Ryan Newington [MVP] 🇦🇺
Microsoft MVP, Identity Architect, .NET Developer and Windows Platform Specialist. Founder of @lithnet_io. Photographer @rnewphotography
Mar 21, 2021 7 tweets 2 min read
Users having admin rights on *their* desktop is nowhere near as big a problem as your support staff having admin rights on *all* desktops. To stop ransomware we need to move away from super-charged admin rights that work everywhere. 💣 Start by removing domain admins from the local admins group of every computer. Windows adds them by default when a PC is first joined to the domain. Set up a group policy to remove them. Domain admins need to be an admin of DCs only. Talk about an overprivileged account! 😫
Aug 12, 2020 18 tweets 3 min read
Here's a digest of my understanding of #CVE-2020-1472 for the Microsoft Netlogon secure channel vulnerability and what you need to do to protect yourself. Thread. ⬇️ Firstly, what's the issue? Well it seems an attacker could essentially become a domain admin, without needing to authenticate to the DC. They just need line-of-sight. Yikes.
Jun 30, 2020 19 tweets 4 min read
[Thread] We discovered the Palo Alto SAML vulnerability (CVE-2020-2012). There's lots of confusion about the role of the 'Disable cert validation' check box in this issue. TLDR; Having this turned off is standard, expected, and not bad practice. Patch your PA, and leave this off. To understand this properly, we need to understand how SAML works, specifically the 'POST binding' mechanism most commonly used in SAML setups today. There are two parties in a SAML trust, the identity provider (IDP) and the service provider (SP).