Active Directory L3 Support Engineer - NTLM, PowerShell, AD, LDAP signing, Zero Trust, CyberArk
Toronto, ON - Hybrid (4 Days WFO)
6-12 Months Contract
Key Responsibilities
- Deploy and configure additional domain controllers across primary and disaster recovery sites, including DC01 and DC02, to improve availability, resilience, and site-level recovery readiness.
- Replace legacy Windows Server 2016 domain controllers and support platform modernization activities with minimal service disruption.
- Implement production and development network segmentation to reduce lateral movement risk and align identity services with Zero Trust principles.
- Maintain Active Directory health across replication, authentication, DNS integration, and Group Policy processing.
Security Hardening and Access Control
- Enable Extended Protection for Authentication (EPA) and require SSL/TLS for privileged HTTP-based services such as AD CS and ADWS to reduce credential relay and man-in-the-middle exposure.
- Enforce SMB signing to help prevent tampering and NTLM relay over SMB sessions.
- Disable NTLMv1 and strengthen LDAP protections by enforcing LDAP signing and channel binding / LDAPS for directory communications.
- Implement Kerberos armoring, restrict unconstrained delegation, tighten delegation permissions on privileged accounts, and address unknown delegation entries.
- Remediate excessive privilege findings, including AdminCount issues, GPO-deployed file exposure, missing protective ACLs, and privileged accounts not enrolled in Protected Users.
- Remove insecure legacy access patterns such as pre-Windows 2000 compatible group usage and administrator logon allowances through Group Policy.
- Enforce stronger password and privileged account controls, including a 12-character minimum complexity baseline, password expiration where appropriate, and smartcard password rotation requirements.
- Identify and remediate risky account configurations such as PASSWD_NOTREQD, password never expires, admin accounts with email usage, and missing delegation restrictions.
Group Policy, Logging, and Compliance
- Harden Group Policy baselines by enforcing event audit logging, PowerShell logging, supported encryption types, remote desktop best-practice settings, and secure administrator sign-in controls.
- Review and remediate LDAP signing and channel binding gaps, privileged HTTP service protection gaps, and other domain-level weak configurations identified through assessments.
- Document remediation plans, implementation standards, and operational procedures to support audit readiness and ongoing compliance.
- Partner with infrastructure, cybersecurity, and application teams to validate compatibility, sequence change windows, and reduce operational risk during security enforcement activities.
Required Technical Skills
- Hands-on experience administering Active Directory Domain Services in multi-domain or multi-site enterprise environments.
- Strong knowledge of domain controllers, replication, DNS, Group Policy, authentication flows, and disaster recovery design for AD.
- Practical experience implementing Microsoft security controls such as EPA, LDAP signing, channel binding, Kerberos hardening, SMB signing, and privileged account protections.
- Experience with Active Directory Certificate Services, Active Directory Web Services, Windows Server hardening, and identity-related remediation programs.
- Ability to analyze and remediate privilege escalation paths, insecure account settings, and policy-based configuration weaknesses.
- Proficiency with PowerShell for audit, remediation, automation, and operational reporting.
- Experience planning and executing infrastructure upgrades, domain controller replacement, and controlled production changes.
Preferred Qualifications
- Experience supporting regulated or highly controlled enterprise environments with strong audit, change management, and documentation expectations.
- Familiarity with Zero Trust architecture, privileged access management, and identity security assessments.
- Relevant Microsoft certifications in Windows Server, Active Directory, security, or identity administration are advantageous.
Pay: $55.00-$60.00 per hour
Work Location: Hybrid remote in Toronto, ON (Toronto District)