🔧 Do you work with Microsoft technology?
Then Experts Live Sweden 2026 is the conference you don't want to miss.
Register: expertslive.se
Community-driven. Non-profit. Full focus on the Microsoft stack.
#Microsoft #ELSE26 #ExpertsLive
@NITESHRAJPOOT @PyroTek3 MS Creates a baseline policy if you have P1 licenses on a tenant level. But in short, any user that can "benefit" from the feature needs to have a license assigned.
@AdamTheRock1 @horizon_secured Beg to differ, don't try to do it all at once. Get the structure in place in parallel to the existing env, and migrate into the tiering structure. Done it that way for 50+ companies worldwide the last couple of years.
🔒 Secure Bits 💡
Do you want to protect your critical assets from vulnerabilities in user infrastructure and the threats that exploit them? Achieve this with the 𝗧𝗶𝗲𝗿𝗶𝗻𝗴 𝗠𝗼𝗱𝗲𝗹. Categorize your Windows Infrastructure into Tiers based on asset criticality.
𝗧𝗶𝗲𝗿 𝟬: The most critical assets, affecting the entire Windows Infrastructure.
𝗧𝗶𝗲𝗿 𝟭: Application infrastructure, affecting client infrastructure.
𝗧𝗶𝗲𝗿 𝟮: User infrastructure, the first point of contact with threats.
👉Follow the Tiering Model thoroughly and implement Access Restrictions.
💡For example, a Tier 0 admin (𝗗𝗼𝗺𝗮𝗶𝗻 𝗮𝗱𝗺𝗶𝗻) should not be able to connect to servers or devices in Tier 1 and Tier 2. This effectively protects your environment and contains attacks within specified Tiers.
#SecureBits #ActiveDirectory #WindowsSecurity #Windows #Microsoft #CyberSecurity #HorizonSecured @BlueTeamDave
Azure Bastion CVE-2025-49752 👀
CVSS Score: 10/10
Affected: All Azure Bastion deployments prior to the security update released on November 20, 2025
zeropath.com/blog/azure-bas…
@UK_Daniel_Card Why bother hacking stuff and spending $ on some 0-day or whatever, when admin/admin, cisco/cisco or whatever gives you what you need? 😅
Key things seen in ransomware incidents:
1) VPN does not require MFA
2) Standard User VPN access gives access to management interfaces
3) LDAP access leads to domain admin via: Passwords in description fields, kerberoasting and other common escalation points (but seriously the above is major)
4) the backup servers are primary corp domain joined
5) the vCenter servers are primary corp domain joined
this gives the threat actor the ability to:
> destroy your backups
> destroy your virtual infrastructure
> delete/encrypt your data
> exfiltrate the data
@rucam365 Forget physical PAWs for each Tier, easiest compromise is to have the laptop as a Hyper-V host and run each PAW as individual VMs on it, including your companion device 😁.
Most IT teams, including mature ones, aren’t gonna adopt physical dedicated PAWs and it’s not reasonable to assert they should.
What have been your most successful compromises for this?
@reprise_99 Not 5 words, but 200+% of the company were DA. Domain Users and Domain Computers were members of DA. "Everything worked fine, until we got hacked"
I'm just going to leave this here, as I keep seeing surprised faces when I tell people about Windows Hello multifactor unlock.
Yes, you can enforce 2️⃣ factors to unlock your Windows machine! See for yourself.
learn.microsoft.com/en-us/windows/…
🎉 A warm welcome to all the new MVPs! 🎉
You’ve joined a global community of passionate experts, builders, and changemakers who go above and beyond to share knowledge, support others, and drive innovation.
Whether you’re leading user groups, writing code, creating content, or empowering your local tech ecosystem—your impact matters. And now, you’re officially part of the MVP family.
🙌 Let’s celebrate YOU. Drop a 👋 and let us know where you're from or what community you're most excited to engage with!
#MVPBuzz #MicrosoftMVP