And the same reminder again. You know why. 😅

📰 I’ve deployed Windows Shared PCs at multiple customers lately, so I wrote down everything that works. I cover OneDrive, WHfB, PDE, GSA, licensing + pratical tips from the field. Read it 👉 burgerhou.tj/gj4qtn #MSIntune #MVP #MVPBuzz #SharedPC #Windows11

AD Tiering simplified… T0 - Crown Jewels T1 - servers T2 - workstations T3 - Suzie in accounting who clicks every link possible

🔒 Secure Bits 💡 Have you ever heard of 𝗘𝗦𝗖 𝘃𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀? I guess you have. If you're running 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆 𝗖𝗲𝗿𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗲 𝗦𝗲𝗿𝘃𝗶𝗰𝗲𝘀 (𝗔𝗗 𝗖𝗦) and haven't audited it for ESC misconfigurations — you may be sitting on a 𝘁𝗶𝗰𝗸𝗶𝗻𝗴 𝘁𝗶𝗺𝗲 𝗯𝗼𝗺𝗯. 💣 🎯 ESC vulnerabilities (Enterprise PKI Escalation Paths) are incredibly 𝗰𝗼𝗺𝗺𝗼𝗻 and highly 𝗱𝗮𝗻𝗴𝗲𝗿𝗼𝘂𝘀. Yet… most environments I assess treat AD CS like a black box — “It’s working, so let’s not touch it.” But attackers love AD CS — it often lets them 𝗲𝘀𝗰𝗮𝗹𝗮𝘁𝗲 𝘁𝗼 𝗗𝗼𝗺𝗮𝗶𝗻 𝗔𝗱𝗺𝗶𝗻 using just a basic user account. No exploits. Just misconfigurations. 𝗟𝗲𝘁’𝘀 𝗯𝗿𝗲𝗮𝗸 𝗱𝗼𝘄𝗻 𝗘𝗦𝗖𝟭 👇 ESC1 = Certificate Template Misconfig It lets a regular user request a certificate that can later be used to authenticate as someone else — including privileged users. 𝗧𝗼 𝗯𝗲 𝘃𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗹𝗲, 𝗮𝗹𝗹 𝗼𝗳 𝘁𝗵𝗲𝘀𝗲 𝗮𝗿𝗲 𝘁𝗿𝘂𝗲: ✅ Non-privileged users can enroll in a certificate template ✅ Manager approval is not required ✅ No authorized signature is required ✅ The template supports client authentication (PKINIT, Smart Card, etc.) ✅ The requester can define the Subject Alternative Name (SAN) 𝗘𝗻𝗱 𝗿𝗲𝘀𝘂𝗹𝘁? A low-privileged user can impersonate anyone — including a Domain Admin — using the certificate. 🛠️ 𝗛𝗼𝘄 𝘁𝗼 𝗰𝗵𝗲𝗰𝗸 𝘆𝗼𝘂𝗿 𝗲𝗻𝘃𝗶𝗿𝗼𝗻𝗺𝗲𝗻𝘁: There are free tools for this: 🔹 ADProbe — My AD vulnerability scanner 🔹 Locksmith by Jake Hildreth — covers almost all ESC vulnerabilities 🔹 ... 🎯 There are 𝟭𝟲 𝗘𝗦𝗖𝘀 𝗶𝗻 𝘁𝗼𝘁𝗮𝗹. I’ll be covering them in upcoming Secure Bits posts. 👉 Did you already know what ESC1 was about? #ADCS #SecureBits #CyberSecurity #ActiveDirectory #RedTeam #BlueTeam #PKI #WindowsSecurity #HorizonSecured @BlueTeamDave

AdminSDHolder is kinda my jam. I wrote the e-book on it. If you work with Activity Directory, I highly recommend you give this a skim, or at least check the spoilers in the blog.

How to find insecure permissions in 3 easy steps. 1. Download ADeleg & ADeleginator 2. Run Invoke-ADeleginator 3. Review the report Identifying what could be a full domain compromise attack path is that simple. Link to ADeleg/ADeleginator & other AD security resources here 👇 go.spenceralessi.com/budget

70 cybersecurity project ideas from beginner to advanced level

LEARN FOR FREE

Wonka is a sweet Windows tool that extracts Kerberos tickets from the Local Security Authority (LSA) cache. github.com/Shac0x/Wonka

🔒 Secure Bits 💡 What is the 𝗗𝗻𝘀𝗨𝗽𝗱𝗮𝘁𝗲𝗣𝗿𝗼𝘅𝘆 group in Active Directory? It’s designed for very specific use cases — like when you have multiple DHCP servers that need to update the same DNS records. 💡 𝗛𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀: When a DHCP server registers a DNS record on behalf of a client, it becomes the owner of that record. But if another DHCP server tries to modify it, it's blocked — because it doesn't own the record. To "fix" this, Microsoft introduced the DnsUpdateProxy group, which allows records to be created 𝘄𝗶𝘁𝗵 𝘄𝗲𝗮𝗸𝗲𝗻𝗲𝗱 𝗔𝗖𝗟𝘀: 1️⃣ The first authenticated client to modify the record becomes the new owner. 2️⃣ If the updater is a member of DnsUpdateProxy, ownership and the loose ACLs persist. ⚠️ 𝗪𝗵𝘆 𝘁𝗵𝗶𝘀 𝗶𝘀 𝗿𝗶𝘀𝗸𝘆: With weakened ACL on the record, any authenticated client can potentially abuse it. And if DHCP is running on Domain Controllers, critical DNS records could be exposed. 𝗔 𝘀𝗮𝗳𝗲𝗿 𝗮𝗹𝘁𝗲𝗿𝗻𝗮𝘁𝗶𝘃𝗲: 🔹 Use Dynamic DNS Update Credentials — create a standard domain user 🔹 Configure all DHCP servers to use this account 🔹 (Note: gMSAs are not supported) 🔹 Avoid putting DHCP roles on Domain Controllers 🔹 Avoid using the DnsUpdateProxy group altogether 💬 Are you using DnsUpdateProxy group in your environment? #SecureBits #ActiveDirectory #Windows #CyberSecurity #DNS #DHCP #BlueTeam #HorizonSecured

useful wireshark filters

If you know me...you can probably guess what some (all?) of these topics might be... I'm going to be sharing how IT admins can make their environments harder to attack. In honor of Cybersecurity Awareness Month. Come hang out with us! Thursday 10/23 10am Mountain. Here's a link 🔗go.spenceralessi.com/pdq

This command lets you see EVERY Wifi network you've ever connected to.  + all the passwords (in plain text)! 😳

🔒 Secure Bits 💡 𝗞𝗲𝗿𝗯𝗲𝗿𝗼𝘀 𝗔𝘂𝘁𝗵 𝗙𝗮𝗶𝗹𝘂𝗿𝗲𝘀 𝗶𝗻 𝗠𝗶𝘅𝗲𝗱 𝗘𝗻𝘃𝗶𝗿𝗼𝗻𝗺𝗲𝗻𝘁𝘀 (𝗪𝗦 𝟮𝟬𝟮𝟱 + 𝗪𝗦 𝟮𝟬𝟮𝟮 𝗗𝗖𝘀) Ran into this issue twice already — and it’s sneaky. So here’s what you should know 👇 If you’re running a mixed domain with 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗲𝗿𝘃𝗲𝗿 𝟮𝟬𝟮𝟮 𝗮𝗻𝗱 𝟮𝟬𝟮𝟱 𝗗𝗖𝘀, watch out for Kerberos authentication errors after password changes. 💥 𝗜𝘀𝘀𝘂𝗲: If a user’s password is changed on a WS 2025 DC, and they later try to authenticate against a WS 2022 DC — you may get: 🛑 𝗞𝗥𝗕𝟱_𝗞𝗗𝗖_𝗘𝗥𝗥_𝗘𝗧𝗬𝗣𝗘_𝗡𝗢𝗦𝗨𝗣𝗣 in Wireshark 🛑 Event ID 4771 with failure code 𝟬𝘅𝗘 in logs I experienced this in hardened environments with only AES enabled. It looks like WS 2025 may generate key material that WS 2022 cannot read or validate properly, 𝗰𝗮𝘂𝘀𝗶𝗻𝗴 𝗮𝘂𝘁𝗵 𝘁𝗼 𝗳𝗮𝗶𝗹 — even though everything looks configured correctly. ✅ Once passwords are changed back on WS 2022 DCs → things work again across both. 🔍 𝗛𝗼𝘄 𝘁𝗼 𝗱𝗲𝘁𝗲𝗰𝘁 𝗶𝘁: • Look for repeated ETYPE_NOSUPP errors in Wireshark • Review Event ID 4771 with 0xE code • Focus on accounts that recently changed passwords on WS 2025 DCs 🩹 𝗧𝗲𝗺𝗽𝗼𝗿𝗮𝗿𝘆 𝘄𝗼𝗿𝗸𝗮𝗿𝗼𝘂𝗻𝗱: • Rotate affected passwords on WS 2022 or older DCs • Or avoid mixed environments with WS 2025 DCs — for now I’ve seen this issue now multiple times, and spotted it discussed in a few community threads as well — 𝘀𝗼 𝗶𝘁’𝘀 𝗻𝗼𝘁 𝗶𝘀𝗼𝗹𝗮𝘁𝗲𝗱. ❓𝗔𝗻𝘆𝗼𝗻𝗲 𝗲𝗹𝘀𝗲 seeing similar problems? If you’re running WS 2016 or WS 2019 DCs in a mixed setup — are you affected too? #ActiveDirectory #Kerberos #WindowsServer #SecureBits #HorizonSecured #CyberSecurity #ADHardening

Remote Desktop credential delegation (SSO) not working after enabling Credential Guard – 4sysops 4sysops.com/archives/remote-…

Remove Default Microsoft Store Packages: Windows Debloat Done Right Now available in the Intune Settings Catalog!! The Remove Default Microsoft Store Packages policy gives admins a native and reliable way to remove built in Microsoft Store apps without the need to use fragile PowerShell scripts! It cleans up unwanted apps automatically during provisioning and on existing enrolled devices, giving you full control over what stays on Windows. Want to know when this policy actually activates and what happens behind the scenes? That is what the blog uncovers. patchmypc.com/blog/remove-de… #Intune #MSIntune #WindowsAutopilot #MicrosoftStore #Windows11

Stop Losing RDS Per-User CALs to Case Sensitivity: The Real Fix with msTS* LDAP Rights archy.net/stop-losing-rds-pe…

Active Directory hardening - sysadmin pain scale LAPS - like stepping on a Lego MFA for RDP to servers - like too much salt on your fries Disabling legacy auth - dreams haunted by windows logs Removing accounts from DA - resume generating events Tiered Security - therapy + goat farming, congrats you’ve made it

ATTENTION: Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft! Attackers have found a new method to trick end users into logging in to a malicious login page, intercepting tokens, and infiltrating the tenant. What makes this particularly sneaky is that they are using Microsoft URLs. The link they receive is forms.office.com/ followed by a value. Clicking that takes them to a strange URL with a PDF, which they then have to log in with their M365 account. And that's where the real danger lies. The URL ends in windows.net and is therefore considered valid. If you log in and the URL isn't login.microsoftonline.com, you can assume it's a bad one. Block the endpoint *.blob.core.windows.net entirely, and only allow access to the specific storage account you trust, like: <storage-account-name>.blob.core.windows.net Now that you're aware of this, please also set up company branding in your Microsoft 365 tenant! It helps users trust the sign-in page. When they see your logo and colors, they know it's safe. If they see a random portal, they'll think twice before entering their credentials! Read more: learn.microsoft.com/en-us/en… #Microsoft365 #EntraID #CloudSecurity #IdentityProtection

lets you update and activate old Windows versions after official support ends