Guardians of the Directory

Directory Insights in 10 Minutes: AD’s Biggest Misconfiguration – Fix It Now!



Directory Insights in 10 Minutes – Episode 1
🛡️ AD’s Biggest Misconfiguration – Fix It Now!

Description:
Welcome to the first episode of Directory Insights in 10 Minutes, brought to you by Guardians of the Directory. This series is all about cutting through the noise—no fluff, no filler—just real-world, practical security insights for Active Directory and Entra ID admins.

In this episode, we’re exposing the #1 misconfigured setting in Active Directory—one that attackers love and admins often overlook. Even today, in 2025, this security gap exists by default in every new AD deployment.

What You’ll Learn:
✅ Why the built-in Administrator account (RID 500) is vulnerable out of the box
✅ How attackers abuse Kerberos delegation to impersonate admin accounts
✅ Why Microsoft’s security guidance is buried in a 2,000-page document
✅ The one checkbox that removes this attack path instantly
✅ Why Protected Users group doesn’t fully mitigate this risk

🛠️ Quick Fix:
1️⃣ Go to RID 500 account properties
2️⃣ Under the Account tab, check "Account is sensitive and cannot be delegated."
3️⃣ Apply this setting to all administrative accounts
4️⃣ Implement this as part of your ongoing security process
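The four steps above can be turned into a repeatable check so the setting does not silently drift back off on new admin accounts. The following PowerShell is an added example, not code from the episode or from Guardians of the Directory; it assumes the RSAT ActiveDirectory module is installed and that the caller has rights to modify the target accounts. It locates the RID 500 account from the domain SID, adds every account that AdminSDHolder has stamped with adminCount=1 (which covers the "all administrative accounts" step), reports which of them lack the flag, and applies it. The Set-ADUser call runs with -WhatIf so the first run is a dry run; remove -WhatIf once the report looks right.

```powershell
# Added example (not from the podcast): audit and apply
# "Account is sensitive and cannot be delegated" (UAC bit NOT_DELEGATED, 0x100000)
# to the RID 500 account and all AdminSDHolder-protected accounts.
# Assumes the RSAT ActiveDirectory module and rights to modify these accounts.
Import-Module ActiveDirectory

# Step 1: find the built-in Administrator by SID (domain SID + RID 500),
# which works even if the account has been renamed.
$domain = Get-ADDomain
$rid500 = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties AccountNotDelegated

# Step 3: every account AdminSDHolder protects (adminCount=1) is treated as administrative.
# krbtgt is excluded; it is never a delegation target and should not be touched here.
$admins = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' `
                     -Properties AccountNotDelegated

# Merge and de-duplicate (RID 500 normally already carries adminCount=1).
$targets = @($rid500) + @($admins) | Sort-Object -Property DistinguishedName -Unique

# Report the current state before changing anything.
$targets |
    Select-Object SamAccountName, AccountNotDelegated |
    Sort-Object AccountNotDelegated, SamAccountName |
    Format-Table -AutoSize

# Step 2: set the flag on every target that does not have it yet.
# -WhatIf makes this a dry run; drop it after reviewing the report.
foreach ($user in ($targets | Where-Object { -not $_.AccountNotDelegated })) {
    Set-ADUser -Identity $user.DistinguishedName -AccountNotDelegated $true -WhatIf
}

# Step 4: verification query suitable for a scheduled job or SIEM feed.
# LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 tests the NOT_DELEGATED bit (1048576).
$stillDelegatable = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=1048576)))'
if ($stillDelegatable) {
    Write-Warning "Admin accounts still delegatable: $($stillDelegatable.SamAccountName -join ', ')"
} else {
    Write-Host "All adminCount=1 accounts are marked sensitive and cannot be delegated."
}
```

The verification query at the end is the piece worth scheduling: it needs no module state beyond a domain read and returns a non-empty list the moment someone creates or promotes an admin account without the flag, which is exactly the drift the episode's fourth step is meant to catch.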


Guardians of the Directory, by Guardian of the Directory