Standing local admin rights are one of the most reliably exploited footholds in real-world incidents. If a device with permanent admin access is compromised — via malware, phished session token,…
The previous post in this Entra ID Security pathway covered two of the three ways a user can become a local administrator on an Entra-joined device: the Global Admin auto-elevation…
Device Settings in the Microsoft Entra Admin Center is the single page where you configure how devices interact with your tenant: who can join them, how many they can have,…
By default, when a user joins or registers a device to Microsoft Entra ID, only their username and password are required. If those credentials are stolen (phishing, breach, brute force),…
When you join a Windows device to Microsoft Entra ID, four entities are automatically added to the local Administrators group on that device: The built-in Administrator account (always exists) ALL…
Sometimes the right policy is just block — not “require MFA,” not “require compliant device,” but a hard no. Common scenarios: an IP range tied to a known-malicious VPN, a…
Microsoft’s number-one recommended baseline Conditional Access policy is require MFA for any administrator. The premise is simple: admin accounts have the keys to the kingdom — if an attacker phishes…
Entra ID monitoring splits into two distinct surfaces: Audit Logs (changes — who did what to your tenant) and Sign-in Logs (access — who got in, from where, with what…
Networking from Scratch (lesson 12, the capstone) — the six stages of a typical intrusion (initial access, foothold, lateral movement, privilege escalation, C2 + persistence, exfil + impact), the protocols attackers actually use, and the highest-leverage defence at each stage. Closes out the foundation pathway.
The built-in local Administrator account ships with two predictable properties: well-known RID 500 (predictable SID) and the literal name 'Administrator'. The Accounts: Rename administrator account security policy lets you change the name across every domain-joined computer with one GPO. This article walks the workflow: create a Computer-scoped GPO linked to the OU containing your endpoints, navigate to Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options, set Accounts: Rename administrator account with a deliberately neutral name (Operator, BuildAcct, etc.), run gpupdate /force on a target, verify in Computer Management - Local Users and Groups. Includes the GPO naming convention (C_ / U_ / CU_), the names to avoid (Admin, SuperUser, anything containing 'admin'), and the common pitfalls (linking at the domain root, picking a guessable name, confusing the local rename with the Domain Administrator rename).
An orphaned SID is an ACL entry whose underlying user, group, or computer was deleted but the access control entry was left behind. They show up as raw S-1-5-21-... numbers on the Security tab of AD objects and clutter audit reports without breaking access control. This article ships a complete RemoveOrphanedSID-AD.ps1 PowerShell script that recursively walks AD objects, identifies ACEs whose IdentityReference is a domain-prefixed SID that no longer resolves, and either lists or removes them. Includes the two-pass workflow (list, then remove), the -WhatIf dry-run mode, the AD: PowerShell drive provider details, why RemoveAccessRuleSpecific is the right method, and the common pitfalls (running -Remove first, scoping to forest before testing on one OU, confusing this with file-system ACL cleanup).
Re-enable Windows Defender Firewall on a Windows Server with one cmdlet per profile. Get-NetFirewallProfile reads the per-profile state (Domain / Private / Public); Set-NetFirewallProfile -Enabled True flips them all on at once. Covers the three profiles, the read-then-set-then-verify pattern, the rest of the per-profile properties (default actions, logging, notifications), per-rule operations (New-NetFirewallRule, Get-NetFirewallRule, Enable/Disable), and the common pitfalls (turned off for testing, disabled only one profile, GPO override, block-all-outbound footgun).
