Microsoft Exchange and Active Directory Blog
Users are often added to the local "Administrators" group on servers or PCs to give users admin rights on the corresponding computers. Although this is the easiest way to configure admin rights for a user account, it is unfortunately easy to lose track. Here is an example of the members of the local administrator group of a server: The users ... Read more
This third part of the article series "Simple measures for more security in AD" deals with the passwords of local administrator accounts. In many environments, the local administrator passwords are always the same, but this sometimes opens the door to malware and makes lateral movement possible or at least simplifies it. Different passwords for the ... Read more
I have already described the basic functionality of Admin Tiers in Part 1 of this article series; this article will now focus on setting up Admin Tiers in an existing environment. Basically, it makes sense if at least one Admin Host has already been installed. By and large, this article is first of all about ... Read more
Part 1 of this article series has already presented measures to improve the security of the Active Directory. The next articles are now dedicated to the implementation of these measures within an existing Active Directory using an example environment. This article will first deal with the Admin Host. Introduction The fictitious company "FrankysWebLab" can be used as an example here. Read more
To increase security within the Active Directory, small organizational measures in conjunction with free tools are usually sufficient. Many widespread attack vectors can at least be significantly curbed with a few small changes and fairly simple measures. The word "attacker" often appears in the following article, but "attacker" does not necessarily mean a ... Read more
Especially in larger and above all older Active Directory environments, a large number of authorizations and delegations accumulate over time. These often include authorizations with orphaned SIDs, for example if the user has already been deleted but the ACL still exists. Many people are familiar with these orphaned SIDs from file servers and their authorization structure. In order to ... Read more
There is currently a security vulnerability in all Exchange Server versions, which makes it possible to obtain domain administrator authorizations via EWS or, for example, to redirect emails. What makes this vulnerability particularly critical is that it can be exploited remotely. The attacker only needs to have access to a mailbox on the Exchange Server. Since the EWS API and often also ... Read more
I have now received several emails regarding the migration of domain controllers that are still running an older operating system. Most of the emails are about retaining the IP address of the original domain controller. The environments described in the e-mails were all similar, only the operating system on which the original domain controller was running ... Read more
I have now received a number of inquiries asking how several companies can share an Active Directory. The last inquiry was about a company that had bought out another company. The companies should now share the infrastructure. In the standard setting of an Active Directory, however, all users ... Read more
We have recently introduced a new ERP in our company, which also includes the complete personnel administration. The software uses MS-SQL Server as a database. As our IT process is very complex for a new user and little things are often forgotten, I have tried to automate the creation as much as possible. ... Read more
