Blog du Tristank

Migrating to https://blog.tristank.com/. And still so terrific that 3 of 4 readers rated it "soporific"

How SLAM retrieves the computer’s Local Admin password

Simple: SLAM doesn’t retrieve the computer’s Local Admin password – LAPS does! SLAM is a Premier Operations Program offering (POP) for Securing Lateral Account Movement. It workshops credential theft mitigation (CTM) and counters lateral traversal with logon restrictions and firewall rules (among other protections)… but one key feature is deployment of LAPS, the Local Admin…

How To (quickly) Tell If You’re 5 Years Out Of Date On Security Updates

There’s a fun indicator you can use to quickly evaluate whether you’ve been missing security updates for the last five years (ish) on older Operating Systems (i.e. Win2008-2008 R2), and it’s the build number. Not infallible, but then not often wrong. Helpful Table Of Problem Versions If you’d rather skip my rambling – and let’s…

Krebs’ Immutable Truths of Data Breaches

A rationale for more stringent risk assessment. Or indeed any risk assessment for internet connected assets, regardless of size or perceived value to others. Krebs’s Immutable Truths About Data Breaches “There are some fairly simple, immutable truths that each of us should keep in mind, truths that apply equally to political parties, organizations and corporations…

Website Security Suggestion: Get rid of cruft! (script included)

Right: One of my pet hates is cruft on a production website. Cruft is stuff – files – which has accumulated because nobody’s paying attention. Cruft includes sampleware. Developer experiments. Readmes. Sample configs. Backups of files which never get cleaned up. Just general accumulated stuff. It’s website navel lint. Hypertext hairballs. Cruft. Has. No. Place….

Simple IIS Kerberos Q&A

Posting a hopefully-useful tidbit. Hi Tristan, Do you have by any chance a guide on how to set up IIS for Kerberos auth? I’m helping my customer and I’m a beginner with IIS. It is a farm of 6 IIS servers, they will be using a service acct. DNS is configured to do the following…

Tip: Check that your Offline Root CA is actually Offline, mmkay?

I spend a fair whack of time chatting PKI and certificates with customers, and tyre-kicking their environments as part of the Active Directory Certificate Services Assessment (or ADCSA – available via Premier Support). Many customers have a fairly standard design, often deployed by a partner (it’s the “off the shelf plus customize” option), which includes…

Custom Password Filters

Back from holiday now, and almost over the jetlag. Almost. A question came up today about Password Filter DLLs, and the documentation always seems to be hard to find, so I’ve popped up a quick summary of everything I know here. Back In The Day of NT4, there was an optional component that Microsoft provided…