1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES)
2) The password can be retrieved on one server and used on another: pass-the-hash/pass-the-ticket still works.
OK, first, let's find out if you have a KDS root key set up. On a machine with the Active Directory PowerShell module installed, open PowerShell and run this:
Get-KDSRootKey
If you get nothing, then run this:
Add-KDSRootKey -EffectiveImmediately
Now wait 10 hours... seriously :(
First, create a security group (DVWA-Servers), then create the gMSA in Powershell:
You can grant "Log on as Service" permissions using secpol.msc, or Windows will do it for you when you add the gMSA to a service (leave password blank).
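The whole setup above as one script, added here as an example and not code from the original post. The domain (corp.example), the group (DVWA-Servers), the server (WEB01) and the account name (gmsaDVWA) are assumptions; the AES-only encryption type ties back to point 1 above, since a gMSA that never has RC4 enabled gives Kerberoasting nothing cheap to crack.

```powershell
# Added example (not from the original post): create a gMSA for the DVWA-Servers group
# and install it on a member server. Domain, group, server and account names are assumptions.
Import-Module ActiveDirectory

# 1. Confirm a KDS root key exists. Nothing returned means the domain has none yet.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still needs the ~10 hour wait the post describes before DCs will hand out passwords.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the group that is allowed to retrieve the managed password (run as a domain admin),
#    and put the web server's computer account in it.
New-ADGroup -Name 'DVWA-Servers' -GroupScope Global -GroupCategory Security -Path 'OU=Groups,DC=corp,DC=example'
Add-ADGroupMember -Identity 'DVWA-Servers' -Members (Get-ADComputer 'WEB01')

# 3. Create the gMSA. Only members of DVWA-Servers can fetch its password; nobody ever types it.
#    AES only: no RC4 key means no cheap Kerberoast target, and the password rotates every 30 days anyway.
New-ADServiceAccount -Name 'gmsaDVWA' `
    -DNSHostName 'gmsaDVWA.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'DVWA-Servers' `
    -KerberosEncryptionType AES128,AES256 `
    -ManagedPasswordIntervalInDays 30

# 4. On WEB01 itself, after a reboot so its new group membership is in its Kerberos ticket:
Install-ADServiceAccount -Identity 'gmsaDVWA'
Test-ADServiceAccount -Identity 'gmsaDVWA'    # True means this server can retrieve the password
```

If Test-ADServiceAccount returns False, the usual cause is that the server was added to DVWA-Servers but has not rebooted (or otherwise refreshed its computer ticket) since, so the DC does not yet see it as an allowed principal.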
IIS
Open the IIS console, go to the Application Pool you want to use the gMSA on, and open Advanced Settings.
Scroll down to Identity and edit it to use a custom account. Specify your gMSA without a password and hit OK all the way out.
Grant folder permissions to the gMSA too.
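The same application pool change done from PowerShell instead of the IIS console, added here as an example rather than taken from the original post. The pool name (DVWA), the account (CORP\gmsaDVWA$, note the trailing $ that every gMSA carries) and the content path are assumptions.

```powershell
# Added example (not from the original post): bind an IIS application pool to the gMSA.
# Pool name, account and site path are assumptions.
Import-Module WebAdministration

# identityType 3 = SpecificUser. The password is deliberately empty: the worker process
# fetches the real one from AD through the computer account, so there is nothing to store or leak here.
Set-ItemProperty 'IIS:\AppPools\DVWA' -Name processModel -Value @{
    identityType = 3
    userName     = 'CORP\gmsaDVWA$'
    password     = ''
}
Restart-WebAppPool -Name 'DVWA'

# The folder permissions step: read/execute on the content, nothing more than the site needs.
icacls 'C:\inetpub\wwwroot\dvwa' /grant 'CORP\gmsaDVWA$:(OI)(CI)RX'

# Check the pool came back up; once the site is hit, Task Manager / Get-Process should
# show w3wp.exe running as CORP\gmsaDVWA$.
Get-WebAppPoolState -Name 'DVWA'
```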
Scheduled Tasks
First, make sure you grant "Logon as batch" to the gMSA using secpol.msc.
Easy mode - create the task using the GUI and leave it as SYSTEM, then run cmd/PS as admin, and do this:
Now verify everything was updated in Task Scheduler and is working properly.
Don't forget permissions!
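One way to do the "easy mode" re-pointing and the verification from PowerShell, added here as an example and not the command from the original post. The task name (DVWA-Backup), the account (CORP\gmsaDVWA$) and the backup path are assumptions; the task is assumed to already exist, created in the GUI as SYSTEM.

```powershell
# Added example (not from the original post): re-point an existing scheduled task at the gMSA.
# Task name, account and path are assumptions.
$task = 'DVWA-Backup'

# -LogonType Password is what tells the scheduler to retrieve the gMSA password itself at run time;
# no credential is saved in the task, so there is nothing in the task store for an attacker to recover.
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\gmsaDVWA$' -LogonType Password -RunLevel Limited
Set-ScheduledTask -TaskName $task -Principal $principal

# Verify: the principal should now show the gMSA, and a manual run should finish with result 0.
(Get-ScheduledTask -TaskName $task).Principal
Start-ScheduledTask -TaskName $task
Get-ScheduledTaskInfo -TaskName $task | Select-Object LastRunTime, LastTaskResult

# Permissions: "Log on as a batch job" comes from secpol.msc as described above; the gMSA also
# needs rights to whatever the task touches, granted as narrowly as the job allows.
icacls 'D:\Backups' /grant 'CORP\gmsaDVWA$:(OI)(CI)M'
```

A LastTaskResult of 0x41306 (the task was terminated) or a logon failure code after this change almost always means the batch logon right was not granted to the gMSA, which is the "don't forget permissions" point above.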
Running things as the MSA using PsExec is something I've never thought about.
Doing this allows you to "Get-Credential | Export-Clixml" a credential blob to disk for the MSA to use in scheduled tasks, or you could store certs for credential based auth.
I like Matthew a lot, but I don't feel this is a "dumb overreaction."
As a security admin overseeing 40K+ students and participating in communities serving over 1.5M students, I would love to shed some light on the difficulties Zoom has created for us.
First, let's start with Zoombombing. The answer seems very simple - let's add a password. The problem is that many places allowed teachers to go create their own accounts, and we had to rely on them reading email from IT.
For those of us who do have an admin console to control settings, sure we can change the settings to add a password, but that only affects future meetings (according to the console), not past meetings.
Again, communicating to teachers to change existing meetings? This is hard.