#activedirectorysecuritytips search results
#ActiveDirectorySecurityTips
Run this AD module cmd:
get-adgroupmember Administrators -Recursive | select DistinguishedName
Ask Why? for:
* Service accounts
* Accounts/groups from another forest
* Computer accounts (remove)
* Normal users
* Accounts with SPNs (work to remove)

#ActiveDirectorySecurityTips
Run this AD module cmd:
Get-ADGroupMember 'Administrators' -Recursive | % {Get-ADUser $_ -prop ServicePrincipalName} | Where {$_.ServicePrincipalName}
Investigate & remove any SPNs on 'people' accounts. Determine why service accounts are AD admins.

All of the #ActiveDirectorySecurityTips I posted here are now located on ADSecurity.org adsecurity.org/?tag=activedir…
#ActiveDirectorySecurityTips
Run this AD module cmd:
get-aduser Administrator -prop PasswordLastSet,LastLogonDate,servicePrincipalName
(change name as needed)
* PW should change every year.
* If there's a SPN, get this removed ASAP.
* Account should not have a recent logon.

#ActiveDirectorySecurityTips
Run this AD module cmd:
get-aduser krbtgt -prop Created,PasswordLastSet,msDS-KeyVersionNumber
* PW should change 2x every year.
* If Created = PWLastSet, then work to change soon.
* KeyVersionNum typically identifies how many times PW changed (n-1).

#ActiveDirectorySecurityTips
Run this AD module cmd:
get-adgroupmember 'Account Operators' -Recursive
The Account Operators group should not be used. Custom delegate instead. This group is a great "backdoor" priv group for attackers. Microsoft even says don't use this group!

Pro Tip: Listening to Amon Amarth makes AD Roaming Profiles load faster on Windows XP SP1 #activedirectorysecuritytips
Limit membership in the DNSAdmins group since this group is able to "execute" DLLs on Domain Controllers (by design). adsecurity.org/?p=4064 Original research & post: medium.com/@esnesenon/fea… #ActiveDirectorySecurityTips
On Domain Controllers, LDAP Signing & LDAP Channel Binding become mandatory security settings. portal.msrc.microsoft.com/en-us/security… Test & Enable these before Microsoft Enables by Default: support.microsoft.com/en-us/help/935… support.microsoft.com/en-us/help/403… #ActiveDirectorySecurity #activedirectorysecuritytips
Microsoft strongly advises customers... always a warning, especially if it involves DCs and LDAP and MS announces upcoming changes support.microsoft.com/en-us/help/452…
* Block AD Admins from logging onto non-DA systems using GPOs docs.microsoft.com/en-us/windows-… * Add all AD Admins to the Protected Users group to provide additional protections (including Kerberos delegation attack mitigation) docs.microsoft.com/en-us/windows-… #ActiveDirectorySecurityTips
* Add service accounts to a group and restrict logon type via GPO (just realized I have never written about this) experts-exchange.com/questions/2908… #ActiveDirectorySecurityTips
Remember when @PyroTek3 started tweeting out components of the Trimarc Active Directory Security Assessment (#ActiveDirectorySecurityTips)? Pepperidge farm remembers... 😀 We check these & so do attackers.
* Rotate local admin passwords using LAPS adsecurity.org/?p=1790 * Block local account (including RID 500) network access to systems. docs.microsoft.com/en-us/windows-… docs.microsoft.com/en-us/windows-… #ActiveDirectorySecurityTips
There's more but this is a solid start. A couple of previous tweets on this: #ActiveDirectorySecurityTips
* Ensure appropriate AD auditing adsecurity.org/?p=3377 * Review domain Administrators membership * Review the "Default" GPOs for inappropriate rights adsecurity.org/?p=3700 * Review AD permissions github.com/cyberark/ACLig… #ActiveDirectorySecurityTips
Configure Azure AD Connect Step By Step #Azure #microsoft #activedirectorysecuritytips #youtube @youtube #MicrosoftTeams @Azure #database #cloud #clouds #CloudComputing youtu.be/xYrleawy_CQ
Active Shooter Considerations for Off-Duty Police. calibrepress.com/2019/08/are-yo… #activedirectorysecuritytips #activeshootercalifornia #IACP #ILEETA
Must read if you are interested in securing your environment against various attacks 😍 #BlueTeam #activedirectorysecuritytips #redteam #sysadmin
Please share in this thread some defensive techniques that are relatively simple to configure/deploy that have a high success rate (low false positives). I'll start:
* Detect Kerberoasting: trimarcsecurity.com/single-post/Tr…
* Detect PW Spraying: trimarcsecurity.com/single-post/20…
#BlueTeam

Offline #GPO parsing and analysis. #DFIR - github.com/gtworek/PSBits…
Looking for a Windows Server administrator? Check this out, Lakunzo will setup and configure your server and roles on @fiverr #activedirectory #activedirectorysecuritytips #DNS #DHCP #NAT fiverr.com/s2/9fdc8f3570?…