The Zero Trust Zone

Episode 6 - ADCS: your greatest ally or biggest vulnerability?

Certificates are either your strongest authentication control or your biggest hidden liability. In Episode 6 of The Zero Trust Zone, I’m joined by identity expert Jake Hildreth to unpack the real-world security implications of Active Directory Certificate Services (AD CS). We discuss why PKI is often misunderstood, how certificate misconfigurations become high-impact attack paths, and how tools like Locksmith are helping organizations identify exposure before attackers do. From Zero Trust architecture to ESC abuse paths, this episode dives deep into the sense (and some nonsense) of certificates in modern enterprise security. Topics covered include: * Why AD CS has become a prime attack surface * Common certificate misconfigurations in enterprise environments * ESC vulnerabilities explained * Proactive PKI auditing and hardening strategies Resources mentioned: SpecterOps – Certified Pre-Owned: Abusing Active Directory Certificate Services https://posts.specterops.io/certified-pre-owned-d95910965cd2 [https://posts.specterops.io/certified-pre-owned-d95910965cd2] Jake Hildreth – LockSmith PowerShell Toolkit https://github.com/jakehildreth/Locksmith [https://github.com/jakehildreth/Locksmith] Michael Waterman – Top 10 PKI Recommendations by a Former Microsoft Security Engineer https://michaelwaterman.nl/2026/02/15/top-10-pki-recommendations-by-a-former-microsoft-security-engineer/ [https://michaelwaterman.nl/2026/02/15/top-10-pki-recommendations-by-a-former-microsoft-security-engineer/]

Episode 5 - When Passkeys hit real-world environments

What happens when passkeys hit real-world environments?In Episode 5, I’m joined by identity expert and Microsoft MVP Eric Woodruff to break down the practical implications of passkey adoption, the good, the bad, and the unexpected. We talk about: 🔹 What passkeys actually solve (and what they don’t) 🔹 Lessons learned from early deployments 🔹 Challenges, device sync issues, and recovery scenarios 🔹 How security teams should prepare for mainstream adoption This is a candid, no-fluff conversation packed with useful insights for anyone navigating the shift to passwordless and phishing-resistant authentication.

Episode 4 - When Active Directory Gets Hit

Active Directory is still at the heart of many organizations, and that makes it a prime target. When it gets compromised, the blast radius can be massive. In this episode of The Zero Trust Zone, we’re joined by legendary Microsoft MVP Jorge de Almeida Pinto, a seasoned expert in incident response and identity recovery, to unpack what really happens when AD goes down. * What makes AD so attractive to attackers * The phases of a real-world AD incident response * Lessons from the field: what goes wrong, and how to recover * Practical steps to prepare before disaster strikes For those who know Jorge, we'll - of course - also talk about his legendary script to roll the KRBTGT password, and what the new version holds for us! Whether you manage AD, defend identities, or just want to understand the stakes, this episode is a must-listen!

Episode 3 - Governance is not a bad word!

In this episode of The Zero Trust Zone, we tackle a topic many teams avoid—identity governance—and show why it’s absolutely essential in a Zero Trust world.Joining us is Microsoft MVP and identity expert Jan Vidar Elven, who breaks down how Microsoft Entra Identity Governance can help organizations automate, secure, and streamline access—without drowning in complexity.We discuss:🔹 What identity governance really means🔹 Key components like Lifecycle Workflows, Access Reviews, Entitlement Management, and PIM🔹 Where to start if you’re new to Entra ID Governance🔹 Common pitfalls and best practices from the field🔹 Why governance is critical to both security and complianceIf you’re dealing with access sprawl, compliance pressure, or just want to clean up your Entra tenant—this episode is for you.

Episode 2 - Guardian at the Gate: Bastion Tenants Explained

Welcome back to The Zero Trust Zone! In this episode, we’re joined by Microsoft MVP and identity security expert Thomas Naunheim to dive deep into a powerful Zero Trust design pattern: the bastion tenant. 👉 What is a bastion tenant? 👉 Why are more organizations isolating their admin identities into separate, hardened tenants? 👉 Is this a must-have security strategy—or just a legacy relic from on-prem Active Directory guidance? We break down what a bastion tenant really is, how it fits into your modern cloud architecture, and whether it's worth implementing in your own environment. For more information on the elements discussed in this episode, make sure to check out the following links: - https://www.entraops.com (https://www.cloud-architekt.net/entraops/) - https://www.glueckkanja.com/en/security/managed-red-tenant (Glueck Kanja)