🛠️ [𝗣𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹 𝗕𝗶𝘁𝘀] – 𝗦𝗣𝗡
Go and check your Active Directory for SPNs. You can do so easily with any simple PowerShell script. Example:
____
Import-Module ActiveDirectory
# User accounts (excluding krbtgt) that have at least one SPN registered
Get-ADUser -LDAPFilter '(&(objectCategory=user)(!(samAccountName=krbtgt))(servicePrincipalName=*))' -Properties Name, UserPrincipalName, ServicePrincipalName |
    Select-Object Name, UserPrincipalName, @{N="ServicePrincipalName";E={$_.ServicePrincipalName -join ", "}}
____
(𝙩𝙝𝙞𝙨 𝙞𝙨 𝙖𝙡𝙨𝙤 𝙥𝙖𝙧𝙩 𝙤𝙛 𝙢𝙮 𝙩𝙤𝙤𝙡 𝘼𝘿𝙋𝙧𝙤𝙗𝙚)
❓Once you have results, go through the following 𝘁𝗵𝗼𝘂𝗴𝗵𝘁 𝗽𝗿𝗼𝗰𝗲𝘀𝘀:
Do I know these service accounts?
✅ Proceed below
❌ You need to investigate
Do I need these service accounts?
✅ Proceed below
❌ Decommission them
Can these service accounts be migrated to MSA type?
✅ Change them
❌ Proceed below
Is the password of that account long and complex?
✅ You should be good now
❌ Proceed below
Improve the password and change it regularly.
This ensures you 𝗺𝗼𝘃𝗲 𝗮𝘁 𝗹𝗲𝗮𝘀𝘁 𝗮 𝗯𝗶𝘁 𝘁𝗼𝘄𝗮𝗿𝗱 𝗮 𝗺𝗼𝗿𝗲 𝘀𝗲𝗰𝘂𝗿𝗲 Active Directory.
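
To support the thought process above, the following added example (not part of the original post and not taken from ADProbe) pulls the attributes that help answer each question: whether the account is enabled, when it last logged on, and how old its password is. The two thresholds and the wording of the NextStep hints are assumptions; adjust them to your own policy.

```powershell
# Added example: triage data for SPN-bearing user accounts.
# Thresholds below are assumptions, not values from the original post.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365   # assumed rotation policy
$StaleLogonDays     = 90    # assumed "probably unused" threshold

$filter = '(&(objectCategory=user)(!(samAccountName=krbtgt))(servicePrincipalName=*))'
$props  = 'ServicePrincipalName', 'PasswordLastSet', 'LastLogonDate',
          'PasswordNeverExpires', 'Enabled', 'Description'
$now    = Get-Date

$report = Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
    # PasswordLastSet is empty when the password must change at next logon;
    # LastLogonDate comes from lastLogonTimestamp and can lag by about two weeks.
    $pwdAge = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
    $idle   = if ($_.LastLogonDate)   { [int]($now - $_.LastLogonDate).TotalDays }   else { $null }

    # Map the facts to the next question in the checklist
    $next = if (-not $_.Enabled) {
        'Disabled but still has an SPN: decommission?'
    } elseif ($null -eq $idle -or $idle -gt $StaleLogonDays) {
        'No recent logon: is it still needed?'
    } elseif ($null -eq $pwdAge -or $pwdAge -gt $MaxPasswordAgeDays) {
        'Old password: migrate to MSA or rotate'
    } else {
        'Confirm owner and check whether MSA is possible'
    }

    [pscustomobject]@{
        Name                 = $_.Name
        Enabled              = $_.Enabled
        Description          = $_.Description
        DaysSinceLogon       = $idle
        PasswordAgeDays      = $pwdAge
        PasswordNeverExpires = $_.PasswordNeverExpires
        SPNs                 = $_.ServicePrincipalName -join ', '
        NextStep             = $next
    }
}

# Oldest passwords first; export with Export-Csv if you want to track progress
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize -Wrap
```

Password age is only a proxy: Active Directory does not expose password length or complexity, so that last question still has to be answered with the account owner.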
