ad-hardening

ad-hardening is a comprehensive guidebook and reference repository dedicated to securing and hardening Active Directory (AD) environments in air-gapped, isolated networks. While physical isolation eliminates many remote threats, it places a heavier security premium on internal access control, endpoint hygiene, and physical media management.
This project outlines step-by-step guidance, configurations, and templates to establish a resilient security posture inside sensitive, non-internet-connected directory environments.
Core Hardening Pillars
- Tiered Administrative Model: Isolating Tier 0 (Domain Controllers/Admins) credentials from Tier 1 (Servers) and Tier 2 (Workstations) to eliminate lateral escalation risks.
- Offline Authentication & MFA: Strategies for deploying local, offline-capable multi-factor authentication without internet-based validation services.
- Service Account Securing: Transitioning legacy service accounts to Group Managed Service Accounts (gMSAs) to enforce automatic password rotation.
- Audit & Event Analysis: Configuration templates for offline Windows Event Forwarding (WEF) and local security log auditing.
- Removable Media Control: Hardening USB and other removable hardware access policies via Group Policy Objects (GPOs) to combat sneakernet malware propagation vectors.

About Me
Hi, I’m Florian Stosse, just another information security engineer!
Current work
I currently work at the European Space Agency, as a cybersecurity engineer for the Galileo programme, specifically for the Galileo Mission Segment (GMS).
Experience summary
I previously worked at Safran Data Systems, in the Space & Communications business unit. I focused on hardening and securing our embedded Windows 7 and 10/11 platforms (Cortex family of TT&C and high data rate receivers), among other cool things :)
Before that, in October 2018, I started a PhD thesis at CEA-List and ANSSI to work on formal methods applied to software security. More specifically, I was working on software defenses and hardening against hardware vulnerabilities, such as Spectre and Meltdown, using sound static analysis tools (Frama-C in particular).
My thesis was under the supervision of Julien Signoles (CEA), and my advisors were Patricia Mouy (ANSSI) and Florent Kirchner (CEA).
Unfortunately, we had to put a stop to the thesis, but hey, that’s life!
Education summary
I graduated with an M.Sc. in Computer Science (major in cybersecurity, minor in embedded systems) from ESIEA Paris (a top French engineering school, part of the “Grandes écoles”) in August 2018. During my graduate studies, I was an apprentice at Bureau Veritas’ R&D center in La Défense, Paris.
I worked in the RAMS department, and my main areas of work were:
- software security (e.g. static analysis, SDLC),
- connected/autonomous vehicles security (e.g. ISO 21434 for automotive security engineering),
- and industrial systems security (e.g. ISO 62443 certification).
Do not hesitate to get in touch if you want to chat about these topics (or anything else, really)!