Kerberos Pre-Auth: Hidden AD Risk

Hybrid Identity is Broken: Rethinking AD, Entra ID & the Bridge in Between

Welcome to another episode of Guardians of the Directory, where we pull back the curtain on the real-world challenges in securing and managing Active Directory and hybrid identity environments. In this episode, Craig Birch is joined by Sander Berkouwer, identity veteran, Microsoft MVP, and author of the Active Directory Administration Cookbook, to have a brutally honest conversation about hybrid identity – and why it's more than just "messy"... it's broken. 💡 Key Takeaways: * Why Hybrid AD isn't just two directories, and how the real architecture adds a third (and sometimes fourth) layer of identity confusion. * What’s really going wrong with Entra Connect Sync, delegated permissions, PowerShell lifecycle issues, and administrative sprawl. * ADFS: still lingering, or finally on its way out? Why some orgs are stuck with legacy federation even today. * The harsh truth about identity governance: the promise of Entra ID Governance, and the licensing challenges that come with it. * What’s actually working for organizations today — and why baby-stepping IAM might be your smartest move yet. * The real impact of role sprawl, just-in-time access challenges, and why elevated rights still haunt hybrid AD deployments. * Fix or Fail: Craig and Sander rapid-fire common hybrid identity practices and decide what stays and what needs to go. * The one thing Sander would fix today if he could: a surprising insight into replication and its ripple effect on the hybrid identity stack. 🔧 Whether you're wrestling with federation headaches, struggling to consolidate IAM platforms, or just trying to get a handle on delegation and privilege creep, this episode lays out the problems — and a few practical ways forward.

Blueprinting Zero Trust From: Strategy to Execution with Jerry Chapman

Welcome back to Guardians of the Directory! In this episode, Craig Birch is joined once again by Zero Trust expert Jerry Chapman for a deep dive into the Zero Trust Blueprint—a practical model to help organizations shift from theory to execution. Jerry shares insights from his work as Co-Chair of the CISA Zero Trust Working Group and provides a clear framework covering assessment, strategy, roadmap development, and execution phases. Together, they explore: * The critical role of business assets and protect surfaces * The importance of session management, privilege access, and standing permission hygiene in Active Directory * Common pitfalls organizations face as they mature their Zero Trust implementations * How Zero Trust applies equally to human and non-human identities (including AI!) * The value of visibility, automation, and governance in maintaining Zero Trust momentum If you're looking for a realistic, actionable guide to embedding Zero Trust in your enterprise—and especially within Active Directory environments—this episode is your blueprint. Resources Mentioned: * CISA Zero Trust Maturity Model * CISA Zero Trust Working Group * Microsoft Entra PIM * Next-gen IGA and Certificate Lifecycle Management Guest Bio: Jerry Chapman is a cybersecurity veteran with over 25 years of experience in identity and Zero Trust. He serves as a Co-Chair for the CISA Zero Trust Working Group and is a recognized thought leader in strategy-driven security.

AdminSDHolder in Active Directory: Hidden Risks and Persistent Threats

In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down the often-misunderstood AdminSDHolder object in Active Directory and why it's a high-value target for attackers. Learn how the SDProp process uses it to secure privileged groups—and how misconfigurations or legacy permissions can open the door to persistent access.🔍 What you’ll learn:What AdminSDHolder and SDProp really doWhy this object matters for securing protected groupsHow attackers abuse it for persistenceHow to identify dangerous ACLs and misconfigurationsPowerShell tips to simplify your audit🛠️ PowerShell script to audit AdminSDHolder will be posted in the video description/comments.💡 If AdminSDHolder is compromised, your admin model is too.Subscribe for more quick-hit insights on Active Directory and Entra ID security.Powershell:Import-Module ActiveDirectory# DCSync-related GUIDs$dcsyncGUIDs = @( [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", [Guid]"89e95b76-444d-4c62-991a-0facbeda640c")# Noisy identities to ignore$noisyAccounts = @( "NT AUTHORITY\SELF", "NT AUTHORITY\SYSTEM", "NT AUTHORITY\Authenticated Users", "NT AUTHORITY\INTERACTIVE", "BUILTIN\Pre-Windows 2000 Compatible Access", "Everyone")# AdminSDHolder ACL retrieval$domainNC = (Get-ADDomain).DistinguishedName$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"$adminSDHolder = Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor$acl = $adminSDHolder.nTSecurityDescriptor# Admin group membership mappingfunction Get-AdminGroupMembers { param([string[]]$groupNames) $members = @() foreach ($name in $groupNames) { $group = Get-ADGroup -Identity $name $members += Get-ADGroupMember -Identity $group.DistinguishedName -Recursive | ForEach-Object { $_.SamAccountName } } return $members | Sort-Object -Unique}$adminGroups = @("Domain Admins", "Enterprise Admins", "Administrators")$adminMembers = Get-AdminGroupMembers -groupNames $adminGroups# Filter risky, non-default ACEs$dangerousACEs = $acl.Access | Where-Object { $_.AccessControlType -eq "Allow" -and -not ($noisyAccounts -contains $_.IdentityReference.Value) -and ( ($_.ActiveDirectoryRights -band "GenericAll") -or ($_.ActiveDirectoryRights -band "GenericWrite") -or ($_.ActiveDirectoryRights -band "WriteDacl") -or ($_.ActiveDirectoryRights -band "WriteOwner") -or ($_.ActiveDirectoryRights -band "CreateChild") -or ($_.ActiveDirectoryRights -band "Delete") -or ($_.ActiveDirectoryRights -band "DeleteTree") -or ($_.ActiveDirectoryRights -band "ExtendedRight") )}# Output$dangerousACEs | Select-Object ` IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, @{Name="ACEType"; Expression={ if ($_.ActiveDirectoryRights -band "GenericAll") { "GenericAll" } elseif ($_.ActiveDirectoryRights -band "GenericWrite") { "GenericWrite" } elseif ($_.ActiveDirectoryRights -band "WriteDacl") { "WriteDacl" } elseif ($_.ActiveDirectoryRights -band "WriteOwner") { "WriteOwner" } elseif ($_.ActiveDirectoryRights -band "CreateChild") { "CreateChild" } elseif ($_.ActiveDirectoryRights -band "Delete") { "Delete" } elseif ($_.ActiveDirectoryRights -band "DeleteTree") { "DeleteTree" } elseif ($_.ActiveDirectoryRights -band "ExtendedRight") { if ($dcsyncGUIDs -contains $_.ObjectType) { "DCSync" } else { "ExtendedRight" } } else { "Other" } }}, @{Name="IsAdminGroupMember"; Expression={ $sam = $_.IdentityReference.Value.Split("\")[-1] $adminMembers -contains $sam }} | Format-Table -AutoSize

Admin Accounts with SPNs — Hidden Risk Behind Kerberoasting

🔍 Admin Accounts with SPNs — Hidden Risk Behind Kerberoasting | Directory Insights in 10 MinutesIn this episode, Craig Birch breaks down a major Active Directory security blind spot: Kerberoasting via privileged accounts with SPNs (Service Principal Names).You'll learn how attackers exploit these accounts — and how to find, assess, and fix the risk without breaking your apps.Straightforward, no fluff — just practical identity security guidance.🛠️ What You’ll Learn🔐 What SPNs are — and why they matter⚠️ How attackers use them in Kerberoasting attacks🖥️ Why ADUC isn’t enough for visibility💻 PowerShell + LDAP filters for fast discovery🧠 SDProp and how it flags privileged accounts🤝 Why app owner collaboration is critical🔁 Safer alternatives: gMSAs, strong passwords, and role reviews❌ Why auto-remediation can break things💡 PowerShell SpotlightpowershellCopyEditGet-ADUser -LDAPFilter "(&(admincount=1)(servicePrincipalName=*))" -Properties servicePrincipalName | Select-Object Name, servicePrincipalNameUse this to find privileged accounts with SPNs — the ones most at risk of Kerberoasting.✅ Quick TakeawaysScript it — don’t rely on ADUCNever auto-remove SPNs without impact analysisTalk to app owners before changesHarden service accounts or switch to gMSAsMonitor SDProp-marked accounts to shrink attack surface💬 Found this helpful? Like, share, or comment! Got a topic you want us to cover in 10 minutes or less? Drop it below — we’re listening.

Kerberos Pre-Auth: Hidden AD Risk

In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down one of the most overlooked Active Directory misconfigurations: the "Do not require Kerberos pre-authentication" setting.🔍 Why it matters:Enables AS-REP Roasting attacks using tools like Hashcat or John the RipperAllows silent user enumeration without authentication failuresCan go undetected by SIEMs and security logs🛠️ What you'll learn:How this setting weakens AD securityHow attackers abuse it for initial access and password crackingHow to detect and remediate affected accounts using PowerShell🧠 Practical, fast, and built for real-world AD admins—no fluff.▶️ Chapters: 00:00 - Intro00:45 - Why “Do Not Require Pre-Auth” Is Dangerous02:30 - AS-REP Roasting Explained03:20 - Finding Vulnerable Accounts (GUI + PowerShell)05:40 - Remediation Script Walkthrough08:20 - Final Recommendations📥 PowerShell Script:# Import the Active Directory moduleImport-Module ActiveDirectory# Find user accounts that do not require Kerberos preauthentication$users = Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth# Display the accounts that do not require Kerberos preauthentication$users | Select-Object Name, SamAccountName, UserPrincipalName# Pause for confirmation before remediationRead-Host -Prompt "Press Enter to remediate these accounts"# Remediate all accounts by setting DoesNotRequirePreAuth to $falseforeach ($user in $users) { Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false}