From the Field – Real-World Findings from Security Assessments
🔥 47.6% of infrastructures I've assessed do not use the least privilege model for service accounts
Most environments still rely on basic domain user accounts as service accounts, and they're usually highly privileged. This creates several problems:
1️⃣ Passwords in the background – These accounts have regular passwords, which are often weak and almost never rotated (without a 3rd-party solution). I frequently see prehistoric service accounts from 2003 that nobody dares to touch, because when disabled, something breaks. Many of them have 5–8 character passwords.
2️⃣ Kerberoasting risk – If a Service Principal Name (SPN) is registered on the account, any authenticated domain user can request a Ticket Granting Service (TGS) ticket for it. These tickets are encrypted with a key derived from the account's password. If that password is weak, attackers can crack it offline and gain access as the service account.
How to handle service accounts properly:
🔹 Don't use basic domain user accounts for services.
🔹 If access is needed only to local resources, use Virtual Service Accounts (VSA).
🔹 If access to domain resources is needed, use Managed Service Accounts (MSA / gMSA / dMSA).
With Windows Server 2025, you can more easily replace your service accounts with dMSAs.
If you must use basic user accounts:
🔸 Use long, random passwords (20+ characters).
🔸 Restrict Kerberos encryption to AES only.
✅ And the main thing: always provide just enough privileges to finish the task. Do not use highly privileged groups just because somebody asks you to; there is usually a better way.
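As an added example (not part of the original post), a PowerShell audit that finds the accounts the post describes: enabled domain users carrying an SPN, checked for RC4 still being allowed, stale passwords and membership in privileged groups, with the AES-only setting and gMSA replacement shown beside it. The privileged-group list, the age threshold and the account/host names are assumptions to adapt to your environment.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT module
# and read access to the listed attributes.
Import-Module ActiveDirectory

# Groups treated as a red flag for a service account (assumption: adjust to your tiering model).
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Backup Operators'
$maxPasswordAgeDays = 365   # assumption: anything older counts as "never rotated"

# msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
$RC4 = 0x4; $AES = 0x18     # 0x18 (AES128 + AES256) is the "AES only" value

$findings = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf, Enabled |
  Where-Object { $_.Enabled -and $_.SamAccountName -ne 'krbtgt' } |
  ForEach-Object {
    $etypes = $_.'msDS-SupportedEncryptionTypes'
    # An unset/zero value falls back to the domain default, which typically still permits RC4.
    $rc4Allowed = (-not $etypes) -or (($etypes -band $RC4) -ne 0) -or (($etypes -band $AES) -eq 0)
    $pwdAge = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
    $groups = @($_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })
    [pscustomobject]@{
        Account       = $_.SamAccountName
        SPNs          = ($_.ServicePrincipalName -join ';')
        Rc4Allowed    = $rc4Allowed
        PasswordAge   = $pwdAge
        StalePassword = ($null -eq $pwdAge) -or ($pwdAge -gt $maxPasswordAgeDays)
        PrivilegedVia = ($groups | Where-Object { $privilegedGroups -contains $_ }) -join ';'
    }
  }

# Oldest passwords first: these are the "prehistoric" accounts to replace before anything else.
$findings | Sort-Object PasswordAge -Descending | Format-Table -AutoSize

# Interim hardening for an account that must stay a domain user (placeholder name): AES-only tickets.
# Set-ADUser -Identity svc_legacy -KerberosEncryptionType AES128,AES256

# Replacement: a gMSA whose password AD rotates automatically (names are placeholders).
# Add-KdsRootKey -EffectiveImmediately           # once per forest; in production wait for replication
# New-ADServiceAccount -Name gmsa_app -DNSHostName gmsa_app.corp.example `
#     -PrincipalsAllowedToRetrieveManagedPassword 'APP-SERVERS$'   # only these hosts may use it
# Install-ADServiceAccount gmsa_app; Test-ADServiceAccount gmsa_app  # run on the member host
```

Accounts that show Rc4Allowed, StalePassword and a non-empty PrivilegedVia together combine all three problems from the post and belong at the top of the migration list.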
