David Horák (@BlueTeamDave)

206 posts

Cybersecurity Engineer & Team Leader | Founder of Horizon Secured | MVP | Specialized in AD & Windows Security

Czech Republic. Joined January 2020
63 Following, 56 Followers
David Horák retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡 Did you know you can give someone the ability to add members to Domain Admins… without being a Domain Admin?

Yes — with just a single command.

This technique abuses AdminSDHolder, which acts as a security template for privileged accounts and groups in Active Directory. Every ~60 minutes, the process copies the ACL from the AdminSDHolder object to protected groups such as:
▪️ Domain Admins
▪️ Enterprise Admins
▪️ Schema Admins
▪️ and other protected accounts

If an attacker modifies the ACL on AdminSDHolder, they can grant themselves permissions like WriteMembers.

➡️ Result: They can add themselves to Domain Admins or other privileged groups whenever they want — even if they are not members yet.

This creates a stealthy persistence mechanism that many administrators never check.

And that's the problem. If you don't know these techniques exist, you're very unlikely to look for them during normal administration.

🎓 That's exactly why I created my new short practical course. It focuses on helping administrators and defenders detect dangerous Active Directory scenarios, including:
▪️ Hidden persistence techniques
▪️ Dangerous misconfigurations
▪️ Common attacker abuse paths

The course has a clear outcome: create a simple detection tool of your own.

🚀 Early Access is now open & you can receive:
✅ 50% discount
✅ Active Directory Security Checklist

📅 Planned release: March 2026
⏳ Early Access closes: 22.3.2026

💬 Leave a comment if you want to join the Early Access list.

#ActiveDirectory #CyberSecurity #SecureBits #BlueTeam #WindowsSecurity #HorizonSecured
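A defender's check for the AdminSDHolder abuse described in the post above, added here as an example (it is not the post's own code or the course's tool). It lists every Allow ACE on AdminSDHolder that grants WriteProperty on the member attribute or rights that let the holder rewrite the ACL; the list of expected principals is an assumption you adjust for your domain, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not code from the original post: lists ACEs on AdminSDHolder that
# would let a principal add members to every protected group once SDProp copies the
# ACL (~60 min). Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-AdminSDHolderWriteMembersAce {
    [CmdletBinding()]
    param(
        # Principals you expect to hold such rights; assumption, adjust to your domain.
        [string[]]$ExpectedIdentity = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")
    )
    $holderDn = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"

    # schemaIDGUID of the 'member' attribute and of the 'Membership' property set that
    # contains it; WriteProperty on either is the right commonly called WriteMembers.
    $memberGuids = @([guid]'bf9679c0-0de6-11d0-a285-00aa003049e2',
                     [guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf')
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $controlMask = [int]($R::GenericAll -bor $R::GenericWrite -bor $R::WriteDacl -bor $R::WriteOwner)

    $acl = Get-Acl -Path "AD:\$holderDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights

        # WriteProperty scoped to 'member' (or to all properties: ObjectType = empty GUID)
        $writesMembers = (($rights -band [int]$R::WriteProperty) -ne 0) -and
                         ($ace.ObjectType -eq [guid]::Empty -or $memberGuids -contains $ace.ObjectType)
        # Rights that let the holder rewrite the ACL itself are equally dangerous here
        $takesControl = ($rights -band $controlMask) -ne 0
        if (-not ($writesMembers -or $takesControl)) { continue }

        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity   = $id
            Rights     = $ace.ActiveDirectoryRights.ToString()
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
            Expected   = ($ExpectedIdentity -contains $id)
        }
    }
}

# Anything not on the expected list deserves an explanation or a ticket.
Get-AdminSDHolderWriteMembersAce | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Because SDProp copies this ACL onward, an unexpected entry here shows up on every protected group within the hour, so this single object is the cheapest place to watch.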
David Horák retweeted
Horizon Secured @horizon_secured
I'm excited to announce that I'll be speaking at SPAN Cyber Security Arena 2026! 🇭🇷

🎤 Talk: Active Directory Post-Mortem: Assumptions vs Reality

In this session, I'll walk through three high-impact Active Directory vulnerabilities — two of them I discovered — that still exist in real environments, but are either unknown or not discussed enough. Along the way we'll challenge a few common "everyone knows this" assumptions… and I'll also run a short quiz with prizes 🎁

📍 When & where:
• Thursday, 21 May 2026
• 15:00 – 15:45
• Watchtower Arena
• More info: spanarena.eu

If you're there, come say hi — I'll be around after the talk for a chat.

#ActiveDirectory #WindowsSecurity #CyberSecurity #Infosec #Conference #SpanArena #HorizonSecured
David Horák retweeted
Horizon Secured @horizon_secured
🚧 New Course Incoming: Active Directory Threat Detection

Short, practical, hands-on course with a clear outcome — and Early Access is open now!

In this course I will show you how to simply create a detection mechanism which alerts you when your defined state of Active Directory changes. Step by step.

Course includes:
🔒 Learn about misconfigurations, threats and persistence methods
🧪 PowerShell script used for the detection mechanism
🖥️ Step-by-step guide on how to put it all together

Join before 27.3.2026 and get:
🎁 Extra 50% discount
🎁 AD security checklist

👉 If you're interested, drop a comment or DM me and I'll make sure you're on the list.

#ActiveDirectory #CyberSecurity #BlueTeam #WindowsSecurity #InfrastructureSecurity
David Horák retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡 Updating Secure Boot certificates on Windows Server continues (pt. 3)

The last puzzle in this series is monitoring. Because as you can see, this process is not trivial or straightforward. Some devices will go through smoothly, others will hit different errors depending on firmware / platform / history — and that's the worst case.

That's why monitoring is crucial: you need a central view of where each device is in the process.

⸻
🧭 Monitoring approaches (pick what fits your environment):
🔹 manual checks
🔹 PowerShell checks
🔹 startup script that uploads status to a file share
🔹 scheduled tasks / inventory tooling
🔹 …

In my demo I used two approaches: a PowerShell status collector from my friend André Estêvão (thanks!) - that is the first example, and Microsoft's sample script that writes results to a file share + GPO - that is the second example. Your "best" option depends on how you manage servers and how you want to store/report results.

⸻
✅ What to track:

1️⃣ Event Log (System)
1808 → success / device is updated (certs applied to firmware)
1801 → not applied to firmware (still not updated / blocked)
1795 → firmware handoff error (platform/firmware problem)
There are more events, but in my tests these three were the ones I ran into most often.

2️⃣ Registry keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
🔹 AvailableUpdates
0x0 → nothing being performed
0x5944 → deploy all needed certs + boot manager update (full rollout trigger)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
🔹 UEFICA2023Status
NotStarted → update hasn't run
InProgress → update running / mid-flight
Updated → update completed
🔹 UEFICA2023Error → error code (if any)
🔹 UEFICA2023ErrorEvent → event ID tied to the error

⸻
Ironically, I fought the most with monitoring on Azure VMs in my demo — I couldn't get reliable signals that matched what the documentation suggests. Nothing initiated, nothing done, and the MS script didn't help me explain why. If anyone has cracked that in a clean way, I'd love to compare notes.

These are the most important places to look for signals/status.

⸻
📌 What's next
Next week I'm going to merge all three parts into a single field notes document you can follow end-to-end.

But one more time: these posts are not official guides — just field notes from admins who had to go through it in real environments, so you can be better prepared.

#WindowsServer #SecureBoot
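A status collector of the kind the post describes, added here as an example; it is neither the post's own collector nor Microsoft's sample script. It reads the registry values and the three System event IDs listed above, derives one verdict per host, and writes a CSV to a share so results can be aggregated centrally (the share path and the choice of CSV are assumptions; Windows Server with PowerShell 5.1 or later is assumed).

```powershell
# Added example, not the post's collector or Microsoft's sample script: collects the
# Secure Boot certificate update signals described above into one object per host.
# Assumes Windows Server with PowerShell 5.1+ and read access to HKLM and the System log.

function Get-SecureBootCertUpdateStatus {
    [CmdletBinding()]
    param(
        # Event IDs the post lists as the ones seen most often; extend if you meet others
        [int[]]$EventIds = @(1808, 1801, 1795),
        [int]$MaxEvents = 20
    )
    $sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $svcKey = Join-Path $sbKey 'Servicing'

    # Registry values may be absent before the update has ever been triggered;
    # -ErrorAction SilentlyContinue turns a missing value into $null instead of an error.
    $available = (Get-ItemProperty -Path $sbKey  -Name AvailableUpdates     -ErrorAction SilentlyContinue).AvailableUpdates
    $status    = (Get-ItemProperty -Path $svcKey -Name UEFICA2023Status     -ErrorAction SilentlyContinue).UEFICA2023Status
    $errCode   = (Get-ItemProperty -Path $svcKey -Name UEFICA2023Error      -ErrorAction SilentlyContinue).UEFICA2023Error
    $errEvent  = (Get-ItemProperty -Path $svcKey -Name UEFICA2023ErrorEvent -ErrorAction SilentlyContinue).UEFICA2023ErrorEvent

    # The most recent of the three events says where the device actually is
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $EventIds } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

    # Classification mirrors the post: 1808 = applied, 1801 = not applied, 1795 = firmware handoff error
    $verdict = switch ($latest.Id) {
        1808    { 'Updated' }
        1801    { 'NotApplied' }
        1795    { 'FirmwareError' }
        default { if ($status) { "RegistryOnly:$status" } else { 'NoSignal' } }
    }
    $availableHex = $null
    if ($null -ne $available) { $availableHex = '0x{0:X}' -f $available }   # e.g. 0x5944

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Collected            = (Get-Date).ToString('s')
        AvailableUpdates     = $availableHex
        UEFICA2023Status     = $status
        UEFICA2023Error      = $errCode
        UEFICA2023ErrorEvent = $errEvent
        LastEventId          = $latest.Id
        LastEventTime        = $latest.TimeCreated
        Verdict              = $verdict
    }
}

# Sink for a startup script or scheduled task: one CSV per host on a share.
# $SharePath is an assumption; adjust to your environment.
$SharePath = '\\fileserver\SecureBootStatus$'
$result = Get-SecureBootCertUpdateStatus
$result | Format-List
if (Test-Path $SharePath) {
    $result | Export-Csv -Path (Join-Path $SharePath "$env:COMPUTERNAME.csv") -NoTypeInformation -Force
}
```

A host that reports Verdict = NoSignal with AvailableUpdates still unset has never been triggered at all, which is the case the post describes on Azure VMs and is worth separating from hosts that started and failed.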
David Horák retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡 The "Trusted Path" Policy That Broke OOBE

This was a weird one—and it took a while to figure out.

I was working on my security baselines and came across a recommendation to enable:
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
🛠️ "Require trusted path for credential entry"

Sounded good, tested fine, so I rolled it out to production. Then the strange bug hit…

Admins started reporting broken OOBE screens for local administrator accounts. No matter what we tried—every path led back to the same unusable screen.

Turns out:
🔹 The policy blocked the UAC secure desktop prompt that's supposed to show up
🔹 That left us stuck in OOBE with no way to proceed

✅ Disabling the policy fixed it immediately.

💡 Fun twist: Microsoft later clarified they never officially recommended this setting. (ehm...gpedit.msc...). But it used to be recommended for some time by other agencies.

So — if you're building or reviewing your baselines, keep an eye on this one. It might save you a few hours of unexpected troubleshooting.

Have you ever enabled this setting? Let me know 👇

#SecureBits #GroupPolicy #WindowsSecurity #CredentialUI #OOBE #GPO #HorizonSecured @BlueTeamDave
David Horák retweeted
Horizon Secured @horizon_secured
Default → Hardened
Real configs. Real fixes. Windows & AD security.

Can your Domain Admins log in to endpoints? They shouldn't. Disable it.

Build multiple tiers with separate privileged accounts for each tier and restrict access with GPO so higher tiers cannot log on to lower tiers ✅.

In practice, for example, your T0 (Domain Admin) account must not touch endpoints. The goal is to prevent any contact between high-value credentials and lower tiers. Endpoints sit closest to the internet and the attacker, and you don't want highly privileged credentials cached there—this is a very simple and fast escalation path ⚠️.

This isn't a nice-to-have. It's a core principle of securing Active Directory. Train the mindset and do it properly even if it takes more time.

Want a short, practical walkthrough of this principle? I cover it in a free course — academy.horizon-secured.com/p/windows-infr…

Learn • Build • Defend

#ActiveDirectory #Windows #WindowsSecurity #CyberSecurity #PrivilegedAccess #HorizonSecured @BlueTeamDave
David Horák retweeted
Horizon Secured @horizon_secured
🔎 From the Field — Real-World Findings from Security Assessments

💥 38.1% of environments I assessed have Windows Firewall turned OFF

I often joke in my courses that the first thing admins do on a new Windows device is disable the firewall. Unfortunately… it's not really a joke. It's the sad reality.

🧱 Why?
For historical reasons, many admins still believe Windows Firewall "breaks things" — especially older apps. So they just shut it down. But that mindset is outdated, and in 2026, it's time we do better.

Some facts:
➡️ By default, Windows Firewall is more open than closed — it won't block much.
➡️ But it can slow down malware movement.
➡️ And you can configure it exactly as needed — quickly and easily via Group Policy.

How to do it right:
1️⃣ Stop turning it off — leave it ON by default
2️⃣ Define inbound rules only for what's needed
3️⃣ You can also control outbound rules
4️⃣ Use GPO to enforce:
• Apply local firewall rules: No
• On endpoints: Inbound connections: Block all connections

🔗 And if you need a list of Active Directory ports needed, I've got something for you: academy.horizon-secured.com/p/ad-network-p…

And don't forget — Windows Firewall can log everything. You can see what's being blocked and adjust rules accordingly.

⚠️ It's hard to take "Zero Trust" seriously when we're still disabling built-in firewalls and saying "we have a perimeter firewall, we don't need this"...

Small steps. Big impact. Turn it back on.

💬 Still disabling it in your environment? Why?

#FromTheField #WindowsSecurity #Firewall #ActiveDirectory #BlueTeam #CyberSecurity #HorizonSecured #ZeroTrust @BlueTeamDave
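Two checks for the firewall posture the post asks for, added here as an example (not code from the post). The first compares each profile with the GPO settings listed above (profile on, default inbound Block, local rules not merged, and on endpoints "Block all connections", which surfaces as AllowInboundRules = False); the second reads the firewall log the post mentions and ranks what is being dropped inbound, so rules can be adjusted from evidence. Assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session.

```powershell
# Added example, not code from the original post: audits firewall profiles against the
# GPO settings in the post and summarises blocked inbound traffic from pfirewall.log.

function Get-FirewallPostureFinding {
    [CmdletBinding()]
    param([switch]$Endpoint)   # endpoints are expected to block all inbound (post, point 4)
    foreach ($p in Get-NetFirewallProfile) {
        $findings = @()
        if ($p.Enabled -ne 'True')               { $findings += 'profile disabled' }
        if ($p.DefaultInboundAction -ne 'Block') { $findings += "default inbound is $($p.DefaultInboundAction)" }
        # "Apply local firewall rules: No" in GPO maps to AllowLocalFirewallRules = False
        if ($p.AllowLocalFirewallRules -ne 'False') { $findings += 'local rules are merged with GPO rules' }
        # "Inbound connections: Block all connections" maps to AllowInboundRules = False
        if ($Endpoint -and $p.AllowInboundRules -ne 'False') { $findings += 'inbound allow rules still honoured' }
        if ($p.LogBlocked -ne 'True')            { $findings += 'dropped packets are not logged' }
        [pscustomobject]@{ Profile = $p.Name; OK = ($findings.Count -eq 0); Findings = ($findings -join '; ') }
    }
}

function Get-FirewallBlockedInboundSummary {
    [CmdletBinding()]
    param([int]$Top = 10)
    # pfirewall.log is space separated; its '#Fields:' header names the columns
    $path = [Environment]::ExpandEnvironmentVariables((Get-NetFirewallProfile -Name Domain).LogFileName)
    if (-not (Test-Path $path)) { Write-Warning "no firewall log at $path"; return }
    $lines  = Get-Content -Path $path
    $header = ($lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    if (-not $header) { Write-Warning 'firewall log has no #Fields header'; return }
    $fields = $header -split '\s+'
    $lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First $Top @{ n = 'Protocol, DstPort'; e = { $_.Name } }, Count
}

Get-FirewallPostureFinding -Endpoint | Format-Table -AutoSize
Get-FirewallBlockedInboundSummary   | Format-Table -AutoSize
```

Run the summary on a server for a day or two before tightening inbound rules: a port that shows up as dropped from known clients is a rule you still need, and one that never shows up is a port you never had to open.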
David Horák retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡 You might want to turn off Entra Connect Seamless SSO. Here's why.

In many hybrid Microsoft 365 tenants, Seamless SSO is still enabled — even though it's no longer needed in modern Entra ID environments. Nothing looks broken. Users sign in just fine. And that's exactly why this often goes unnoticed.

🤔 Why bother?
Seamless SSO introduces an additional authentication mechanism that most environments don't actually need anymore. Modern Windows 10/11 devices already rely on Primary Refresh Tokens (PRT) for seamless access. Keeping Seamless SSO expands attack surface unnecessarily — without delivering any value.

Seamless SSO relies on Kerberos-based authentication. It uses a special on-prem AD computer account: AZUREADSSOACC. That account holds a shared secret between on-prem AD and Entra ID. If the secret gets compromised, it weakens your identity trust boundary.

🛠️ Evaluate if you still need Seamless SSO
- Do you have Hybrid Entra Join + Windows 10/11?
- Are you trying to use Modern authentication wherever you can?
- No legacy domain-joined-only scenarios?
If the answer to the above questions is yes, Seamless SSO is likely not needed.

🛡️ Disable Seamless SSO in Entra Connect Sync
- Edit the Microsoft Entra Connect configuration in the Change user sign-in section
- Uncheck Enable single sign-on
- Monitor sign-in behavior
- Validate PRT-based authentication continues to work
- Delete the AZUREADSSOACC account afterwards

⚠️ Important
- First, check whether Seamless SSO is active using the Audit Kerberos Service Ticket Operations GPO and logs
- Communicate with users before changing auth flows

✅ If you're aiming for Zero Trust and cloud-native identity, start removing authentication paths you no longer need. If a feature exists only "because it always did", it's time to question it.

💬 Have you already disabled Seamless SSO or is it still running quietly in your environment?

Author of the post: @strnad10

#Microsoft365 #EntraID #EntraConnect #HybridIdentity #SecureBits #HorizonSecured #CyberSecurity #CloudSecurity
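The "first, check whether Seamless SSO is active" step above, added here as an example (not the post author's code). It confirms the AZUREADSSOACC account exists, reports the age of its shared secret, and lists which client addresses still obtained Kerberos service tickets for it, using event 4769 from the DC Security log, which only appears once the Audit Kerberos Service Ticket Operations policy from the post is enabled. Assumes the RSAT ActiveDirectory module and read access to a DC's Security log; the 30-day key-age threshold follows Microsoft's rollover guidance and is a parameter.

```powershell
# Added example, not code from the original post: gathers the signals to review before
# disabling Seamless SSO. Assumes RSAT ActiveDirectory and Security-log read access on a DC.
Import-Module ActiveDirectory

function Get-SeamlessSsoUsage {
    [CmdletBinding()]
    param(
        [string]$DomainController = (Get-ADDomainController -Discover).HostName,
        [int]$Days = 1,            # 4769 is noisy; widen gradually on a busy DC
        [int]$MaxKeyAgeDays = 30   # Microsoft's guidance: roll the SSO Kerberos key at least every 30 days
    )
    $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet
    if (-not $acct) {
        return [pscustomobject]@{ AccountPresent = $false; KeyAgeDays = $null; StaleKey = $null;
                                  TicketRequests = 0; Clients = @() }
    }
    $keyAge = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays

    # 4769 = "A Kerberos service ticket was requested"; keep only tickets for AZUREADSSOACC
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue
    $requests = foreach ($e in $events) {
        # EventData field names are stable in the XML, unlike positional Properties indexes
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ServiceName -match '^AZUREADSSOACC') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $d.TargetUserName; IpAddress = $d.IpAddress }
        }
    }
    [pscustomobject]@{
        AccountPresent = $true
        KeyAgeDays     = $keyAge
        StaleKey       = ($keyAge -gt $MaxKeyAgeDays)
        TicketRequests = @($requests).Count
        Clients        = @($requests) | Group-Object IpAddress | Sort-Object Count -Descending |
                         Select-Object Name, Count
    }
}

$usage = Get-SeamlessSsoUsage
$usage | Format-List AccountPresent, KeyAgeDays, StaleKey, TicketRequests
$usage.Clients | Format-Table -AutoSize
```

Zero ticket requests over a representative window, with PRT sign-ins still succeeding, is the evidence the post wants before the Enable single sign-on box is unchecked; a stale key on an account you intend to keep is a separate finding to act on.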
David Horák retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡 Do you use RDP?

There's a surprising risk you might not be thinking about — and it's already on your machine.

When you use Remote Desktop (RDP) via the MSTSC client, any credentials you enter can be retrieved in plaintext in the process memory. That means your domain admin password could be sitting there, waiting to be pulled — no keylogger needed.

📌 You can't just flip a setting to disable this. But there are some ways to reduce the risk:

1️⃣ Use a Privileged Access Workstation (PAW) — ideally a physical machine, even if you run a VM PAW on top of it.
2️⃣ Avoid RDP — not always practical in Windows environments.
3️⃣ Use MFA — if there's no password typed, there's no password to grab from memory.

🔐 That's one reason I started collaborating with Systola. I tested their platform, SystoLOCK, which brings native passwordless multi-factor authentication to the Windows ecosystem — including RDP, Windows login, SAML, RADIUS, and more. It's simple, works as expected, and the pricing is very reasonable.

🧪 Want to try it? Link in comments. Here's how it works:
1. Open the page → you'll see the license options (one is free).
2. Click Request demo.
3. Systola will create your eval account and send access so you can install and test.

If you give it a spin, tell me how it goes — I can help and may be able to arrange a discount for paid tiers.

Do you use MFA for RDP sessions?

#WindowsSecurity #SecureBits #MFA #CyberSecurity #BlueTeam #HorizonSecured
David Horák retweeted
Horizon Secured @horizon_secured
🚨 Horizon Alert – February 2026 Patch Tuesday

February brings 6 actively exploited zero-days, primarily focused on security feature bypass and privilege escalation.

Tracked CVEs:
🔸 CVE-2026-21514
🔸 CVE-2026-21510
🔸 CVE-2026-21513
🔸 CVE-2026-21525
🔸 CVE-2026-21533
🔸 CVE-2026-21519

Multiple SYSTEM-level elevation-of-privilege issues and user-interaction document attacks are already being exploited in the wild — making endpoint patch prioritization critical.

Full breakdown and insights available in this month's Horizon Alert:
🔗 horizon-secured.com/newsletter/

#HorizonAlert #Cybersecurity #PatchTuesday #ZeroDay
David Horák retweeted
Horizon Secured @horizon_secured
🔎 From the Field — Real-World Findings from Security Assessments

💥 42.9% of infrastructures I've assessed do not properly configure Active Directory Sites and Services

I often see two cases:
▪️ admins configure it "how they feel," or
▪️ they don't configure it at all.
Both are wrong.

If you have multiple sites (DCs in multiple physical locations), configure AD Sites and Services to mirror those locations.

Why:
✅ It helps you set replication properly across locations.
✅ Devices can contact the nearest DC—but only if you also define Subnets and tie them to a site.

Keep it simple:
▪️ In most cases, leave the replication topology at default—the KCC will create and adapt the topology once sites are defined. Manual connection links can get complicated.
▪️ Set intersite replication to Change Notification System (AD Configuration partition).
▪️ Create sites to match physical locations, move DCs accordingly, and map subnets to sites. Nothing more.

What's your approach for this?

#Sites #CyberSecurity #Infrastructure #Hardening #BlueTeam #HorizonSecured #FromTheField @BlueTeamDave
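An audit of the three points in the "Keep it simple" list above, added here as an example (not the post's code): sites that hold no DC, sites with no subnet mapped to them (so clients cannot locate their nearest DC), subnets assigned to no site, and site links whose options attribute lacks the change-notification bit. Assumes the RSAT ActiveDirectory module; in a single-site forest the default site legitimately has no subnets, so read the output with that in mind.

```powershell
# Added example, not code from the original post: audits AD Sites and Services against the
# three checks the post lists. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdSiteAuditFinding {
    [CmdletBinding()]
    param()
    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    $dcs     = Get-ADDomainController -Filter *
    $links   = Get-ADReplicationSiteLink -Filter * -Properties options

    foreach ($s in $sites) {
        # Get-ADDomainController reports the site by name; subnets reference the site by DN
        $siteDcs     = @($dcs     | Where-Object { $_.Site -eq $s.Name })
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $s.DistinguishedName })
        if ($siteDcs.Count -eq 0) {
            [pscustomobject]@{ Object = $s.Name; Type = 'Site'; Finding = 'no domain controller in this site' }
        }
        if ($siteSubnets.Count -eq 0) {
            [pscustomobject]@{ Object = $s.Name; Type = 'Site'; Finding = 'no subnet mapped; clients cannot find their nearest DC' }
        }
    }
    foreach ($n in ($subnets | Where-Object { -not $_.Site })) {
        [pscustomobject]@{ Object = $n.Name; Type = 'Subnet'; Finding = 'subnet not assigned to any site' }
    }
    # options bit 0x1 (USE_NOTIFY) enables change notification on an intersite link;
    # without it intersite replication waits for the schedule instead of replicating on change
    foreach ($l in $links) {
        if (([int]$l.options -band 1) -eq 0) {
            [pscustomobject]@{ Object = $l.Name; Type = 'SiteLink'; Finding = 'change notification not enabled (options bit 0x1)' }
        }
    }
}

Get-AdSiteAuditFinding | Sort-Object Type, Object | Format-Table -AutoSize
```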
David Horák retweeted
Horizon Secured @horizon_secured
🎄 Christmas Giveaway

On Sunday 21.12.2025 I'll draw 3 winners from the comments — one prize each:
🎁 Winner #1: Windows Infrastructure Security (full course)
🎁 Winner #2: Building a Secure Active Directory (hands-on course)
🎁 Winner #3: 3 paid mini-courses

How to enter:
👍 Like this post + 💬 Comment (e.g., "IN" or tag a teammate). That's it.

I'll announce the winners on 21.12.2025. Good luck & happy hardening! 🔐

#Christmas #Giveaway #HorizonSecured #Cybersecurity
David Horák retweeted
Peter Girnus 🦅 @gothburz
Last quarter I rolled out Microsoft Copilot to 4,000 employees. $30 per seat per month. $1.4 million annually. I called it "digital transformation." The board loved that phrase. They approved it in eleven minutes. No one asked what it would actually do. Including me. I told everyone it would "10x productivity." That's not a real number. But it sounds like one. HR asked how we'd measure the 10x. I said we'd "leverage analytics dashboards." They stopped asking. Three months later I checked the usage reports. 47 people had opened it. 12 had used it more than once. One of them was me. I used it to summarize an email I could have read in 30 seconds. It took 45 seconds. Plus the time it took to fix the hallucinations. But I called it a "pilot success." Success means the pilot didn't visibly fail. The CFO asked about ROI. I showed him a graph. The graph went up and to the right. It measured "AI enablement." I made that metric up. He nodded approvingly. We're "AI-enabled" now. I don't know what that means. But it's in our investor deck. A senior developer asked why we didn't use Claude or ChatGPT. I said we needed "enterprise-grade security." He asked what that meant. I said "compliance." He asked which compliance. I said "all of them." He looked skeptical. I scheduled him for a "career development conversation." He stopped asking questions. Microsoft sent a case study team. They wanted to feature us as a success story. I told them we "saved 40,000 hours." I calculated that number by multiplying employees by a number I made up. They didn't verify it. They never do. Now we're on Microsoft's website. "Global enterprise achieves 40,000 hours of productivity gains with Copilot." The CEO shared it on LinkedIn. He got 3,000 likes. He's never used Copilot. None of the executives have. We have an exemption. "Strategic focus requires minimal digital distraction." I wrote that policy. The licenses renew next month. I'm requesting an expansion. 5,000 more seats. We haven't used the first 4,000. But this time we'll "drive adoption." Adoption means mandatory training. Training means a 45-minute webinar no one watches. But completion will be tracked. Completion is a metric. Metrics go in dashboards. Dashboards go in board presentations. Board presentations get me promoted. I'll be SVP by Q3. I still don't know what Copilot does. But I know what it's for. It's for showing we're "investing in AI." Investment means spending. Spending means commitment. Commitment means we're serious about the future. The future is whatever I say it is. As long as the graph goes up and to the right.
David Horák retweeted
Peter Girnus 🦅 @gothburz
Last week our CISO asked me to present on “zero trust architecture.” I don’t know what that means. I make $340,000 a year. I haven’t touched a firewall since Obama’s first term. But I have a CISSP. I passed by memorizing acronyms. I still don’t know what half of them stand for. I opened my presentation with “assume breach.” Everyone nodded gravely. I said “defense in depth” three times. The board was captivated. Then a junior analyst raised her hand. She asked how we’d implement microsegmentation. I felt a cold sweat. I said, “Great question. Let’s take that offline.” She persisted. I said we should “leverage AI-driven solutions.” She asked which ones. I said, “The cloud-native ones.” She looked confused. I told her confusion was natural. I said, “Security is a journey, not a destination.” The CEO started clapping. I don’t know why. But others joined in. The analyst stopped asking questions. I ended with “security is everyone’s responsibility.” This meant it was no one’s responsibility. Especially not mine. We got breached two weeks later. I blamed the analyst for “creating a culture of doubt.” She got put on a PIP. I got promoted to VP. Resilience isn’t about preventing failure. It’s about surviving it. Preferably while others don’t.
David Horák retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡 Do you want to protect your critical assets from vulnerabilities in user infrastructure and the threats that exploit them? Achieve this with the Tiering Model.

Categorize your Windows Infrastructure into Tiers based on asset criticality.
Tier 0: The most critical assets, affecting the entire Windows Infrastructure.
Tier 1: Application infrastructure, affecting client infrastructure.
Tier 2: User infrastructure, the first point of contact with threats.

👉 Follow the Tiering Model thoroughly and implement Access Restrictions.
💡 For example, a Tier 0 admin (Domain admin) should not be able to connect to servers or devices in Tier 1 and Tier 2.

This effectively protects your environment and contains attacks within specified Tiers.

#SecureBits #ActiveDirectory #WindowsSecurity #Windows #Microsoft #CyberSecurity #HorizonSecured @BlueTeamDave
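A verification for the access restriction described in this post and in the earlier "Default → Hardened" post (Tier 0 accounts must not be able to log on to Tier 1/2 machines), added here as an example and not taken from either post. Run on a lower-tier host, it exports the effective user-rights assignments with secedit and checks that the Tier 0 groups (Domain Admins, Schema Admins, Enterprise Admins by well-known RID) appear in every "Deny log on" right a tiering GPO should set. Assumes a domain-joined Windows host, an elevated session, and that the domain SID can be resolved from the Domain Admins group.

```powershell
# Added example, not code from the original posts: run on a Tier 1/2 machine to verify the
# tiering GPO denies the Tier 0 groups every logon type. Uses the built-in secedit tool.

function Test-Tier0LogonDenied {
    [CmdletBinding()]
    param(
        # Well-known RIDs: Domain Admins 512, Schema Admins 518, Enterprise Admins 519
        [hashtable]$Tier0Groups = @{ 'Domain Admins' = 512; 'Schema Admins' = 518; 'Enterprise Admins' = 519 }
    )
    # The five deny rights a tiering GPO should set on lower-tier machines
    $denyRights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
                  'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'

    # Derive the domain SID (S-1-5-21-...) by resolving Domain Admins and dropping the RID
    $daSid = ([System.Security.Principal.NTAccount]"$env:USERDOMAIN\Domain Admins").Translate(
                 [System.Security.Principal.SecurityIdentifier])
    $domainSid = $daSid.AccountDomainSid.Value

    # Export the effective (merged) user-rights assignments; secedit writes an INI-style file
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /mergedpolicy /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated session' }
    $assigned = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') {
            # values look like *S-1-5-21-...-512,*S-1-5-21-...-519 (each SID prefixed with '*')
            $assigned[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    foreach ($group in $Tier0Groups.Keys) {
        $sid = "$($domainSid)-$($Tier0Groups[$group])"
        foreach ($right in $denyRights) {
            [pscustomobject]@{
                Group  = $group
                Right  = $right
                Denied = (@($assigned[$right]) -contains $sid)
            }
        }
    }
}

# Every row should read Denied = True on a Tier 1/2 host; a False row is a gap in the GPO.
Test-Tier0LogonDenied | Sort-Object Group, Right | Format-Table -AutoSize
```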
David Horák retweeted
Horizon Secured @horizon_secured
🔎 From the Field — Real-World Findings from Security Assessments

💥 57.1% of infrastructures I've assessed don't perform any regular vulnerability scanning or penetration testing.

That number is surprisingly high — especially when so many great tools are available for free. Even if you're not doing a full pentest, there's still a lot you can do on your own.

This becomes especially important if your Active Directory is 5+ years old. Admins come and go, bad practices accumulate, and over time, you're left with a vulnerable setup. Even a one-admin environment can suffer from tunnel vision. You should regularly review whether your environment still aligns with security best practices.

Here are some tools I've personally used and can recommend:
🔹 ADProbe — my own tool to scan Active Directory for vulnerabilities and persistence techniques
🔹 Purple Knight (Semperis) — scans for AD vulnerabilities and misconfigurations
🔹 Forest Druid (Semperis) — a lighter, targeted version focused on AD paths
🔹 BloodHound (SpecterOps) — one of the most powerful tools to find privilege escalation paths (even referenced in CIS materials)
🔹 PingCastle (Netwrix Corporation) — great for auditing your AD and identifying weaknesses

This isn't a sponsored list — just tools I trust and have positive experience with.

✅ Pick one and give your AD a checkup — even a quick scan can reveal major issues.

#ActiveDirectory #Vulnerabilities #Misconfigurations #ADTools #FreeTools @BlueTeamDave
David Horák retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡 Do you often struggle with port openings for Windows and Active Directory? Do you want to do it properly without excessive port openings?

I have created a document that describes network ports in Windows Infrastructures for subscribers on my Teachable academy. You can join the academy for free and download this document. There is more free content there and I am going to add more, so it is a bargain! :)

👉 DOWNLOAD HERE: academy.horizon-secured.com/p/free-resourc…

#Windows #Cybersecurity #networkports #ActiveDirectory @BlueTeamDave
David Horák retweeted
Horizon Secured @horizon_secured
📝 Log what matters. Detect what matters.

Most environments either log too little (miss attacks) — or log too much (SIEM noise + $$).

🎯 This free mini-course shows you how to tune Windows & AD auditing the right way — fast.

You'll learn to:
🔹 Configure Advanced Audit Policy for high-value events (Windows & AD)
🔹 Use Sysmon with a proven, real-world baseline
🔹 Validate & de-noise your logs so alerts actually mean something
🔹 Build an auditing strategy with ThreatLog (optimized baselines)

⛔ Zero fluff. ✅ Built from real pentests & blue-team audits.

🚀 Enroll free → academy.horizon-secured.com/p/active-direc…
Or just leave a comment and I'll enroll you from my side.

#ActiveDirectory #WindowsSecurity #BlueTeam #DFIR #SIEM #SOC #Sysmon #AuditPolicy #ThreatDetection #CyberSecurity @BlueTeamDave