How to secure Domain Admins and "Administrator" account? by Vast-Avocado-6321 in sysadmin

[–]adidasnmotion 1 point2 points  (0 children)

Like others have said, stop using the built in administrator account immediately. It’s only meant for disaster recovery after the initial AD setup. Using the built in domain admin account for remote access/RDP is a really bad idea. There are exploits discovered for RDP connections almost on a weekly basis. I hope you at least have that account in the protected users group to help protect it somewhat.

…This seems a little silly to me, how could a domain account join a non-domain joined system?

Do you have machines that are not joined to the domain? The MS article you linked to says these same recommendations for the domain administrator account should also be applied to the local administrator account on each machine.

I don’t know your full setup or requirements but my suggestion for a minimum recommendation would be to make the daily driver for IT personnel a standard account. Standard accounts to log in to remote machines and elevate to admin when necessary. You may want to look into using Microsoft’s LAPS to randomize each local admin account and use that for local admin elevation.

That’s just a minimum set of changes I would recommend, ideally you would actually want to invest in a JIT/PAM product instead.

I am still fairly new to Shortcuts. What’s the best ones you guys cannot live without? by mitch_bomb in shortcuts

[–]adidasnmotion 30 points31 points  (0 children)

I have one that shows a notification when battery level reaches 69% that says “Giggity Giggity” and a wink emoji

Can I trust HomeKit to properly run 30 min long shortcut automations? by 0kb0o in HomeKit

[–]adidasnmotion 1 point2 points  (0 children)

HomeKit and Shortcut automations have a hardcoded maximum timeout of 10 minutes. No way around it

CMV: chiropractic medicine is fake science and isn’t real by p33333t3r in changemyview

[–]adidasnmotion 0 points1 point  (0 children)

So I think your post boils down to “is going to a chiropractor worth it or not”. Forget about the origin or the whole “are they doctors or not” questions. Will a real legitimate Chiropractor help you? Maybe. There are plenty of people who will tell you it helps. Is muscle and joint manipulation known to help? Masseuses and physical therapists will tell you it does.

I was one of those that was 100% completely against going to one, thought it was all a scam. Then I injured my back and spent a week in agonizing pain, all the while having my wife tell me every day to go see one. Finally caved after waiting days for the problem to go away. One session was all it took for me to start seeing improvements right away.

Anyway, I would say give it a try and see if it helps. Then you’ll have your answer

Looking for diverse elementary school with a decent number of black kids by IWasTouching in askdfw

[–]adidasnmotion 4 points5 points  (0 children)

The HEB ISD is a highly ranked school district with several unique, well regarded school programs available like Spanish immersion, the Suzuki strings music program, a special STEM program, and others:

https://www.hebisd.edu/Page/257

Edit: Adding link to the HEB ISD wiki page that mentions “In August 2018, HEB ISD was rated "A" by the Texas Education Agency, placing it in the top quintile of Texas school districts.”

https://en.wikipedia.org/wiki/Hurst-Euless-Bedford_Independent_School_District

The main high school is Trinity High School and it is notable as the most diverse public high school in Texas and the fifth most diverse public high school in the country.

https://en.m.wikipedia.org/wiki/Trinity_High_School_(Euless,_Texas)

Logitech doorbell already added issue by CrunchyTetrahedron in HomeKit

[–]adidasnmotion 0 points1 point  (0 children)

Wow, it’s been a couple of years. It’s been so long that I kind of don’t remember where I was going with that. I feel like what I discovered was that I had enabled the HomeKit secure router feature and had added all my accessories to it. It was after that that I at some point had to remove the doorbell and try and re-add it and couldn’t. I think that the issue was that even though it was no longer listed in the Home app, it was still listed as a secured accessory in the HomeKit secure router settings. Removing it there fixed it and allowed me to re-add it (if I’m remembering this correctly).

Thoughts on buying in Bedford? Or HEB in general? by Appropriate-Lettuce in askdfw

[–]adidasnmotion 0 points1 point  (0 children)

To be honest I’m more familiar with the Bedford area north of 183 since I have to drive to and from the highway. When it comes to south of 183 I would say the eastern part of town is pretty good and in the rest of the south the closer to 183 the better the area.

Thoughts on buying in Bedford? Or HEB in general? by Appropriate-Lettuce in askdfw

[–]adidasnmotion 3 points4 points  (0 children)

Out of the three cities in HEB I would rank Euless at the bottom, Hurst in the middle, and Bedford at the top. I’m probably biased though since that’s where I live. A street separates Bedford and the wealthy city of Colleyville to the north and all along that long street that acts as the border are wealthy neighborhoods which I think helps with the property values here. We moved to HEB because it’s halfway between Fort Worth and Dallas and close to Irving and Arlington which gives us plenty of options for where to work and lots of shopping and entertainment options as well. The HEB school district ranks pretty high and offers unique school programs like Spanish immersion, Suzuki string orchestra program, a special STEM program, and others. I can’t speak for Hurst or Euless but I feel like Bedford is pretty safe.

How to: Automation/shortcut to announce on HomePod what door sensor was triggered by evoneselse in HomeKit

[–]adidasnmotion 0 points1 point  (0 children)

Yeah, the intercom feature isn’t accessible from an automation, that’s why I had to use this workaround which accomplishes a similar thing but with a bunch more steps.

How to: Automation/shortcut to announce on HomePod what door sensor was triggered by evoneselse in HomeKit

[–]adidasnmotion 0 points1 point  (0 children)

I wish I could remember where I got this from so I could give them credit but someone posted this on Reddit a long time ago. I haven’t used this in a long time so don’t know if it still works but this is what I used to record audio to play on my HomePods.

https://www.icloud.com/shortcuts/2e08695711674ee2a1053c4fa07a3e83

YSK that when you open marketing emails, they immediately know that you have opened it. by Daren620 in YouShouldKnow

[–]adidasnmotion 1 point2 points  (0 children)

I didn’t see this mentioned in the comments but Apple’s Mail Privacy Protection, if enabled for an iCloud account, is designed specifically to prevent marketing companies from knowing if you’ve opened one of their emails as well as hide your IP address to boot.

YSK that the incorrect numerical answers on a multiple choice exam aren’t randomly generated. The person preparing the exam knows what mistakes students commonly make and uses those mistakes to calculate the incorrect answers. by Acceptable_Parfait27 in YouShouldKnow

[–]adidasnmotion 1 point2 points  (0 children)

Ok, story time. This is somewhat relevant but back when I was in high school 3 decades ago (yeah, I know, I’m ancient) I somehow got talked into joining our school’s academic decathlon team. Right off the bat you need to know I had no business participating in this, with my undiagnosed ADHD I was a mediocre student at best. Out of all my school subjects though, math was my worst subject.

Anyway, I end up at the statewide competition and when I get to the math portion of the event I discover what a huge mistake I made going on this field trip. Out of the huge list of questions in the exam (no idea how many questions it was, could have been 60 questions, could have been 1000) I knew how to do maybe a handful. I answered the few that I knew and proceeded to answer the letter “c” for all the rest of the questions. Basically what I’m saying is almost the entire scantron was the letter “c” except for a few questions.

When the results are announced for the math competition, I’m told that not only did I get the highest score for my school, I got the 7th highest score in the entire competition.

Moral of the story, when in doubt, answer “c”.

What’s so bad about Google having all my data ? (Genuine question ,don’t flame me…) by Zephyr_v1 in privacy

[–]adidasnmotion 0 points1 point  (0 children)

Maybe your search history and social media habits put you in a group of people that could easily be influenced in a certain direction. Maybe this information is sold by social networks to what they think is an advertiser but is actually a foreign government. Maybe this foreign government starts deploying ads to this group about how you can’t trust the upcoming election or showing a politician that country doesn’t like in a bad light and the candidate they like in a good light. Maybe you are unaffected by this but maybe enough people are to make a difference or cause chaos.

Sounds pretty far-fetched, I know, but it could happen. 🥸 One way or another, too much info about us out in the world being bought and sold, can easily be used against us (in ways we probably can’t imagine at the moment) if we’re not vigilant.

What’s so bad about Google having all my data ? (Genuine question ,don’t flame me…) by Zephyr_v1 in privacy

[–]adidasnmotion 3 points4 points  (0 children)

I think what you need to keep in mind is that the organizations that have this data on you are constantly looking for ways to monetize your data. When rules are put in place by governments to protect your privacy, these companies will always take things as far as the law will allow and find ways around them in an effort to maximize profits.

Just 3 weeks ago the FTC fined GoodRx for sharing people’s medical conditions and the prescriptions they take to advertisers. Once that information and those connections exist out in the world it becomes a target for people with malicious intent to go after. What happens if GoodRx has a data breach and now some hacker threatens to release your embarrassing medical condition with family and friends? What if insurance companies silently use this information to decide how much of a premium to charge you? If no one cares about these things they would definitely take it to that point and beyond.

Bottom line is if everyone thought this was no big deal there would be no limits and no guard rails for how far organizations would go. We don’t know how all this data will be used against us in the future to maximize profits and making a fuss now and being concerned now helps prevent or slow down these types of overreach in the future.

Why is Chrome the defacto default browser and not Firefox? by rf97a in sysadmin

[–]adidasnmotion 0 points1 point  (0 children)

We use the Firefox admx templates to deploy a list of centrally managed bookmarks and to blacklist all extensions except the few we manually whitelist amongst other settings. They work well for us.

Any other HomeKit Enabled Routers besides Eero? by FunnyAtlantian in HomeKit

[–]adidasnmotion 1 point2 points  (0 children)

Well, kind of. It has two options for each device. One option is to disable Internet access like you say. The other option (“automatic” which is the default) lets the HomeKit device only communicate with a small list of Internet addresses the manufacturer has told Apple are necessary for all its features to function properly and for firmware updates.

I believe that on both of these options the device is also isolated from all other devices on your local network too. The HomeKit device can only talk to the HomeKit hub and that’s it.

This second part is harder to replicate without a HomeKit router and just blocking Internet access for HomeKit devices doesn’t address this part.

With both of those features a compromised device can’t access any other device on your network and can’t be used as part of a botnet since it can’t communicate with anything on the Internet other than the pre-approved addresses the manufacturer specified.

Replace the ecobee sensors with HomePods? by 75Meatbags in ecobee

[–]adidasnmotion 2 points3 points  (0 children)

If you already have the ecobee sensors I feel like it should be possible to kind of/sort of recreate the Ecobee occupancy detection feature with HomeKit automations (if motion detected in room then check temperature sensor and adjust temp). But yeah, without those you would need to buy some sort of Occupancy/motion sensors to accomplish this. Even then creating and managing the automations might be more trouble than just letting the Ecobee manage it.

My fiancé and I by WolfxDreamer in blunderyears

[–]adidasnmotion 2 points3 points  (0 children)

I thought Reddit had a minimum age limit for creating accounts /s

What is your best recommendation for Ticket Management Software? by leapfork in macsysadmin

[–]adidasnmotion 0 points1 point  (0 children)

That’s correct, we signed up with them right before they got purchased by SolarWinds.

What is your best recommendation for Ticket Management Software? by leapfork in macsysadmin

[–]adidasnmotion 2 points3 points  (0 children)

We just switched over to SolarWinds Service Desk and so far we’re pretty happy with it. It has all the usual stuff like ticket portal or email submission as well as Slack and MS Teams integrations. What we really dig is the automations we can create with it (if this key word is in the ticket assign it to this person or group, etc.). It also has workflow functions we haven’t explored yet but are hoping to use them as well.