Deploy & Configure AGPM

In this post, we deploy Advanced Group Policy Manager, configure it to use a Group Managed Service Account and use a least-privilege model to restrict the service account's permissions.

Enable Recycle Bin & Get ready for GMSA

Before we get too deep into configuring our nice domain service, we will enable a useful feature: the Recycle Bin. This allows us to quickly and easily restore an object we accidentally delete. Enabling the Recycle Bin just requires a forest functional level of 2008 R2 or higher. We provisioned full 2016 so let's enable […]

NetBIOS and SMB1 – Kill them with fire

With the recent attacks of WannaCry and NotPetya, SMB1 has been shown to have the security features of a chocolate fire guard. NetBIOS name resolution is the equivalent of shouting for Bob in a room of people and accepting the first person who replies “Yes, that's me!” Given we are putting together a nice secure […]

Security Logs – Archive them off

So, we have previously set up OMS to act as our Log Correlation Engine. We receive alerts depending on events and all works well. The only downside is that the retention period for logs is restricted: 31 days for a paid OMS plan. What if we have been compromised for a while and for whatever […]

Starting to harden the environment

The first thing we will tackle are the issues raised by the Microsoft Best Practice Analyser. A lot of these issues are more generic to Windows devices so what we will do is create a new “Default Domain Policy” which will apply throughout. Start by opening the Group Policy Management Console, on the left navigate […]