Why Active Directory is the spine of most attack paths

When CloudShark confirms a route from an internet-facing entry point to something that would genuinely hurt — a finance system, a patient database, an executive mailbox — the middle of that route almost always runs through Active Directory. Not through an AD "vulnerability" in the patchable sense, but through configuration: identity is the connective tissue that turns three unrelated low-severity issues into one walkable path.

That is also why these findings rarely appear at the top of a scanner report. A scanner sees a service account, a group membership, a delegation flag — each unremarkable on its own. It takes path-level testing to show that, chained together, they end at domain admin. Below are the eight misconfigurations we keep proving in production environments, why each one matters on a real route, and the fix that closes it.

The top eight, in the order we find them

1. Shared and reused service-account passwords

One credential quietly reused across a backup agent, a monitoring tool, and a line-of-business app. It shows up in more confirmed routes than any other single issue, because one exposure anywhere becomes access everywhere the credential is valid.

Fix: give every service its own identity, rotate the existing passwords, and move them into a managed vault. Where the platform supports it, prefer group managed service accounts so rotation stops being a human job.

2. Stale privileged accounts and nested group sprawl

Admin accounts for people who left, vendor accounts from finished projects, and groups nested inside groups until nobody can say who is actually privileged. Dormant privilege is invisible in daily operations but fully visible to an intruder enumerating the directory.

Fix: review privileged group membership quarterly, expire accounts with HR offboarding, and flatten nesting until membership answers one question: who can administer what, today?
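
As an added example (not code from the original article), the quarterly review in the fix above as a script: it flattens nested membership of the built-in privileged groups and flags dormant members. It assumes the RSAT ActiveDirectory module on a domain-joined host, and the 90-day dormancy threshold is an assumed starting point.

```powershell
# Added example, not from the original article: flatten effective membership of the
# built-in privileged groups and flag dormant members. Assumes the RSAT ActiveDirectory
# module and a domain-joined host; the 90-day threshold is an assumed starting point.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'
$DormantCutoff = (Get-Date).AddDays(-90)

$Report = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so this is the membership an intruder sees when
    # enumerating the directory, not the direct membership shown in the management console.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.DistinguishedName -Properties LastLogonDate, PasswordLastSet, Enabled, Description
        [pscustomobject]@{
            Group           = $Group
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            LastLogonDate   = $User.LastLogonDate   # replicated lastLogonTimestamp; can lag by up to ~14 days
            PasswordLastSet = $User.PasswordLastSet
            Dormant         = (-not $User.LastLogonDate) -or ($User.LastLogonDate -lt $DormantCutoff)
            Description     = $User.Description
        }
    }
}

# Show the full picture, then hand the dormant set to whoever owns the offboarding review.
$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$Report | Where-Object Dormant | Export-Csv -NoTypeInformation -Path .\dormant-privileged-members.csv
```

The same account can appear under several groups; that repetition is the nesting sprawl the item describes, and the CSV is the list to expire or flatten.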

3. Service accounts exposed to offline password guessing

Any service account tied to a service principal name can have its ticket material requested by a legitimate domain user — and if the password is old and human-chosen, it can be attacked offline at leisure. Long-forgotten accounts with passwords set years ago are the classic case.

Fix: inventory accounts with service principal names, set long machine-generated passwords, and migrate to managed accounts where possible. Password age is the tell: anything older than a year deserves attention this quarter.

4. Unconstrained delegation on legacy servers

A server trusted for unconstrained delegation can impersonate the users who authenticate to it. One forgotten application server with this flag set — often enabled a decade ago to make a login flow work — can hand over the identities of everyone who touches it, including administrators.

Fix: find every computer object trusted for unconstrained delegation and either remove the setting or replace it with constrained, resource-based delegation. Mark your most privileged accounts as sensitive and not-delegatable.
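
As an added example (not code from the original article), one script covering the inventory steps of items 3 and 4: SPN-bearing accounts with their password age, non-DC objects trusted for unconstrained delegation, and protected accounts that are still delegatable. It assumes the RSAT ActiveDirectory module; the one-year password threshold is the article's own.

```powershell
# Added example, not from the original article: inventory for items 3 and 4.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

$StaleCutoff = (Get-Date).AddYears(-1)

# Item 3: any user object carrying a servicePrincipalName can have a ticket requested for it,
# so password strength and age are what matter here. krbtgt is excluded because it has its
# own reset procedure and does not belong in this review.
$SpnAccounts = Get-ADUser -Filter { ServicePrincipalName -like "*" } `
                   -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, Enabled |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet,
        @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } },
        @{ n = 'Stale';           e = { (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $StaleCutoff) } },
        @{ n = 'SPNs';            e = { $_.ServicePrincipalName -join '; ' } }

# Item 4: computers and users with "Trust this computer for delegation to any service".
# Domain controllers carry the flag by design, so they are removed from the list.
$DcNames = (Get-ADDomainController -Filter *).Name
$Unconstrained = @(Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties OperatingSystem, LastLogonDate) +
                 @(Get-ADUser     -Filter { TrustedForDelegation -eq $true } -Properties LastLogonDate) |
    Where-Object { $_.Name -notin $DcNames } |
    Select-Object Name, ObjectClass, OperatingSystem, LastLogonDate, DistinguishedName

# Accounts the directory already treats as protected (adminCount = 1) that are still
# delegatable; these are the ones to mark "sensitive and cannot be delegated".
$DelegatableAdmins = Get-ADUser -Filter { AdminCount -eq 1 } -Properties AccountNotDelegated |
    Where-Object { (-not $_.AccountNotDelegated) -and $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, DistinguishedName

Write-Host 'SPN accounts, stale first'
$SpnAccounts | Sort-Object Stale -Descending | Format-Table -AutoSize | Out-Host
Write-Host 'Unconstrained delegation (non-DC objects)'
$Unconstrained | Format-Table -AutoSize | Out-Host
Write-Host 'Protected accounts still delegatable'
$DelegatableAdmins | Format-Table -AutoSize | Out-Host
```

A long-dormant server in the second table is the "forgotten application server" case from item 4; a stale row in the first table with PasswordNeverExpires set is the classic item 3 finding.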

5. Over-broad rights to edit Group Policy

Whoever can edit a Group Policy Object linked to a computer effectively administers that computer. Edit rights granted to a helpdesk team, a deployment tool, or "Domain Users, temporarily, in 2019" turn a single compromised low-value account into configuration control over entire organisational units.

Fix: audit who can create, edit, and link GPOs — especially any policy linked to domain controllers or server OUs — and cut the list to a small, named set of administrators.
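
As an added example (not code from the original article), the GPO edit-rights audit from the fix above as a script. It lists every trustee with edit rights on each GPO, flags trustees outside an assumed baseline, and marks policies linked at the domain root or the Domain Controllers OU. It assumes the RSAT GroupPolicy and ActiveDirectory modules; the baseline list of expected editors is an assumption to adjust.

```powershell
# Added example, not from the original article: who can edit which GPO, and which of those
# GPOs are linked where it hurts most. Assumes the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$EditRights      = 'GpoEdit', 'GpoEditDeleteModifySecurity'
# Assumed baseline of trustees that legitimately hold edit rights; adjust to your own design.
$ExpectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS'
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

$Domain    = Get-ADDomain
$DcLinks   = (Get-GPInheritance -Target $Domain.DomainControllersContainer).GpoLinks.GpoId
$RootLinks = (Get-GPInheritance -Target $Domain.DistinguishedName).GpoLinks.GpoId

$Findings = foreach ($Gpo in Get-GPO -All) {
    foreach ($Ace in Get-GPPermission -Guid $Gpo.Id -All) {
        $Right = "$($Ace.Permission)"
        if ($Right -notin $EditRights -or $Ace.Denied) { continue }
        $Trustee = $Ace.Trustee.Name
        if ($Trustee -in $ExpectedEditors) { continue }
        [pscustomobject]@{
            Gpo                = $Gpo.DisplayName
            Trustee            = $Trustee
            Right              = $Right
            BroadGroup         = $Trustee -in $BroadPrincipals
            LinkedToDCs        = $Gpo.Id -in $DcLinks
            LinkedAtDomainRoot = $Gpo.Id -in $RootLinks
        }
    }
}

# Highest risk first: broad principals, then anything linked to the DC OU.
$Findings |
    Sort-Object @{ Expression = 'BroadGroup'; Descending = $true }, @{ Expression = 'LinkedToDCs'; Descending = $true }, Gpo |
    Format-Table -AutoSize
```

This covers edit rights on the policy objects themselves; the right to create GPOs and to link them to an OU lives in the AD ACL of the policies container and of each OU, and needs a separate check.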

6. Legacy authentication protocols left enabled

Older name-resolution and authentication protocols were designed for friendlier networks. Left enabled, they leak credential material onto the local network segment as a matter of routine operation, giving an intruder passive material to work with before they touch a single server.

Fix: disable what you do not use — legacy broadcast name resolution, the oldest NTLM variants, unsigned LDAP binds — and enforce SMB signing. Do it audit-first: log usage for a fortnight, migrate the stragglers, then turn the protocol off.
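
As an added example (not code from the original article), the audit-first step above as a script to run elevated on a domain controller: it compares the host's legacy-protocol settings with the hardened values, then summarises two weeks of "who is still using it" audit events. The registry paths are the standard Windows policy locations; the audit-event field order for the client address is an assumption, labelled in the code.

```powershell
# Added example, not from the original article: legacy-protocol settings versus hardened
# values, plus a two-week usage summary. Assumes it runs elevated on a domain controller.
$Checks = @(
    @{ Name = 'LLMNR disabled';              Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';            Value = 'EnableMulticast';           Want = 0 }
    @{ Name = 'SMB server signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';  Value = 'RequireSecuritySignature';  Want = 1 }
    @{ Name = 'NTLMv2 only, refuse LM/NTLM'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Value = 'LmCompatibilityLevel';      Want = 5 }
    @{ Name = 'LDAP signing required';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';          Value = 'LDAPServerIntegrity';       Want = 2 }
    @{ Name = 'Unsigned-bind audit (2889)';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics';         Value = '16 LDAP Interface Events';  Want = 2 }
    @{ Name = 'Incoming NTLM audit';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                Value = 'AuditReceivingNTLMTraffic'; Want = 2 }
)
# An absent value means the OS default, which for most of these is the permissive setting.
$Results = foreach ($C in $Checks) {
    $Have = (Get-ItemProperty -Path $C.Path -Name $C.Value -ErrorAction SilentlyContinue).($C.Value)
    [pscustomobject]@{ Check = $C.Name; Current = $Have; Hardened = $C.Want; Ok = ($Have -eq $C.Want) }
}
$Results | Format-Table -AutoSize | Out-Host

# Audit-first: the last 14 days of unsigned or simple LDAP binds (Directory Service 2889),
# grouped by client address, so the stragglers can be migrated before signing is enforced.
$Since = (Get-Date).AddDays(-14)
$Unsigned = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since } -ErrorAction SilentlyContinue
# Assumed field order for 2889: Properties[0] is "client address:port", Properties[1] is the identity.
$Unsigned |
    ForEach-Object { $_.Properties[0].Value -replace ':\d+$', '' } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ClientAddress'; e = 'Name' } |
    Format-Table -AutoSize | Out-Host

# Incoming NTLM authentications (NTLM/Operational 8002) per day: the trend should fall to
# zero as stragglers are migrated, and only then does the protocol get switched off.
$Ntlm = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8002; StartTime = $Since } -ErrorAction SilentlyContinue
$Ntlm |
    Group-Object { $_.TimeCreated.Date.ToString('yyyy-MM-dd') } | Sort-Object Name |
    Select-Object @{ n = 'Day'; e = 'Name' }, Count |
    Format-Table -AutoSize | Out-Host
```

The two audit rows in the first table must read Ok before the event summaries mean anything; without them the logs are simply empty, which is not the same as nobody using the protocol.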

7. No administrative tiering on a flat network

When the same admin account that manages workstations also logs into domain controllers, any workstation compromise is one step from the directory itself. Flat networks make the walk shorter: nothing separates the machine that opens email attachments from the machine that holds every password hash in the company.

Fix: separate accounts by tier — workstation admins never touch servers, domain admins never log into workstations — and back it with network segmentation between user, server, and identity zones. This is the single most path-destroying change on this list.

8. Forgotten file shares holding credentials and backups

Old IT shares are archaeology: deployment scripts with passwords in them, unattended-install answer files, virtual machine images, and directory backups. A share nobody has opened since 2021 is still open to everyone the permissions say it is — and directory backups in particular contain material equivalent to the keys to the domain.

Fix: inventory shares readable by broad groups, delete what has no owner, and treat any share that ever held credentials as compromised: rotate what was in it, then decommission it.

What to fix first

Eight items is still a list, and lists invite deferral. The pattern from our engagements is consistent: credential hygiene first (items 1 and 3 — rotation, vaulting, managed accounts), tiering second (item 7), decommissioning third (items 2 and 8). Those five collapse the majority of confirmed routes we see, because they remove the chokepoint hops that multiple paths share. Across FireShield assessments, 94% of critical exposure closes with three or fewer changes — and those changes are almost always drawn from this list, not from the CVE backlog.