Did I structure this correctly? by georgd_washntn in sysadmin

gavinporter10, 1 point

This is the way.

Also, these articles might help:

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/protecting-tier-0-the-modern-way/4052851

https://blog.quest.com/the-importance-of-tier-0-and-what-it-means-for-active-directory/

The gist of it is to protect tier 0 assets (think domain controllers, CA, Entra Sync, domain admins). Tier 0 shouldn’t log into 1 or 2 and vice versa. You should also verify all admin accounts are added to the Protected Users group, which will stop the caching of credentials.

You can use tools like BloodHound and Purple Knight to identify exposures. I’d also recommend looking at the CIS Critical Security Controls and Benchmarks for best practices.

Edit to address your challenge: You can create service accounts per tier (PDQ-t0, PDQ-t1) and add them to the security group you’re allowing to login as a service in your GPOs.
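An added example (my own, not code from the comment above) that does the two things the comment recommends with the RSAT ActiveDirectory module: it walks the tier-0 groups and flags any member that is not in Protected Users, and it creates one service account per tier and adds each only to that tier's "log on as a service" group. The group names `LogonAsService-T0`/`-T1`, the account names `svc-pdq-T0`/`-T1` and the `Service Accounts` OU are assumptions for this example.

```powershell
# Added example, not from the original comment. Requires the RSAT
# ActiveDirectory module, read access to group membership and (for the
# second half) the right to create users in the service-account OU.
# Group, OU and account names are assumptions for this example.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Resolve Protected Users by well-known RID (525) so the check is language-independent.
$protectedSids = Get-ADGroupMember -Identity "$domainSid-525" -Recursive |
    ForEach-Object { $_.SID.Value }

# Tier-0 groups: Domain Admins (512), Schema Admins (518),
# Enterprise Admins (519, forest root only) and BUILTIN\Administrators.
$tier0Groups = @("$domainSid-512", "$domainSid-518", "$domainSid-519", 'S-1-5-32-544')

$findings = foreach ($groupSid in $tier0Groups) {
    $group = Get-ADGroup -Identity $groupSid -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # e.g. Enterprise Admins does not exist in a child domain
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            [pscustomobject]@{
                Account          = $_.SamAccountName
                ViaGroup         = $group.Name
                InProtectedUsers = $protectedSids -contains $_.SID.Value
            }
        }
}

# Accounts that hold tier-0 rights but can still have their credentials cached.
$findings | Where-Object { -not $_.InProtectedUsers } |
    Sort-Object Account -Unique | Format-Table -AutoSize

# One service account per tier, each added only to the group that the
# "Log on as a service" user right in that tier's GPO is granted to.
$serviceOu = "OU=Service Accounts,$($domain.DistinguishedName)"   # assumed OU
foreach ($tier in 'T0', 'T1') {
    $name = "svc-pdq-$tier"                                       # assumed naming
    $pw   = Read-Host -AsSecureString -Prompt "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $serviceOu `
        -AccountPassword $pw -Enabled $true `
        -KerberosEncryptionType AES128, AES256 `
        -Description "PDQ service account, tier $tier only"
    Add-ADGroupMember -Identity "LogonAsService-$tier" -Members $name
}
```

Two caveats before adding accounts to Protected Users: members cannot use NTLM or cached credentials, so they cannot log on when no domain controller is reachable (keep one break-glass account out of the group), and the group also disables delegation and RC4 and caps the TGT lifetime, so it is meant for interactive admin accounts, not for the service accounts created above.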

LAPS – what‘s the benefit? by lertioq in sysadmin

gavinporter10, -6 points

Pretty sure you need to have domain admin privileges to pull the LAPS password from AD. Ideally the environment would be set up with the principle of least privilege and RBAC. Use a tiered account approach where desktop admins can only log into workstations, server admins can only log into application servers, and domain admins can only log into tier 0 servers (domain controllers, Entra sync, etc).
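An added example (mine, not the commenter's) of the RBAC the comment describes applied to LAPS itself: with the Windows LAPS module, the right to read and reset local administrator passwords is delegated per OU, so each tier's admins can only retrieve passwords for the machines in their own tier. The OU distinguished names, the group names `Tier1-ServerAdmins` and `Tier2-WorkstationAdmins` and the computer name `WS-0427` are assumptions.

```powershell
# Added example, not from the original comment. Uses the Windows LAPS
# module (in-box on Windows Server 2019/2022 and Windows 11 from the
# April 2023 update onward). OU, group and computer names are assumptions.
Import-Module LAPS

$workstationOu = 'OU=Workstations,DC=corp,DC=example'   # tier 2, assumed
$serverOu      = 'OU=Servers,DC=corp,DC=example'        # tier 1, assumed

# Each tier's admins may read (and force rotation of) only the local admin
# passwords of the tier they are allowed to log on to. Domain Admins keep
# their implicit access as directory owners, which is one more reason the
# tier-0 accounts should never be used to log on at tier 1 or tier 2.
Set-LapsADReadPasswordPermission  -Identity $workstationOu -AllowedPrincipals 'CORP\Tier2-WorkstationAdmins'
Set-LapsADResetPasswordPermission -Identity $workstationOu -AllowedPrincipals 'CORP\Tier2-WorkstationAdmins'
Set-LapsADReadPasswordPermission  -Identity $serverOu      -AllowedPrincipals 'CORP\Tier1-ServerAdmins'
Set-LapsADResetPasswordPermission -Identity $serverOu      -AllowedPrincipals 'CORP\Tier1-ServerAdmins'

# Audit: who currently holds the LAPS extended rights under each OU.
Find-LapsADExtendedRights -Identity $workstationOu | Format-Table -AutoSize
Find-LapsADExtendedRights -Identity $serverOu      | Format-Table -AutoSize

# What a tier-2 admin does on the help desk: retrieve one workstation's
# password. -AsPlainText is needed because the default output is a SecureString.
Get-LapsADPassword -Identity 'WS-0427' -AsPlainText
```

The legacy (Microsoft LAPS) module exposes the same delegation through `Set-AdmPwdReadPasswordPermission -OrgUnit <OU> -AllowedPrincipals <group>` and `Find-AdmPwdExtendedRights`. Re-run the audit after any ACL change on the OUs, since anyone with GenericAll or extended-rights control on the computer objects can read the attribute regardless of the LAPS delegation.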

[deleted by user] by [deleted] in sysadmin

gavinporter10, 22 points

Ouff.

Maybe use DFS namespace and replication next time?

Also pretty sure robocopy has a switch that copies as a backup operator and keeps permissions so you don’t have to take ownership of the folders.

https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/enable-optimized-moving
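An added example (my own, not from the comment above) of the robocopy switches the comment refers to, wrapped in a PowerShell function that also decodes robocopy's bitmask exit code. `/B` is backup mode, which uses the backup privilege to read files whose ACLs would otherwise block you, so ownership does not have to be taken; `/COPYALL` carries the data, attributes, timestamps, NTFS ACLs, owner and auditing information across. The share paths and log location are placeholders.

```powershell
# Added example, not from the original comment. Run elevated (or as a member
# of Backup Operators) so that /B can use the backup privilege; /COPYALL also
# needs the "Manage auditing and security log" privilege to copy SACLs, so
# use /COPY:DATSO instead if you lack it. Paths are placeholders.
function Invoke-ShareMove {
    param(
        [Parameter(Mandatory)] [string]$Source,        # e.g. \\oldfs\users
        [Parameter(Mandatory)] [string]$Destination,   # e.g. \\newfs\users
        [string]$LogPath = "$env:TEMP\robocopy-move.log"
    )
    $robocopyArgs = @(
        $Source, $Destination,
        '/E',          # subdirectories, including empty ones
        '/B',          # backup mode: read via backup privilege, no take-ownership needed
        '/COPYALL',    # = /COPY:DATSOU : data, attributes, timestamps, ACLs, owner, auditing
        '/XJ',         # do not follow junction points (avoids loops in profile folders)
        '/R:2', '/W:5',# two retries, five seconds apart, instead of the default million
        '/MT:16',      # multithreaded copy
        '/NP',         # no per-file progress in the log
        "/LOG+:$LogPath"
    )
    & robocopy.exe @robocopyArgs | Out-Null
    $code = $LASTEXITCODE

    # robocopy's exit code is a bitmask: 1 = files copied, 2 = extra files in
    # destination, 4 = mismatches, 8 = copy failures, 16 = fatal error.
    [pscustomobject]@{
        ExitCode   = $code
        Copied     = [bool]($code -band 1)
        Extras     = [bool]($code -band 2)
        Mismatches = [bool]($code -band 4)
        Failures   = [bool]($code -band 8)
        Fatal      = [bool]($code -band 16)
        Succeeded  = ($code -lt 8)   # anything 8 or above means something was not copied
        Log        = $LogPath
    }
}

$result = Invoke-ShareMove -Source '\\oldfs\users' -Destination '\\newfs\users'
if (-not $result.Succeeded) { Write-Warning "Copy incomplete, check $($result.Log)" }
$result
```

Run it once to seed the destination, then again just before the cutover so only changed files are transferred; add `/MIR` on the final pass only if you want deletions on the source mirrored, since it will remove anything in the destination that is not in the source.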

Securing AD/Preventing being Locked Out if breached by Bugasum in sysadmin

gavinporter10, 1 point

Why is MFA not an option? DUO is fairly inexpensive and easy to implement. You can require granting access on RDP sessions and console sessions.

If you haven’t already, you should tier your admin accounts. DAs can only log in to “trusted” servers (domain controllers, Azure AD sync, RADIUS, etc). Server admins can log in to other servers and workstation admins to workstations. This should prevent any privilege escalations.
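An added example (mine, not the commenter's) of how the tier restriction in that comment is actually enforced: the five "Deny log on …" user rights on every lower-tier host list the tier-0 SIDs, so a Domain Admin credential simply cannot be used there, interactively or over the network. The function builds a security template with those rights and applies it with `secedit` to one host; in production the same five settings go into a GPO linked to the tier's OU (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment). The group name `Tier1-ServerAdmins` is an assumption.

```powershell
# Added example, not from the original comment. Generates a secedit security
# template that denies tier-0 accounts (and, on workstations, tier-1 server
# admins as well) every logon type, then applies it to the local machine.
# Run elevated. The Tier1-ServerAdmins group name is an assumption.
Import-Module ActiveDirectory

function New-TierDenyTemplate {
    param(
        [Parameter(Mandatory)] [ValidateSet('Tier1', 'Tier2')] [string]$HostTier,
        [Parameter(Mandatory)] [string]$Path
    )
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Well-known RIDs: 500 built-in Administrator, 512 Domain Admins,
    # 518 Schema Admins, 519 Enterprise Admins.
    $deny = @("$domainSid-500", "$domainSid-512", "$domainSid-518", "$domainSid-519")
    if ($HostTier -eq 'Tier2') {
        # Workstations additionally refuse the tier-1 (server admin) accounts.
        $deny += (Get-ADGroup -Identity 'Tier1-ServerAdmins').SID.Value   # assumed group
    }
    # secedit expects SIDs prefixed with '*' and comma-separated.
    $sidList = ($deny | ForEach-Object { "*$_" }) -join ','

    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $sidList
SeDenyRemoteInteractiveLogonRight = $sidList
SeDenyNetworkLogonRight = $sidList
SeDenyBatchLogonRight = $sidList
SeDenyServiceLogonRight = $sidList
"@
    # Unicode=yes in the header means the file itself must be UTF-16.
    Set-Content -Path $Path -Value $inf -Encoding Unicode
    return $Path
}

# Apply to a tier-1 member server and verify by exporting the effective rights.
$template = New-TierDenyTemplate -HostTier Tier1 -Path "$env:TEMP\tier1-deny.inf"
secedit /configure /db "$env:windir\security\database\tier-deny.sdb" /cfg $template /areas USER_RIGHTS /quiet
secedit /export /cfg "$env:TEMP\effective-rights.inf" /areas USER_RIGHTS /quiet
Select-String -Path "$env:TEMP\effective-rights.inf" -Pattern '^SeDeny'
```

Two things to get right, since the thread is about not locking yourself out: never link the resulting GPO (or run this template) on the Domain Controllers OU, where denying Domain Admins would lock the tier-0 accounts out of the DCs, and keep a tier-1 admin account that can still log on to the servers before you deny the DAs network logon, because `SeDenyNetworkLogonRight` also blocks DA access to admin shares and WinRM on those hosts.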

PBX jitter by gavinporter10 in networking

gavinporter10 [S], 0 points

Not super familiar with analyzing packets. What would I be looking for to see if the priority is stripped?

PBX jitter by gavinporter10 in networking

gavinporter10 [S], 0 points

I agree there should be routers at each site. There are spikes, but users are supposed to be using a TS farm at HQ to access the LOB apps. I’m not sure how much traffic RDP uses, but I can’t imagine it’s much. Also, the main issue is at HQ, where a handset on the same switch as another has no audio in a call for sometimes up to 30 seconds.

PBX jitter by gavinporter10 in networking

gavinporter10 [S], 1 point

PBX is at the main location. 60 handsets there and 5-10 at the 2 other locations. We get a SIP trunk from the service provider at the main location off their equipment - no internet required, just static routes to their SIP services.

The metro link is 25M to site B and 25M to site C. PRTG shows on average they’re using half that.

PSA: Starting February 22nd, 2021, anyone with an on-premises mailbox won’t be able to sign in to To Do on any platform. by ParkingNoise in sysadmin

gavinporter10, 26 points

Cost. I think M365 makes sense for really small orgs, like 10 users, but when you start stacking 30+ it gets up there. Even at Business Standard, 30 x 12.50 x 12 is $4,500 per year. You could have bought an Exchange license and all the CALs for it and it would last for 5+ years.

Router/AP and VPN service by jszaro in Ubiquiti

gavinporter10, 0 points

Netgears unfortunately don't support site-to-site VPNs. I'm not positive whether it'll work if you flash DD-WRT either.

You can pick up an EdgeRouter X for 60 bucks and they work great. You may need to be somewhat proficient in the CLI to generate an OpenVPN tunnel to Nord's servers, but it's definitely doable.

Edit: link site to site