We Must Fundamentally Transform Our Approach to Security

This week, we have a different style of article.  In this post, folks step back and look at “big picture” strategy rather than the technical/tactical details of IT operations.  This broadly collaborative effort about Identity and Security was developed over a long period of time with input from many people across MCS, PFE and the Cybersecurity groups… Read more

SHA-1 Deprecation and Changing the Root CA’s Hash Algorithm

Hi, Rick Sasser here, with what was intended to be a quick blurb on security that back references one of my original posts on Choosing a Hash and Encryption Algorithm for a new PKI? and somehow turned out to be the labor equivalent of about a week, counting everyone who chipped in on it, and… Read more

RPC Endpoint Mapper Returns Dynamic Port Incorrectly When Active Directory is Configured to Use Static Port

Hi Folks, Gary Green, Lakshman Hariharan and Rick Sasser here with a new post on RPC. The purpose of this post is to draw attention to an issue that our friends in the Directory Services team have uncovered where the RPC Endpoint Mapper (EPM) returns a dynamic port incorrectly instead of the static Active Directory… Read more

Six Audit Mistakes Everyone Seems To Make With Windows Server

Hi, this is Richard Sasser 'Rick', MCM, Red shirted dude (security guy). This might seem like old data, but you’d be surprised how many people looked at Security Auditing in Windows Server 2008 and 2008R2, saw that the old policies applied, and subsequently just checked the box and moved forward. Auditing changed. Auditing changed a… Read more

Service Principal Name Attribute Limitations

Jim Kelly here [edited by Richard P. Sasser], I've talked to a few customers and engineers lately, asking about character and entry limitations with the ServicePrincipalName Attribute. It is a common practice to use the same security principal to run multiple instances of an application, such as SQL. In order for Kerberos to work properly… Read more

How LastLogonTimeStamp is Updated with Kerberos S4u2Self

Introduction Hi! My name is Richard Sasser, or Rick, as I prefer, and I’m a Microsoft Certified Master for Active Directory and I work on the Platforms DSE team. I do a lot of security related work, and consult frequently on Public Key Infrastructures and Authentication issues. I don’t blog as often as I should,… Read more

Choosing a Hash and Encryption Algorithm for a new PKI?

I frequently get asked to consult on building out new Public Key Infrastructures here in Premier Field Engineering. One of the things that I get asked commonly is “How do I choose a key length and Hash Algorithm?”. That’s a complex question, that generally is difficult to answer, but I thought I might collect “Some… Read more