{"id":21270,"date":"2025-12-09T08:00:00","date_gmt":"2025-12-09T16:00:00","guid":{"rendered":""},"modified":"2026-02-20T07:26:45","modified_gmt":"2026-02-20T15:26:45","slug":"microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/","title":{"rendered":"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025"},"content":{"rendered":"\n<p>Active Directory Domain Services (AD DS) remains central to enterprise identity, powering authentication and authorization across hybrid environments. As organizations modernize, AD DS continues to be a frequent focus for cyberattacks. This summary outlines six critical threats and provides actionable steps to help detect and reduce risk.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/deploy\/install-active-directory-domain-services--level-100-\" target=\"_blank\" rel=\"noreferrer noopener\">Modernize your organization with AD DS<\/a><\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"1-unpatched-vulnerabilities\">1. Unpatched vulnerabilities<\/h2>\n\n\n\n<p>Unpatched vulnerabilities are known security flaws in software that have not been remediated. Like any critical infrastructure, Active Directory Domain Services relies on the security of the system on which it runs. 
When vulnerabilities exist in the operating system or supporting components, attackers may exploit those gaps to gain initial access or escalate privileges.<\/p>\n\n\n\n<p>According to the 2025 Verizon DBIR, exploitation of known vulnerabilities accounts for roughly 20% of breaches and is up around 34% year over year. These attacks don\u2019t target AD DS because it\u2019s weak\u2014they target environments that fail to apply available fixes. Timely patching is essential to protect against attackers who take advantage of systems left unpatched.<\/p>\n\n\n\n<p><strong>Detection:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/microsoft-defender-vulnerability-management\">Microsoft Defender Vulnerability Management<\/a>\u00a0for real-time visibility.<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-vulnerability-management\/defender-vulnerability-management?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noreferrer noopener\">Defender for Endpoint<\/a>\u00a0validates risk reduction.<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/intune\/configmgr\/sum\/understand\/software-updates-introduction?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noreferrer noopener\">Configuration Manager<\/a>\u00a0(SCCM) deploys updates and monitors compliance.<\/li>\n<\/ul>\n\n\n\n<p><strong>Recommendations:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automate and enforce timely patch deployment using\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/update-manager\/overview\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Update Manager<\/a>\u00a0or\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/mem\/configmgr\/\" target=\"_blank\" rel=\"noreferrer noopener\">SCCM<\/a>.<\/li>\n\n\n\n<li>Use\u00a0<a 
href=\"https:\/\/learn.microsoft.com\/en-us\/defender-vulnerability-management\/defender-vulnerability-management?tabs=preview-customer\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender Vulnerability Management<\/a>\u00a0to prioritize patching based on exploitability and asset exposure.<\/li>\n\n\n\n<li>Apply Windows Server 2025\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/osconfig\/osconfig-how-to-configure-security-baselines?tabs=online%2Cconfigure\" target=\"_blank\" rel=\"noreferrer noopener\">OSConfig security baselines<\/a>\u00a0to domain controllers.<\/li>\n<\/ul>\n\n\n\n<p>Once attackers gain an initial foothold\u2014often through unpatched systems\u2014they look for ways to move laterally and escalate privileges. One common technique is the authentication relay attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"2-authentication-relay-attacks\">2. Authentication relay attacks<\/h2>\n\n\n\n<p>Authentication relay attacks (a form of man-in-the-middle) allow adversaries to impersonate users by forwarding legitimate login requests, often exploiting NTLM and sometimes Kerberos. 
These attacks exploit legitimate authentication flows, enabling lateral movement, data theft, and full domain compromise.<\/p>\n\n\n\n<p><strong>Detection:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Identity\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/alerts-overview\" target=\"_blank\" rel=\"noreferrer noopener\">alerts<\/a>\u00a0on suspicious authentication patterns,\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/lateral-movement-alerts\" target=\"_blank\" rel=\"noreferrer noopener\">lateral movement<\/a>, and NTLM relay attempts.<\/li>\n\n\n\n<li>Monitor\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/deploy\/configure-windows-event-collection\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Event Logs<\/a>\u00a0for failed logons and unusual authentication attempts.<\/li>\n<\/ul>\n\n\n\n<p><strong>Recommendations:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deprecate and\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/security-policy-settings\/network-security-restrict-ntlm-ntlm-authentication-in-this-domain\" target=\"_blank\" rel=\"noreferrer noopener\">disable NTLM<\/a>\u00a0wherever possible.<\/li>\n\n\n\n<li>Enforce\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/storage\/file-server\/smb-signing-overview\" target=\"_blank\" rel=\"noreferrer noopener\">SMB signing<\/a>\u00a0and\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/blog\/coreinfrastructureandsecurityblog\/active-directory-hardening-series---part-5-%E2%80%93-enforcing-ldap-channel-binding\/4235497\" target=\"_blank\" rel=\"noreferrer noopener\">LDAP channel binding<\/a>. 
In Windows Server 2025, this is enabled by default.<\/li>\n\n\n\n<li>Use\u00a0<a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f\" target=\"_blank\" rel=\"noreferrer noopener\">Extended Protection for Authentication<\/a>\u00a0(EPA).<\/li>\n\n\n\n<li>Implement Just-In-Time (JIT) access and MFA for sensitive resources, and use\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-governance\/privileged-identity-management\/pim-configure\" target=\"_blank\" rel=\"noreferrer noopener\">Privileged Identity Management<\/a>\u00a0(PIM) to enforce JIT and MFA.<\/li>\n<\/ul>\n\n\n\n<p>After establishing a presence, attackers often pivot to techniques that target service accounts, which contain service tickets. Kerberoasting is a prime example, leveraging legitimate Kerberos functionality to extract and crack service tickets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"3-kerberoasting\">3. Kerberoasting<\/h2>\n\n\n\n<p>Kerberoasting targets service accounts by requesting Kerberos service tickets and performing offline brute-force attacks to recover passwords. Because the attack uses legitimate Kerberos functionality, it often goes undetected. And since many service accounts use weak or non-expiring passwords, they are especially vulnerable. The attack does not require elevated privileges to initiate and leaves minimal traces in logs. 
If successful, it can serve as a stepping stone to full domain compromise.<\/p>\n\n\n\n<p><strong>Detection:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check for ticket requests with unusual Kerberos encryption types in the events in\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\">Microsoft Defender XDR<\/a>.<\/li>\n\n\n\n<li>Check for alerts from\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\">Microsoft Defender XDR<\/a>, which will raise an alert with an\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/alerts-overview#suspected-kerberos-spn-exposure-external-id-2410\" target=\"_blank\" rel=\"noreferrer noopener\">external ID 2410<\/a>\u00a0for suspected Kerberos SPN exposure.<\/li>\n\n\n\n<li>Use\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/what-is\" target=\"_blank\" rel=\"noreferrer noopener\">Defender for Identity<\/a>\u00a0to detect suspicious ticket requests.<\/li>\n<\/ul>\n\n\n\n<p>For more information on how to detect Kerberoasting, see&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/11\/microsofts-guidance-to-help-mitigate-kerberoasting\/\">Microsoft Security Blog \u2013 Kerberoasting<\/a>.<\/p>\n\n\n\n<p><strong>Recommendations:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Migrate service accounts to Group Managed Service Accounts (gMSA).<\/li>\n\n\n\n<li>Disable RC4 encryption for Kerberos. 
Starting with Windows Server 2025, RC4 will be disabled by default.<\/li>\n\n\n\n<li>Regularly audit and remove unused SPNs.<\/li>\n\n\n\n<li>Enforce\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/osconfig\/osconfig-how-to-configure-security-baselines?tabs=online%2Cconfigure\" target=\"_blank\" rel=\"noreferrer noopener\">security baselines<\/a>\u00a0for Windows Server 2025.<\/li>\n<\/ul>\n\n\n\n<p>The success of Kerberoasting and similar attacks is amplified when accounts are over-permissioned or misconfigured. Excessive privileges can create shortcuts for attackers to escalate access and compromise critical assets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"4-excessive-privileges-account-misconfigurations\">4. Excessive privileges &amp; account misconfigurations<\/h2>\n\n\n\n<p>Excessive privileges and misconfigurations occur when accounts have more permissions than necessary, often due to legacy setups or poor access control. Overprivileged accounts are prime targets for attackers. If compromised, they can be used to disable security tools, access sensitive data, or take control of the domain. These risks are amplified in hybrid environments where on-prem and cloud permissions intersect. 
A single misconfigured account can serve as a bridge between environments, expanding the blast radius of an attack.<\/p>\n\n\n\n<p><strong>Detection:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Identity flags risky settings and maps lateral movement paths.<\/li>\n\n\n\n<li>Use\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/get-started\/adac\/Advanced-AD-DS-Management-Using-Active-Directory-Administrative-Center--Level-200-\" target=\"_blank\" rel=\"noreferrer noopener\">Active Directory Administrative Center<\/a>\u00a0to review group memberships and delegated permissions.<\/li>\n<\/ul>\n\n\n\n<p><strong>Recommendations:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apply least privilege principles.<\/li>\n\n\n\n<li>Use JIT access and MFA for admin tasks.<\/li>\n\n\n\n<li>Implement Microsoft\u2019s\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/core-infrastructure-and-security\/protecting-tier-0-the-modern-way\/ba-p\/4052851\" target=\"_blank\" rel=\"noreferrer noopener\">Tiered Administration model<\/a>.<\/li>\n\n\n\n<li>Audit and\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/zero-trust\/sfi\/remove-legacy-systems-that-risk-security\" target=\"_blank\" rel=\"noreferrer noopener\">clean up legacy permissions<\/a>.<\/li>\n<\/ul>\n\n\n\n<p>Beyond misconfigurations, legacy features like unconstrained delegation introduce additional risk. If left in place, they can allow attackers to impersonate users and access sensitive resources without detection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"5-unconstrained-delegation\">5. Unconstrained delegation<\/h2>\n\n\n\n<p>Unconstrained delegation is a legacy Kerberos feature that lets services impersonate any user, posing serious risks if compromised. When enabled, a user\u2019s TGT is stored in memory and reused. 
Because the TGT is valid across the domain, if compromised, attackers can extract TGTs to impersonate users and access any Kerberos-protected service, including domain admins.<\/p>\n\n\n\n<p><strong>Detection:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/activedirectory\/get-adcomputer?view=windowsserver2022-ps\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell<\/a>\u00a0to find systems with unconstrained delegation.<\/li>\n\n\n\n<li>Defender for Identity identifies risky configurations.<\/li>\n<\/ul>\n\n\n\n<p><strong>Recommendations:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy Credential Guard on endpoints.<\/li>\n\n\n\n<li>Add high-risk accounts to the \u201cProtected Users\u201d group.<\/li>\n\n\n\n<li>Mark privileged accounts as \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/ensure-privileged-accounts-with-sensitive-flag\" target=\"_blank\" rel=\"noreferrer noopener\">sensitive and cannot be delegated<\/a>.\u201d<\/li>\n\n\n\n<li>Remove support for unconstrained delegation.<\/li>\n<\/ul>\n\n\n\n<p>Once attackers achieve high privilege, they often seek persistence. Golden Ticket attacks represent the ultimate escalation\u2014granting attackers the ability to forge Kerberos tickets and maintain control indefinitely.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"6-golden-ticket-attack\">6. Golden Ticket attack<\/h2>\n\n\n\n<p>Golden Ticket attacks use a stolen KRBTGT account key to forge Kerberos tickets, granting unrestricted domain access. If this key is compromised, the environment is already seriously breached. Prevention centers on blocking key theft and quickly detecting forged tickets.<\/p>\n\n\n\n<p>This attack is especially dangerous because it bypasses standard authentication and enables persistent, stealthy domain access. 
Attackers often pair it with methods like DCSync or credential dumping to steal the KRBTGT hash.<\/p>\n\n\n\n<p><strong>Detection:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/alerts-mdi-classic\" target=\"_blank\" rel=\"noreferrer noopener\">Defender for Identity<\/a>\u00a0provides real-time alerts for Golden Ticket usage, DCSync\/DCShadow attacks, and unusual Kerberos activity.<\/li>\n\n\n\n<li>Enable Kerberos audit logging on all domain controllers.<\/li>\n<\/ul>\n\n\n\n<p><strong>Recommendations:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/forest-recovery-guide\/ad-forest-recovery-reset-the-krbtgt-password\" target=\"_blank\" rel=\"noreferrer noopener\">Rotate the KRBTGT password<\/a>\u00a0at least every 180 days (reset twice to fully invalidate tickets).<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/credentials-protection-and-management\/configuring-additional-lsa-protection\" target=\"_blank\" rel=\"noreferrer noopener\">Enable LSA Protection<\/a>\u00a0on domain controllers.<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/security-assessment-non-admin-accounts-dcsync\" target=\"_blank\" rel=\"noreferrer noopener\">Remove non-admin accounts<\/a>\u00a0with DCSync permissions.<\/li>\n\n\n\n<li>Implement\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/core-infrastructure-and-security\/protecting-tier-0-the-modern-way\/ba-p\/4052851\" target=\"_blank\" rel=\"noreferrer noopener\">tiered administration<\/a>\u00a0and least privilege to limit replication rights and administrative access.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"upgrade-your-cybersecurity-with-microsoft\">Upgrade your cybersecurity with Microsoft<\/h2>\n\n\n\n<p>Active Directory Domain Services is central to 
enterprise identity and access management, making it a frequent focus for cyberattacks. Proactive detection and remediation are essential to reduce risk. If you suspect a compromise, rapid containment is critical.&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/microsoft-incident-response?msockid=3a9343c2a3aa661410ef562ca21067ea\">Microsoft Incident Response<\/a>&nbsp;can help before, during, and after a cybersecurity incident. To learn more, visit&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/08\/15\/how-the-microsoft-incident-response-team-helps-customers-remediate-threats\/\">Upgrade proactive and Reactive defenses with Microsoft Incident Response<\/a>.<\/p>\n\n\n\n<p>By applying the detection methods and remediation steps outlined above, organizations can significantly reduce their attack surface. Microsoft\u2019s security tools\u2014Defender for Identity, Defender Vulnerability Management, Sentinel, and Privileged Identity Management\u2014provide the analytics and controls needed to help stay ahead of evolving threats.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As organizations modernize, AD DS continues to be a frequent focus for cyberattacks. 
This summary outlines six critical threats and provides actionable steps to help detect and reduce risk.<\/p>\n","protected":false},"author":6104,"featured_media":21275,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[3732],"product":[],"content-type":[964],"solution":[967],"coauthors":[3731],"class_list":["post-21270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-windows-server-2025","content-type-updates","solution-security","review-flag-1593580427-982","review-flag-1710328007-107","review-flag-1593580414-127","review-flag-1593580409-206","review-flag-1-1593580431-223","review-flag-1-1710328007-20","review-flag-2-1593580436-936","review-flag-2-1710328007-310","review-flag-3-1593580441-66","review-flag-3-1710328007-736","review-flag-4-1593580446-763","review-flag-4-1710328008-217","review-flag-5-1593580451-829","review-flag-5-1710328008-171","review-flag-6-1593580456-819","review-flag-6-1710328008-798","review-flag-disab-1710328014-151","review-flag-disab-1710328014-972","review-flag-man-1593580365-471","review-flag-man-1710328006-143","review-flag-micro-1680215162-488","review-flag-on-pr-1593580810-180","review-flag-on-pr-1710328012-657"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025 | Microsoft Windows Server Blog<\/title>\n<meta name=\"description\" content=\"As organizations modernize, AD DS continues to be a focus for cyberattacks. 
This summary provides actionable steps to help detect and reduce risk.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025 | Microsoft Windows Server Blog\" \/>\n<meta property=\"og:description\" content=\"As organizations modernize, AD DS continues to be a focus for cyberattacks. This summary provides actionable steps to help detect and reduce risk.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Windows Server Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/WindowsServer\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-09T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-20T15:26:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"1333\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Karen Guo\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" 
content=\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg\" \/>\n<meta name=\"twitter:creator\" content=\"@WindowsServer\" \/>\n<meta name=\"twitter:site\" content=\"@WindowsServer\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Karen Guo\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 min read\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/author\/karen-guo\/\",\"@type\":\"Person\",\"@name\":\"Karen Guo\"}],\"headline\":\"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 
2025\",\"datePublished\":\"2025-12-09T16:00:00+00:00\",\"dateModified\":\"2026-02-20T15:26:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/\"},\"wordCount\":1157,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg\",\"keywords\":[\"Windows Server 2025\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/\",\"name\":\"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025 | Microsoft Windows Server 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg\",\"datePublished\":\"2025-12-09T16:00:00+00:00\",\"dateModified\":\"2026-02-20T15:26:45+00:00\",\"description\":\"As organizations modernize, AD DS continues to be a focus for cyberattacks. This summary provides actionable steps to help detect and reduce risk.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg\",\"width\":2000,\"height\":1333,\"caption\":\"Laptop
 on a table.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/\",\"name\":\"Microsoft Windows Server Blog\",\"description\":\"Your Guide to the Latest Windows Server Product Information\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization\",\"name\":\"Microsoft Windows Server Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"width\":1,\"height\":1,\"caption\":\"Microsoft Windows Server 
Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/WindowsServer\",\"https:\/\/x.com\/WindowsServer\",\"https:\/\/www.linkedin.com\/showcase\/microsoft-cloud-platform\/\",\"https:\/\/www.youtube.com\/user\/MSCloudOS\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025 | Microsoft Windows Server Blog","description":"As organizations modernize, AD DS continues to be a focus for cyberattacks. This summary provides actionable steps to help detect and reduce risk.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025 | Microsoft Windows Server Blog","og_description":"As organizations modernize, AD DS continues to be a focus for cyberattacks. 
This summary provides actionable steps to help detect and reduce risk.","og_url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/","og_site_name":"Microsoft Windows Server Blog","article_publisher":"https:\/\/www.facebook.com\/WindowsServer","article_published_time":"2025-12-09T16:00:00+00:00","article_modified_time":"2026-02-20T15:26:45+00:00","og_image":[{"width":2000,"height":1333,"url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg","type":"image\/jpeg"}],"author":"Karen Guo","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg","twitter_creator":"@WindowsServer","twitter_site":"@WindowsServer","twitter_misc":{"Written by":"Karen Guo","Est. reading time":"5 min read"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/author\/karen-guo\/","@type":"Person","@name":"Karen Guo"}],"headline":"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 
2025","datePublished":"2025-12-09T16:00:00+00:00","dateModified":"2026-02-20T15:26:45+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/"},"wordCount":1157,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg","keywords":["Windows Server 2025"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/","name":"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025 | Microsoft Windows Server 
Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg","datePublished":"2025-12-09T16:00:00+00:00","dateModified":"2026-02-20T15:26:45+00:00","description":"As organizations modernize, AD DS continues to be a focus for cyberattacks. This summary provides actionable steps to help detect and reduce risk.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2025\/12\/media_12beadf27cdffaf582fd57a294.jpg","width":2000,"height":1333,"caption":"Laptop on a 
table."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/2025\/12\/09\/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft\u2019s guidance to help mitigate critical threats to Active Directory Domain Services in 2025"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/","name":"Microsoft Windows Server Blog","description":"Your Guide to the Latest Windows Server Product Information","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#organization","name":"Microsoft Windows Server Blog","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","width":1,"height":1,"caption":"Microsoft Windows Server 
Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/WindowsServer","https:\/\/x.com\/WindowsServer","https:\/\/www.linkedin.com\/showcase\/microsoft-cloud-platform\/","https:\/\/www.youtube.com\/user\/MSCloudOS"]}]}},"word_count":1138,"msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Windows Server Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/posts\/21270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/users\/6104"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/comments?post=21270"}],"version-history":[{"count":4,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/posts\/21270\/revisions"}],"predecessor-version":[{"id":21277,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/posts\/21270\/revisions\/21277"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/media\/21275"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/media?parent=21270"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/post_tag?post=21270"},{"ta
xonomy":"product","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/product?post=21270"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/content-type?post=21270"},{"taxonomy":"solution","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/solution?post=21270"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/windows-server\/blog\/wp-json\/wp\/v2\/coauthors?post=21270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}