Mahdi Tehrani

iC Consult

Mahdi Tehrani has been working with Active Directory and Azure AD for about 10 years. He works as an IAM consultant for “iC Consult”, and his fields of expertise cover Active Directory, PowerShell, Azure AD and identity solutions including Quest One Identity.


Published by Mahdi Tehrani

Designing a Delegation Model in Active Directory, Part 4

- 1 min read-Mahdi Tehrani
This is part 4 of “Designing a Delegation Model in Active Directory”. In this video, Mahdi explains how to mirror the Access Control Lists (ACLs) onto the newly created groups. By mirroring ACLs we mean granting the same delegation the users had before, but this time through the groups created in part 3 of this series instead of the old groups or direct delegation to user accounts. Mahdi also explains that a cleanup has to follow, so that the old, now unwanted ACEs are removed and the old path to the same permission no longer exists.
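The mirroring step described above, as an added PowerShell example that is not code from the video series: every explicit ACE an old group holds on an OU is rebuilt with the new delegation group as trustee, and a switch performs the cleanup. The OU distinguished name and the group names 'Helpdesk-Old' and 'ACL-Users-ResetPassword' are placeholders.

```powershell
# Added example, not from the video series: mirror an old group's explicit ACEs on
# an OU onto a new delegation group, then optionally remove the old ACEs (the cleanup).
# Placeholders: the OU DN, the old group 'Helpdesk-Old' and the new group
# 'ACL-Users-ResetPassword' created in part 3.
Import-Module ActiveDirectory

function Copy-AdDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $SourceGroup,   # old group whose ACEs are mirrored
        [Parameter(Mandatory)] [string] $TargetGroup,   # new delegation group
        [switch] $RemoveSource                          # cleanup: drop the old ACEs afterwards
    )

    # Resolve both groups to SIDs. ACEs read from the AD: drive list the trustee as
    # DOMAIN\Name, so translate the source SID to that form for comparison.
    $sourceSid  = (Get-ADGroup -Identity $SourceGroup).SID
    $targetSid  = (Get-ADGroup -Identity $TargetGroup).SID
    $sourceName = $sourceSid.Translate([System.Security.Principal.NTAccount]).Value

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    # Only explicit ACEs are mirrored here. Inherited ACEs come from a parent
    # object and have to be mirrored on that parent instead.
    $sourceAces = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $sourceName
    })
    if ($sourceAces.Count -eq 0) {
        Write-Warning "No explicit ACEs for $sourceName on $OuDistinguishedName"
        return
    }

    foreach ($ace in $sourceAces) {
        # Rebuild the ACE with the same rights, allow/deny type, object GUIDs and
        # inheritance settings, but with the new group as the trustee.
        $mirrored = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $targetSid,
            $ace.ActiveDirectoryRights,
            $ace.AccessControlType,
            $ace.ObjectType,
            $ace.InheritanceType,
            $ace.InheritedObjectType)
        $acl.AddAccessRule($mirrored)
        if ($RemoveSource) { [void] $acl.RemoveAccessRule($ace) }
        '{0,-6} {1,-40} -> {2} (objectType {3})' -f $ace.AccessControlType,
            $ace.ActiveDirectoryRights, $TargetGroup, $ace.ObjectType
    }

    if ($PSCmdlet.ShouldProcess($OuDistinguishedName, 'write mirrored ACL')) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# First pass: review with -WhatIf, then mirror. Cleanup (-RemoveSource) is a separate
# pass, run only after the delegation through the new group has been validated.
Copy-AdDelegation -OuDistinguishedName 'OU=Users,OU=Corp,DC=corp,DC=example' `
    -SourceGroup 'Helpdesk-Old' -TargetGroup 'ACL-Users-ResetPassword' -WhatIf
```

Keeping the cleanup behind a switch matters in practice: while both groups hold the ACE, users who were only in the old group keep working, and you can confirm the new group grants exactly what is needed before the old path is removed.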

Designing a Delegation Model in Active Directory: Part 3

- 1 min read-Mahdi Tehrani
This is part 3 of “Designing a Delegation Model in Active Directory”. If you watched part 1 and part 2, you have studied the environment and you know what needs to be done. In this video the actual work is done: the groups are created and, based on these groups, the delegation is applied to Active Directory using PowerShell scripts.

Designing a Delegation Model in Active Directory: Part 2

- 1 min read-Mahdi Tehrani
This is part 2 of “Designing a Delegation Model in Active Directory”. In part 1, Mahdi discussed the general concepts of delegation and why delegation based on least privilege is a must in Active Directory. In this part, he explains the different methods of applying delegation in Active Directory and suggests a framework based on the concept of least privilege. This framework can be expanded to other areas of the infrastructure; for example, the same concepts can be used to implement least-privilege delegation for managing a VMware environment or Azure resources. However, the focus here is Active Directory.

Designing a Delegation Model in Active Directory: Part 1

- 1 min read-Mahdi Tehrani
In this video series about Active Directory best practices, Mahdi discusses how to create a clean, easily manageable delegation model that follows the concepts of least privilege and zero trust. This video, part 1, explains why Active Directory delegation plays a key role in the security of the environment and of AD itself. The key point to note is that the delegation model can be expanded to cover other areas of your infrastructure, not only AD; it is essentially a framework based on the concept of least privilege.

Enhance Active Directory Security with Tiering, Part 4

- 1 min read-Mahdi Tehrani
In the previous three parts of this series on Active Directory tiering, I explained what tiering is and how Tier 1 and Tier 2 should be implemented. This video covers Tier 0, the most important part of the model, because here you learn how to segregate the most sensitive servers of your environment. I also present a way to define different subcategories of servers, a concept you can then apply to your Tier 1 as well.

Enhance Active Directory Security with Tiering, Part 3

- 1 min read-Mahdi Tehrani
As discussed in Enhance Active Directory Security with Tiering, Part 1 and Part 2, to get reasonable protection against pass-the-hash attacks on Active Directory you can implement tiering, which defines different levels based on how sensitive the data and systems are. This video is devoted to Tier 1 servers (a server shared between two teams for file sharing, an IIS server for a development team, etc.).

Enhance Active Directory Security with Tiering, Part 2

- 1 min read-Mahdi Tehrani
To get reasonable protection against pass-the-hash attacks on Active Directory, you can implement tiering, which defines different levels based on data sensitivity. In this video, I discuss the second level of tiering. The scope for Tier 2 includes the workstations and applying settings via GPO to block unauthorized access, such as logons by accounts that belong to a higher tier.

Enhance Active Directory Security with Tiering, Part 1

- 1 min read-Mahdi Tehrani
In this video, which is part 1 of this series, I discuss Active Directory security and specifically credential theft, which we see frequently when dealing with a ransomware attack. Credential theft is a main attacker goal: after gaining access to a server or PC, the attacker reuses the credentials found there (for example, by passing the hash) to hop to another server. I explain this problem, called lateral movement, in the video. Finally, we discuss Active Directory tiering, a solution that logically segments resources and divides them into Tier 0, Tier 1 and Tier 2.

Using gMSA in Active Directory to Enhance Security (Part 2)

- 1 min read-Mahdi Tehrani
In this part 2 video, I walk through examples of using a gMSA in an environment: one case of running a service as a gMSA and one of running a scheduled task as a gMSA. I also discuss how to troubleshoot the authorization part of a gMSA, that is, which computers are allowed to retrieve its managed password, to understand why your gMSA is not working correctly.

Using gMSA in Active Directory to Enhance Security (Part 1)

- 1 min read-Mahdi Tehrani
Learn how a gMSA (group Managed Service Account) can replace old service accounts. You’ll learn about the under-the-hood features of gMSAs as I discuss how to create and assign them. I also show how to run services under a gMSA in services.msc and how to run scheduled tasks with one. You’ll also see how to troubleshoot them using PsExec.
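The lifecycle described in both gMSA videos (create and assign the account, run a service and a scheduled task under it, and check the authorization when it fails), as an added PowerShell example that is not code from the videos. The domain CORP, the account svc-backup, the host APP01, the service name BackupAgent and the script path are placeholders.

```powershell
# Added example, not from the videos: create a gMSA, authorize one host group to
# retrieve its password, run a service and a scheduled task under it, and check the
# authorization when Test-ADServiceAccount fails. All names are placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that gMSA passwords are derived from.
# Production: Add-KdsRootKey -EffectiveImmediately (usable after ~10 hours of replication).
# Lab only: back-date the key so it is usable right away.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# Least privilege: only members of this group may retrieve the managed password.
New-ADGroup -Name 'gMSA-svc-backup-Hosts' -GroupScope Global -Description 'Hosts allowed to use svc-backup'
Add-ADGroupMember -Identity 'gMSA-svc-backup-Hosts' -Members 'APP01$'

New-ADServiceAccount -Name 'svc-backup' `
    -DNSHostName 'svc-backup.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-svc-backup-Hosts' `
    -KerberosEncryptionType AES128, AES256

# --- On APP01, after a reboot so its Kerberos ticket carries the new group membership ---
Install-ADServiceAccount -Identity 'svc-backup'   # caches the account on this host
Test-ADServiceAccount    -Identity 'svc-backup'   # True when the host can retrieve the password

# Service: log on as the gMSA with an empty password; Windows fetches the real one.
& sc.exe config BackupAgent obj= 'CORP\svc-backup$' password= ""

# Scheduled task: LogonType Password plus the gMSA name with its trailing $.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\Scripts\Backup.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\svc-backup$' -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'NightlyBackup' -Action $action -Trigger $trigger -Principal $principal

# Troubleshooting the authorization part: when Test-ADServiceAccount returns False,
# check who may retrieve the password and whether this computer is in that list,
# directly or through a group.
function Test-GmsaHostAuthorization {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $gmsa     = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
    $computer = Get-ADComputer -Identity $ComputerName
    $groups   = @(Get-ADPrincipalGroupMembership -Identity $computer)
    $allowed  = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
    if ($allowed.Count -eq 0) {
        Write-Warning "$AccountName has no PrincipalsAllowedToRetrieveManagedPassword set"
        return $false
    }
    foreach ($dn in $allowed) {
        if ($dn -eq $computer.DistinguishedName -or $groups.DistinguishedName -contains $dn) { return $true }
    }
    Write-Warning "$ComputerName is not in: $($allowed -join '; ')"
    $false
}
Test-GmsaHostAuthorization -AccountName 'svc-backup'
```

Using a group rather than individual computer objects in PrincipalsAllowedToRetrieveManagedPassword keeps the authorization reviewable and makes moving the service to another host a group-membership change. The reboot (or at least a fresh Kerberos ticket) after changing that membership is the most common reason a freshly assigned gMSA still fails Test-ADServiceAccount.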

Deep Dive Into Azure Key Vaults With Use Cases

- 1 min read-Mahdi Tehrani
Azure Key Vault can store keys, secrets and certificates and lets applications use them securely in the cloud. This video describes how to configure them. Similar methods exist that use the same principle, but they are outdated. Learn how to apply the least privilege concept to your Key Vault using the Key Vault delegation model, so that you have better control over and security for the items stored in the Key Vault. Finally, the video ends by discussing two use cases for using secrets in Azure Key Vault.

Stop Using Unsecured Credentials in Your PowerShell Scripts and Use Azure Key Vault Instead

- 1 min read-Mahdi Tehrani
Some users store credentials, including the password of a specific service account, inside a PowerShell script in real-world production. This is highly risky: anyone who can read the script (an attacker who lands on the host, or anyone with access to the repository or file share) can simply grab the credentials and use them. In this video, I discuss how to use a privileged credential in your PowerShell script in a more secure way, using a certificate and Azure Key Vault.
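The insecure pattern next to the hardened one, as an added PowerShell example that is not code from this video or the Key Vault deep dive above; it also shows the least-privilege vault assignment the deep dive's delegation model calls for. The vault name, secret name, tenant ID, app registration ID and certificate thumbprint are placeholders, the vault is assumed to use the RBAC permission model, and Az.KeyVault 3.0 or newer is assumed for -AsPlainText.

```powershell
# Added example, not from the videos: a password hard-coded in a script (the insecure
# pattern) beside the hardened version that authenticates with a certificate and
# reads the password from Azure Key Vault. All IDs and names are placeholders.
# Requires Az.Accounts and Az.KeyVault (3.0 or newer for -AsPlainText).

# --- Before: the password lives in the script. Whoever can read the file owns the account. ---
$insecure = New-Object System.Management.Automation.PSCredential(
    'CORP\svc-adadmin', (ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force))

# --- After: the script holds no secret. It logs on as an app registration using a
# certificate whose private key sits in the machine store, and the vault grants that
# app read access to secrets only. ---
$tenantId   = '00000000-0000-0000-0000-000000000000'        # placeholder tenant
$appId      = '11111111-1111-1111-1111-111111111111'        # placeholder app registration
$thumbprint = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'    # placeholder, cert in Cert:\LocalMachine\My
$vaultName  = 'kv-ad-automation'                            # placeholder vault

# One-time setup by the vault owner (Key Vault delegation model, RBAC permission model):
# the app can read secrets in this one vault and nothing else in the subscription.
#   $vault = Get-AzKeyVault -VaultName $vaultName
#   New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId

function Get-VaultCredential {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [Parameter(Mandatory)] [string] $UserName
    )
    # Certificate-based service principal logon: no password or client secret on disk.
    Connect-AzAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $appId `
        -CertificateThumbprint $thumbprint | Out-Null

    $plain = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
    if (-not $plain) {
        throw "Secret '$SecretName' not found in vault '$VaultName', or access denied"
    }

    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Remove-Variable plain        # keep the plaintext copy as short-lived as possible
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

$cred = Get-VaultCredential -VaultName $vaultName -SecretName 'svc-adadmin-password' -UserName 'CORP\svc-adadmin'
Get-ADUser -Identity 'jdoe' -Credential $cred
```

Two checks a practitioner should make before calling this secure: the private key of the certificate in Cert:\LocalMachine\My must be readable only by the account that runs the script (otherwise the key is just a different file to steal), and the app registration should hold only the Key Vault Secrets User role on that vault, so a compromised script cannot enumerate or change other vault contents. Rotating the service account password then happens in the vault, with no script edits.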