
ANSSI Active Directory Guide: Applying the Security Recommendations in Practice

This practical guide summarizes the ANSSI recommendations that matter most for Active Directory and shows how to turn them into concrete controls, logging, and hardening decisions.

EtcSec Security Team

The search phrase "ANSSI Active Directory guide" often sets the wrong expectation: there is no single ANSSI PDF that, by itself, is enough to "make Active Directory compliant." For a modern AD environment, the useful baseline is a set of complementary guides. The main document is the ANSSI guide published on October 18, 2023 on secure administration of information systems that rely on Active Directory. It has to be read together with the ANSSI 2021 guide on secure administration of information systems, the 2022 guide on Windows logging in an Active Directory environment, and the December 2023 guide on Tier 0 remediation, which applies when the question is no longer hardening but regaining control after a compromise.

That distinction changes how the material should be used. The 2023 AD guide does not cover everything. It explicitly states that cloud topics and Microsoft Entra ID are out of scope, and it points readers back to the generic secure-administration guide for administrator workstations themselves: internet access, hardening, encryption, and usage restrictions. Searching for an "ANSSI Active Directory guide" is therefore useful only once you know which document is meant to drive which decision; only then can the material be turned into technical controls.

Important note: the ANSSI publications referenced here are technical guides. They are architectural and methodological references, but they are not, by themselves, an automatic legal requirement or any kind of "ANSSI Active Directory certification." If your project also sits inside a NIS2, ISO 27001, or similar compliance program, you need to separate the regulatory text from the technical measures used to answer it.

What Does the ANSSI Active Directory Guide Cover?

The 2023 ANSSI guide on secure administration of information systems that rely on AD focuses on the problem many teams still underestimate: in an environment built around Active Directory, a compromise of the directory usually does not start with just one "bad AD setting." It often comes from a combination of weak administrative practices, insufficient logical segmentation, and control paths that remain open from other parts of the information system.

So the text is less a checklist of boxes to tick and more a trust model. It explains how to reason in trust zones, how to identify Tier 0, how to reduce control paths toward the directory, why NTLM and Kerberos usage has a direct impact on segmentation, and why detection has to be treated as a normal part of AD architecture rather than something bolted on at the end of a project.

This guide should not be read as a replacement for other ANSSI documents. It complements them. It also does not aim to cover every cloud issue, governance concern, or the detailed hardening of administrator workstations. That is exactly why a technical reader who wants to "apply ANSSI to AD" has to start from a group of documents rather than a single publication.

Which ANSSI Documents Actually Matter Today

The table below is the most useful way to read the ANSSI corpus in practice:

| Document | Date | Real role in an AD project |
| --- | --- | --- |
| Recommendations for secure administration of information systems that rely on AD | October 18, 2023 | Main document for logical segmentation, Tier 0, AD control paths, authentication-secret exposure, and detection principles in AD-based environments. |
| Recommendations for secure administration of information systems | May 11, 2021 | Methodological baseline for administration architecture: dedicated accounts, administrator workstations, internet access, admin network design, bastions, and separation of use cases. |
| Securing logging in a Microsoft Active Directory environment | January 28, 2022 | Operational guide for Windows and AD logging: audit policy, centralized collection, WEF/WEC, event selection, Sysmon, and collection-server segmentation. |
| Cyberattacks and remediation: Tier 0 Active Directory remediation | version 1.0, December 2023 | Reference to use when the objective is no longer only hardening, but regaining control of a compromised AD, removing persistence paths, and rebuilding trust in the core trust boundary. |
| Security recommendations relating to Active Directory | August 29, 2014 | Historical reference, now obsolete. It still helps explain how the topic evolved, but it should no longer be treated as the main baseline for a current AD deployment. |

The important point is simple: the 2014 AD guide is now obsolete in the public ANSSI corpus. The useful baseline today is therefore the 2023 guide, supplemented as needed by the 2021, 2022, and 2023 remediation guides.

The ANSSI Principles That Structure a Hardened Active Directory

The ANSSI logic is not "harden GPOs one by one." It starts with a more structural question: which resources share a similar level of trust, sensitivity, and exposure, and how do you stop a local compromise from climbing back into the directory or Tier 0?

In that model, segmentation is not an abstract network diagram. It is a combination of measures:

  • identify the most sensitive resources;
  • analyze attack paths and control paths toward those resources;
  • classify assets into levels or Tiers;
  • apply administration practices that are compatible with that classification;
  • reduce the exposure of each Tier;
  • harden the systems and software used for administration;
  • log and detect in a way that matches that architecture.

This matters because the risk perimeter is not limited to domain controllers. The 2023 AD guide explicitly notes that other parts of the information system can become control paths toward the directory: virtualization, storage, backup, administration tooling, trust relationships, built-in accounts, configuration containers, or any system that can recover or replay authentication secrets.

In practice, an AD that is hardened in the ANSSI sense is not just a directory with good settings. It is an environment where trust relationships are explicit, privileges are separated, and you can demonstrate that an administrator or workstation from a lower level does not have a simple path into the core trust boundary.
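To make that demonstration concrete, here is an added illustration (not code from ANSSI or EtcSec) of a control-path check over a constructed, tiered inventory. The asset names, their tier classification, and the "can take control of" relations between them (administration rights, hypervisors and backup servers that can recover a domain controller, hosts that expose an account's secrets) are all assumptions; the check lists every asset outside Tier 0 that still has a path into it, which is exactly what segmentation has to rule out.

```python
"""Control-path check for a tiered AD inventory (added illustration, not ANSSI's or EtcSec's code)."""
from collections import deque

# Constructed inventory, hypothetical names: 0 = core trust boundary, 1 = servers, 2 = workstations/users.
TIERS = {"DC01": 0, "PAW-T0-01": 0, "t0admin": 0,
         "HV01": 1, "BACKUP01": 1, "APP01": 1, "PRINT01": 1, "srvadmin": 1,
         "WS-ALICE": 2, "alice": 2, "bob": 2}

# Constructed "source can take control of target" relations: the control paths the 2023 guide asks to map.
EDGES = [
    ("t0admin", "DC01", "adminOf"),
    ("PAW-T0-01", "t0admin", "exposesSecretsOf"),  # admin workstation holds t0admin's secrets
    ("HV01", "DC01", "hostsVM"),                   # hypervisor can read the DC's virtual disk
    ("BACKUP01", "DC01", "canRestore"),            # backup server can recover the DC database
    ("srvadmin", "HV01", "adminOf"),
    ("srvadmin", "BACKUP01", "adminOf"),
    ("WS-ALICE", "srvadmin", "exposesSecretsOf"),  # srvadmin logs on to an office workstation
    ("alice", "WS-ALICE", "adminOf"),
    ("APP01", "alice", "exposesSecretsOf"),
    ("bob", "PRINT01", "adminOf"),                 # PRINT01 controls nothing sensitive
]

def paths_into_tier0(tiers, edges):
    """Map each asset outside Tier 0 that can reach a Tier 0 asset to its shortest path
    (breadth-first search) as a list of (source, relation, target) hops. Assets with no
    path are absent: those are the only ones the segmentation claim actually holds for."""
    graph = {}
    for src, dst, rel in edges:
        graph.setdefault(src, []).append((dst, rel))
    findings = {}
    for start, tier in tiers.items():
        if tier == 0:
            continue
        queue, seen = deque([(start, [])]), {start}
        while queue and start not in findings:
            node, hops = queue.popleft()
            for nxt, rel in graph.get(node, []):
                path = hops + [(node, rel, nxt)]
                if tiers.get(nxt) == 0:
                    findings[start] = path
                    break
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path))
    return findings

def format_path(hops):
    """Render hops as 'A [rel] -> B [rel] -> C'."""
    return " -> ".join(f"{s} [{r}]" for s, r, _ in hops) + f" -> {hops[-1][2]}"

if __name__ == "__main__":
    for asset, hops in sorted(paths_into_tier0(TIERS, EDGES).items()):
        print(f"{asset} (classified Tier {TIERS[asset]}) reaches Tier 0: {format_path(hops)}")
```

Every asset the check reports is either misclassified (HV01 and BACKUP01 control the DC and therefore belong to Tier 0) or sits on a path that has to be cut (srvadmin's secrets on an office workstation).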

Segmentation, Trust Zones, and Dedicated Administration

The key term here is trust zone. In the 2023 AD guide, ANSSI uses that concept to structure segmentation across the information system. The point is not to isolate everything in the same way, but to group together resources that share a similar level of sensitivity and exposure, then prevent a compromise inside one zone from spreading freely into the most critical zones.

On the ground, that means treating administration as its own activity. The 2021 ANSSI guide on secure administration of information systems is very clear on several points:

  • administrative accounts must be reserved for administrative actions only;
  • they must not be used for office work or interactive sessions on workstations that are not reserved for administration;
  • built-in administrative accounts must not be the normal operating baseline;
  • individual administrator accounts should be preferred so that traceability and segregation of duties remain possible;
  • the administrator workstation has to be treated as a sensitive asset;
  • internet access and internet-connected email must not be opened from that environment.

If privileged accounts still log on to standard office workstations, if administrator secrets still transit through multipurpose systems, or if administrative jump paths still go through less trusted environments, then your architecture already contradicts the ANSSI model, even if your GPOs and ACLs look clean.

A bastion can be part of the answer, but ANSSI treats it as one architectural case, not as a magic control. Dedicated admin workstations only matter if the day-to-day practice matches them: no web browsing, no email, no unnecessary software, and no mixing of office and administrative use.

If you want to turn those principles into concrete checks, the right approach is not to start with tools. Start by verifying who administers what, from which machine, with which account, over which network path, and toward which trust zone. A practical audit checklist such as How to Audit Active Directory Security: Practical Checklist for Internal Teams becomes useful at that point because it converts ANSSI principles into observable checks.

Tier 0, Privileged Accounts, and Administrative Paths

The 2023 AD guide reuses the historical Tier model and states clearly that Tier 0 is the core trust boundary of the organization. Resources at that level allow, directly or indirectly, privilege assignment over other Tiers and therefore control over the directory.

The classic mistake is to reduce Tier 0 to domain controllers alone. ANSSI goes further. In both the segmentation logic and the remediation logic, you also have to look at privileged objects, trust relationships, system and configuration containers, built-in accounts, authentication secrets, and the machines on which those secrets can be exposed. The Tier 0 remediation guide emphasizes one very practical point: secure administrator workstations and any machines that can contain privileged-account secrets are part of the problem, because an attacker who retains persistence on those machines can often regain access to the core trust boundary.

In remediation, ANSSI also reminds readers of an important technical point: the security boundary is the forest, not the domain. Technical objectives are therefore not considered complete until they have been carried out across all domains of a compromised forest, and in parallel, so that a domain that has already been remediated cannot be compromised again from one that has not.

That view forces you to move beyond an audit that is too object-by-object. In a real AD environment, you need to analyze:

  • privileged groups and accounts that are still active;
  • overly broad delegations;
  • undocumented control paths;
  • privileged secrets that are still present outside Tier 0;
  • technical dependencies on backup, virtualization, PKI, or other systems that can recover AD control;
  • old or overprivileged accounts that no longer have a clear business justification.

That reading directly overlaps with topics such as Stale Privileged Accounts: Hidden Risk in Active Directory, ADCS Certificate Attacks: How ESC1 to ESC8 Lead to Domain Admin, and Kerberos Delegation Attacks: From Unconstrained to RBCD Abuse. The ANSSI point is not to stack alerts. It is to reduce, document, and then monitor the real paths that can hand control of the directory back to an attacker.

Logging and Detection Capability in an AD Environment

Another common misunderstanding is to treat detection as a SIEM overlay that is independent from the Active Directory project itself. The 2022 ANSSI guide on logging in Microsoft Active Directory environments shows the opposite: useful logging is an architectural question.

The document covers Windows audit policy, local storage and log rotation, centralized event collection, selection of useful logs, Sysmon for extended telemetry, and collection built on Windows Event Forwarding (WEF) and Windows Event Collector (WEC). The message is not "turn on everything." It is: choose the logs that actually support detection and investigation, centralize them inside a coherent perimeter, and segment the collection servers as well.

This guide is also explicitly operational. It does not stop at saying that logging matters; it goes down to Windows mechanisms and collection design. It also states an important limit: its scope assumes systems that connect regularly. Isolated or weakly connected systems therefore require adapted logging and retrieval mechanisms of their own.

In an AD environment hardened in the ANSSI sense, detection therefore has to answer concrete questions:

  • which privileged administrative actions took place;
  • from which workstations and with which accounts;
  • which changes affected privileged objects, GPOs, or control paths;
  • which secrets can still move outside trusted environments;
  • which critical events actually reach the collection tier;
  • how much investigative depth is available if an incident touches Tier 0.

The goal is not to replace your whole detection ecosystem. It is to establish a logging baseline that is sufficient to watch administration, authentication, structural directory changes, and the health of critical assets. That is also where topics such as LDAP Signing Disabled: How Unsigned Binds Expose Active Directory or Kerberoasting: How Attackers Crack Service Account Passwords become useful: they show the kind of exposure that should appear either in preventive controls or in detection capability.
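As an added example (not the page's, EtcSec's, or ANSSI's code) of answering the first two questions above, this check runs over a constructed set of logon records shaped like the fields a WEF/WEC collector extracts from Windows event 4624. The account and host names and the Tier 0 membership lists are assumptions; it flags a Tier 0 account logging on outside Tier 0 (worse when the logon type caches secrets on that host) and any NTLM authentication by a Tier 0 account, which the 2023 guide's chapter on NTLM and Kerberos makes relevant for segmentation.

```python
"""Tier 0 logon check over collected Windows 4624 events (added illustration, not ANSSI's or EtcSec's code)."""

# Hypothetical Tier 0 membership: privileged accounts and the only hosts they may log on to
# (domain controllers, PKI, and the dedicated administrator workstations).
TIER0_ACCOUNTS = {"t0admin", "t0-backup-op"}
TIER0_HOSTS = {"DC01", "DC02", "PKI01", "PAW-T0-01"}

# 4624 logon types whose secrets are cached on the target host (interactive 2, batch 4, service 5,
# unlock 7, RemoteInteractive 10, CachedInteractive 11). Type 3 (network) leaves no reusable secret.
CACHING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}

# Constructed sample, fields as a WEF/WEC collector would extract from event 4624; names are hypothetical.
EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "t0admin", "LogonType": 10, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Computer": "WS-ALICE", "TargetUserName": "t0admin", "LogonType": 2, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "Computer": "APP01", "TargetUserName": "t0-backup-op", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "Computer": "APP01", "TargetUserName": "t0-backup-op", "LogonType": 5, "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4624, "Computer": "WS-ALICE", "TargetUserName": "alice", "LogonType": 2, "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4672, "Computer": "DC01", "TargetUserName": "t0admin"},  # special privileges assigned: context only
]

def tier0_logon_findings(events, tier0_accounts=TIER0_ACCOUNTS, tier0_hosts=TIER0_HOSTS):
    """One finding per 4624 record that contradicts the Tier 0 administration model:
    a Tier 0 account logging on outside Tier 0 (high if secrets get cached on that host,
    medium for a pure network logon), and any NTLM authentication by a Tier 0 account."""
    findings = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        user = e["TargetUserName"].lower()
        if user not in tier0_accounts:
            continue
        host, ltype = e["Computer"].upper(), int(e["LogonType"])
        base = {"account": user, "host": host, "logon_type": ltype}
        if host not in tier0_hosts:
            sev = "high" if ltype in CACHING_LOGON_TYPES else "medium"
            findings.append({**base, "reason": "tier0-account-on-non-tier0-host", "severity": sev})
        if e.get("AuthenticationPackageName") == "NTLM":
            findings.append({**base, "reason": "tier0-account-used-ntlm", "severity": "medium"})
    return findings

def severity_counts(findings):
    """Summary for the remediation backlog, e.g. {'high': 2, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

if __name__ == "__main__":
    results = tier0_logon_findings(EVENTS)
    for f in results:
        print(f"[{f['severity']}] {f['reason']}: {f['account']} on {f['host']} (logon type {f['logon_type']})")
    print(severity_counts(results))
```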

How to Apply These Recommendations in a Real AD Environment

The right method is not to convert an ANSSI guide into a thousand tiny tasks. In a real directory, it is better to move in seven structured steps.

1. Freeze the source set

Decide which guide drives which decision:

  • the 2023 AD guide for segmentation and Tier 0;
  • the 2021 administration guide for accounts, workstations, and admin networks;
  • the 2022 logging guide for collection and retention;
  • the 2023 Tier 0 remediation guide for post-compromise situations.

2. Map trust zones and Tiers

List the resources that control the directory or can influence it: domain controllers, PKI, backup, hypervisors, administration tools, privileged accounts, critical GPOs, trust relationships, and administrator workstations. A tool comparison such as Active Directory Security Audit Tools: What to Compare Before You Choose becomes relevant if you need to substantiate those control paths at scale.

3. Document administrative paths

Does a Tier 0 administrator connect from a dedicated workstation? From which network? With which individual account? Are office and administrative use cases still mixed? Are privileged accounts really constrained to their intended perimeter, or do their secrets still appear on lower-trust systems?

4. Revisit the protocols and mechanisms that break segmentation

The 2023 AD guide dedicates an entire chapter to the dangers of NTLM and Kerberos for segmentation. You therefore have to review the mechanisms that allow secret reuse, broad credential spread, or overly permissive delegation. This is where it makes sense to cross-check your controls against topics such as Kerberos Delegation Attacks: From Unconstrained to RBCD Abuse, AD and Azure Compliance: NIS2, ISO 27001, CIS Controls, or ADCS exposures if your PKI plays a role in control paths.

5. Build sustainable logging

Enable the useful logs, centralize them, secure the collectors, and keep time synchronization under control. Do not try to see everything on day one. First make privileged administration, critical changes, and activities that affect the core trust boundary visible.

6. Build a structured remediation backlog

Not every deviation matters equally. An old privileged account that is still active, an excessive delegation on a privileged object, a non-dedicated admin workstation, a poorly controlled trust relationship, or broken event collection do not have the same impact. The right backlog is not sorted by technology type, but by impact on segmentation and Tier 0.

7. Know when to leave hardening and enter remediation

If you already detect active compromise paths, persistence on privileged assets, or a loss of trust in the core trust boundary, you need a different frame. At that point, the Tier 0 remediation guide is more appropriate than a normal hardening checklist.

Validation After Hardening

An AD environment is not "ANSSI-aligned" just because a documentation pack exists. You need to be able to answer precise validation questions.

On segmentation

  • Can Tier 0 still be reached from a lower-level workstation, account, or tool?
  • Do backup, virtualization, PKI, or third-party administration systems open a control path toward the directory?
  • Have trust relationships and delegations been reviewed with a trust model in mind rather than only functionality?

On administration

  • Are privileged accounts individual and restricted to administrative use only?
  • Are administrator workstations dedicated, controlled, and free from internet or internet-connected email access?
  • Can privileged-account secrets still land in memory on machines that are not part of the core trust boundary?

On detection

  • Are critical logs enabled and centralized?
  • Are collection servers segmented and monitored themselves?
  • Is it actually possible to investigate a privileged-object modification, abnormal administration action, or suspected Tier 0 compromise from the data that is available?

On doctrine

  • Do the teams know which ANSSI guide to use for which topic?
  • Has the 2014 guide really been removed from the baseline source set?
  • Are NIS2 or ISO requirements treated as adjacent topics, without making the AD guide say things it does not say?

How EtcSec Helps Validate These Gaps

EtcSec is not there to turn a technical guide into a marketing badge. The value of a specialized audit lies elsewhere: making visible the gaps that the ANSSI texts describe but that teams often struggle to substantiate at the scale of a real environment.

In practice, an audit aligned with that approach should help you:

  • map control paths into Tier 0 and privileged objects;
  • inventory privileged accounts, delegated rights, and exposures that no longer have a clear justification;
  • highlight where logical segmentation is contradicted by actual usage;
  • verify whether logging and collection really support detection and investigation;
  • prioritize remediation work that reduces the risk of losing control of the directory again.

In that model, EtcSec helps validate technical gaps. It does not replace architecture decisions, internal governance, or post-incident remediation work when the core trust boundary is already lost.

Primary References