AD: Nitty Gritty of Fine-Grained Password Policies

Hey everyone, Theron (aka T-) here, Senior Consultant with Microsoft Consulting Services (MCS) specializing in Active Directory. Fine-Grained Password Policies (FGPP) have been around for a while, but in my experience with various customers, they aren't used often, if at all. This post is an attempt to simplify them, provide some details and list some … Continue reading AD: Nitty Gritty of Fine-Grained Password Policies

The new way to avoid exposing port 3389 in Azure – Bastion!

Microsoft has released the public preview for Azure Bastion, which puts an additional authentication step and a dedicated subnet between your VMs and the hordes of hackers who scan the Internet every day looking for open port 3389 with easy passwords or a vulnerable patch level. And things are simpler for you as well - no more unnecessary PIPs (public IP addresses) … Continue reading The new way to avoid exposing port 3389 in Azure – Bastion!

Quick blog – Importing Updates into WSUS – CVE-2019-1367

A question raised this week by quite a few customers is how to import updates into the SCCM environment that are not available in WSUS but are on Microsoft Update. The steps below will guide you through getting the updates into the environment quickly. As per the CVE article, there are … Continue reading Quick blog – Importing Updates into WSUS – CVE-2019-1367

Using SCCM DCM Feature to monitor GPO application in the environment

The Issue: a common issue that keeps being experienced across customer sites is the application of Group Policies on machines. By default, when a GPO is created and linked, it should apply to all the machines it was linked to, and in most cases this works perfectly. However, how do you know … Continue reading Using SCCM DCM Feature to monitor GPO application in the environment

Security – Transport Layer Security(TLS) 1.2 Calculation

Enabling TLS and SSL on Windows machines requires you to set registry keys: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi If you want to enable more than one protocol (in case you are worried that not allowing TLS 1.1 or 1.0 will break your websites), you need to add up the hex flag values from that article in Calculator in Programmer mode with HEX selected; for TLS 1.2, 1.1 and 1.0 that is (800+200+80) = … Continue reading Security – Transport Layer Security(TLS) 1.2 Calculation
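The calculation above done in PowerShell instead of Calculator, as an added example that is not part of the original post. It builds the DefaultSecureProtocols bitmask from the flag values documented in KB3140245 (SSL 2.0 = 0x08, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800), writes it to the two WinHttp registry paths the KB names, and reads the value back and decodes it so you can confirm what was actually enabled. The function name Get-SecureProtocolsMask and the protocol labels are this example's own choices; run it elevated, and note the KB also requires the update itself to be installed on older Windows versions for the key to take effect.

```powershell
# Added example (not from the original post). Flag values are the ones documented
# in KB3140245 for the DefaultSecureProtocols DWORD.
$Protocols = @{
    'SSL2'   = 0x00000008
    'SSL3'   = 0x00000020
    'TLS1.0' = 0x00000080
    'TLS1.1' = 0x00000200
    'TLS1.2' = 0x00000800
}

# OR the chosen flags together; equivalent to adding the hex values in Calculator
# because each protocol occupies its own bit.
function Get-SecureProtocolsMask {
    param([Parameter(Mandatory)][string[]]$Enable)
    $mask = 0
    foreach ($p in $Enable) {
        if (-not $Protocols.ContainsKey($p)) { throw "Unknown protocol '$p'" }
        $mask = $mask -bor $Protocols[$p]
    }
    return $mask
}

# Preferred: TLS 1.2 only (0x800). During a migration you might temporarily use
# 'TLS1.2','TLS1.1','TLS1.0' (0xA80) while you find clients that cannot do 1.2.
$mask = Get-SecureProtocolsMask -Enable 'TLS1.2'
'DefaultSecureProtocols = 0x{0:X8} ({0})' -f $mask

# Both paths from the KB: the 64-bit and the WOW6432Node (32-bit process) view.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($path in $paths) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'DefaultSecureProtocols' `
        -PropertyType DWord -Value $mask -Force | Out-Null
}

# Verify: read the stored value back and decode which protocols it enables,
# so a typo such as 0x20 (SSL 3.0) instead of 0x80 (TLS 1.0) is caught.
foreach ($path in $paths) {
    $v = (Get-ItemProperty -Path $path -Name 'DefaultSecureProtocols').DefaultSecureProtocols
    $enabled = $Protocols.GetEnumerator() |
        Where-Object { ($v -band $_.Value) -ne 0 } |
        ForEach-Object Key
    '{0}: 0x{1:X8} -> {2}' -f $path, $v, ($enabled -join ', ')
}
```

One caveat a practitioner should keep in mind: this key governs the default protocols that WinHTTP (and applications relying on it) offer as a client. Which protocol versions the server side of SChannel accepts, for example on IIS, is controlled separately under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, so setting only DefaultSecureProtocols does not by itself disable TLS 1.0 on a listening web server.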

Step by Step: Enforce Require LDAP Signing on domain controllers. Part 1

Introduction: One of the security settings that Microsoft recommends applying on domain controllers is Require LDAP Signing. Requiring LDAP signing is a policy setting that can be applied in a few seconds using Group Policy, but what is the impact of applying this setting in your production environment? In most customer environments I visited, … Continue reading Step by Step: Enforce Require LDAP Signing on domain controllers. Part 1

Field Notes: The case of buried Active Directory Account Management Security Audit Policy events

Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and … Continue reading Field Notes: The case of buried Active Directory Account Management Security Audit Policy events