Blueprinting Zero Trust From: Strategy to Execution with Jerry Chapman
Welcome back to Guardians of the Directory! In this episode, Craig Birch is joined once again by Zero Trust expert Jerry Chapman for a deep dive into the Zero Trust Blueprint—a practical model to help organizations shift from theory to execution. Jerry shares insights from his work as Co-Chair of the CISA Zero Trust Working Group and provides a clear framework covering assessment, strategy, roadmap development, and execution phases.Together, they explore:The critical role of business assets and protect surfacesThe importance of session management, privilege access, and standing permission hygiene in Active DirectoryCommon pitfalls organizations face as they mature their Zero Trust implementationsHow Zero Trust applies equally to human and non-human identities (including AI!)The value of visibility, automation, and governance in maintaining Zero Trust momentumIf you're looking for a realistic, actionable guide to embedding Zero Trust in your enterprise—and especially within Active Directory environments—this episode is your blueprint.Resources Mentioned:CISA Zero Trust Maturity ModelCISA Zero Trust Working GroupMicrosoft Entra PIMNext-gen IGA and Certificate Lifecycle ManagementGuest Bio:Jerry Chapman is a cybersecurity veteran with over 25 years of experience in identity and Zero Trust. He serves as a Co-Chair for the CISA Zero Trust Working Group and is a recognized thought leader in strategy-driven security.
--------
30:09
--------
30:09
AdminSDHolder in Active Directory: Hidden Risks and Persistent Threats
In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down the often-misunderstood AdminSDHolder object in Active Directory and why it's a high-value target for attackers. Learn how the SDProp process uses it to secure privileged groups—and how misconfigurations or legacy permissions can open the door to persistent access.🔍 What you’ll learn:What AdminSDHolder and SDProp really doWhy this object matters for securing protected groupsHow attackers abuse it for persistenceHow to identify dangerous ACLs and misconfigurationsPowerShell tips to simplify your audit🛠️ PowerShell script to audit AdminSDHolder will be posted in the video description/comments.💡 If AdminSDHolder is compromised, your admin model is too.Subscribe for more quick-hit insights on Active Directory and Entra ID security.Powershell:Import-Module ActiveDirectory# DCSync-related GUIDs$dcsyncGUIDs = @( [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", [Guid]"89e95b76-444d-4c62-991a-0facbeda640c")# Noisy identities to ignore$noisyAccounts = @( "NT AUTHORITY\SELF", "NT AUTHORITY\SYSTEM", "NT AUTHORITY\Authenticated Users", "NT AUTHORITY\INTERACTIVE", "BUILTIN\Pre-Windows 2000 Compatible Access", "Everyone")# AdminSDHolder ACL retrieval$domainNC = (Get-ADDomain).DistinguishedName$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"$adminSDHolder = Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor$acl = $adminSDHolder.nTSecurityDescriptor# Admin group membership mappingfunction Get-AdminGroupMembers { param([string[]]$groupNames) $members = @() foreach ($name in $groupNames) { $group = Get-ADGroup -Identity $name $members += Get-ADGroupMember -Identity $group.DistinguishedName -Recursive | ForEach-Object { $_.SamAccountName } } return $members | Sort-Object -Unique}$adminGroups = @("Domain Admins", "Enterprise Admins", "Administrators")$adminMembers = Get-AdminGroupMembers -groupNames $adminGroups# Filter risky, non-default ACEs$dangerousACEs = $acl.Access | Where-Object { $_.AccessControlType -eq "Allow" -and -not ($noisyAccounts -contains $_.IdentityReference.Value) -and ( ($_.ActiveDirectoryRights -band "GenericAll") -or ($_.ActiveDirectoryRights -band "GenericWrite") -or ($_.ActiveDirectoryRights -band "WriteDacl") -or ($_.ActiveDirectoryRights -band "WriteOwner") -or ($_.ActiveDirectoryRights -band "CreateChild") -or ($_.ActiveDirectoryRights -band "Delete") -or ($_.ActiveDirectoryRights -band "DeleteTree") -or ($_.ActiveDirectoryRights -band "ExtendedRight") )}# Output$dangerousACEs | Select-Object ` IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, @{Name="ACEType"; Expression={ if ($_.ActiveDirectoryRights -band "GenericAll") { "GenericAll" } elseif ($_.ActiveDirectoryRights -band "GenericWrite") { "GenericWrite" } elseif ($_.ActiveDirectoryRights -band "WriteDacl") { "WriteDacl" } elseif ($_.ActiveDirectoryRights -band "WriteOwner") { "WriteOwner" } elseif ($_.ActiveDirectoryRights -band "CreateChild") { "CreateChild" } elseif ($_.ActiveDirectoryRights -band "Delete") { "Delete" } elseif ($_.ActiveDirectoryRights -band "DeleteTree") { "DeleteTree" } elseif ($_.ActiveDirectoryRights -band "ExtendedRight") { if ($dcsyncGUIDs -contains $_.ObjectType) { "DCSync" } else { "ExtendedRight" } } else { "Other" } }}, @{Name="IsAdminGroupMember"; Expression={ $sam = $_.IdentityReference.Value.Split("\")[-1] $adminMembers -contains $sam }} | Format-Table -AutoSize
--------
6:45
--------
6:45
Admin Accounts with SPNs — Hidden Risk Behind Kerberoasting
🔍 Admin Accounts with SPNs — Hidden Risk Behind Kerberoasting | Directory Insights in 10 MinutesIn this episode, Craig Birch breaks down a major Active Directory security blind spot: Kerberoasting via privileged accounts with SPNs (Service Principal Names).You'll learn how attackers exploit these accounts — and how to find, assess, and fix the risk without breaking your apps.Straightforward, no fluff — just practical identity security guidance.🛠️ What You’ll Learn🔐 What SPNs are — and why they matter⚠️ How attackers use them in Kerberoasting attacks🖥️ Why ADUC isn’t enough for visibility💻 PowerShell + LDAP filters for fast discovery🧠 SDProp and how it flags privileged accounts🤝 Why app owner collaboration is critical🔁 Safer alternatives: gMSAs, strong passwords, and role reviews❌ Why auto-remediation can break things💡 PowerShell SpotlightpowershellCopyEditGet-ADUser -LDAPFilter "(&(admincount=1)(servicePrincipalName=*))" -Properties servicePrincipalName | Select-Object Name, servicePrincipalNameUse this to find privileged accounts with SPNs — the ones most at risk of Kerberoasting.✅ Quick TakeawaysScript it — don’t rely on ADUCNever auto-remove SPNs without impact analysisTalk to app owners before changesHarden service accounts or switch to gMSAsMonitor SDProp-marked accounts to shrink attack surface💬 Found this helpful? Like, share, or comment! Got a topic you want us to cover in 10 minutes or less? Drop it below — we’re listening.
--------
5:15
--------
5:15
Kerberos Pre-Auth: Hidden AD Risk
In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down one of the most overlooked Active Directory misconfigurations: the "Do not require Kerberos pre-authentication" setting.🔍 Why it matters:Enables AS-REP Roasting attacks using tools like Hashcat or John the RipperAllows silent user enumeration without authentication failuresCan go undetected by SIEMs and security logs🛠️ What you'll learn:How this setting weakens AD securityHow attackers abuse it for initial access and password crackingHow to detect and remediate affected accounts using PowerShell🧠 Practical, fast, and built for real-world AD admins—no fluff.▶️ Chapters: 00:00 - Intro00:45 - Why “Do Not Require Pre-Auth” Is Dangerous02:30 - AS-REP Roasting Explained03:20 - Finding Vulnerable Accounts (GUI + PowerShell)05:40 - Remediation Script Walkthrough08:20 - Final Recommendations📥 PowerShell Script:# Import the Active Directory moduleImport-Module ActiveDirectory# Find user accounts that do not require Kerberos preauthentication$users = Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth# Display the accounts that do not require Kerberos preauthentication$users | Select-Object Name, SamAccountName, UserPrincipalName# Pause for confirmation before remediationRead-Host -Prompt "Press Enter to remediate these accounts"# Remediate all accounts by setting DoesNotRequirePreAuth to $falseforeach ($user in $users) { Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false}
--------
7:27
--------
7:27
Directory Insights in 10 Minutes: Remediating DES Encryption in Active Directory
Welcome to another episode of Directory Insights in 10 Minutes, powered by Guardians of the Directory. In this quick-hitting session, host Craig Birch walks through the process of identifying and remediating accounts in Active Directory that still rely on outdated Kerberos DES encryption.🔐 DES is insecure and easily exploited by attackers. Craig shows you how to detect and update these accounts using both GUI and PowerShell—so you can act fast to protect your environment.👉 If you find this helpful, give us a like, drop a comment, and suggest a topic for a future episode!Why DES-only encryption is dangerous in modern AD environmentsHow to detect DES accounts using PowerShellRemediation using Set-ADUserAccountControlUpgrading users to use stronger AES encryptionFast, actionable tips to secure your Active Directory🛠️ Key Takeaways:Why DES-only encryption is dangerous in modern AD environmentsHow to detect DES accounts using PowerShellRemediation using Set-ADUserAccountControlUpgrading users to use stronger AES encryptionFast, actionable tips to secure your Active Directory
Guardians of the Directory is the podcast for everything Active Directory security, management, and recovery. Join us as we dive into best practices, recent security events, listener Q&As, and expert interviews to equip you with the skills needed to protect your AD environment. Whether you’re an IT pro or a cybersecurity enthusiast, each episode delivers actionable insights to help you stay informed and secure. Become a Guardian of the Directory and tune in to strengthen your defenses!
Listen to Guardians of the Directory, All-In with Chamath, Jason, Sacks & Friedberg and many other podcasts from around the world with the radio.net app
Ireland