Active Directory is the most attacked system in enterprise environments — and the primary control for HIPAA access management and ISO 27001 A.8.2. We find the attack paths before adversaries do and give you the evidence your auditor needs.
The techniques that let attackers go from a standard user to Domain Admin in hours.
Extracting service account credentials from Active Directory's Kerberos implementation.
Reusing captured NTLM hashes for lateral movement without cracking passwords.
Simulating a domain controller to extract password hashes for privileged accounts.
Exploiting improperly configured AD domain trusts to escalate privileges cross-domain.
Moving through the network using SMB shares with default or reused credentials.
Service accounts with delegation enabled that allow impersonation of any user.
Separate admin accounts for Tier 0 (Domain Controllers), Tier 1 (Servers), and Tier 2 (Workstations) to contain lateral movement.
Dedicated, hardened workstations for privileged admin tasks — required by ISO 27001 A.8.2.
Segment flat networks into zones — workstations, servers, DMZ, management — with enforced inter-zone ACLs.
Disable NTLMv1, enforce SMB signing, restrict NTLM relay opportunities — closes Kerberoasting and pass-the-hash paths.
Enable detailed audit policies (logon, account management, object access) and forward to SIEM for HIPAA audit log requirements.
Deploy Local Administrator Password Solution (LAPS), disable local admin re-use, restrict RDP and SMB scope with host-based firewalls.
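As an added illustration of how the hardening items above can be verified read-only (example code, not the engagement's own tooling), the following PowerShell script checks the local NTLM and SMB signing settings, lists non-DC accounts with unconstrained delegation, and finds enabled computers with no LAPS-managed local admin password. It assumes the RSAT ActiveDirectory module, a domain-joined host with read access to AD, and that the Windows LAPS (msLAPS-*) or legacy LAPS (ms-Mcs-*) schema extension is present.

```powershell
# Added example: read-only audit of the hardening controls listed above.
# Assumes RSAT ActiveDirectory module and a domain-joined host (assumption).
Import-Module ActiveDirectory

function Test-LocalNtlmAndSmbHardening {
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    [pscustomobject]@{ Check = 'NTLMv1 disabled (LmCompatibilityLevel = 5)'
                       Value = $lsa.LmCompatibilityLevel
                       Passed = ($lsa.LmCompatibilityLevel -eq 5) }
    [pscustomobject]@{ Check = 'SMB server signing required'
                       Value = $srv.RequireSecuritySignature
                       Passed = ($srv.RequireSecuritySignature -eq 1) }
    [pscustomobject]@{ Check = 'SMB client signing required'
                       Value = $wks.RequireSecuritySignature
                       Passed = ($wks.RequireSecuritySignature -eq 1) }
}

function Get-UnconstrainedDelegationAccounts {
    # userAccountControl bit 0x80000 (524288) = TRUSTED_FOR_DELEGATION; such an
    # account can impersonate any user that authenticates to it. Bit 8192 marks
    # domain controllers, which legitimately hold this flag and are excluded.
    $filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Get-ComputersWithoutLaps {
    # Enabled, non-DC computers where neither the Windows LAPS nor the legacy
    # LAPS expiration attribute is set have no managed local admin password.
    $filter = '(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=8192))' +
              '(!(msLAPS-PasswordExpirationTime=*))' +
              '(!(ms-Mcs-AdmPwdExpirationTime=*)))'
    Get-ADComputer -LDAPFilter $filter -Properties OperatingSystem |
        Select-Object Name, OperatingSystem, DistinguishedName
}

# Each function emits objects, so results can be piped to Export-Csv as evidence.
Test-LocalNtlmAndSmbHardening
Get-UnconstrainedDelegationAccounts
Get-ComputersWithoutLaps
```

The registry checks reflect the host the script runs on; run them on a sample of servers and workstations, or confirm the same values through the GPO that sets them, before treating the result as domain-wide evidence.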
Every finding is tagged to the specific control reference your auditor will verify.
A.8.2: Privileged access rights — AD admin account management
A.8.20: Networks security — segmentation and access controls
A.8.21: Security of network services
A.8.22: Segregation of networks
§164.312(a)(1): Access control — unique user identification in AD
§164.312(a)(2)(iv): Encryption and decryption of ePHI in transit
§164.308(a)(3): Workforce access management via directory services
PR.AC-3: Remote access managed via network segmentation
PR.AC-4: Access permissions managed with least-privilege
PR.PT-4: Communications and control networks protected
Audit-Ready Evidence
Accepted by ISO 27001 certification bodies
ISO 27001 Annex A 8.20–8.22 requires documented evidence of network security controls. Our report provides network diagrams, segmentation evidence, and remediation proof that satisfies Stage 2 auditor requirements.
After remediation, we re-test the same scope and issue a signed attestation letter. Most certification bodies and HIPAA auditors accept this as evidence of control effectiveness.
We review your Active Directory configuration for misconfigurations, over-privileged accounts, insecure delegation settings, and attack paths an adversary could use for lateral movement or privilege escalation. This includes running BloodHound-style path analysis against your AD graph.
ISO 27001:2022 Annex A 8.2 (privileged access rights), 8.20 (networks security), 8.21 (network services), and 8.22 (network segregation) all require documented controls. Our engagement produces the evidence your Stage 2 auditor needs to close these.
AD & network security review includes both assessment (identifying misconfigurations) and simulated exploitation (validating that attack paths work). It can be scoped as a standalone engagement or combined with a full penetration test.
For the assessment phase, yes — read access to AD is required for configuration review. For the exploitation phase, we start from a standard domain user account and attempt to escalate, which more accurately reflects a real attack scenario.
HIPAA §164.312(a)(1) requires access controls — Active Directory is the primary mechanism for controlling who can access ePHI systems. Ensuring AD is properly hardened is a direct requirement, and our report provides the documented evidence for your HIPAA audit.
Most ransomware deployments begin with a compromised AD account. Know your attack surface and close it.