Securing Windows environments in a way that prevents lateral movement and/or escalation of privileges has become an incredibly difficult task.
The research and tools created in the past 2-3 years have been simply amazing; they have helped identify new attacks and vulnerabilities while lowering the sophistication required to exploit them.
The easiest way to ensure that your environment is built in a secure manner is to rebuild it from scratch with a security architect behind the design.
As Microsoft states, one may never trust Active Directory once it has been compromised, unless it is possible to return to a known good state.
Unfortunately, creating a new environment is unrealistic, so in this post I'll focus on identifying common and deadly 'flaws' in current implementations and provide the techniques and procedures that I recommend to increase your cyber maturity and your capability to withstand an intrusion, or to limit the impact of one should it occur.
The information provided here is by no means 'new'; however, it is assembled in a single location, with references (where relevant) to detailed resources on specific topics.
The post is divided into two major parts:
1) Hunting the bad, the evil and the good - Outlines the most common pitfalls that I've encountered which allow lateral movement and/or privilege escalation in an Active Directory environment.
2) When security meets business - Outlines a proposed design, a list of tasks if you will, that adds significant value to your security posture while limiting the impact on business operations.
Many of the scripts referenced in this post may be found in the Highway_to_hell repository (they were gathered from multiple locations into one more centralized, 'easy' to reach place).