An ounce of prevention is worth a pound of detection
Thursday, Mar 28, 2024, 11:30 AM PDT
With Identity Threat Detection and Response (ITDR) continuing to trend in the realm of identity security, systems protecting Active Directory tend to focus on real-time detection of attacks, using ad...
Char_Cheesman
Updated Dec 27, 2024
PeterJ_Inobits
Mar 28, 2024, Iron Contributor
There are far more paths into AD for an attacker than most people realise....
msfthiker
Mar 28, 2024, MVP
Absolutely Peter, and it's tough to even scratch the surface in 30 minutes.
- PeterJ_Inobits, Mar 28, 2024, Iron Contributor
The one I find an awful lot of is stale, unused accounts with excessive privileges left lying around....
- Karl-WE, Mar 28, 2024, MVP
I am following this idea on-premises: Domain Admins are removed from all local admin groups on all servers (the current default is that this group is included). In exchange, admins can dynamically grab server-specific AD groups if they require local admin rights.
It is complex, but so far I hope it will reduce the attack surface and lateral movement. What do you think?
Also removing the ability to run debugging as Administrator, so hopefully, before LSASS protection is in place, preventing hash theft. Do you think this does the trick before we get LSASS protection with Windows 11 / WS 2025?
- PeterJ_Inobits, Mar 28, 2024, Iron Contributor
Absolutely... Would LAPS not assist as well, or is it not deployable on servers?
- Karl-WE, Mar 28, 2024, MVP
I am a huge fan of Windows LAPS. It is easy and has excellent logging. In the concept I am not considering local admins such as .\administrator; the members of the Domain Admins group shall only be able to manage AD DS, not the entire fleet (via the inherited local group "Administrators" granting Domain Admins full local admin rights). Sorry if this was not clear. Do you see the difference, Peter?
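Added example (not code from the thread, from Microsoft, or from either poster): a PowerShell audit of the design Karl-WE describes. For each member server it checks that a Windows LAPS password exists for the built-in local Administrator before anything else is touched, reports whether Domain Admins still sits in the local Administrators group and whether the server-specific AD group is there instead, reads who holds SeDebugPrivilege (the right that lets an administrator open LSASS), and with -Remediate swaps the group membership. The server list, the NetBIOS domain CONTOSO and the 'SRV-<host>-LocalAdmin' naming scheme are hypothetical and exist only to make the example run; the script assumes the RSAT ActiveDirectory and Windows LAPS modules, PowerShell Remoting to the targets, and that the account running it already has local admin rights on them through a path other than Domain Admins.

```powershell
# Added example, not code from the thread. Audits (and optionally fixes) the
# "Domain Admins are not local admins on fleet servers" design discussed above.
# Hypothetical names: $Servers, $Domain and the SRV-<host>-LocalAdmin scheme.
[CmdletBinding()]
param(
    [string[]] $Servers   = @('srv-app01', 'srv-app02'),   # constructed sample input
    [string]   $Domain    = 'CONTOSO',                      # NetBIOS domain name (assumption)
    [switch]   $Remediate                                   # without it: report only
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module LAPS            -ErrorAction Stop   # Windows LAPS module, not legacy AdmPwd.PS

# Well-known RID 512: S-1-5-21-<domain>-512 is Domain Admins whatever it is named.
$daSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value

$report = foreach ($server in $Servers) {
    # Gate 1: never drop Domain Admins from a box that has no LAPS-managed local
    # Administrator password; that password is the break-glass path if the new
    # group membership turns out to be wrong.
    $laps = Get-LapsADPassword -Identity $server -ErrorAction SilentlyContinue
    if (-not $laps -or -not $laps.ExpirationTimestamp) {
        Write-Warning "${server}: no Windows LAPS password stored in AD, skipping"
        continue
    }

    $serverGroup = "$Domain\SRV-$server-LocalAdmin"   # hypothetical per-server AD group

    # Inspection and changes run on the target so SIDs are compared as real
    # SecurityIdentifier objects instead of deserialized strings.
    Invoke-Command -ComputerName $server -ArgumentList $daSid, $serverGroup, ([bool]$Remediate) -ScriptBlock {
        param($daSid, $serverGroup, $fix)

        $admins   = Get-LocalGroupMember -Group 'Administrators'
        $hasDA    = [bool]($admins | Where-Object { $_.SID.Value -eq $daSid })
        $hasGroup = [bool]($admins | Where-Object { $_.Name -eq $serverGroup })

        # Gate 2: the replacement group must be present before the inherited
        # Domain Admins entry is removed, so nobody is locked out in between.
        if ($fix -and -not $hasGroup) {
            Add-LocalGroupMember -Group 'Administrators' -Member $serverGroup
            $hasGroup = $true
        }
        if ($fix -and $hasDA -and $hasGroup) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $daSid
            $hasDA = $false
        }

        # Report only: who holds SeDebugPrivilege according to the effective local
        # security policy. secedit writes the right as a list of *SID entries.
        $cfg = Join-Path $env:TEMP 'usr-rights.inf'
        $null = secedit /export /cfg $cfg /areas USER_RIGHTS
        $m = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=\s*(.*)$'
        $debugHolders = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '<not assigned>' }
        Remove-Item $cfg -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Server            = $env:COMPUTERNAME
            DomainAdminsLocal = $hasDA          # should end up False
            ServerGroupLocal  = $hasGroup       # should end up True
            SeDebugPrivilege  = $debugHolders   # '*S-1-5-32-544' means every local admin
        }
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Remediate and read the table; a row with DomainAdminsLocal True and ServerGroupLocal False is a server where the fleet still inherits Domain Admin rights. The built-in `.\Administrator` is deliberately left alone, since LAPS covers it. The SeDebugPrivilege column is informational: removing that right from Administrators through a User Rights Assignment GPO adds friction, but a local administrator can grant it back, so it is not a substitute for LSASS protection (RunAsPPL / Credential Guard).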