Detailed Course Outline
- Review of best practices from the MasterClass Securing Active Directory FastPass.
- LAPS for domain controllers - does NOT work - but it does!
We show you how to secure the DSRM password rolling and encrypted incl. password history! - DSRM-User: From emergency administrator to domain admin:
What a simple registry hack can do and what you should do about it... - Unified Write Filter - a completely unknown solution for Windows 10/11 clients: Kiosk mode for professionals and for Privileged Admin Workstation - PAWs with "sheriff cards")
- Multi-tenant Active Directory - how to hide organizational units (Ous) for administrators who should not see them: Object List
No one dares to do it - how to show you how to do it and how the pros do it! - MBAM & Bitlocker: Bitlocker on Steroids
Microsoft BitLocker Administration and Monitoring 2.5 - even if the extended support ends in 2026 - MBAM is absolutely worth a look! - Hiding TIER-0 admins via Powershell
What I can't see, I can't attack....
How to hide your crown jewels... - Bloodhound: Hunting for Privileges
Install and use Bloodhound - let's hunt for privileges! - PAM feature with Server 2016: JEA & JIT
Just enough Administration with JustInTime Administration
With Server 2016 came - for most undiscovered - the PAM feature:
Privileged Access Management for Users: Time-to-Live for Administrators who manage the Tickets - When it should be less:
Authentication Silos & Authentication Policies
Who, How, Where, and When... - Build, maintain and administer tier models en detail
Tier and ESAE model in practice. - Windows Defender for Identity
- Lithnet Active Directory Password Protection
- DNS-SEC - Run DNS in a highly secure way
Trust-Anchors
DNS over https ( DoH ) - SMB encryption AES 256
Operate SMB highly secure - UNC Hardening
- From DNS-Admin to DomainAdmin
How to go from small to big... - LocalAccountTokenFilterPolicy
- LDAP-S, signing and channel binding
What exactly is it about and why LDAP-S is not LDAP-signing... - LDAP-S and SSL V2, V3 and TLS V1 - what then now
LDAP-S en detail - "Notes from the field - our experience from 10 years of hardening Active Directory
- LAPS
- Protected Users
- KRBTGT Reset
- PingCastle
- Questions from the participants