The Account Lockout Threshold is not a complete spray defense. Set well, it limits online guessing, creates usable signals, and exposes stale credential problems. Set badly, it locks the business out.
Tags: Active Directory, Hardening, Account Lockout, Password Spraying, GPO
AS-REP Roasting usually starts with a simple account setting: Kerberos pre-authentication is not required. The fix is technically small, but it needs ownership, testing, and drift control.
Tags: Active Directory, Hardening, Kerberos, AS-REP Roasting, Preauth
Coerce attacks are rarely fixed by one setting. The real question is which systems can still trigger NTLM, SMB, RPC or HTTP authentication unexpectedly.
Unconstrained Delegation is often a historical convenience setting for old double-hop scenarios. In modern AD environments, it should be practically absent outside domain controllers.
AD CS indirectly controls who can authenticate as whom. If templates, enrollment rights and CA operations are unmanaged, PKI can become a domain takeover path.
Kerberos Armoring (FAST) hardens Kerberos pre-authentication and reduces exposure to certain offline and downgrade paths. The value is real — but only with dependency visibility, staged rollout, and well-tested rollback per scope.
Tags: Active Directory, Hardening, Kerberos, FAST, Authentication
LSASS is a prime target for credential theft. RunAsPPL makes direct access significantly harder — if you handle compatibility, rollout and operations with discipline.
Tags: Active Directory, Hardening, Windows, LSASS, Credential Theft, Tiering
The krbtgt account is the foundation of Kerberos ticket integrity in an AD domain. Rotating it is not a casual “password change” — it’s a controlled operation with replication, ticket lifetimes, and dependencies. This is a practical, low-drama rollout approach, including limits and a project checklist.
Deleted users, groups, or OUs are a very real operational risk — and classic backup restores are often too heavy for the job. With the AD Recycle Bin you get a pragmatic, auditable restore option, if you roll it out properly.
SMBv1 has no place in modern AD environments — yet in practice it’s often still enabled somewhere. This is a controlled, low-drama way to remove SMBv1 from clients, servers, and images without breaking operations.
When DNS fails, Windows often falls back to LLMNR or NetBIOS (NBT-NS) — multicast/broadcast instead of authority. That’s unnecessary attack surface and creates confusing authentication noise. Here’s a controlled, project-friendly rollout.
WDigest is a legacy mechanism that can be re-enabled by old images, GPOs, or troubleshooting workarounds. Here’s how to verify the current state, enforce a robust baseline, and keep plaintext passwords out of LSASS.
Domain Controllers are Tier 0. Print services don’t belong there. This is how to disable the Print Spooler safely, handle exceptions, and make the control auditable.
Why AD security should not be treated as a one-off check, but as a prioritized project building block for risk reduction, audit readiness and incident readiness.
For critical-infrastructure environments, remote access is defensible only when identity, segmentation, logging and emergency operations are designed together.