Category: Active Directory – Security

“Just enable MFA. It’s easy.”

🔒 Secure Bits 💡 “𝗝𝘂𝘀𝘁 𝗲𝗻𝗮𝗯𝗹𝗲 𝗠𝗙𝗔. 𝗜𝘁’𝘀 𝗲𝗮𝘀𝘆.” Sure… if you can rely on cloud identity. A lot of environments can. But 𝗺𝗮𝗻𝘆 – often the most critical ones – 𝗰𝗮𝗻𝗻𝗼𝘁 be connected to the internet at all. And that changes everything. In fully 𝗼𝗻-𝗽𝗿𝗲𝗺 / 𝗼𝗳𝗳𝗹𝗶𝗻𝗲 Windows environments, MFA often ends up being […]

Pick only 3 security controls for your AD

🔒 Secure Bits 💡 𝗜𝗳 𝘆𝗼𝘂 𝗰𝗼𝘂𝗹𝗱 𝗸𝗲𝗲𝗽 𝗼𝗻𝗹𝘆 𝟯 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝘀 𝗶𝗻 𝗮 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆 𝗲𝗻𝘃𝗶𝗿𝗼𝗻𝗺𝗲𝗻𝘁 – 𝘄𝗵𝗮𝘁 𝘄𝗼𝘂𝗹𝗱 𝘆𝗼𝘂 𝗽𝗶𝗰𝗸? I’m curious what your “top 3” are (I know it depends a lot on what we are protecting, but let’s try). 𝗜𝗳 𝗜 𝗵𝗮𝗱 𝘁𝗼 𝗰𝗵𝗼𝗼𝘀𝗲 (𝗻𝗼𝘁 𝗮 𝘀𝗶𝗺𝗽𝗹𝗲 𝗰𝗵𝗼𝗶𝗰𝗲), 𝗺𝗶𝗻𝗲 𝘄𝗼𝘂𝗹𝗱 𝗯𝗲: 1️⃣ 𝗧𝗶𝗲𝗿𝗶𝗻𝗴 […]

How long has your Active Directory been around?

🔒 Secure Bits 💡 𝗛𝗼𝘄 𝗹𝗼𝗻𝗴 𝗵𝗮𝘀 𝘆𝗼𝘂𝗿 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆 𝗯𝗲𝗲𝗻 𝗮𝗿𝗼𝘂𝗻𝗱? The older the AD, the more “history” it carries. Admins change, projects come and go… but the 𝗹𝗲𝗳𝘁𝗼𝘃𝗲𝗿𝘀 𝘀𝘁𝗮𝘆 – in the form of forgotten misconfigurations and risky settings that attackers love ⚠️ Once an attacker gets a foothold, one of the first […]

What’s 1 minute of security training worth?

💰 𝗪𝗵𝗮𝘁’𝘀 𝟭 𝗺𝗶𝗻𝘂𝘁𝗲 𝗼𝗳 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘁𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝘄𝗼𝗿𝘁𝗵? Many AD security trainings are premium live workshops, often priced 𝗮𝗯𝗼𝘃𝗲 $𝟯,𝟬𝟬𝟬. I built 𝗕𝘂𝗶𝗹𝗱𝗶𝗻𝗴 𝗮 𝗦𝗲𝗰𝘂𝗿𝗲 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆 𝗖𝗼𝘂𝗿𝘀𝗲 to make this 𝗸𝗻𝗼𝘄𝗹𝗲𝗱𝗴𝗲 𝗮𝗰𝗰𝗲𝘀𝘀𝗶𝗯𝗹𝗲 at a fraction of the cost — with 365-day on-demand access. ✅ Hands-on experience — You actually build and harden your own […]

Do you run Active Directory Certificate Services (AD CS)?

🛠️ Practical Bits 𝗗𝗼 𝘆𝗼𝘂 𝗿𝘂𝗻 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆 𝗖𝗲𝗿𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗲 𝗦𝗲𝗿𝘃𝗶𝗰𝗲𝘀 (𝗔𝗗 𝗖𝗦)? When was the last time you checked it for vulnerabilities? In security assessments this is 𝗲𝘃𝗲𝗿𝗴𝗿𝗲𝗲𝗻 — it’s common to find at least one certificate template that gives a 🚨straight path to 𝗗𝗼𝗺𝗮𝗶𝗻 𝗔𝗱𝗺𝗶𝗻. ➡️ Set aside one hour and scan your AD CS. It’s one of the 𝗵𝗶𝗴𝗵𝗲𝘀𝘁-𝗶𝗺𝗽𝗮𝗰𝘁 […]

Do you still need a Password Policy nowadays?

🛠️ Practical Bits 𝗗𝗼 𝘆𝗼𝘂 𝘀𝘁𝗶𝗹𝗹 𝗻𝗲𝗲𝗱 𝗮 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗣𝗼𝗹𝗶𝗰𝘆 𝗻𝗼𝘄𝗮𝗱𝗮𝘆𝘀? Yes — even if you use MFA or passwordless options. In Active Directory there are always 𝗲𝘅𝗰𝗲𝗽𝘁𝗶𝗼𝗻𝘀: service accounts, temporary accounts, break-glass accounts, newly created users… and those still rely on passwords. Strong password + lockout policies 𝗿𝗮𝗶𝘀𝗲 𝘁𝗵𝗲 𝗯𝗮𝗿 against password spraying and […]

Do you know how attackers hide inside Active Directory?

🔒 Secure Bits 💡 𝗗𝗼 𝘆𝗼𝘂 𝗸𝗻𝗼𝘄 𝗵𝗼𝘄 𝗮𝘁𝘁𝗮𝗰𝗸𝗲𝗿𝘀 𝗵𝗶𝗱𝗲 𝗶𝗻𝘀𝗶𝗱𝗲 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆? It’s called persistence. Attackers often want to stay in your environment long-term without being spotted – which means being a loud Domain Admin is usually not the plan. To spot this, you need to understand what options attackers have and how ACLs […]

Active Directory SPN

🛠️ [𝗣𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹 𝗕𝗶𝘁𝘀] – 𝗦𝗣𝗡 Go and check your Active Directory for SPNs. You can do so easily with any simple PowerShell script. Example: ____ Get-ADUser -LDAPFilter ‘(&(objectCategory=user)(!(samAccountName=krbtgt)(servicePrincipalName=*)))’ -Properties Name, UserPrincipalName, ServicePrincipalName | Select-Object Name, UserPrincipalName, @{N=”ServicePrincipalName”;E={$_.ServicePrincipalName -join “, “}} ____ (𝙩𝙝𝙞𝙨 𝙞𝙨 𝙖𝙡𝙨𝙤 𝙥𝙖𝙧𝙩 𝙤𝙛 𝙢𝙮 𝙩𝙤𝙤𝙡 𝘼𝘿𝙋𝙧𝙤𝙗𝙚) ❓Once you have results, go through the […]

Do you use Security Baselines?

𝗗𝗲𝗳𝗮𝘂𝗹𝘁 → 𝗛𝗮𝗿𝗱𝗲𝗻𝗲𝗱 Real configs. Real fixes. Windows & AD security. 𝗗𝗼 𝘆𝗼𝘂 𝘂𝘀𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗕𝗮𝘀𝗲𝗹𝗶𝗻𝗲𝘀? You should. They set a clear, enforceable standard for Windows & AD. Without baselines you’re either on defaults or on local tweaks—both 𝗹𝗲𝗮𝗱 𝘁𝗼 𝗱𝗿𝗶𝗳𝘁, 𝗶𝗻𝗰𝗼𝗻𝘀𝗶𝘀𝘁𝗲𝗻𝗰𝘆, 𝗮𝗻𝗱 𝗲𝗮𝘀𝘆 𝗼𝗽𝗲𝗻𝗶𝗻𝗴𝘀 for attackers. 𝗪𝗵𝗮𝘁 “𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗕𝗮𝘀𝗲𝗹𝗶𝗻𝗲𝘀” 𝗮𝗿𝗲: A curated set of […]

Can your Domain Admins log in to endpoints?

𝗗𝗲𝗳𝗮𝘂𝗹𝘁 → 𝗛𝗮𝗿𝗱𝗲𝗻𝗲𝗱 Real configs. Real fixes. Windows & AD security. Can your 𝗗𝗼𝗺𝗮𝗶𝗻 𝗔𝗱𝗺𝗶𝗻𝘀 𝗹𝗼𝗴 𝗶𝗻 𝘁𝗼 𝗲𝗻𝗱𝗽𝗼𝗶𝗻𝘁𝘀? 𝗧𝗵𝗲𝘆 𝘀𝗵𝗼𝘂𝗹𝗱𝗻’𝘁. Disable it. Build multiple tiers with separate privileged accounts for each tier and 𝗿𝗲𝘀𝘁𝗿𝗶𝗰𝘁 𝗮𝗰𝗰𝗲𝘀𝘀 with GPO so higher tiers cannot log on to lower tiers ✅. In practice for example, your 𝗧𝟬 (𝗗𝗼𝗺𝗮𝗶𝗻 […]