@scottalanmiller said in Active Directory Domain name:

@stacksofplates said in Active Directory Domain name:

@dbeato said in Active Directory Domain name:

@scottalanmiller said in Active Directory Domain name:

used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).

The Majority if not all did add the .local, .lan and others, unless you think all CA are scams then I wouldn't say they are a scam.

Yeah from a quick search looks like at least GoDaddy and Digicert offered them.

Nov 2015 is when CA/Browser Forum set the standard to not allow internal domains. So looks like most if not all would have supported it before that.

https://cabforum.org/internal-names/

Damn, that's a major security hole! So I could go get a cert issued for a domain someone else used and there had to be zero verification since.... there was nothing to verify!

Yup.

@pmoncho said in Anyway I can Learn AD?:

@WrCombs said in Anyway I can Learn AD?:

@pmoncho said in Anyway I can Learn AD?:

wrcombs.com is available. Go register it for a year at godaddy (or whoever) for $12.

Then, like @thwr pointed out in his list, use something like ad.wrcombs.com as your AD domain.

doesn't sound horrible. thanks.

Welcome. Staying away from .local domains, plus knowing you are not using somebody else's domain will make your life SO MUCH easier. No need to start learning bad habits in the beginning.

^ this

Discussion on the policy side of this is over here:

https://mangolassi.it/topic/20894/policies-vs-network-access-control

@scottalanmiller said in Server 2012 PS: Script to find OU path:

@dbeato he's looking for NTG admin accounts on someone else's domain.

Good!

@eddiejennings said in Logging Domain user authentication failures:

@travisdh1 said in Logging Domain user authentication failures:

@eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need.

I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing.

We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure.

Ah. What an ..... effective use of resources.

Good luck, ExtraHop is very nice, but like every other tool, it's useless untill deployed properly.

@eddiejennings said in Domaing Joining Windows Servers:

@tim_g said in Domaing Joining Windows Servers:

Seems odd you'd have the least secure systems on the domain, the client computers... and not have the most secure systems on the domain, the servers. With your DC and hypervisor being on the domain, how many times have those been compromised? Do you not update your servers? Do they all have internet access

To my knowledge they haven't been. No. All servers receive Windows updates. Yes.

And I agree, this is odd. This, and so many other things, are being fixed one bite at a time.

Set your firewall to drop outbound traffic from servers that don't need Internet access. Point those servers to a local WSUS server for updates. Allow the WSUS server to get out to Internet. You can set local policy and point servers to WSUS, if they aren't domain joined. That way, servers can be updated but lower attack vector as they cannot get online.

@dbeato said in AD User Tool: Bulk AD User:

@Dashrender Then, he needs to force it with Powershell no just a GUI....

Agreed.