I know it's hard to do something that will last 20+ years, and maybe design choices from the 90's weren't the best ideas...
There are foundational issues that need to be addressed. A clean install of windows ruined by its foundation.
The amount of failures I'm seeing are just unacceptable. We can all agree who is mostly to blame, but that won't help fix the years of rot we're looking at.
I do believe this can be fixed, but it's going to require removing old, vulnerable crap and rebuilding with a better base
The bandaid fix approach used over the last 20 years has obviously failed the test of time
It may look OK on the outside, but it's lipstick on a pig. Eventually someone pays for the underlying issues.
I just wish that didn't have to be us
So here I am on a Sunday morning, begrudgingly cleaning up a mess someone else created
I promise to secure and protect my windows better than the contractor that came before me
Because these issues are the direct result of profit seeking, laziness, and probably ineptitude 😡
• • •
Missing some Tweet in this thread? You can try to
force a refresh
In Azure AD, we have a few different types of groups
The main group types are security and Microsoft 365 groups, but in Exchange we also have distribution lists which are mail enabled groups with no security context
Each group also has an assigned and dynamic membership type
Now, before we start creating groups, I need to warn you that Microsoft stupidly believes any user should be able to create groups, both security and M365 types
What you should know is that they can select any email address they want 😱
1) MSA passwords are incredibly strong and rotate frequently enough that Kerberoasting is near impossible (especially with AES)
2) The password can be retrieved on one server and used on another, pass the hash/ticket still works..
OK, first, let's find out if you have a KDS root key set up. Run Powershell on a machine with the Active Directory Powershell Module installed and run this: