Quickly find potential Kerberoast victims

Read up on the Kerberoast approach to bruteforce the passwords of service accounts, and find out which of your service accounts would be an interesting target.

Do you have plaintext passwords in your Azure deployments?

If you are developing deployments for Azure you will encounter situations where you need to use passwords and other data that needs to stay hidden. Azure has plenty of facilities for this, but sometimes people can be tempted to take shortcuts. So, for one of the projects I’m involved in there was a suspicion that…


The Active Directory 2016 PAM Trust: how it works, and why it should come with a safety advisory

We have long been working on increasing security in the design and operations of Active Directory. In each release from Windows Server 2003, 2008 and up to 2012 R2 you can see steps taken: better encryption, additional Kerberos features, deprecation of old protocols, etc. With Windows Server 2016 we have taken a next step, and…


Get rid of accounts that use Kerberos Unconstrained Delegation

Suppose you are managing an enterprise Active Directory. You will have people at your desk that need you to configure something in AD to support their applications: GPOs, service accounts, OUs and permissions, etc. Sometimes they will ask for Kerberos Delegation, a nebulous technology that is generally not well understood by admins or developers. There are…


How admins can cheat at changing their password

Here is a little known trick that you can do if you have AD permissions to manage your own account: when you are prompted to change your password when its age has expired, do this: Start AD Users & Computers, and find your account. Open the Accounts tab, check the box next to “User must…