From the Field — Real-World Findings from Security Assessments
🔥 ~30% of environments I assessed still co-host critical roles instead of separating them
I see this all the time:
🔸 DHCP on Domain Controllers (and yes—there are some nasty escalation paths with default DHCP groups when hosted on a DC)
🔸 AD CS on Domain Controllers
🔸 Entra ID Connect co-hosted with other services
🔸 …and more
This isn't just "messy architecture" — it creates real attack paths, and it also makes a proper Tiering Model / access restrictions almost impossible, because these roles often belong to different tiers.
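A quick way to find out whether any of the roles listed above are sitting on a Domain Controller is to inventory the DCs themselves. The following PowerShell script is an added example, not code from the original post or its author. It assumes the ActiveDirectory RSAT module is available on the machine you run it from and that PowerShell Remoting (WinRM) is allowed to each DC; the feature and service names are the standard Windows identifiers for DHCP Server, the AD CS Certification Authority and the Entra ID Connect sync service, and the DHCP group names are the defaults created when the DHCP role is installed on a DC.

```powershell
# Added example (not from the original post): inventory every Domain Controller
# for the co-hosted roles called out above, then review the default DHCP groups
# if DHCP turned up on any DC. Assumes RSAT AD module + WinRM access to the DCs.
Import-Module ActiveDirectory

# Roles to look for: Windows feature name (Get-WindowsFeature) and/or service name.
# Entra ID Connect is not a Windows feature, so it is detected via its service only.
$coHostedRoles = @(
    @{ Name = 'DHCP Server';                     Feature = 'DHCP';                Service = 'DHCPServer' }
    @{ Name = 'AD CS (Certification Authority)'; Feature = 'ADCS-Cert-Authority'; Service = 'CertSvc' }
    @{ Name = 'Entra ID Connect';                Feature = $null;                 Service = 'ADSync' }
)

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    # Collect installed features and service names from the DC in one round trip.
    $remote = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $features = Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name
        $services = Get-Service | Select-Object -ExpandProperty Name
        [pscustomobject]@{ Features = $features; Services = $services }
    } -ErrorAction SilentlyContinue

    if (-not $remote) {
        Write-Warning "Could not query $($dc.HostName); check WinRM/firewall."
        continue
    }

    foreach ($role in $coHostedRoles) {
        $present = ($role.Feature -and ($remote.Features -contains $role.Feature)) -or
                   ($remote.Services -contains $role.Service)
        if ($present) {
            [pscustomobject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                CoHostedRole     = $role.Name
            }
        }
    }
}

# One row per (DC, role) that should not be co-hosted; an empty table is the goal.
$findings | Sort-Object DomainController | Format-Table -AutoSize

# When DHCP is installed on a DC, the default DHCP groups live in the domain.
# Review their membership: they should be empty or very tightly controlled.
if ($findings | Where-Object CoHostedRole -eq 'DHCP Server') {
    foreach ($grp in 'DHCP Administrators', 'DHCP Users') {
        try {
            $members = Get-ADGroupMember -Identity $grp -Recursive |
                       Select-Object -ExpandProperty SamAccountName
            '{0}: {1}' -f $grp, $(if ($members) { $members -join ', ' } else { '<empty>' })
        } catch {
            Write-Warning "Group '$grp' not found in the domain."
        }
    }
}
```

Run it from a Tier 0 administrative workstation with an account that is allowed to reach the DCs; a DC that cannot be queried is reported as a warning rather than silently treated as clean, so the output should be read together with those warnings. Each row in the resulting table is a role that belongs in a different tier than the Domain Controller it runs on.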
In 2026, I really struggle to find a good reason not to separate services—at least for the security-critical ones.
Even if you're limited by licensing / VM counts, you can still design it sanely — but you need to understand the tiering concept first, otherwise you'll lock yourself into a risky setup.
(short free intro here: https://academy.horizon-secured.com/p/windows-infrastructure-security-tiering-model)
💬 Do you co-host services in your environment? If yes—what's the reason (cost, legacy, operational constraints)?
