Challenges & Proposed Solutions

The client faced challenges in managing and tracking ideas efficiently across various programs. The existing system lacked:

• Weak RSA Certificates in Use: Identify certificates with an RSA exponent less than 2048 bits or using SHA1, and replace them with modern equivalents (e.g., RSA 2048+/SHA256+).
• Lack of LAPS Enforcement: Implement LAPS to automatically manage and rotate local admin passwords.
• Admin Accounts Not in Protected Users Group: Move eligible privileged accounts into the Protected Users group.
• Unknown Delegated Accounts in Active Directory: Perform a delegation audit to identify and validate all accounts with delegated permissions. Remove or restrict access for accounts that are no longer required or whose roles cannot be justified.
• Print Spooler Service Running on Domain Controllers: Disable the Print Spooler service on all Domain Controllers unless explicitly required (e.g., by legacy applications or printer dependencies).
• Acceptance of NTLMv1 Authentication Protocol: Disable NTLMv1 support and enforce NTLMv2 or Kerberos-only authentication across the domain.
• SID History from Unknown Domains: Audit and remove SID History entries that are no longer valid or understood.
• LDAP Signing Not Enforced: Enforce LDAP Signing on all servers and clients to prevent unprotected LDAP communication.