Secure Bits
Want to eliminate passwords for Domain Admins in Active Directory?
You can, but only with certificate-based logon, properly implemented.
Smart cards (e.g. YubiKey 5 NFC) let you remove passwords entirely, even for privileged accounts.
But it has to be set up right:
🔹 Authentication uses PKINIT (Kerberos with certificates). The private key never leaves the smart card.
🔹 AD requires three certificate templates:
  • Kerberos Authentication (Domain Controllers)
  • Enrollment Agent (the admin issuing certificates)
  • Smartcard Logon (end users)
🔹 DCs get their certificates via auto-enrollment (GPO).
🔹 Admins use tools like certmgr.msc + YubiKey Manager to enroll users.
🔹 The smart card minidriver must be installed on the local workstation and on every RDP target.
🔹 Set a Smart Card Removal Policy so the session locks or logs off when the key is pulled.
🔹 Flag accounts with "Smart card is required for interactive logon" to block password fallback.
  • Optional: set 120-character random passwords for disabled accounts with the same check.
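As an added example (not code from Martin Handl's post or article), here is how the last two steps look in PowerShell: audit which Domain Admins still accept a password, set the "Smart card is required for interactive logon" flag together with a 120-character random password, and configure the local smart card removal behaviour. It assumes the RSAT ActiveDirectory module and a privileged session; the function names and the character alphabet are this example's own choices, the group name, the 120-character length and the lock/logoff options come from the post.

```powershell
# Added example, not from the original post. Needs the RSAT ActiveDirectory
# module and a privileged session. "Domain Admins", the 120-character length
# and the lock/logoff removal policy come from the post; function names and
# the character alphabet are this example's own choice.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 120)
    # Characters are drawn from a CSPRNG. The small modulo bias of '% 76' is
    # irrelevant here: the value is never typed or stored anywhere, it only
    # makes the password path unusable.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_~'
    $bytes    = New-Object byte[] $Length
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Get-PasswordFallbackAdmins {
    # Returns every (nested) member of the group that can still log on with a
    # password, i.e. lacks "Smart card is required for interactive logon".
    param([string]$Group = 'Domain Admins')
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SmartcardLogonRequired |
        Where-Object { -not $_.SmartcardLogonRequired } |
        Select-Object SamAccountName, Enabled, SmartcardLogonRequired
}

function Set-SmartCardOnly {
    # Sets the flag and, as in the post's optional step, replaces the password
    # with a 120-character random one so nothing guessable is left behind.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Require smart card logon')) {
        $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secret -Reset
        Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
    }
}

function Set-SmartCardRemovalPolicy {
    # Local equivalent of the GPO setting "Interactive logon: Smart card
    # removal behavior". ScRemoveOption is REG_SZ: 1 = lock, 2 = force logoff.
    # The Smart Card Removal Policy service (SCPolicySvc) must run to enforce it.
    param([ValidateSet('Lock', 'Logoff')][string]$Action = 'Lock')
    $value = if ($Action -eq 'Lock') { '1' } else { '2' }
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                     -Name ScRemoveOption -Value $value
    Set-Service -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc
}

# 1. Audit first: which privileged accounts still accept a password?
Get-PasswordFallbackAdmins | Format-Table -AutoSize

# 2. Enforce per account once its certificate enrollment has been verified.
#    Remove -WhatIf to apply the change.
Get-PasswordFallbackAdmins |
    ForEach-Object { Set-SmartCardOnly -SamAccountName $_.SamAccountName -WhatIf }

# 3. Lock the session when the key is pulled (run on the workstation / RDP target).
Set-SmartCardRemovalPolicy -Action Lock
```

Run the audit before enforcing anything: an account that gets the flag before its certificate works is locked out, not passwordless. One caveat worth knowing: the flag randomizes the account's NT hash but does not remove it, and it is not rotated unless the domain runs at the 2016 functional level with "Rolling public key only user's NTLM secrets" enabled, so NTLM-based access paths deserve a separate look.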
Get rid of passwords ✅
Have you already deployed passwordless logon in AD? What worked (or broke)?
Author: Martin Handl, full article: https://iqunit.com/smartcard-logon-teil-1/
