Windows – Security – Horizon Secured

Secure Boot certificates are expiring

🔒 Secure Bits 💡 𝗦𝗲𝗰𝘂𝗿𝗲 𝗯𝗼𝗼𝘁𝘀 𝗰𝗲𝗿𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗲𝘀 𝗮𝗿𝗲 𝗲𝘅𝗽𝗶𝗿𝗶𝗻𝗴 𝗶𝗻 𝗝𝘂𝗻𝗲 𝟮𝟬𝟮𝟲 – 𝗺𝗮𝗻𝘂𝗮𝗹 𝘀𝘁𝗲𝗽𝘀 𝗮𝗿𝗲 𝗿𝗲𝗾𝘂𝗶𝗿𝗲𝗱 𝘱𝘵. 1 Microsoft says many Windows client devices may update automatically, but Windows Server requires manual action. I assumed this type of operation would be 𝘀𝘁𝗿𝗮𝗶𝗴𝗵𝘁𝗳𝗼𝗿𝘄𝗮𝗿𝗱. ❌ It wasn’t. 𝗗𝗶𝘀𝗰𝗹𝗮𝗶𝗺𝗲𝗿: This is just a record of how I proceeded step […]

Do you use RDP?

🔒 Secure Bits 💡 𝗗𝗼 𝘆𝗼𝘂 𝘂𝘀𝗲 𝗥𝗗𝗣? There’s a 𝘀𝘂𝗿𝗽𝗿𝗶𝘀𝗶𝗻𝗴 𝗿𝗶𝘀𝗸 you might not be thinking about — and it’s already on your machine. When you use Remote Desktop (𝗥𝗗𝗣) via the 𝗠𝗦𝗧𝗦𝗖 client, any credentials you enter can be retrieved in plaintext in the process 𝗺𝗲𝗺𝗼𝗿𝘆. That means your domain admin password could […]

Disable NetBIOS, LLMNR, LMHOSTS and WINS

🔒 Secure Bits 💡 𝗗𝗼 𝘆𝗼𝘂 𝗱𝗶𝘀𝗮𝗯𝗹𝗲 𝗡𝗲𝘁𝗕𝗜𝗢𝗦, 𝗟𝗟𝗠𝗡𝗥 & 𝗟𝗠𝗛𝗢𝗦𝗧𝗦 (𝗮𝗻𝗱 𝗪𝗜𝗡𝗦)? You should—this is basic Windows hardening for domain devices. 𝗪𝗵𝗮𝘁 𝘁𝗼 𝘁𝘂𝗿𝗻 𝗼𝗳𝗳 (𝗮𝗻𝗱 𝗵𝗼𝘄): 🔹 𝗡𝗲𝘁𝗕𝗜𝗢𝗦 – legacy naming/session protocol. GPOs are hit-or-miss; set the registry per adapter (use a startup script to loop all adapters): 𝘏𝘒𝘓𝘔\𝘚𝘠𝘚𝘛𝘌𝘔\𝘊𝘶𝘳𝘳𝘦𝘯𝘵𝘊𝘰𝘯𝘵𝘳𝘰𝘭𝘚𝘦𝘵\𝘚𝘦𝘳𝘷𝘪𝘤𝘦𝘴\𝘕𝘦𝘵𝘉𝘛\𝘗𝘢𝘳𝘢𝘮𝘦𝘵𝘦𝘳𝘴\𝘐𝘯𝘵𝘦𝘳𝘧𝘢𝘤𝘦𝘴\{𝘎𝘜𝘐𝘋}\𝘕𝘦𝘵𝘣𝘪𝘰𝘴𝘖𝘱𝘵𝘪𝘰𝘯𝘴=2 🔹 𝗪𝗜𝗡𝗦 – only matters if […]

Windows Server Core

🔒 Secure Bits 💡 𝗛𝗮𝘁𝗲 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗲𝗿𝘃𝗲𝗿 𝗖𝗼𝗿𝗲? 𝗛𝗲𝗿𝗲’𝘀 𝗪𝗵𝘆 𝗬𝗼𝘂 𝗦𝗵𝗼𝘂𝗹𝗱 𝗔𝗰𝘁𝘂𝗮𝗹𝗹𝘆 𝗨𝘀𝗲 𝗜𝘁 Windows Server Core is one of the 𝗺𝗼𝘀𝘁 𝗺𝗶𝘀𝘂𝗻𝗱𝗲𝗿𝘀𝘁𝗼𝗼𝗱 𝗮𝗻𝗱 𝘂𝗻𝗱𝗲𝗿𝘂𝘀𝗲𝗱 “tools” in the Windows ecosystem. 🖥️ 𝗪𝗵𝗮𝘁 𝗶𝘀 𝗶𝘁? It’s Windows Server — but 𝘄𝗶𝘁𝗵𝗼𝘂𝘁 𝘁𝗵𝗲 𝗚𝗨𝗜. Just PowerShell, Command Line, and sconfig. And yes, it still supports critical […]

UAC – Prompt for consent for non-Windows binaries

🔒 Secure Bits 💡 𝗧𝗿𝘆 𝘁𝗵𝗶𝘀 𝗼𝗻 𝘆𝗼𝘂𝗿 𝗺𝗮𝗰𝗵𝗶𝗻𝗲: Windows + R → msconfig.exe → ENTER If msconfig opens without a prompt, your UAC config is too weak. This is a common misstep—many environments still run default Windows settings, leaving a gap attackers love to exploit via UAC bypass techniques. ✅ 𝗛𝗲𝗿𝗲’𝘀 𝗵𝗼𝘄 𝘁𝗼 𝗳𝗶𝘅 […]

UAC Recommended Settings

🔒 Secure Bits 💡 This is how your UAC configuration should look. Does it look different? If so, there should be a reason for it, as you might be allowing a potential attacker to bypass your UAC. There are usually over 300 items in security baselines, many of them crucial from a cybersecurity perspective. If […]

RDP Security Features

🔒 Secure Bits 💡 𝗗𝗼 𝘆𝗼𝘂 𝘂𝘀𝗲 𝗥𝗗𝗣 𝗿𝗲𝗴𝘂𝗹𝗮𝗿𝗹𝘆 𝗶𝗻 𝘆𝗼𝘂𝗿 𝗲𝗻𝘃𝗶𝗿𝗼𝗻𝗺𝗲𝗻𝘁? Then you should know there are more secure ways to do it. 𝗕𝘆 𝗱𝗲𝗳𝗮𝘂𝗹𝘁, your credentials are sent to the remote host during an RDP session — which means if the machine is compromised, attackers can steal and reuse them. 𝗕𝘂𝘁 𝘁𝗵𝗲𝗿𝗲’𝘀 𝗴𝗼𝗼𝗱 𝗻𝗲𝘄𝘀 […]

RDP Restricted Admin Mode

🔒 Secure Bits 💡 𝗗𝗼 𝗬𝗼𝘂 𝗨𝘀𝗲 𝗥𝗲𝘀𝘁𝗿𝗶𝗰𝘁𝗲𝗱 𝗔𝗱𝗺𝗶𝗻 𝗠𝗼𝗱𝗲 𝗳𝗼𝗿 𝗥𝗗𝗣? If not, you should—it 𝗽𝗿𝗲𝘃𝗲𝗻𝘁𝘀 𝗰𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗲𝘅𝗽𝗼𝘀𝘂𝗿𝗲. 𝗪𝗵𝘆 𝗜𝘁 𝗘𝘅𝗶𝘀𝘁𝘀: Restricted Admin Mode was designed to let administrators connect to a potentially compromised device without passing their credentials to it. You must already be an administrator on the target machine, but your credentials […]

RDP – MSTSC Plaintext Password

🔒 Secure Bits 💡 𝗧𝗵𝗶𝗻𝗸 𝗥𝗗𝗣 + 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗚𝘂𝗮𝗿𝗱 𝗸𝗲𝗲𝗽𝘀 𝘆𝗼𝘂𝗿 𝗱𝗼𝗺𝗮𝗶𝗻 𝗮𝗱𝗺𝗶𝗻 𝗰𝗿𝗲𝗱𝘀 𝘀𝗮𝗳𝗲? 𝗡𝗼𝘁 𝗿𝗲𝗮𝗹𝗹𝘆. Even in 2025, many 𝗮𝗱𝗺𝗶𝗻𝘀 𝘀𝘁𝗶𝗹𝗹 𝗲𝘅𝗽𝗼𝘀𝗲 𝘁𝗵𝗲𝗶𝗿 𝗗𝗼𝗺𝗮𝗶𝗻 𝗔𝗱𝗺𝗶𝗻 𝗰𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀 without realizing it — just by using RDP to access Domain Controllers from their regular workstation. 🧠 “But I’ve got 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗚𝘂𝗮𝗿𝗱, I’m protected!” Not always. 𝗛𝗲𝗿𝗲’𝘀 𝘄𝗵𝗮𝘁 𝗮𝗰𝘁𝘂𝗮𝗹𝗹𝘆 𝗵𝗮𝗽𝗽𝗲𝗻𝘀 𝗶𝗻 𝗰𝗮𝘀𝗲 […]

Privileged Access Workstations (PAWs)

🔒 Secure Bits 💡 Why should you use Privileged Access Workstations (PAWs)? Accessing your infrastructure through a basic user device leaves your privileged account credentials in the device’s memory, and it is making you susceptible to keyloggers (software or hardware) that can capture these credentials. To mitigate this risk, implement PAWs in your environment and […]

Category: Windows – Security