From the Field: Real-World Findings from Security Assessments
🔥 66.7% of infrastructures I analyzed do not protect their privileged accounts on the Active Directory level.
This is a critical gap — and one that’s surprisingly easy to fix.
One of the most underrated ways to harden privileged accounts is by using the Protected Users group in Active Directory.
What do you gain?
✅ NTLM authentication is blocked — no NT hashes stored in memory
✅ Plaintext passwords are not cached (WDigest & legacy delegation)
✅ No delegation allowed
✅ TGTs have limited lifetime
✅ Kerberos-only authentication (safer by design)
(check the whole list in the documentation)
Yes, there are “limitations”:
⚠️ You can’t authenticate over IP (NTLM fallback won’t work)
⚠️ Some legacy apps or services may not support Protected Users
But the trade-off is worth it. This is low-effort, high-impact hardening — and one of the simplest ways to raise the bar for attackers.
📌 If you haven’t already — audit your privileged accounts and consider moving them under the protection of this group.
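To act on the audit recommended above, here is an added PowerShell example (my code, not code from the original post) that lists user members of the default privileged groups, flags those outside Protected Users, and offers an opt-in, -WhatIf-capable step to add them. It assumes the RSAT ActiveDirectory module, default English group names, rights to read (and optionally modify) group membership, and that it runs in the forest root domain, where Enterprise Admins and Schema Admins live; the excluded account name in the usage comment is a placeholder.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# default English group names, and rights to read (and optionally modify) membership.
Import-Module ActiveDirectory

# The DC-side protections (NTLM/RC4/DES refusal, no delegation, 4-hour TGT) require
# the domain functional level to be Windows Server 2012 R2 or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt 'Windows2012R2Domain') {
    Write-Warning "Domain functional level is $($domain.DomainMode); Protected Users needs 2012 R2 or higher."
}

# Groups to audit. Enterprise Admins and Schema Admins exist only in the forest root domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Resolve current Protected Users membership once, keyed by distinguished name.
$protectedDns = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty distinguishedName)

$findings = foreach ($group in $privilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }
    # Only user objects are candidates: computer accounts and gMSAs (objectClass
    # msDS-GroupManagedServiceAccount) must never be placed in Protected Users.
    foreach ($m in ($members | Where-Object objectClass -eq 'user')) {
        [pscustomobject]@{
            Account   = $m.SamAccountName
            Via       = $group
            Protected = $protectedDns -contains $m.distinguishedName
        }
    }
}

# Report: one row per account, unprotected accounts first.
$findings | Sort-Object Account -Unique | Sort-Object Protected, Account | Format-Table -AutoSize

$unprotected = @($findings | Where-Object { -not $_.Protected } | Sort-Object Account -Unique)
Write-Host "$($unprotected.Count) privileged user account(s) are not in Protected Users."

# Opt-in remediation with -WhatIf/-Confirm support so it can be rehearsed before any change.
function Add-ToProtectedUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Account,
        # Accounts to keep out: an emergency (break-glass) admin and any user-object
        # service accounts that still depend on NTLM or delegation (see the post's limitations).
        [string[]]$Exclude = @()
    )
    process {
        if ($Exclude -contains $Account) {
            Write-Verbose "Skipping excluded account $Account"
            return
        }
        if ($PSCmdlet.ShouldProcess($Account, "Add to 'Protected Users'")) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $Account
        }
    }
}

# Rehearsal only (nothing is changed); 'breakglass-admin' is a placeholder name.
# Remove -WhatIf once the list has been reviewed.
# $unprotected | Add-ToProtectedUsers -Exclude 'breakglass-admin' -WhatIf
```

Run the rehearsal line first and read the "What if" output; then add one account, verify that its owners can still log on to the hosts they need (Kerberos by hostname, no NTLM fallback), and only then roll out to the rest. Keeping one break-glass account outside the group avoids locking every administrator out if Kerberos is unavailable.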
