Ten things you need to be aware of before using the Protected Users Group
With Windows Server 2012 R2 and Windows 8.1, Microsoft introduced a feature in Active Directory Domain Services called the Protected Users group. You can use it to limit the availability of outdated authentication protocols, weak encryption algorithms and delegation to sensitive user accounts. Interesting stuff, but I feel there are some things you should know about …
Category: What's New
New features in Active Directory Domain Services in Windows Server 2012 R2, Part 2: Protected Users
In Active Directory, all Domain Controllers are equal, but some are more equal than others. As you gain experience in managing networking environments, you’ll find the same principle is true for user accounts: all user accounts are equal, but some are more equal than others… For instance, some colleagues to whom these accounts belong, require …
New features in Active Directory Domain Services in Windows Server 2012 R2, Part 1: Introduction
Microsoft has invested three years of development time in Windows Server 2012 and has introduced a slew of Active Directory features, including claims-based authorization to files and folders, a new licensing solution, safe virtualization, Kerberos armoring, cross-forest KCD and group MSAs. I published a whitepaper on this stuff last year. Hot on the heels of …
Security Thoughts: LSASS Protection in Windows 8.1 and Windows Server 2012 R2
I’ve written about Pass-the-Hash (PtH) attacks before. Today, I’m writing on the cleanup mechanisms to remove lingering password(hashe)s from Windows, that Microsoft has introduced with Windows 8.1 and Windows Server 2012 R2. These mechanisms help protect against Pass-the-Hash (PtH) attacks.
A first look at Windows 8.1 Update 1 (build 9600.16596)
Last night, during SuperBowl XLVIII, a version of Windows 8.1 Update 1 was, inadvertently, released to the web. While this release focuses on the integration between Windows Phone and Windows for the desktop, laptop and tablet, it also features a slew of User Interface (UI) improvements for those still on the fence on The New …
New features in Active Directory Domain Services in Windows Server 2012, Part 20: Dynamic Access Control (DAC)
For the last years, we’ve been modeling the business into group memberships and their associated access control lists. For some organizations this has even led to changing the way they performed business from before they automated their business processes. For other organizations, this has resulted in token bloat. It’s time someone changed that and introduced …
New features in Active Directory Domain Services in Windows Server 2012, Part 19: Offline Domain Join Improvements
With Windows 7 and Windows Server 2008 R2 Microsoft introduced a new Active Directory feature called Offline Domain Join (ODJ). This feature allows for clients to be joined to an Active Directory domain, without the need of having a direct connection to any of the Domain Controllers for the Active Directory domain.
New features in Active Directory Domain Services in Windows Server 2012, Part 15: Deferred Index Creation
As already mentioned in the previous blog post on RID Improvements in Windows Server 2012, Active Directory environments are sometimes cathedrals of Microsoft technology; they’re big, they’re old and a lot of effort has been put into them to get them into the shape they’re in today.
New features in Active Directory Domain Services in Windows Server 2012, Part 9: Connected Accounts
Windows 8 and Windows Server 2012 are cloud-optimized Operating Systems. One of the areas where this is visible is the ability to connect domain accounts to Microsoft accounts (formerly known as Windows Live IDs). In this blogpost I’ll show you how this functionality works and how you can disable this functionality altogether or granularly with …
New features in Active Directory Domain Services in Windows Server 2012, Part 8: Group MSAs (gMSAs)
Back in Windows Server 2008 R2, Managed Service Accounts (MSAs) solved the problem of insecure service accounts. Managing them was a nightmare, even if you knew what you were doing. Now, in Windows Server 2012, Microsoft addresses a couple of these challenges. This blog post shows how.