The Entra admin centre is open by default to anyone with a tenant account. Standard users sign in, see the dashboard, browse the user list, view group memberships. They can’t…
Part 3 of the Entra Connect series. We’ve covered the prerequisites (Part 1) and staged the installer files (Part 2). Now we need a server to run Entra Connect on.…
The Print Spooler service (spoolsv.exe) runs by default on every Windows host. It manages print jobs, talks to printers, and historically has been one of the most fertile sources of…
The built-in local Administrator account ships with two predictable properties: well-known RID 500 (predictable SID) and the literal name 'Administrator'. The Accounts: Rename administrator account security policy lets you change the name across every domain-joined computer with one GPO. This article walks the workflow: create a Computer-scoped GPO linked to the OU containing your endpoints, navigate to Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options, set Accounts: Rename administrator account with a deliberately neutral name (Operator, BuildAcct, etc.), run gpupdate /force on a target, verify in Computer Management - Local Users and Groups. Includes the GPO naming convention (C_ / U_ / CU_), the names to avoid (Admin, SuperUser, anything containing 'admin'), and the common pitfalls (linking at the domain root, picking a guessable name, confusing the local rename with the Domain Administrator rename).
Re-enable Windows Defender Firewall on a Windows Server with one cmdlet per profile. Get-NetFirewallProfile reads the per-profile state (Domain / Private / Public); Set-NetFirewallProfile -Enabled True flips them all on at once. Covers the three profiles, the read-then-set-then-verify pattern, the rest of the per-profile properties (default actions, logging, notifications), per-rule operations (New-NetFirewallRule, Get-NetFirewallRule, Enable/Disable), and the common pitfalls (turned off for testing, disabled only one profile, GPO override, block-all-outbound footgun).
Working reference for Cisco IOS device-access hardening. The bare-minimum local-auth setup (enable secret, login local, transport input ssh, access-class on VTY, service password-encryption, security passwords min-length), SSH config (2048-bit RSA, ip ssh version 2, public-key auth via pubkey-chain), brute-force defense with login block-for, full AAA stack with RADIUS and the critical local fallback, NTP with authentication and Loopback source-interface, privilege levels vs the modern parser-view RBAC alternative, and the 10-item hardening checklist (no Telnet, weak keys, missing fallback, default communities, etc.).
Audit and harden Active Directory against breached passwords using Lithnet Password Protection and the Have I Been Pwned compromised hash list. Covers installing Lithnet PP on a Domain Controller, syncing the HIBP store, running the Audit-Passwords.ps1 script to find pwned accounts, and configuring the GPO that rejects new pwned passwords on every set/change.
