I could write a book...

You gain expertise through the process of fixing things, sometimes the things you break - don't fear mistakes.

As your expertise gets deeper, you find new exotic ways of breaking things where even Stack Overflow won't save you.

Here's a few of mine :)

First week on a new job, ran a driver cleanup script for ConfigMgr 2007 and forgot the params - dumped the entire driver catalog

Deployed apps based on UTC instead of local time

$list | % { Restart-Computer $_ } while the server I was running it from was in the list...

Filtered in Graylog to push a new client config without realizing it included some servers. New log sources flooded Graylog with 200GB of data.

Set up a mail flow rule to catch spoofing (from header contains domain) but forgot to specify from external... QT'd my outbound email.

Don't fear mistakes, fear not having the practice and experience of fixing them.

As you move up, the impact of systems breaking gets exponentially worse, and those experiences will help you recover more quickly.

Failing is part of the journey, and owning it is good for us :)

More from @NathanMcNulty

6 Feb
I'm seeing another big push by vendors that their solution will fix education's ransomware woes

You can't make up for poor operational management by buying products

Do these free things first, then consider purchases that scale your staff

Note: #6 is for non-AD bound devices
1. For email filtering, I have a nice series here you can borrow ideas from:

blog.opsecedu.com/using-transpor…

For Office macros, it's how something like 90% of ransomware starts (rest is unpatched remote access).

At least block macros from the Internet:

microsoft.com/security/blog/…
3. Attackers move around your network easily when you have the same admin accounts on many machines. Make them all unique and make them work for it.

LAPS is a simple, effective way to do this.

blog.nowmicro.com/2018/02/28/con…

See @RyanLNewington's free LAPS Web:
github.com/lithnet/laps-w…
5 Feb
You really should use (g)MSA's instead of user accounts for services, IIS, scheduled tasks, SQL, etc.

Even if you have a cred vault that rotates and handles dependencies, MSA's are probably still better.

Read Steve's thread for how they work, then this one for how to use them.
First, a couple of things Steve didn't mention:

1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES)

2) The password can be retrieved on one server and used on another, pass the hash/ticket still works..
OK, first, let's find out if you have a KDS root key set up. Run PowerShell on a machine with the Active Directory PowerShell module installed and run this:

Get-KDSRootKey

If you get nothing, then run this:

Add-KDSRootKey -EffectiveImmediately

Now wait 10 hours.. seriously :(
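The full sequence the thread walks through (KDS root key check, gMSA creation, host install, audit), as an added PowerShell example that is not the thread author's code. Group, account and host names are placeholders; it assumes the ActiveDirectory RSAT module and enough rights to create the KDS key and service account.

```powershell
# Added example (not from the thread): check for a KDS root key, then create and
# verify a group Managed Service Account. Names below are assumed placeholders.
# Requires the ActiveDirectory module (RSAT); the KDS step needs Domain Admin rights.
Import-Module ActiveDirectory

# 1. Is there a KDS root key? Without one, New-ADServiceAccount fails.
$keys = Get-KdsRootKey
if (-not $keys) {
    # In production create it normally and wait ~10 hours for replication before using it.
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning "KDS root key created; gMSA creation will fail until it is effective (about 10 hours)."
    # Lab-only shortcut: backdate the effective time so the key is usable at once.
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
} else {
    $keys | Select-Object KeyId, EffectiveTime, CreationTime | Format-Table -AutoSize
}

# 2. Put the hosts that may retrieve the password into a group. Least privilege:
#    only these computer accounts can fetch the managed password from the DC.
$groupName = 'gMSA-WebApp-Hosts'      # assumed name
$gmsaName  = 'svc-webapp'             # assumed name; keep it to 15 characters or fewer
$hostNames = 'WEB01', 'WEB02'         # assumed hosts
$domainDns = (Get-ADDomain).DNSRoot

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
foreach ($h in $hostNames) {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer $h)
}

# 3. Create the gMSA. The password is KDS-generated, never typed by a human,
#    and rotates every 30 days by default. Restricting the encryption type to AES
#    removes the RC4 ticket that Kerberoasting tools prefer.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType AES128, AES256
}

# 4. On each member host, after a reboot so the new group membership is in its token:
#    Install-ADServiceAccount $gmsaName
#    Test-ADServiceAccount $gmsaName      # True means the host can retrieve the password
#    Then run the service, IIS app pool or scheduled task as DOMAIN\svc-webapp$ with a blank password.

# 5. Audit: who can retrieve this password, how often does it rotate, and when did it last?
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, `
    ManagedPasswordIntervalInDays, KerberosEncryptionType, PasswordLastSet |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, `
        KerberosEncryptionType, PasswordLastSet
```

Step 5 is the check worth scheduling: a gMSA whose PrincipalsAllowedToRetrieveManagedPassword has grown beyond the intended host group is the thread's second caveat in practice, since any host in that list can pull the password and use it elsewhere.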
12 Jul 20
This is such an awesome writeup, but it's missing one thing - remediation steps

Some AD admins may know how to fix these issues, but it's fair to assume some do not.

I'd also highly recommend using PingCastle by @mysmartlogon as it audits most of this and more.

Thread time!
@mysmartlogon 1) Remove user rights to join devices to AD

PowerShell: Set-ADDomain -Identity <Domain> -Replace @{"ms-DS-MachineAccountQuota"="0"} -Verbose
GPO: Modify Default Domain Controller Policy and remove Authenticated Users from the user rights assignment (1st pic)
ADSI: (2nd pic)
Instead, consider setting up bind accounts per tier/group/service and delegate to appropriate OU's:
moderndeployment.com/correct-domain…

Also, change binding to create objects in an OU with strict policies:
redircmp "OU=Bind,DC=Domain,DC=Com"

redirusr can be used for users if you want.
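The quota change and container redirect above, preceded by the audit step a defender usually wants first, as an added PowerShell example that is not the thread author's code. The "Bind" OU name follows the thread; the ActiveDirectory module and rights to modify the domain object and run redircmp are assumed.

```powershell
# Added example (not from the thread): audit, then close, the
# ms-DS-MachineAccountQuota path before delegating joins to dedicated bind accounts.
# Requires the ActiveDirectory module and rights to modify the domain object.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Current quota. The default is 10: any authenticated user may join up to 10 machines.
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota on $($domain.DNSRoot): $maq"

# 2. Computers created through the quota (rather than by a delegated admin) carry the
#    creating user's SID in mS-DS-CreatorSID. Resolve it so you know who added machines
#    and which container they landed in; review these before and after the change.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
            Container   = ($_.DistinguishedName -split ',', 2)[1]
        }
    } | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# 3. Close the door: set the quota to 0 (the thread's Set-ADDomain step).
Set-ADDomain -Identity $domain.DNSRoot -Replace @{'ms-DS-MachineAccountQuota' = '0'} -Verbose

# 4. Redirect new computer objects out of CN=Computers into an OU that receives
#    strict policy. The OU must exist first; "Bind" is the name used in the thread.
$bindOU = "OU=Bind,$domainDN"
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$bindOU'")) {
    New-ADOrganizationalUnit -Name 'Bind' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
& redircmp.exe $bindOU

# 5. Verify both changes took effect.
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'   # 0
(Get-ADDomain).ComputersContainer                                                                     # OU=Bind,...
```

Setting the quota to 0 only removes the implicit right; the "Add workstations to domain" user right in the Default Domain Controllers Policy (the thread's GPO step) still has to be trimmed separately, and the bind accounts you delegate afterwards should get create-computer rights on the Bind OU only.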
6 Apr 20
Re: NYC blocking Zoom

I like Matthew a lot, but I don't feel this is a "dumb overreaction."

As a security admin overseeing 40K+ students and participating in communities serving over 1.5M students, I would love to shed some light on the difficulties Zoom has created for us.
First, let's start with Zoombombing. The answer seems very simple - let's add a password. The problem is that many places allowed teachers to go create their own accounts, and we had to rely on them reading email from IT.

Is that ever 100% effective?

For those of us who do have an admin console to control settings, sure we can change the settings to add a password, but that only affects future meetings (according to the console), not past meetings.

Again, communicating to teachers to change existing meetings? This is hard.