Active Directory Hardening & Secure Operations
Securing organically grown infrastructures – Enterprise Access Model, GPO baselines & AD cleanup.
Historically grown, barely documented, everyone in the Domain Admins group – this is the biggest security risk in mid-sized networks. I clean up your Active Directory structure, implement the Microsoft Enterprise Access Model, and harden your policies (GPOs). Ensuring an attack cannot spread through your entire organisation and you confidently meet the strict requirements of your cyber insurance and NIS2.
Free initial consultation (30 minutes)
How vulnerable is the core of your IT, really?
Four critical questions for executives and IT leadership. If you answer "No" or "Don't know" here, your company is defenseless in the event of an attack.
Can a compromised office PC lead to a complete takeover of your IT?
Ransomware attackers hunt for the "Domain Controller". If your IT admins read emails with the same accounts they use to manage servers, a single phishing click is enough to encrypt the entire company (including backups).
Are your Group Policy Objects (GPOs) auditable and hardened to standards?
Historically grown infrastructures are full of legacy issues and contradictions. Without a clean security baseline (e.g., CIS standards), you lack the foundation to prove the "state of the art" to cyber insurers and regulators in an emergency.
Do service accounts for ERP or backups have unlimited admin rights?
Often, accounts with "Domain Admin" rights and passwords that never expire are created for software services. For professional attackers, such accounts are an easy target to silently take control of your network.
Would you notice if an attacker had already been active undetected in your AD environment for weeks?
Professional attackers typically move laterally through a network for weeks after the initial compromise. I implement a solid audit framework: structured AD event logs, clearly defined event filters, and a documented detection baseline – so your IT team has the foundation to detect anomalous activity early.
A single compromised account is enough for a total loss
In an unmaintained Active Directory environment, the question is not if, but when an attack escalates. Ransomware groups systematically exploit exactly these structural weaknesses.
Total failure through ransomware
Ransomware operators don't encrypt immediately. They learn your environment. In a flat AD structure, a single compromised account is enough to gain Domain Admin privileges and destroy all systems in a single night.
Liability & NIS2 Compliance
Management is personally liable for the "state of the art". An AD environment without an access concept (tiering) and without hardened GPOs no longer meets what regulators and courts accept as sufficient today.
Loss of cyber insurance
Insurers and auditors explicitly demand concepts for privileged accounts, clean patch management, and AD hardening. Without solid documentation, you risk your insurance coverage – exactly when you need it.
How I structure and secure the core of your IT
No theoretical concept for the drawer. I use proven Microsoft security standards to structurally prevent an attack from spreading – and to contain the potential damage to the smallest possible scope.
Enterprise Access Model (EAM)
Tiering · Strict Identity Separation
I dismantle flat permission structures and implement the modern Microsoft Enterprise Access Model (Tiering). We strictly separate identities into three tiers: crown jewels/AD, servers, and clients – so that a compromised account at one level does not automatically endanger the others.
Dedicated Admin Accounts & PAW
Dedicated Admin Accounts · Isolated Devices
Admins receive dedicated accounts for each tier. For access to the critical AD infrastructure, we establish highly secure workstations used exclusively for administrative tasks – physically and logically separated from normal day-to-day office use.
GPO Baselines & Legacy Cleanup
CIS Benchmarks · MS Security Baseline
I clean up your GPO chaos and introduce a structured, documented security baseline. Outdated, insecure protocols are systematically disabled to massively reduce the attack surface.
Password Protection (LAPS)
Windows LAPS · Credential Guard
The same local admin password on every machine is a deadly risk. I set up Microsoft LAPS so that local administrator passwords are automatically rotated per machine. This prevents a hijacked local admin account from being used as a stepping stone to further machines.
Hybrid Security (Entra ID)
Entra ID Connect · Conditional Access
Local AD and the Microsoft 365 cloud are converging. I secure the interfaces (Entra ID Connect) so that an incident in your local network does not automatically compromise your cloud identities and Microsoft 365 data.
Securing Service Accounts
Managed Service Accounts (gMSA)
Over-privileged service accounts for backups or ERP systems are identified, limited to the minimum required rights, and – where possible – migrated to automatically managed Group Managed Service Accounts (gMSA).
Taking the attacker's perspective
AD hardening requires deep engineering knowledge. I work with the same tools as professional red teams to uncover vulnerabilities before attackers can exploit them.
My toolbox
Attack Path Analysis
I use specialised AD analysis tools that model your directory as a graph to discover hidden attack paths, orphaned delegations, and dangerous permissions in your Active Directory. Real security instead of mere checklists.
Hardening against credential attacks
I disable insecure legacy protocols (NTLMv1, SMBv1), enable SMB Signing and LDAP Channel Binding to protect against relay attacks, and harden service accounts specifically against Kerberoasting and AS-REP Roasting.
Protected Users & MFA
I move highly privileged accounts (Domain Admins) into the "Protected Users Security Group," making credential theft in memory extremely difficult. Wherever possible, I enforce phishing-resistant methods (e.g., smart cards or third-party MFA) for administrative access.
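As an added example (not the page's or the consultant's own tooling), a read-only PowerShell audit that checks the items named in this section and in the service-account section above: Domain Admins outside Protected Users, Kerberoastable and AS-REP-roastable service accounts, NTLMv1/SMBv1, SMB signing and LDAP channel binding. It assumes the RSAT ActiveDirectory module and an elevated, domain-joined session; the host-level checks read the settings of the machine it runs on.

```powershell
# Added illustrative audit script; not the consultant's own tooling.
# Assumes the RSAT ActiveDirectory module and an elevated, domain-joined session.
Import-Module ActiveDirectory

function Invoke-AdHygieneAudit {
    # 1. Highly privileged accounts that are not yet in Protected Users
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).DistinguishedName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.DistinguishedName -notin $protected } |
        ForEach-Object { "[Tier0] $($_.SamAccountName): Domain Admin but not in Protected Users" }

    # 2. Service accounts that are Kerberoastable (SPN set) with non-expiring passwords,
    #    plus any account that allows AS-REP roasting (Kerberos pre-authentication disabled)
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and PasswordNeverExpires -eq $true' `
               -Properties PasswordLastSet, ServicePrincipalName |
        ForEach-Object { "[SvcAcct] $($_.SamAccountName): SPN set, password never expires (last set $($_.PasswordLastSet))" }
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
        ForEach-Object { "[AS-REP] $($_.SamAccountName): Kerberos pre-authentication not required" }
    # Accounts already migrated to gMSA (the target state) for comparison
    Get-ADServiceAccount -Filter * | ForEach-Object { "[gMSA] $($_.Name) is already a managed service account" }

    # 3. Legacy-protocol and relay-protection settings on this host
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lm  = if ($null -eq $lsa.LmCompatibilityLevel) { 3 } else { [int]$lsa.LmCompatibilityLevel }  # 3 = OS default when unset
    if ($lm -lt 5) { "[NTLM] LmCompatibilityLevel=$lm; level 5 refuses LM and NTLMv1 (NTLMv2 only)" }
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol)          { "[SMB1] SMBv1 server still enabled" }
    if (-not $smb.RequireSecuritySigning) { "[SMB] signing not required; SMB sessions can still be relayed" }
    # LDAP channel binding / signing only apply on Domain Controllers (NTDS key present)
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    if ($ntds) {
        # LdapEnforceChannelBinding: 0 = off, 1 = when supported, 2 = always; LDAPServerIntegrity: 2 = require signing
        if ([int]$ntds.LdapEnforceChannelBinding -lt 2) { "[LDAP] channel binding not enforced (LdapEnforceChannelBinding=$([int]$ntds.LdapEnforceChannelBinding))" }
        if ([int]$ntds.LDAPServerIntegrity -lt 2)       { "[LDAP] server signing not required (LDAPServerIntegrity=$([int]$ntds.LDAPServerIntegrity))" }
    }
}

Invoke-AdHygieneAudit
```

Run the host-level block on each Domain Controller and on a sample of member servers; the AD queries can run from any admin workstation with RSAT.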
Efficiently using built-in tools
My philosophy: Security should not be an unaffordable arms race of products. I configure the powerful, often unused security features already included in your Windows Server licenses.
I am not a Microsoft reseller and do not earn from licenses. My expertise is based on hard corporate practice. I optimize what you already own – without hidden product costs.
Gradual hardening – without operational disruption
Changes to the core of IT require maximum caution. I follow a phased approach: everything happens during live operations, without big-bang outages.
AD Audit & Attack-Path Analysis
Before we change anything, I read the AD. We analyze groups, GPOs, and service accounts. You receive a visualized vulnerability map and a prioritized audit report.
Securing the Control Plane (Tier 0)
We start with the "crown jewels". Domain Controllers and admin accounts are isolated. We set up dedicated PAWs and clean up the highly privileged groups (Enterprise Admins).
Server & Client Hardening (Tier 1/2)
Gradual introduction of GPO baselines and rollout of LAPS on all servers and endpoints. Legacy issues and protocols are deactivated after successful testing in monitoring mode.
Handover & Operations Manual
Complete documentation of the new AD structure, the Enterprise Access Model, and all GPOs. After a structured briefing, your internal IT team can safely continue operating the hardened environment.
Enterprise know-how for the SME market
I bring proven corporate security standards to your company – transparently, independently, and as a peer.
Experience from critical environments
In my main job, I administer and secure IT infrastructures in the European aerospace sector under the highest stability requirements. I bring exactly this thoroughness to your AD environment.
Taking the attacker's perspective
I know the attack vectors that penetration testers and ransomware groups exploit first. I use this knowledge defensively to make your network truly secure – not just on paper.
Independent & license-neutral
I am not tied to sales targets. I earn from consulting and clean execution. No unnecessary software sales, just a focus on the best engineering.
Documentation as a core deliverable
Complete documentation is not a nice bonus, it is mandatory. Upon completion, your team knows exactly how the authorization concept is structured. No vendor lock-in.
The direct line
You talk directly to the engineer who plans and implements your AD hardening – not to a project manager or an outsourced support team.
Bremen & Remote
On-site in Bremen and northern Germany for workshops and analyses, remote for technical implementation. Flexible, low-disruption, and reliable.
The before-and-after comparison
A historically grown AD sprawl becomes a structured, documented, and insurance-compliant environment.
Before: All IT staff are Domain Admins – nobody knows why anymore.
After: Clean role separation according to the Enterprise Access Model – every admin has a defined scope.
Before: A compromised office PC is enough for complete domain takeover.
After: Isolation of the Control Plane – ransomware cannot reach the Domain Controllers from the client.
Before: Hundreds of inconsistent GPOs that no one has touched in years.
After: Cleaned, documented GPO baseline according to CIS Benchmarks – maintainable and auditable.
Before: Service accounts with admin rights and passwords that never expire.
After: Hardened accounts (gMSA) with minimal rights, protected against Kerberoasting.
Before: The same local admin password on every server and laptop.
After: Automatically rotating, individual local passwords via Microsoft LAPS.
Before: Unclear whether you meet current NIS2 and insurance requirements.
After: Demonstrably hardened environment – ready for any audit and insurance discussion.
What you are probably wondering
Clear answers to the most important questions about AD hardening and infrastructure security.
Absolutely. A historically grown, poorly documented AD environment is the rule in SMEs, not the exception. I start with a structured inventory using analysis tools – a complete, data-driven documentation of your environment is the first tangible result of my work.
Usually not. The Enterprise Access Model, GPO hardening, and LAPS are powerful built-in tools already included in existing Windows Server environments. Credential Guard requires Windows Enterprise Edition and compatible hardware (UEFI, Secure Boot, virtualisation support) – we check this during the inventory. Most of what I configure comes from what you already own.
Yes. We implement gradually, test extensively, and perform critical changes to permissions outside your core working hours. There is no "big bang" that paralyzes your company overnight.
A system house works broadly (hardware rollout, helpdesk, Office 365). In-depth AD security, attack path analysis, and the introduction of the Enterprise Access Model are specialist tasks that occur too rarely in the daily work of a system house. I do not replace your system house; I complement it as an expert for this strategic hardening.
The audit and the evaluation of attack paths are usually completed after one to two weeks. The implementation phase depends heavily on the size and age of your environment. Typically, we estimate four to eight weeks for mid-sized companies, divided into easily digestible milestones.
Massively. Insurers today specifically ask for Privileged Access Management (PAM), Multi-Factor Authentication (MFA) for admins, and structured patch/GPO management. Without these measures, you lose protection. With the documented EAM architecture, you prove that you have actively implemented the required "state of the art".
Your Active Directory is the foundation of your IT. It was mostly built in an era when ransomware wasn't even a concept. Since then, it has only been expanded, almost never cleaned up, and certainly never fundamentally questioned. This is exactly the blind spot attackers are waiting for.
Does this apply to your cloud identities too?
The local AD and Microsoft Entra ID are almost always inseparably linked. Whoever compromises your local network walks straight into your Microsoft 365 tenant without any additional hurdles.
Who protects access from the outside?
A clean permission concept secures the inside. But who uncompromisingly controls who can even reach these systems from the outside? Without a modern firewall architecture, internal hardening is only half the battle.