Sean Metcalf
Microsoft Certified Master #ActiveDirectory & former Microsoft MVP. Founder/CTO @TrimarcSecurity. He/Him. Work requests: https://t.co/VRrL9cUKFv #BLM
Jul 2 18 tweets 9 min read
Windows Server 2025 Active Directory Updates Thread!

Server 2025 is in preview, so I took a look at updated features, specifically Active Directory, with a focus on security features.

Article: What's new in Windows Server 2025 (preview)
learn.microsoft.com/en-us/windows-…
#AD2025 🧵

This is an interesting update to #AD2025 & may be helpful with honeypot account/honeytoken scenarios to ensure that honeypot accounts show recent logons.

Here's a relevant article for reference:
hub.trimarcsecurity.com/post/the-art-o…
Jun 2, 2023 17 tweets 3 min read
A little over 7 years ago I decided to embark on a journey which I named "Trimarc", with the goal of helping improve enterprise security for organizations and companies around the world.

In this thread I will share some of my thoughts about my approach and goals.

Trimarc has performed security assessments for hundreds of environments & has seen some really, really interesting things.

One key goal for Trimarc is sharing information with the community.
In many ways, I had achieved this goal with ADSecurity.org
Mar 4, 2022 6 tweets 3 min read
Let's talk about something that is rarely mentioned in these conversations: VMware.

"100 percent of Fortune 500 and Fortune Global 100 companies use VMware"

VMware hosts servers (including AD Domain Controllers) in most sizable companies. It's rarely secured appropriately. What do companies get wrong with VMware security?
* not limiting net access to vCenter/ESXi systems
* not restricting management protocols (Shell, SSH, DCUI, etc)
* not using lockdown mode or host profiles
* not patching VMware systems
* Root account pw not unique & complex
Mar 3, 2022 4 tweets 2 min read
Agree to disagree. Active Directory can be secured. Biggest issues tend to be with administration, overpermissioned rights, legacy config, & service accounts no one wants to change.

I have personally seen some of the largest, most complicated AD environments. They can be improved.

AD is the best product Microsoft has released & its ease of deployment & uptime tends to be its detriment. This means that AD gets less attention & resources than things like network & Exchange.
I was once asked by an IT manager (50k person org), “we need 1 person for AD right?”
Oct 5, 2021 12 tweets 3 min read
Here's the really crazy thing:

NO service account should be in Domain Admins in 2021.

Take a journey with me in this Thread to see why...

Domain Admins:
Full AD Admin rights (through membership in the domain's Administrators group) +
Local admin rights (default) on domain joined computers (workstations & servers) +
explicit ACLs on some privileged AD objects

Administrators:
Admin rights to AD (not on computers)
Oct 5, 2021 100 tweets 10 min read
Watching F9 (Fast & Furious 9) The Saga tonight.
imdb.com/title/tt543313…
Sep 20, 2021 26 tweets 5 min read
Tweet Thread on Resumes & Interviewing & things I look for (IT/Infosec focused).

I have likely seen hundreds of resumes (aka CVs) and interviewed many dozens of people in various positions. Here's what I've learned.

Resume (1)
It can get you "in the door" for an interview or you can get lost among the pile.

Resumes can be tough since everyone's experience is different. Try to stay at or under 2 pages; most reviewers will only skim the top of page 1.
Resume clinics are great to help optimize
Dec 14, 2020 16 tweets 6 min read
SolarWinds is only the latest system attack that results in a large scale compromise. Attackers target these systems because they have widespread and long-standing access.

Any system that has some level of admin rights across your environment is vulnerable.

THREAD follows

SolarWinds can monitor pretty much any system/device on typical networks & there is value to doing so.

Originally SolarWinds used SNMP (en.wikipedia.org/wiki/Simple_Ne…) to get system status. As more checks & status were added, more capability was needed, which means agent/remoting capability.
Apr 20, 2020 77 tweets 20 min read
Tonight’s movie

Great, now I need to change my password
Jan 17, 2020 6 tweets 5 min read
Mitigation: "Active Directory Configuration"
That's right. Tighten up AD and leverage to mitigate typical attack methods:
[thread follows]

* Block AD Admins from logging onto non-DA systems using GPOs
docs.microsoft.com/en-us/windows-…

* Add all AD Admins to the Protected Users group to provide additional protections (including Kerberos delegation attack mitigation)
docs.microsoft.com/en-us/windows-…

#ActiveDirectorySecurityTips
Aug 30, 2019 11 tweets 5 min read
Please share in this thread some defensive techniques that are relatively simple to configure/deploy and that have a high success rate (low false positives).

I'll start:
* Detect Kerberoasting:
trimarcsecurity.com/single-post/Tr…

* Detect PW Spraying:
trimarcsecurity.com/single-post/20…

#BlueTeam

* Deploy LAPS to automatically rotate local Administrator passwords on Windows computers
adsecurity.org/?p=1790
microsoft.com/en-us/download…
Mar 6, 2019 4 tweets 2 min read
[Thread]
Enterprise password vaults (CyberArk, SecretServer, etc) can be useful but when they store privileged AD credentials, the security of that system needs to be protected like a DC.
adsecurity.org/wp-content/upl…

When using RDP (or an RDP proxy), if the remote system the credential is used on is compromised, the credentials can be re-used (default). Changing the password mitigates reuse of the NTLM cred (pw hash), not existing Kerberos tickets (good for 10 hrs).
adsecurity.org/?p=2362