Prioritize by impact - remote access, such as VPN, needs immediate consideration. Keep an eye on Patch Tuesday notes or similar for your OSes, evaluate and rush the critical ones.
Get to automating OS patches, even if it's just test/dev first.
Applications are a whole different struggle. I watch our TVM in Defender for Endpoint and cry...
PDQ, PatchMyPC, and others are out there at a cost where I don't think you could actually save money by doing it in house. Some tools are worth paying for to scale your staff.
8. I can't stop singing praises for @mysmartlogon's PingCastle
It's so simple, hundreds of K12 sysadmins have been using it to make very meaningful improvements.
Most of the issues covered in this thread are things his singular tool identifies for you:
1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES)
2) The password can be retrieved on one server and used on another, pass the hash/ticket still works.
OK, first, let's find out if you have a KDS root key set up. Open PowerShell on a machine with the Active Directory PowerShell module installed and run this:
I like Matthew a lot, but I don't feel this is a "dumb overreaction."
As a security admin overseeing 40K+ students and participating in communities serving over 1.5M students, I would love to shed some light on the difficulties Zoom has created for us.
First, let's start with Zoombombing. The answer seems very simple - let's add a password. The problem is that many places allowed teachers to go create their own accounts, and we had to rely on them reading email from IT.
For those of us who do have an admin console to control settings, sure we can change the settings to add a password, but that only affects future meetings (according to the console), not past meetings.
Again, communicating to teachers to change existing meetings? This is hard.