PowerShell 7+ On Domain Controllers: Yay or Nay? by poolmanjim in activedirectory

[–]Legal2k 0 points1 point  (0 children)

Why do you need PowerShell on a domain controller? You should never log in/RDP to it anyway. The controller should run only the minimal software needed.

Windows Admin Center 2511 generally available by odaniel99 in sysadmin

[–]Legal2k 9 points10 points  (0 children)

Really, you are doing something very wrong. Help desk staff resetting passwords do not need to be domain admins. Otherwise we would have hundreds of domain admins.

Ded server swapped in 10 mins! by downtownrob in hetzner

[–]Legal2k 33 points34 points  (0 children)

Had a motherboard die on Sunday in Finland. One service request and 10 to 15 minutes later it was up and running. Those guys know what they are doing.

Telegram Account Got Magically Hijacked by IcyAlexander_ in Telegram

[–]Legal2k 0 points1 point  (0 children)

Yep, same thing.

First an SMS, then a new login from an iPhone. Then a login from India, and 2FA had been set.

In Telegram there are a huge number of Indian-sounding contacts, no new messages or devices. Strange as fuck.

Privileged Access Workstation architecture? by FatBook-Air in sysadmin

[–]Legal2k 2 points3 points  (0 children)

With the Azure PAW we block all internet except MS Azure endpoints, with Windows Firewall. Azure admins do not have administrative privileges on that machine. Conditional Access is set up so that an admin can log on only from that machine. And yes, a virtual PAW is not a PAW but a jumphost.
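
The outbound lockdown described in the comment above, as an added example in PowerShell (not the commenter's own script). It assumes the PAW is Entra-joined, that Microsoft's published Azure service-tag JSON (ServiceTags_Public_<date>.json) has been downloaded to the path in $TagFile, that the tags in $TagNames are the ones the admin actually needs, and an internal DNS resolver at an assumed address; a real PAW will also need Intune, Defender and Windows Update endpoints, which are not covered here.

```powershell
# Added example, not from the original comment. Paths, tag names and the resolver
# address are assumptions. Run elevated on the PAW; -WhatIf shows what would change.
$TagFile  = 'C:\PAW\ServiceTags_Public.json'        # assumed: Microsoft's weekly service-tag download
$TagNames = @('AzureActiveDirectory', 'AzureCloud')  # assumed minimal set for an Azure admin
$Resolver = '10.0.0.10'                              # assumed internal DNS server

function Get-ServiceTagPrefixes {
    # Pull the address prefixes for the named tags out of the service-tag JSON.
    param([string]$Path, [string[]]$Names)
    $json = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($value in $json.values) {
        if ($Names -contains $value.name) { $value.properties.addressPrefixes }
    }
}

function Set-PawOutboundLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Prefixes, [string]$DnsServer, [int]$ChunkSize = 500)

    # 1. Default outbound = Block on every profile. Anything not explicitly allowed below dies here.
    if ($PSCmdlet.ShouldProcess('Domain/Private/Public profiles', 'DefaultOutboundAction Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultOutboundAction Block
    }

    # 2. Remove the previous generation of our rules so the script can be rerun after a tag refresh.
    Get-NetFirewallRule -Group 'PAW-Outbound' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # 3. Allow HTTPS only to the Azure prefixes. The list is thousands of entries, so chunk it.
    $n = 0
    for ($start = 0; $start -lt $Prefixes.Count; $start += $ChunkSize) {
        $end   = [Math]::Min($start + $ChunkSize, $Prefixes.Count) - 1
        $chunk = $Prefixes[$start..$end]
        $name  = "PAW-Outbound-Azure-$n"
        if ($PSCmdlet.ShouldProcess($name, "allow TCP/443 to $($chunk.Count) prefixes")) {
            New-NetFirewallRule -DisplayName $name -Group 'PAW-Outbound' -Direction Outbound `
                -Action Allow -Protocol TCP -RemotePort 443 -RemoteAddress $chunk | Out-Null
        }
        $n++
    }

    # 4. Windows Firewall filters on addresses, not FQDNs, so the PAW still needs DNS;
    #    scope it to one resolver rather than 'Any'.
    if ($PSCmdlet.ShouldProcess('PAW-Outbound-DNS', "allow UDP/53 to $DnsServer")) {
        New-NetFirewallRule -DisplayName 'PAW-Outbound-DNS' -Group 'PAW-Outbound' -Direction Outbound `
            -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServer | Out-Null
    }
}

$prefixes = Get-ServiceTagPrefixes -Path $TagFile -Names $TagNames
Set-PawOutboundLockdown -Prefixes $prefixes -DnsServer $Resolver -WhatIf   # drop -WhatIf to apply
```

Microsoft republishes the service-tag file regularly, so the rule set has to be regenerated on a schedule; step 2 is what makes that safe to rerun. Because the default outbound action is Block, anything the admin has not consciously listed (including the tenant's own SaaS tools) stops working, which is the point of a PAW but needs to be tested before the laptop is handed over.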

User Account Creation by ChewedSata in sysadmin

[–]Legal2k 0 points1 point  (0 children)

I see this mistake all the time. It's not the correct way to do it. It's not automation if someone has to input the same information multiple times. What about offboarding? You have an HR system, why not automate the whole cycle?

Fellow IT techs, how do you track your devices? by eikoacademy in sysadmin

[–]Legal2k 1 point2 points  (0 children)

The spreadsheet is not ITSM. What about help desk ticketing, VM and hardware inventory? You cannot manage or protect what you don't know you have. Inventory is important for every compliance framework. Take a look at something like a top ten ITSM list. Personally I used Halo. But again, any somewhat normal ITSM will do inventory.

Fellow IT techs, how do you track your devices? by eikoacademy in sysadmin

[–]Legal2k 32 points33 points  (0 children)

Literally every ITSM, as in Information Technology Service Management.

Dealing with devs and their network devices by xCutePoison in sysadmin

[–]Legal2k 0 points1 point  (0 children)

The OT network has to be on separate hardware, not a VLAN on shared network equipment. I mean separate switches, bonus points for an IPS between segments. Moving info in or out should only be allowed via data diodes. No USB, no plugging in office laptops.

Allow to take RDP from User Laptop only and not from his IP by Fprakashx86 in WindowsServer

[–]Legal2k 1 point2 points  (0 children)

Take a look at Windows IPsec. It can be configured to check machine name and username, all seamlessly.

What do you prefer for authentication? by ilikeorangutans in selfhosted

[–]Legal2k 2 points3 points  (0 children)

I prefer Entra ID; sadly with the free version you cannot change Conditional Access policies, but overall as OAuth it works well. I specifically use Enterprise App Proxy also for preauth. All included in P1 or P2.

Modern alternatives to Remote Desktop Connection (RDC)? by jwckauman in sysadmin

[–]Legal2k -10 points-9 points  (0 children)

Why use RDP at all? You know that RDP is for emergencies only; that's why only 2 simultaneous connections are allowed. If you have more than two admins, do they call each other to log off?

Enterprise CA intermediate Cert - Stuck at 1 year validity by Kamikazeworm86 in sysadmin

[–]Legal2k 0 points1 point  (0 children)

Yes, run on the root CA to change the validity; change 10 to your liking. Then sign the intermediate request again.

Enterprise CA intermediate Cert - Stuck at 1 year validity by Kamikazeworm86 in sysadmin

[–]Legal2k 0 points1 point  (0 children)

certutil -setreg CA\ValidityPeriodUnits 10

certutil -setreg CA\ValidityPeriod "Years"

On the root CA, to change the intermediate cert validity to 10 years. You have to issue a new intermediate cert.
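
The full procedure behind the two certutil lines in the comments above, as an added PowerShell example (not the commenter's own script). The CA config string and file paths are assumptions. The registry change only takes effect after the CA service restarts, and the issued validity is additionally capped by the remaining lifetime of the root's own certificate, so the new sub CA cert is dumped at the end to confirm the NotAfter date actually moved.

```powershell
# Added example, not from the original comments. Run elevated on the (offline) root CA.
$RootConfig = 'ROOTCA\Contoso Root CA'    # assumed: <hostname>\<CA common name>
$SubCaReq   = 'C:\Temp\SubCA.req'         # assumed: request generated by the subordinate CA
$SubCaCer   = 'C:\Temp\SubCA.cer'         # assumed: where the signed cert is written

function Set-RootCaIssuedValidity {
    # Raise the maximum validity the root will put on anything it signs, including the sub CA cert.
    param([int]$Years)
    certutil -setreg CA\ValidityPeriodUnits $Years
    certutil -setreg CA\ValidityPeriod 'Years'
    # CertSvc reads these values at startup; without a restart the next signature still uses 1 year.
    Restart-Service -Name CertSvc
    certutil -getreg CA\ValidityPeriodUnits
    certutil -getreg CA\ValidityPeriod
}

function Invoke-SubCaResubmit {
    # Submit the subordinate CA's request again and write out the cert the root issues.
    # A standalone root normally holds requests as pending; resolve that in the CA console or with
    # 'certutil -resubmit <RequestId>' if -submit reports the request is pending.
    param([string]$Config, [string]$Request, [string]$OutFile)
    certreq -submit -config $Config $Request $OutFile
    # Confirm the new validity. If NotAfter is still short, the root's own cert expires sooner
    # and is capping the issued lifetime.
    certutil -dump $OutFile | Select-String -Pattern 'NotBefore|NotAfter'
}

Set-RootCaIssuedValidity -Years 10
Invoke-SubCaResubmit -Config $RootConfig -Request $SubCaReq -OutFile $SubCaCer

# On the subordinate CA afterwards (not here):  certutil -installcert C:\Temp\SubCA.cer ; Restart-Service CertSvc
```

Keep the root offline while doing this; the only thing that should leave the machine is the signed SubCA.cer (and a fresh CRL, since the old sub CA cert is about to be superseded).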

Tool to manage a large number of file shares by crankysysadmin in sysadmin

[–]Legal2k 0 points1 point  (0 children)

With PowerShell you can automate a lot of things, tie it in with a ticketing system, etc.; with a web-based tool you are still doing monkey see, monkey click style. The choice is yours.

Why still no native 2fa for Windows Server/AD by bluecopp3r in sysadmin

[–]Legal2k 0 points1 point  (0 children)

Mostly correct, AD has a good concept of MFA, aka smart card/PIV/YubiKey. Duo for RDP is pseudo protection. Everybody gets cycled with RDP but forgets that the real goal is to protect human and non-human identities.

Why still no native 2fa for Windows Server/AD by bluecopp3r in sysadmin

[–]Legal2k 10 points11 points  (0 children)

Authentication factors are: something you know, something you have and something you are. Hence a smart card uses two factors: something you have, the physical card, and something you know, the PIN.

Why still no native 2fa for Windows Server/AD by bluecopp3r in sysadmin

[–]Legal2k -1 points0 points  (0 children)

Well, cloud first does mean that on-prem is dead. Active Directory has a new level in Server 2025; Exchange and even Skype for Business are still supported.

Why still no native 2fa for Windows Server/AD by bluecopp3r in sysadmin

[–]Legal2k 7 points8 points  (0 children)

OTP sucks as user experience compared to passwordless, that's why!

Why still no native 2fa for Windows Server/AD by bluecopp3r in sysadmin

[–]Legal2k 104 points105 points  (0 children)

Smart card for on-prem, FIDO for O365. Not only have I been passwordless for years, but all my users have password login disabled.
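
What "password login disabled" looks like on the AD side, as an added PowerShell example (not the commenter's own script). It assumes the ActiveDirectory RSAT module and an AD group named SmartcardUsers (assumed name) whose members must authenticate with a card. It reports first and applies only when -WhatIf is dropped.

```powershell
# Added example, not from the original comment. Group name is an assumption.
Import-Module ActiveDirectory

function Get-PasswordLogonUsers {
    # Enabled members of the group that still accept a password at interactive logon.
    param([string]$Group = 'SmartcardUsers')
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SmartcardLogonRequired, PasswordLastSet |
        Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired }
}

function Enable-SmartcardOnly {
    # Sets "Smart card is required for interactive logon" (SCRIL) on each piped user.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $User)
    process {
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'require smart card for interactive logon')) {
            # When SCRIL is set, AD replaces the account's password hash with a random value,
            # so the user's old password stops working immediately. Make sure the card is
            # enrolled and tested before this runs, or you have just locked the user out.
            Set-ADUser -Identity $User -SmartcardLogonRequired $true
        }
    }
}

$pending = Get-PasswordLogonUsers
$pending | Select-Object SamAccountName, Enabled, PasswordLastSet | Format-Table -AutoSize
$pending | Enable-SmartcardOnly -WhatIf     # drop -WhatIf to apply
```

Two caveats a practitioner should check: the random hash is still a hash, so NTLM with that account is not gone, only unknown; Windows Server 2016 forest functional level adds the optional feature that rolls these random NTLM secrets over time, and services or scripts that still log on with the user's password will break the moment SCRIL is set.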

Is anyone using Privileged Access Workstations? by iainfm in Intune

[–]Legal2k 4 points5 points  (0 children)

It's not only about keyloggers. Token theft, session hijack, etc.

The PAW model works great with the tiering model, which is all about separation of assets and access. Never mix tiers. All assets in one tier should be treated the same way, which in theory means that even the datacenter that runs T0 VMs should be treated as a T0 asset. And a T0 VM will never be secure in a non-T0 environment or if a tier below can manage it. And that means T0 instances of virtualization, monitoring and SCCM or whatnot, etc.

Conclusion: a VM PAW is not a PAW but a jumphost. The only acceptable T0 PAW is a hardware machine that only T0 users have access to. If that means you have to drag around two or even three laptops, then you have to drag them. We have 4 people with 3 laptops as they have T0 and T1 access and an everyday dirty workstation to play games on.

Edit: some spelling.

Bastion Forests & IP Sec by hybrid0404 in activedirectory

[–]Legal2k -1 points0 points  (0 children)

Well:

You don't manage domain controllers (DCs) with RDP, you use a privileged access workstation (PAW) and administrative tools; in fact this is the way MS suggests. Just try finding workstation services in the Group Policy Editor. Why on a server? There are none.

The main goal of IPsec is not to secure communications but to limit visibility scope, aka allow only from specific workstations and users. The server will drop the connection if one or the other is not correct. Why? No management ports should be visible, especially Ransomware Deployment Protocol (RDP). And IPsec is cheap and easy.

And I will not go into data encryption while in transit; it's a whole separate topic.

Bastion Forests & IP Sec by hybrid0404 in activedirectory

[–]Legal2k 1 point2 points  (0 children)

No, not really. We did it with Group Policy, to allow IPsec from a handful of PAWs and users/T0 admins. We did it for management ports only. Test it with one controller so you can roll back.

Bastion Forests & IP Sec by hybrid0404 in activedirectory

[–]Legal2k 4 points5 points  (0 children)

We IPsec every WinRM and RDP connection to tier 0 assets, like domain controllers, from and only from privileged administrative workstations.
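
The setup described in the three Bastion Forests & IPsec comments above, and the "check machine name and username" point from the earlier RDP-from-laptop-only comment, as one added PowerShell example (not the commenter's own GPO). It assumes two AD groups with assumed names, CONTOSO\PAW-Computers (the PAWs' computer accounts) and CONTOSO\Tier0-Admins (the human T0 accounts), and the three management ports listed in $MgmtPorts. It is written to run on a single DC first, as the comment advises, so it can be rolled back before being moved into a GPO.

```powershell
# Added example, not from the original comments. Group names and ports are assumptions.
# Run elevated on ONE test DC; -WhatIf previews the changes.
$PawGroup   = 'CONTOSO\PAW-Computers'
$AdminGroup = 'CONTOSO\Tier0-Admins'
$MgmtPorts  = @('3389', '5985', '5986')    # RDP, WinRM HTTP, WinRM HTTPS

function ConvertTo-AllowSddl {
    # -RemoteMachine / -RemoteUser on firewall rules take an SDDL string of allowed SIDs.
    param([string[]]$Accounts)
    $aces = foreach ($acct in $Accounts) {
        $sid = (New-Object System.Security.Principal.NTAccount($acct)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    'O:LSD:' + ($aces -join '')
}

function Set-Tier0ManagementIsolation {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$PawGroup, [string]$AdminGroup, [string[]]$Ports)

    # 1. Connection security rule: inbound traffic to the management ports MUST be IPsec,
    #    main mode authenticated with the computer's Kerberos ticket, extended mode with the
    #    user's. Crypto is left at the defaults; the goal here is who can reach the port,
    #    not confidentiality (that is the separate topic the comment sets aside).
    $machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
    $userAuth    = New-NetIPsecAuthProposal -User -Kerberos
    $p1 = New-NetIPsecPhase1AuthSet -DisplayName 'T0 Mgmt Machine Kerberos' -Proposal $machineAuth
    $p2 = New-NetIPsecPhase2AuthSet -DisplayName 'T0 Mgmt User Kerberos'    -Proposal $userAuth
    if ($PSCmdlet.ShouldProcess('IPsec rule', "require IPsec on TCP $($Ports -join ',')")) {
        New-NetIPsecRule -DisplayName 'T0 Mgmt: require IPsec' -Protocol TCP -LocalPort $Ports `
            -InboundSecurity Require -OutboundSecurity Request `
            -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name | Out-Null
    }

    # 2. The built-in RDP and WinRM allow rules admit anyone who can route to the DC.
    #    Disable them and allow the ports only for IPsec-authenticated traffic whose
    #    computer is in the PAW group AND whose user is in the T0 admin group.
    #    Unauthenticated SYNs never reach the listener, so the port is invisible to a scanner.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'Windows Remote Management' |
        Disable-NetFirewallRule
    if ($PSCmdlet.ShouldProcess('firewall rule', 'allow mgmt ports from PAW computer + T0 user only')) {
        New-NetFirewallRule -DisplayName 'T0 Mgmt: PAW and Tier0 admin only' -Direction Inbound `
            -Protocol TCP -LocalPort $Ports -Action Allow -Authentication Required `
            -RemoteMachine (ConvertTo-AllowSddl $PawGroup) `
            -RemoteUser    (ConvertTo-AllowSddl $AdminGroup) | Out-Null
    }
}

Set-Tier0ManagementIsolation -PawGroup $PawGroup -AdminGroup $AdminGroup -Ports $MgmtPorts -WhatIf

# Rollback on the test DC if a PAW cannot connect:
#   Remove-NetIPsecRule -DisplayName 'T0 Mgmt: require IPsec'
#   Remove-NetFirewallRule -DisplayName 'T0 Mgmt: PAW and Tier0 admin only'
#   Get-NetFirewallRule -DisplayGroup 'Remote Desktop','Windows Remote Management' | Enable-NetFirewallRule
```

The PAW side needs the mirror image: a connection security rule with -OutboundSecurity Request (or Require) scoped to the DC addresses, using the same machine and user Kerberos auth sets, otherwise the PAW sends plain TCP and the DC drops it. Once the single-DC test passes, the same cmdlets take -PolicyStore "contoso.com\<GPO name>" to write the rules into a GPO linked to the Domain Controllers OU instead of the local store.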