All networks have security vulnerabilities. Penetration testing and network security assessments are great tools to gauge the security posture of your environment. However, most organizations attempt these without first conducting some basic hardening.
The result? A report full of critical findings and a team that is now rushed to fix them.
Does it matter that we can gain Domain Administrator permissions within an hour? No.
We want our engagements to mean something and to have value to your organization. This is why we are publishing some best practices for organizations to follow, along with a series of videos on how to implement some of these controls.
As with all recommendations, we recommend that you test and research all changes before implementing them in your environment. What works for most may cause issues in yours. If you are not sure, give us a call; we can help. We are not liable for any damages.

Hardening Microsoft Windows Environments: Configuring Audit Policies

Windows Domain Controller Audit Policy:
We recommend that you create a new policy for these settings, give it precedence over the Default Domain Controllers Policy, and link it to the OU in which your domain controllers reside.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Policy                           Recommended        Default
Audit account logon events       Success, Failure   Success
Audit account management         Success, Failure   Success
Audit directory service access   Success            Success
Audit logon events               Success, Failure   Success
Audit object access              Failure            No auditing (not defined)
Audit policy change              Success            Success
Audit privilege use              Failure            No auditing (not defined)
Audit process tracking           Success, Failure   No auditing (not defined)
Audit system events              Success            Success

Member Servers and Workstation Audit Policy:
We recommend that you create a new policy for these settings, give it precedence over the Default Domain Policy, and link it at the root level of your domain.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Policy                           Recommended                 Default
Audit account logon events       Success, Failure            No auditing (not defined)
Audit account management         Success, Failure            No auditing (not defined)
Audit directory service access   No auditing (not defined)   No auditing (not defined)
Audit logon events               Success, Failure            No auditing (not defined)
Audit object access              Failure                     No auditing (not defined)
Audit policy change              Success                     No auditing (not defined)
Audit privilege use              Failure                     No auditing (not defined)
Audit process tracking           Success, Failure            No auditing (not defined)
Audit system events              Success                     No auditing (not defined)
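Once the policy has been linked and the hosts have refreshed Group Policy, the effective result can be checked on each host rather than assumed. The PowerShell script below is an added example, not part of the original post: it reads the effective audit policy with auditpol.exe and compares every subcategory against the recommendation for its category, choosing the domain controller table or the member server/workstation table based on the host's role. It assumes English auditpol.exe output and the usual mapping from the legacy "Audit ..." policy names to auditpol categories (Audit account logon events -> Account Logon, Audit account management -> Account Management, Audit directory service access -> DS Access, Audit logon events -> Logon/Logoff, Audit process tracking -> Detailed Tracking; the other names match directly). The function names are the example's own.

```powershell
# Added example (not from the original post): compare a host's effective audit
# policy with the recommended settings above. Run in an elevated PowerShell session.

# Domain controller recommendations, keyed by auditpol.exe category name.
$RecommendedDomainController = [ordered]@{
    'Account Logon'      = 'Success and Failure'
    'Account Management' = 'Success and Failure'
    'DS Access'          = 'Success'
    'Logon/Logoff'       = 'Success and Failure'
    'Object Access'      = 'Failure'
    'Policy Change'      = 'Success'
    'Privilege Use'      = 'Failure'
    'Detailed Tracking'  = 'Success and Failure'
    'System'             = 'Success'
}

# Member servers and workstations: identical except that directory service
# access is left undefined, which auditpol reports as "No Auditing".
$RecommendedMember = [ordered]@{}
foreach ($k in $RecommendedDomainController.Keys) { $RecommendedMember[$k] = $RecommendedDomainController[$k] }
$RecommendedMember['DS Access'] = 'No Auditing'

function Get-AuditSubcategorySettings {
    param([string]$Category)
    # auditpol prints the category unindented and one indented line per
    # subcategory: "  <subcategory>      <setting>" (assumes English output).
    $arg = "/category:$Category"
    $output = & auditpol.exe /get $arg 2>&1
    foreach ($line in $output) {
        if ("$line" -match '^\s{2,}(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            [pscustomobject]@{ Subcategory = $matches[1].Trim(); Setting = $matches[2] }
        }
    }
}

function Compare-AuditPolicy {
    param([System.Collections.Specialized.OrderedDictionary]$Recommended)
    # The legacy category-level policy applies to every subcategory in the
    # category, so each subcategory is expected to carry the category's value.
    foreach ($category in $Recommended.Keys) {
        $expected = $Recommended[$category]
        foreach ($sub in (Get-AuditSubcategorySettings -Category $category)) {
            [pscustomobject]@{
                Category    = $category
                Subcategory = $sub.Subcategory
                Recommended = $expected
                Actual      = $sub.Setting
                Compliant   = ($sub.Setting -eq $expected)
            }
        }
    }
}

# Win32_ComputerSystem.DomainRole 4 (backup DC) and 5 (primary DC) are domain controllers.
$isDomainController = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
$policy  = if ($isDomainController) { $RecommendedDomainController } else { $RecommendedMember }
$results = @(Compare-AuditPolicy -Recommended $policy)

$results | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
'{0} of {1} subcategories match the recommended setting' -f @($results | Where-Object Compliant).Count, $results.Count
```

Subcategories that differ from the category-level recommendation are not always wrong: if Advanced Audit Policy Configuration is in use on the host, subcategory-level settings override the legacy categories, so treat the non-compliant rows as items to review against your advanced policy rather than as a list to fix blindly.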

Hardening Microsoft Windows Environments: Basic Domain Hardening Using GPMC

Member Servers and Workstation Security Options:
We recommend that you create a new policy for these settings, give it precedence over the Default Domain Policy, and link it at the root level of your domain.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Policy                                                                          Recommendation
Accounts: Administrator account status                                          Enabled
Accounts: Rename administrator account                                          Set a unique username
Network access: Allow anonymous SID/name translation                            Disabled
Network access: Do not allow anonymous enumeration of SAM accounts              Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares   Enabled
Network security: Do not store LAN Manager hash value on next password change   Enabled
Network security: LAN Manager authentication level                              Send NTLMv2 response only. Refuse LM & NTLM

Windows Domain Controller Security Options:
We recommend that you create a new policy for these settings, give it precedence over the Default Domain Controllers Policy, and link it to the OU in which your domain controllers reside.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Policy                                                                          Recommendation
Network access: Allow anonymous SID/name translation                            Disabled
Network access: Do not allow anonymous enumeration of SAM accounts              Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares   Enabled
Network security: Do not store LAN Manager hash value on next password change   Enabled
Network security: LAN Manager authentication level                              Send NTLMv2 response only. Refuse LM & NTLM
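The Security Options in both tables above can be verified on a host after Group Policy has applied. The PowerShell script below is an added example, not part of the original post: it reports the effective state of each option and flags the ones that differ from the recommendation, including the two "Accounts:" rows only on member servers and workstations, as in the tables. It assumes that the [System Access] section exported by secedit.exe reflects the current values of EnableAdminAccount, NewAdministratorName and LSAAnonymousNameLookup, and that the remaining four options are backed by the registry values RestrictAnonymousSAM, RestrictAnonymous, NoLMHash and LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, with LmCompatibilityLevel 5 corresponding to "Send NTLMv2 response only. Refuse LM & NTLM". The function names are the example's own.

```powershell
# Added example (not from the original post): report a host's effective state for
# the recommended Security Options. Run in an elevated PowerShell session.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-SystemAccessSettings {
    # Export the local security policy and keep the [System Access] section as a
    # hashtable (assumes the export reflects the current effective values).
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $settings  = @{}
    $inSection = $false
    foreach ($line in (Get-Content -Path $inf)) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $settings[$matches[1]] = $matches[2].Trim('"')
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $settings
}

function Get-LsaValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent value: the policy is not defined
    return $item.$Name
}

function New-Check {
    param([string]$Policy, [string]$Expected, $Actual, [bool]$Compliant)
    [pscustomobject]@{ Policy = $Policy; Expected = $Expected; Actual = $Actual; Compliant = $Compliant }
}

function Test-SecurityOptions {
    param([switch]$DomainController)
    $sa = Get-SystemAccessSettings

    if (-not $DomainController) {
        # The two "Accounts:" rows appear only in the member server / workstation table.
        $adminEnabled = ($sa['EnableAdminAccount'] -eq '1')
        New-Check 'Accounts: Administrator account status' 'Enabled' $(if ($adminEnabled) { 'Enabled' } else { 'Disabled' }) $adminEnabled
        $adminName = $sa['NewAdministratorName']
        New-Check 'Accounts: Rename administrator account' 'Unique username' $adminName ([bool]($adminName -and $adminName -ne 'Administrator'))
    }

    # LSAAnonymousNameLookup = 0 means anonymous SID/name translation is disabled.
    $anonLookup = $sa['LSAAnonymousNameLookup']
    New-Check 'Network access: Allow anonymous SID/name translation' 'Disabled (0)' $anonLookup ($anonLookup -eq '0')

    # Registry-backed options: value name, expected data, and the UI label for that data.
    $registryRows = @(
        @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts';            Value = 'RestrictAnonymousSAM'; Want = 1; Label = 'Enabled (1)' },
        @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Value = 'RestrictAnonymous';    Want = 1; Label = 'Enabled (1)' },
        @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'; Value = 'NoLMHash';             Want = 1; Label = 'Enabled (1)' },
        @{ Policy = 'Network security: LAN Manager authentication level';                            Value = 'LmCompatibilityLevel'; Want = 5; Label = 'Send NTLMv2 response only. Refuse LM & NTLM (5)' }
    )
    foreach ($row in $registryRows) {
        $actual = Get-LsaValue -Name $row.Value
        New-Check $row.Policy $row.Label $actual ($actual -eq $row.Want)
    }
}

# Win32_ComputerSystem.DomainRole 4 (backup DC) and 5 (primary DC) are domain controllers.
$isDomainController = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
Test-SecurityOptions -DomainController:$isDomainController | Format-Table -AutoSize -Wrap
```

A blank Actual column means the value is absent, which is what the tables call "not defined"; the host then runs on the Windows default for that option, so it is reported as non-compliant rather than silently passed. Run the script before linking the new policy and again after gpupdate to confirm that the policy took precedence over the default domain or domain controller policy.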