The domain Kerberos service account, KRBTGT (https://adsecurity.org/?p=483), is an important account since its key is used to sign and encrypt Kerberos tickets. The account is disabled and the password doesn't change except when the domain functional level is raised from Windows 2000/2003 to Windows Server 2008 (or newer). This is a highly privileged account and if an attacker can gain knowledge … | Active Directory & Azure AD/Entra ID Security
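The check a practitioner wants here is the KRBTGT password age in every domain of the forest. The following is an added example, not code from the original post; it assumes the ActiveDirectory module is available and uses an example threshold of 180 days.

```powershell
# Added example (not from the original post): report how old each domain's KRBTGT
# password is. An attacker who has stolen the KRBTGT key relies on it staying unchanged.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MaxAgeDays = 180   # assumed policy threshold for this example; adjust to your own
    )
    # msDS-KeyVersionNumber is the kvno stamped into tickets; it increments on every reset
    $krbtgt = Get-ADUser -Identity krbtgt -Server $Domain -Properties PasswordLastSet, Enabled, 'msDS-KeyVersionNumber'
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    [pscustomobject]@{
        Domain           = $Domain
        Enabled          = $krbtgt.Enabled          # must always be False
        PasswordLastSet  = $krbtgt.PasswordLastSet
        PasswordAgeDays  = [int]$age.TotalDays
        KeyVersionNumber = $krbtgt.'msDS-KeyVersionNumber'
        OverThreshold    = $age.TotalDays -gt $MaxAgeDays
    }
}

# Every domain in the forest has its own KRBTGT, so check all of them
Get-ADForest | Select-Object -ExpandProperty Domains |
    ForEach-Object { Get-KrbtgtPasswordAge -Domain $_ } |
    Format-Table -AutoSize
```

Read-only domain controllers have their own krbtgt_NNNNN accounts, which this query deliberately leaves out. When a reset is warranted, do it twice: the KDC honours tickets encrypted with the previous key as well as the current one, so only the second reset (spaced so replication has completed and tickets issued under the old key have expired; the default maximum TGT lifetime is 10 hours) invalidates tickets forged with the stolen key.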
The Tombstone lifetime (TSL) in Active Directory is the limit on how long a deleted object can remain in AD. The original value was 60 (days). Forests created with Windows Server 2003 SP2 or later have this set to 180 (days). Note that this also affects backups, how long a backup is valid, and replication – if …
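The TSL lives on the Directory Service object in the configuration partition, and a forest whose attribute was never set is still on the old 60-day default. This added example (not the original post's code) reads the effective value and tests a backup date against it; the 45-day sample date is constructed.

```powershell
# Added example: read the effective tombstone lifetime and decide whether a backup is still
# restorable. An AD backup older than the TSL must not be restored (lingering objects).
Import-Module ActiveDirectory

function Get-ADTombstoneLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    if ($null -eq $dsObject.tombstoneLifetime) {
        # Attribute absent: AD falls back to the built-in default of 60 days
        [pscustomobject]@{ TombstoneLifetimeDays = 60; Source = 'Default (tombstoneLifetime not set)' }
    } else {
        [pscustomobject]@{ TombstoneLifetimeDays = [int]$dsObject.tombstoneLifetime; Source = 'tombstoneLifetime attribute' }
    }
}

function Test-ADBackupAge {
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $tsl     = Get-ADTombstoneLifetime
    $ageDays = [int]((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $tsl.TombstoneLifetimeDays
        UsableForRestore      = $ageDays -lt $tsl.TombstoneLifetimeDays
    }
}

Get-ADTombstoneLifetime
Test-ADBackupAge -BackupDate (Get-Date).AddDays(-45)   # constructed sample backup date
```

Raising the value on an old forest is a one-line change with `Set-ADObject -Replace @{tombstoneLifetime = 180}` against the same Directory Service object; it takes effect forest-wide after replication.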
Ensuring proper Domain Controller configuration is key for Active Directory security. Part of this is making sure they are running supported versions of Windows. At this point, DCs should be running at least Windows Server 2016, preferably Windows Server 2019 or 2022. Hold off on deploying Windows Server 2025 DCs for now due to the …
In every Active Directory domain, there is the default domain Administrator account. Here are some key items to check, with PowerShell for the current domain using the AD PowerShell cmdlets:
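The excerpt's own checklist is not reproduced on this page, so the following is an added example rather than the original post's script. It locates the account by its well-known RID 500 (so a renamed Administrator is still found) and applies a set of checks chosen for this example; the 365-day and 30-day thresholds are assumptions.

```powershell
# Added example (not the original post's code): audit the built-in domain Administrator
# account in each domain of the forest, found by RID 500 rather than by name.
Import-Module ActiveDirectory

function Get-DefaultAdministratorReport {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MaxPasswordAgeDays = 365,   # assumed threshold for this example
        [int]$RecentUseDays = 30          # assumed: break-glass accounts should sit idle
    )
    $domainSid = (Get-ADDomain -Server $Domain).DomainSID.Value
    $props = @('Enabled', 'PasswordLastSet', 'LastLogonDate', 'PasswordNeverExpires',
               'AccountNotDelegated', 'ServicePrincipalNames', 'MemberOf', 'Description')
    $admin = Get-ADUser -Identity "$domainSid-500" -Server $Domain -Properties $props

    $findings = New-Object System.Collections.Generic.List[string]
    if ($admin.Enabled) {
        $findings.Add('Account is enabled (disabling still permits Safe Mode logon for recovery)')
    }
    if ($admin.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $findings.Add("Password older than $MaxPasswordAgeDays days (set $($admin.PasswordLastSet))")
    }
    if ($admin.PasswordNeverExpires) { $findings.Add('PasswordNeverExpires is set') }
    if (-not $admin.AccountNotDelegated) {
        $findings.Add('Not marked "Account is sensitive and cannot be delegated"')
    }
    if ($admin.ServicePrincipalNames.Count -gt 0) {
        # Any SPN makes the account's password hash requestable as a service ticket
        $findings.Add("Has SPNs ($($admin.ServicePrincipalNames -join ', ')), so it is Kerberoastable")
    }
    if ($admin.LastLogonDate -gt (Get-Date).AddDays(-$RecentUseDays)) {
        $findings.Add("Used within the last $RecentUseDays days (LastLogonDate $($admin.LastLogonDate))")
    }

    [pscustomobject]@{
        Domain          = $Domain
        SamAccountName  = $admin.SamAccountName
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        LastLogonDate   = $admin.LastLogonDate
        GroupCount      = $admin.MemberOf.Count
        Findings        = $findings
    }
}

Get-ADForest | Select-Object -ExpandProperty Domains |
    ForEach-Object { Get-DefaultAdministratorReport -Domain $_ }
```

`LastLogonDate` is derived from `lastLogonTimestamp`, which replicates only when it is 9 to 14 days stale, so treat the "recently used" finding as approximate and confirm against 4624/4768 events on the domain controllers.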
There are several default/built-in privileged groups that should be reviewed: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups PowerShell script leveraging the Active Directory PowerShell module: https://github.com/PyroTek3/Misc/blob/main/Get-ADBuiltInAdmins.ps1
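As an added example (not the linked Get-ADBuiltInAdmins.ps1 script), the enumeration below resolves the built-in privileged groups by well-known SID or RID, expands nested membership, and pulls each user's enabled state from the global catalog so members from other domains in the forest are covered.

```powershell
# Added example: enumerate built-in privileged groups by SID/RID (immune to renaming),
# expand nesting, and report whether each user member is enabled and when its password changed.
Import-Module ActiveDirectory

function Get-PrivilegedGroupMembership {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest    = Get-ADForest
    $domainSid = (Get-ADDomain -Server $Domain).DomainSID.Value
    $rootSid   = (Get-ADDomain -Server $forest.RootDomain).DomainSID.Value

    # Builtin groups use fixed SIDs; domain groups use the domain SID plus a well-known RID.
    # Schema Admins and Enterprise Admins exist only in the forest root domain.
    $targets = [ordered]@{
        'Administrators'    = @{ Sid = 'S-1-5-32-544';   Server = $Domain }
        'Account Operators' = @{ Sid = 'S-1-5-32-548';   Server = $Domain }
        'Server Operators'  = @{ Sid = 'S-1-5-32-549';   Server = $Domain }
        'Print Operators'   = @{ Sid = 'S-1-5-32-550';   Server = $Domain }
        'Backup Operators'  = @{ Sid = 'S-1-5-32-551';   Server = $Domain }
        'Domain Admins'     = @{ Sid = "$domainSid-512"; Server = $Domain }
        'Schema Admins'     = @{ Sid = "$rootSid-518";   Server = $forest.RootDomain }
        'Enterprise Admins' = @{ Sid = "$rootSid-519";   Server = $forest.RootDomain }
    }
    $gc = "$($forest.RootDomain):3268"   # global catalog: resolves users from any domain in the forest

    foreach ($name in $targets.Keys) {
        $t = $targets[$name]
        try {
            $members = Get-ADGroupMember -Identity $t.Sid -Server $t.Server -Recursive
        } catch {
            # Foreign security principals (trusted-forest members) can break recursive expansion
            Write-Warning "$name ($($t.Sid)): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $enabled = $null; $pwdSet = $null
            if ($m.objectClass -eq 'user') {
                $u = Get-ADUser -Identity $m.distinguishedName -Server $gc -Properties Enabled, PasswordLastSet
                $enabled = $u.Enabled; $pwdSet = $u.PasswordLastSet
            }
            [pscustomobject]@{
                Group = $name; Member = $m.SamAccountName; Class = $m.objectClass
                Enabled = $enabled; PasswordLastSet = $pwdSet; DN = $m.distinguishedName
            }
        }
    }
}

Get-PrivilegedGroupMembership | Sort-Object Group, Member | Format-Table -AutoSize
```

Run it once per domain; the Builtin groups and Domain Admins are per-domain, while the two forest-root groups repeat identically. Disabled members and old passwords in these groups are the usual findings, along with computer accounts or service accounts that should not be there at all.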
Over the summer, I rebuilt my Active Directory lab environment with multiple regional domains. Instead of manually configuring common issues, I decided to create a PowerShell script to do this for me. My Invoke-ADLabBuildOut script does the following: PowerShell AD lab build-out script leveraging the Active Directory PowerShell module: https://github.com/PyroTek3/ADLab
Active Directory computers should be reviewed about once a year. Old operating systems can hold back security progress, for example by keeping SMBv1 and NTLMv1 in use. Inactive computers should be discovered and disabled when no longer in use (and eventually removed). The OperatingSystem and PasswordLastSet attributes are self-explanatory, though we can use LastLogonDate, which represents the …
The forest and domain functional levels determine which security capabilities are available in Active Directory. This post collects the relevant capabilities of Windows domain and forest functional levels. Forest Functional Level Features: Domain Functional Level Features: References: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754918(v=ws.10) https://learn.microsoft.com/en-us/windows-server/identity/ad-...
I recently published an article on the TrustedSec blog site called "Detecting Active Directory Password-Spraying with a Honeypot Account". This article describes how to use an Active Directory honeypot account in order to detect Password Spraying. Read the article here: https://trustedsec.com/blog/detecting-password-spraying-with-a-honeypot-account
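The detection itself is simple once the honeypot account exists: nothing legitimate should ever authenticate as it, so any failed authentication naming it is a signal. The following is an added example, not the article's code; the account name `svc-sqlbackup` is an assumption, and it assumes the domain controllers audit Kerberos Authentication Service, Credential Validation and Logon events.

```powershell
# Added example (not the TrustedSec article's code): pull every authentication attempt
# against a honeypot account out of the domain controllers' Security logs.
Import-Module ActiveDirectory
$HoneypotAccount = 'svc-sqlbackup'   # assumed name; make it look like a real service account

function Get-HoneypotAuthAttempts {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$Hours = 24
    )
    # 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation,
    # 4625 = logon failure. All three carry the attempted account in TargetUserName.
    $filter  = @{ LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Tolerate DOMAIN\user and user@realm forms without matching svc-sqlbackup2
    $pattern = '^(?:.*\\)?' + [regex]::Escape($Account) + '(?:@.*)?$'

    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -match $pattern) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    DC      = $dc
                    EventId = $_.Id
                    Account = $data['TargetUserName']
                    # Field name differs per event: 4771/4625 give an address, 4776 a workstation name
                    Source  = ($data['IpAddress'], $data['Workstation'], $data['WorkstationName'] |
                               Where-Object { $_ } | Select-Object -First 1)
                    Status  = (($data['Status'], $data['SubStatus'] | Where-Object { $_ }) -join '/')
                }
            }
        }
    }
}

$hits = Get-HoneypotAuthAttempts -Account $HoneypotAccount -Hours 24
if ($hits) {
    # During a spray one source touches many accounts; grouping by source points at the origin
    $hits | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize
}
```

Password sprays walk every account with one or two passwords, so the honeypot is hit once or twice per round, well below any lockout threshold; a single match is therefore already worth an alert rather than a count-based rule.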
There are several different types of user accounts, at least in how they are used: standard user accounts, service accounts, and admin accounts. There are numerous user account settings that can make them vulnerable. These configurations include: Inactive - the account has not logged on or changed its password in over 180 days, which may ...
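The inactivity check for user accounts here and the computer review above (stale LastLogonDate and PasswordLastSet, plus old operating systems) are the same query over two object classes, so one added example serves both. This is not the original posts' code; the 180-day cutoff matches the text, and the legacy OS list is an assumption.

```powershell
# Added example: find enabled users and computers that look inactive, and computers
# running operating systems that keep legacy protocols (SMBv1, NTLMv1) alive.
Import-Module ActiveDirectory

function Get-StaleADAccounts {
    param(
        [int]$InactiveDays = 180,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # Assumed list of out-of-support OS strings for this example
    $legacyOs = 'Windows XP|Windows Vista|Windows 7|Windows 8|Windows Server 2003|Windows Server 2008|Windows Server 2012'

    # Newly created objects have no logon yet; whenCreated keeps them out of the report
    $isStale = { param($o) ($null -eq $o.LastLogonDate -or $o.LastLogonDate -lt $cutoff) -and
                           $o.PasswordLastSet -lt $cutoff -and $o.whenCreated -lt $cutoff }

    $users = Get-ADUser -Server $Domain -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object { & $isStale $_ } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'User'; Name = $_.SamAccountName; LastLogonDate = $_.LastLogonDate
                               PasswordLastSet = $_.PasswordLastSet; OperatingSystem = $null; Reason = 'Inactive' }
        }

    # Machine account passwords rotate every 30 days by default, so a 180-day-old one is a strong signal
    $computers = Get-ADComputer -Server $Domain -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, OperatingSystem, whenCreated |
        ForEach-Object {
            $reasons = @()
            if (& $isStale $_) { $reasons += 'Inactive' }
            if ($_.OperatingSystem -match $legacyOs) { $reasons += 'LegacyOS' }
            if ($reasons) {
                [pscustomobject]@{ Type = 'Computer'; Name = $_.Name; LastLogonDate = $_.LastLogonDate
                                   PasswordLastSet = $_.PasswordLastSet; OperatingSystem = $_.OperatingSystem
                                   Reason = ($reasons -join ',') }
            }
        }

    @($users) + @($computers)
}

Get-StaleADAccounts | Sort-Object Type, Reason, Name | Format-Table -AutoSize
```

`LastLogonDate` comes from `lastLogonTimestamp`, which is only replicated when it is 9 to 14 days out of date, so the cutoff is approximate by that much. Disable what the report finds, leave the objects in place for a grace period, and delete them only after nobody has complained.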
This article is a cross-post from TrimarcSecurity.com. Original article: https://www.trimarcsecurity.com/single-post/2019/02/12/Mitigating-Exchange-Permission-Paths-to-Domain-Admins-in-Active-Directory The Issue: Recently a blog post was published by Dirk-jan Mollema titled "Abusing Exchange: One API call away from Domain Admin" (https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/), which highlighted several issues with Exchange permissions and a chained attack which would ...
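The permissions in question are access control entries granted to Exchange groups on the domain object itself. As an added example (not the Trimarc article's code), the check below lists those ACEs for the current domain and flags rights that allow the holder to rewrite the domain's security descriptor or take it over; which specific entries to remove is the subject of the linked article.

```powershell
# Added example: list ACEs held by Exchange groups on the domain root and flag the ones that
# grant control over the object's security descriptor (WriteDacl, WriteOwner, GenericAll).
Import-Module ActiveDirectory

function Get-ExchangeDomainRootRights {
    $domainDn = (Get-ADDomain).DistinguishedName
    $dangerous = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, GenericAll'

    # The AD: PSDrive is created when the ActiveDirectory module loads and is rooted at the current domain
    (Get-Acl -Path "AD:\$domainDn").Access |
        Where-Object { $_.IdentityReference -match 'Exchange' } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
                # Only an Allow ACE carrying one of the control rights is a takeover path
                Dangerous = ($_.AccessControlType -eq 'Allow') -and
                            (($_.ActiveDirectoryRights -band $dangerous) -ne 0)
            }
        }
}

Get-ExchangeDomainRootRights | Sort-Object Dangerous -Descending | Format-Table -AutoSize
```

An inherited entry was set higher up (or is the default for the object class) and needs to be fixed at its source; an explicit entry on the domain root can be removed directly once the Exchange version in use is confirmed not to need it.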