Integration of technical and organizational measures to protect the Active Directory domain: from network segmentation to incident monitoring system
Mikhail I. Mitrofanov (1), Oleg S. Lauta (2), Nikolai N. Kramskoy (3), Aleksandr S. Kurakin (3)
(1) National Research ITMO University.
(2) Admiral Makarov State University of Maritime and Inland Shipping.
(3) Limited Liability Company «Special Technology Center».
DOI 10.24412/2410-9916-2026-1-219-218
Abstract
Purpose. Corporate infrastructures depend heavily on the Active Directory (AD) domain architecture, so domain protection is a key element of the stability of an organization's entire information system. Operational practice shows, however, that even with a variety of technical protection tools, AD compromise remains possible because technical and organizational measures are not integrated systematically: security solutions are implemented in a fragmented way, administration and monitoring procedures are inconsistent, and there is a gap between the security architecture and the processes that maintain it. The purpose of this work is to develop an integrated AD domain protection model that combines technical and organizational measures at all levels of the infrastructure, from network segmentation to the incident monitoring system, and that formalizes criteria for their criticality and interrelationships.
Methods. The methodology is based on a system analysis of the domain infrastructure, decomposition of protection levels, analysis of the MITRE ATT&CK matrix, expert assessment of the criticality of measures, and analysis of Windows event logs to build a monitoring model and correlate incidents.
Novelty. A five-level integrated AD protection model is proposed in which the monitoring system (SIEM-EDR) acts as an integration layer that combines technical and organizational countermeasures into a single layered architecture. A classification of measures by criticality level is introduced, depending on their position in the attack chain.
Results. A structured model for integrating technical and organizational AD protection measures has been developed; tables matching attack vectors to countermeasures have been compiled; priorities for monitoring Windows events and criteria for the criticality of protective measures have been determined.
Practical relevance. The proposed model makes it possible to build a domain infrastructure protection architecture that accounts for the constraints of real organizations, to justify the order in which measures are implemented, to increase the effectiveness of incident response processes, and to allocate the information security budget rationally.
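The abstract describes a monitoring layer that prioritizes Windows events and correlates them into incidents according to their position in the attack chain. The following is an added example, not code from the paper or its authors, of what such a correlation layer looks like in practice: three rules over a constructed sample of Windows Security log events, each mapped to a criticality level and a MITRE ATT&CK technique identifier, with results triaged by criticality. The event field names follow the Security log's EventData names (TargetUserName, IpAddress, TicketEncryptionType, ServiceName), but every value is invented; the thresholds, the privileged-group list and the rule-to-criticality mapping are assumptions for illustration and are not the classification proposed in the paper.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (invented values, not real telemetry).
# 4625 = failed logon, 4624 = successful logon, 4728 = member added to a security-enabled
# global group (TargetUserName is the group), 4769 = Kerberos service ticket requested.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2026-01-10T08:00:01", "TargetUserName": "j.doe", "IpAddress": "10.0.5.23"},
    {"EventID": 4625, "TimeCreated": "2026-01-10T08:00:02", "TargetUserName": "j.doe", "IpAddress": "10.0.5.23"},
    {"EventID": 4625, "TimeCreated": "2026-01-10T08:00:03", "TargetUserName": "j.doe", "IpAddress": "10.0.5.23"},
    {"EventID": 4625, "TimeCreated": "2026-01-10T08:00:04", "TargetUserName": "j.doe", "IpAddress": "10.0.5.23"},
    {"EventID": 4625, "TimeCreated": "2026-01-10T08:00:05", "TargetUserName": "j.doe", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2026-01-10T08:00:09", "TargetUserName": "j.doe", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2026-01-10T08:05:00", "TargetUserName": "a.smith", "IpAddress": "10.0.7.8"},
    {"EventID": 4728, "TimeCreated": "2026-01-10T08:06:00", "SubjectUserName": "j.doe", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2026-01-10T08:07:00", "SubjectUserName": "a.smith", "TargetUserName": "Marketing"},
    {"EventID": 4769, "TimeCreated": "2026-01-10T08:10:00", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TimeCreated": "2026-01-10T08:10:02", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TimeCreated": "2026-01-10T08:10:05", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TimeCreated": "2026-01-10T08:11:00", "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.8"},
    {"EventID": 4769, "TimeCreated": "2026-01-10T08:12:00", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.7.8"},
]

# Illustrative assumptions: which groups count as privileged and how rules rank for analyst queues.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}  # global, local and universal security group additions
CRITICALITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Alert:
    rule: str
    criticality: str  # position in the analyst queue
    technique: str    # MITRE ATT&CK technique id the rule maps to
    key: str          # entity the alert is about (account, group change or source address)
    evidence: int     # number of events supporting the alert


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_privileged_group_changes(events):
    """Any addition to a privileged group is critical: it sits at the end of the attack chain."""
    return [
        Alert("privileged_group_change", "critical", "T1098",
              key=f'{e["SubjectUserName"]}->{e["TargetUserName"]}', evidence=1)
        for e in events
        if e["EventID"] in GROUP_CHANGE_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS
    ]


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Correlate a successful logon with preceding failures from the same source address."""
    failures = defaultdict(list)  # source address -> timestamps of 4625 events
    alerts = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        ip = e.get("IpAddress")
        if e["EventID"] == 4625:
            failures[ip].append(parse_ts(e["TimeCreated"]))
        elif e["EventID"] == 4624:
            now = parse_ts(e["TimeCreated"])
            recent = [t for t in failures[ip] if now - t <= window]
            if len(recent) >= threshold:
                alerts.append(Alert("bruteforce_then_success", "high", "T1110", key=ip, evidence=len(recent)))
                failures[ip].clear()  # do not re-alert on the same burst
    return alerts


def detect_rc4_service_ticket_burst(events, threshold=3, window=timedelta(minutes=5)):
    """Many RC4 (0x17) service tickets for user-account SPNs from one client in a short window."""
    requests = defaultdict(list)  # source address -> (timestamp, service) pairs
    for e in events:
        if (e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17"
                and not e["ServiceName"].endswith("$")):  # computer accounts end with '$'
            requests[e["IpAddress"]].append((parse_ts(e["TimeCreated"]), e["ServiceName"]))
    alerts = []
    for ip, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts.append(Alert("rc4_service_ticket_burst", "high", "T1558.003", key=ip, evidence=len(services)))
                break
    return alerts


def triage(events):
    """Run every rule and order the alerts the way a SIEM queue would present them."""
    alerts = (detect_privileged_group_changes(events)
              + detect_bruteforce_then_success(events)
              + detect_rc4_service_ticket_burst(events))
    return sorted(alerts, key=lambda a: (CRITICALITY_ORDER[a.criticality], a.rule))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.criticality:8}] {alert.rule:26} {alert.technique:10} {alert.key} (events: {alert.evidence})")
```

Each rule is self-contained so the criticality of an alert is decided by the rule, not by the volume of matching events, which is the point of classifying measures by their position in the attack chain: a single privileged-group change outranks a large burst of failed logons. In a real deployment the event dictionaries would come from the SIEM's parsed Security log, and the thresholds and group list would be tuned to the organization.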
Key words
Active Directory, domain infrastructure, information security, network segmentation, SIEM, EDR, defense in depth, incident monitoring, MITRE ATT&CK, privileged access management.
Reference for citation
Mitrofanov M. I., Lauta O. S., Kramskoy N. N., Kurakin A. S. Integration of technical and organizational measures to protect the Active Directory domain: from network segmentation to incident monitoring system. Systems of Control, Communication and Security, 2026, no. 1, pp. 219-218. DOI: 10.24412/2410-9916-2026-1-219-218 (in Russian).
This article is distributed under the Creative Commons Attribution 4.0 License.
The metadata of the article is distributed under the CC0 1.0 Universal license.