specifically enumerates Kerberoastable accounts, unconstrained delegation paths, and stale privileged group memberships gives security and IT teams a continuously updated attack-path map instead of a point-in-time audit that ages out within weeks. Bachao.AI, built by Dhisattva AI Pvt Ltd, is an automated VAPT platform designed to surface exactly this class of identity misconfiguration alongside network and application findings, so AD hardening becomes part of a routine assessment cycle rather than a standalone annual project — delivered, where a regulated engagement requires it, with a CERT-In empanelled partner. Review recurring findings and prioritization guidance on the blog, or start with a free VAPT scan to see where your own AD attack paths stand today.
Frameworks such as the CIS Microsoft Windows Server Benchmarks and the NIST SP 800-53 access control family both codify tiered privilege and least-privilege service account management as baseline expectations — not advanced hardening. Indian enterprises aligning to DSCI or MeitY guidance on cyber hygiene will find AD tiering referenced as foundational rather than optional.
Building the Habit, Not Just the Project
The organizations that stay hard to compromise are the ones that treat privileged account review as a recurring quarterly discipline, not a one-time cleanup after an audit finding. Stale accounts and delegation creep reappear within months of any cleanup if there is no owner responsible for reviewing new grants. Pair the technical controls in the table above with a named owner and a recurring calendar cadence, and the AD attack path stops being a single point of catastrophic failure and starts being what it should be: one control layer among several, none of which alone can hand an attacker the entire domain.