Share this page!

Nathan McNulty Profile picture
Twitter logo
15 Aug, 4 tweets, 2 min read
I'd like to talk about #windows for a minute

I know it's hard to do something that will last 20+ years, and maybe design choices from the 90's weren't the best ideas...

There are foundational issues that need to be addressed. A clean install of windows ruined by its foundation.
The amount of failures I'm seeing are just unacceptable. We can all agree who is mostly to blame, but that won't help fix the years of rot we're looking at.

I do believe this can be fixed, but it's going to require removing old, vulnerable crap and rebuilding with a better base
The bandaid fix approach used over the last 20 years has obviously failed the test of time

It may look OK on the outside, but it's lipstick on a pig. Eventually someone pays for the underlying issues.

I just wish that didn't have to be us
So here I am on a Sunday morning, begrudgingly cleaning up a mess someone else created

I promise to secure and protect my windows better than the contractor that came before me

Because these issues are the direct result of profit seeking, laziness, and probably ineptitude 😡

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Nathan McNulty

Nathan McNulty Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @NathanMcNulty

Nathan McNulty Profile picture
16 Jul
It's finally time to learn about Groups in Azure AD :)

Groups are foundational components for granting access to resources, email delivery, and even assigning licenses within Azure AD.

But first, you need users, so if you haven't yet, go create some :)

In Azure AD, we have a few different types of groups

The main group types are security and Microsoft 365 groups, but in Exchange we also have distribution lists which are mail enabled groups with no security context

Each group also has an assigned and dynamic membership type
Now, before we start creating groups, I need to warn you that Microsoft stupidly believes any user should be able to create groups, both security and M365 types

What you should know is that they can select any email address they want 😱

Let's start here: portal.azure.com/#blade/Microso…
Read 20 tweets
Nathan McNulty Profile picture
25 May
Let's learn about Users in Azure AD :)

In this thread, I'm covering the Azure Portal and Powershell modules. We'll look at Graph API later (setup required).

If you haven't already signed up for a M365 dev account, check the thread below and follow along!
whoami

I've been managing AAD/O365 for almost a decade, and I absolutely can (and will) be wrong

Please correct me, nerd snipe, whatever your style is, if you see something wrong or have suggestions

I want value here for beginners and veterans alike, but we start with basics
So, let's get started by logging into portal.azure.com with the Global Admin (GA) account for our developer tenant

In the middle of the dashbord, you'll see a link to View Azure Active Directory. Go ahead and click on that ;)

On the left, click Users, then click New User
Read 21 tweets
Nathan McNulty Profile picture
19 May
Did you know that you can get a free M365 E5 subscription with 25 user licenses to learn, create automation, and develop applications?

I know most folks never get the chance to admin this stuff, so sign up now, and let's walk through this together :)

developer.microsoft.com/en-us/microsof…
Upon visiting the Microsoft 365 Dev Center, it will ask you to sign in with your Microsoft account.

This will be the Microsoft account that your developer tenant will be associated with, but not the one you use to log into it.

You should see something like this 👇 Image
So we simply fill out a few forms that let Microsoft know what we intend to do.

Please do not abuse this or use it for business purposes.

I build automation scripts, test SSO like SAML/OIDC with various apps, and build documentation for sharing with others for learning. ImageImageImage
Read 10 tweets
Nathan McNulty Profile picture
6 Feb
I'm seeing another big push by vendors that their solution will fix education's ransomware woes

You can't make up for poor operational management by buying products

Do these free things first, then consider purchases that scale your staff

Note: #6 is for non-AD bound devices
1. For email filtering, I have a nice series here you can borrow ideas from:

blog.opsecedu.com/using-transpor…

For Office macros, it's how something like 90% of ransomware starts (rest is unpatched remote access).

At least block macros from the Internet:

microsoft.com/security/blog/…
3. Attackers move around your network easily when you have the same admin accounts on many machines. Make them all unique and make them work for it.

LAPS is a simple, effective way to do this.

blog.nowmicro.com/2018/02/28/con…

See @RyanLNewington's free LAPS Web:
github.com/lithnet/laps-w…
Read 10 tweets
Nathan McNulty Profile picture
5 Feb
You really should use (g)MSA's instead of user accounts for services, IIS, scheduled tasks, SQL, etc.

Even if you have a cred vault that rotates and handles dependencies, MSA's are probably still better.

Read Steve's thread for how they work, then this one for how to use them.
First, a couple of things Steve didn't mention:

1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES)

2) The password can be retrieved on one server and used on another, pass the hash/ticket still works..
OK, first, let's find out if you have a KDS root key set up. Run Powershell on a machine with the Active Directory Powershell Module installed and run this:

Get-KDSRootKey

If you get nothing, then run this:

Add-KDSRootKey –EffectiveImmediately

Now wait 10 hours.. seriously :(
Read 10 tweets
Nathan McNulty Profile picture
3 Feb
I could write a book...

You gain expertise through the process of fixing things, sometimes the things you break - don't fear mistakes.

As your expertise gets deeper, you find new exotic ways of breaking things where even Stack Overflow won't save you.

Here's a few of mine :)
First week on a new job, ran a driver cleanup script for ConfigMgr 2007 and forgot the params - dumped the entire driver catalog

Deployed apps based on UTC instead of local time

$list | % { Restart-Computer $_ } while the server I was running it from was in the list...
Filtered in Graylog to push a new client config without realizing it included some servers. New log sources flooded Graylog with 200GB of data.

Set up a mail flow rule to catch spoofing (from header contains domain) but forgot to specify from external... QT'd my outbound email.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @NathanMcNulty has new unrolls!

Check out other threads from @NathanMcNulty!

Read all threads by @NathanMcNulty

:(