
Implementing Micro-Segmentation in a Legacy Enterprise Lab Network: A Zero Trust Approach to Reducing Lateral Movement, Improving Containment, and Controlling Operational Overhead

Implementing Micro-Segmentation in a Legacy Enterprise Lab Network: A Zero Trust Approach to Reducing Lateral Movement, Improving Containment, and Controlling Operational Overhead (PDF, 6.33MB)
Published: 24 Mar, 2026
Created by: Dennis Ankrah

Older enterprise networks often rely on broad internal trust, allowing extensive east–west connectivity that can accelerate lateral movement after an initial compromise.

This study evaluates micro-segmentation as a practical Zero Trust control in a Windows Active Directory lab that models common legacy dependencies (directory services, file services, a web tier, and a database tier).

Three postures are compared: a permissive flat baseline, dependency-based service allow-listing, and an identity/role-aware posture that restricts privileged management paths. Effectiveness is quantified using reachability metrics (allowed flows, reachable hosts, and hop depth), time-to-containment from observed unauthorized attempts, performance of representative HTTP/SMB flows, and operational overhead (rule footprint and change events).

Results show a material reduction in internal reachability and improved containment timelines, with a manageable performance impact, culminating in an implementation roadmap and a repeatable metrics pack to support phased adoption in legacy environments.
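As an added illustration (not code from the paper), the following models the three postures over a small constructed lab of the kind the abstract describes and computes the reachability metrics it names: allowed flows (rule footprint), hosts reachable from a compromised host, and hop depth. The host names, dependency map and service labels are assumptions for the example.

```python
from collections import deque

# Constructed lab (assumption): workstation, domain controller, file server,
# web tier, database tier and an administrative jump host.
HOSTS = ["WS", "DC", "FS", "WEB", "DB", "JUMP"]
# Documented legacy dependencies as (source, destination, service).
DEPENDENCIES = [
    ("WS", "DC", "ldap"), ("WS", "FS", "smb"), ("WS", "WEB", "http"),
    ("WEB", "DB", "sql"), ("WEB", "DC", "ldap"), ("FS", "DC", "ldap"),
    ("DB", "DC", "ldap"), ("JUMP", "DC", "ldap"),
]
MGMT = ["rdp", "winrm"]                       # privileged management paths
SERVICES = ["ldap", "smb", "http", "sql"] + MGMT

def flat_posture():
    """Permissive baseline: any host to any host on any service."""
    return {(s, d, v) for s in HOSTS for d in HOSTS if s != d for v in SERVICES}

def dependency_posture():
    """Service allow-list: documented dependencies only, but management is
    still permitted from the workstation and jump host (a legacy habit)."""
    mgmt = {(s, d, m) for s in ("WS", "JUMP") for d in HOSTS if d != s for m in MGMT}
    return set(DEPENDENCIES) | mgmt

def identity_posture():
    """Role-aware: dependencies plus management paths from the jump host only."""
    mgmt = {("JUMP", d, m) for d in HOSTS if d != "JUMP" for m in MGMT}
    return set(DEPENDENCIES) | mgmt

def reachability(rules, start):
    """Breadth-first search over allowed flows from a compromised host.
    Returns the set of other hosts reachable (transitively) and the max hop depth."""
    adj = {}
    for s, d, _ in rules:
        adj.setdefault(s, set()).add(d)
    depth, queue = {start: 0}, deque([start])
    while queue:
        h = queue.popleft()
        for n in adj.get(h, ()):
            if n not in depth:
                depth[n] = depth[h] + 1
                queue.append(n)
    return set(depth) - {start}, max(depth.values())

def metrics(rules, start="WS"):
    """Metrics pack for one posture, assuming `start` is the compromised host."""
    reached, hops = reachability(rules, start)
    return {"allowed_flows": len(rules), "reachable_hosts": len(reached), "hop_depth": hops}
```

Running `metrics()` for each posture shows the flat baseline exposing every host in one hop, while the role-aware posture both removes hosts from reach and forces extra hops through the web tier.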