In the previous three parts of this series on Active Directory tiering, I helped you understand tiering and how Tier 1 and Tier 2 should be implemented. This video is for the Tier 0 section, which is the most important part of the tiering because you’ll learn how to perform the segregation for the most sensitive servers of your environment. In this video, I will also present a way to have different subcategories of servers, and then you can implement this concept in your Tier 1 as well.
As discussed in Enhance Active Directory Security with Tiering, Part 1 and Enhance Active Directory Security (Entra ID) with Tiering, Part 2, in order to have fair security against pass-the-hash attacks on Active Directory, you can implement tiering to have different levels based on how sensitive data are. This video is devoted to Tier1 servers (a server shared between two teams for their file sharing, an IIS server for a development team, etc.).
In order to have fair security against pass-the-hash attacks on Active Directory, you can implement tiering to have different levels based on data sensitivity. In this video, I discuss the second level of tiering. The scope for tier 2 includes the workstations and applying settings via GPO to block unauthorized access.
In this video, which is part 1 of this series, I discuss Active Directory (Entra ID) security and specifically credential theft, which happens frequently when we are dealing with a ransomware attack. Credential theft is a main target which attackers can perform by gaining access to a server or PC and use that access (pass the hash) to hop to another server. I'll explain this problem, called lateral movement, in the video. Finally, we will discuss Active Directory tiering which is a solution to logical segmentation of resources and divide them into Tier 0, Tier 1 and Tier 2.
Service accounts are essential for Active Directory service and application support. With such high privileges, service accounts are often leveraged in cyberattacks, which requires them to be secured.
In this part 2 video, I'll walk through examples using gMSA in an environment. I'll explore a case of using gMSA as a service and also explain using it as a scheduled task. I also discuss how to troubleshoot the authorization part of the gMSA to understand why your gMSA is not working correctly.
Data and security breaches within Microsoft 365 can have severe financial and reputational consequences for organizations, making robust data protection strategies imperative. To identify and respond to breaches, organizations should monitor user activities and system alerts, regularly audit security logs, and seek expertise when needed. Liam offers some best practices.
Learn how a gMSA (group Managed Serviced Account) can be helpful to replace old service accounts. You’ll learn about the under-the-hood features of gMSAs as I discuss how to create and assign them. Also, I will show how we can have gMSAs under services.msc and run schedule tasks with them. You’ll also see how to troubleshoot them using PSExec.
Azure Key Vault can store keys, secrets and certificates and use them securely in the cloud. This video describes how to configure them. Similar methods exist that use the same principal, but they are outdated. Learn how to apply the least privilege concept to our Key Vault using the Key Vault delegation model to have a better control and security over the items store in the Key Vault. Finally, the video ends discussing two use cases for using secrets in Azure Key Vault.
Azure Active Direcotry (Azure AD) provides benefits for managing applications such as single sign-on, application provisioning, security and conditional access, reporting and monitoring, business-to-business and business-to-consumer collaboration, and more. For organizations, restricting access to an Azure AD application as an administrator is key for increased security, compliance, adherence to the principle of least privilege, and application performance.
This "how-to" article teaches you how to use PowerShell to block Microsoft 365 (Office 365) user accounts in case of security threats. Besides giving you the necessary cmdlets, it also contains a 6-minute video version of the article.
Some users store credentials including the password for a specific service account inside a PowerShell script in real-world production. This poses a highly vulnerable issue where an attacker can simply grab the credentials and use them. In this video, I discuss how we can use a privileged credential in your PowerShell script in a more secure way using a certificate and Azure Key Vault.