Domain Security Recommendations

1st April 2023

These come from 7minsec. Brian Johnson makes an entertaining podcast, which is unusual in the normally dry security space. Highly recommend. I love podcasts as I can listen while I do other less productive things like drive or try to get to sleep… or watch CSI for the 4th time because it's my wife's turn to choose… not that I'm bitter…

Disable users adding PCs to the domain: in the Default Domain Controllers Policy, replace Authenticated Users with a stricter group(s)


SMB signing
Strong unique passwords + LAPS
Run PingCastle
Disable insecure protocols: NetBIOS, LLMNR, mDNS, SMBv1
Run PowerUpSQL to find SQL servers, stored procedures
Turn off print sharing, especially on DCs; PingCastle's scanners check the print spooler

Take local admin away from everyone
Pre-filter email (yes, they are all a pain)
Use GPO to auto-install the Chrome extension uBlock Origin, see here
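
A read-only check of a single Windows host against several items in the list above (SMB signing, SMBv1, LLMNR, mDNS, NetBIOS, print spooler), as an added example that is not from 7minsec or this post. It assumes an elevated PowerShell 5.1+ session; the function names `Get-RegValue`, `New-Check` and `Test-HostHardening` are hypothetical, and only the registry and service state on the local machine is inspected.

```powershell
# Added example: read-only audit of one host. Run elevated; nothing is changed.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not configured.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function New-Check {   # hypothetical helper: one result row per checklist item
    param([string]$Check, $Value, [bool]$Pass)
    [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass }
}

function Test-HostHardening {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    New-Check 'SMB signing required (server)' $srv.RequireSecuritySignature $srv.RequireSecuritySignature
    New-Check 'SMB signing required (client)' $cli.RequireSecuritySignature $cli.RequireSecuritySignature
    New-Check 'SMBv1 server disabled' $srv.EnableSMB1Protocol (-not $srv.EnableSMB1Protocol)

    # LLMNR counts as off only when the policy value EnableMulticast is 0.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    New-Check 'LLMNR disabled by policy' $llmnr ($llmnr -eq 0)

    # mDNS in the Windows DNS client: EnableMDNS = 0 turns it off.
    $mdns = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' 'EnableMDNS'
    New-Check 'mDNS disabled' $mdns ($mdns -eq 0)

    # NetBIOS over TCP/IP is set per interface: NetbiosOptions 2 = disabled.
    $ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $nbOn = @(Get-ChildItem $ifKey |
        Where-Object { (Get-RegValue $_.PSPath 'NetbiosOptions') -ne 2 }).Count
    New-Check 'NetBIOS disabled on all interfaces' "$nbOn interface(s) not disabled" ($nbOn -eq 0)

    # Print Spooler should be stopped and disabled, especially on DCs.
    $sp = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spOff = (-not $sp) -or ($sp.Status -ne 'Running' -and $sp.StartType -eq 'Disabled')
    New-Check 'Print Spooler stopped and disabled' "$($sp.Status)/$($sp.StartType)" $spOff
}

Test-HostHardening | Format-Table -AutoSize
```

A row with `Pass` set to `False` and an empty `Value` means the setting is not configured at all on that host, which for LLMNR and mDNS leaves the protocol at its enabled default.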

Change the KrbTgt password. I have done this a dozen times and never had a problem. Don't change it 2x in rapid succession; leave 3 days before changing again.

Starting Audit Policy. These settings will not generate excessive logs. There are other settings; I don't recommend enabling them until you have a reason.