Inside Enterprise Security: AD Tiering & Privileged Access with Viktor Hedberg [MVP - MCT]

Inside Enterprise Security: AD Tiering & Privileged Access with Viktor Hedberg [MVP - MCT]

In this episode of the m365.fm podcast, Mirko Peters sits down with cybersecurity expert Viktor Hedberg to explore one of the most critical — and misunderstood — areas of enterprise IT security: Active Directory tiering, privileged access, identity protection, and defending modern hybrid environments. With years of experience in incident response, offensive security, Active Directory hardening, and enterprise defense at Truesec, Viktor brings practical, real-world insights into how organizations can dramatically improve their security posture before attackers exploit their weaknesses. The conversation begins with Viktor sharing his personal journey into cybersecurity. Unlike many traditional security professionals, Viktor did not come from a university background. Instead, he worked his way from helpdesk and system administration into consultancy and incident response, gaining deep technical knowledge of Windows, Active Directory, infrastructure, and enterprise security along the way. That hands-on experience became the foundation for understanding both how to secure systems and how attackers compromise them.

WHY ACTIVE DIRECTORY IS STILL A MASSIVE TARGET

One of the strongest themes throughout the episode is the fact that Active Directory is far from dead. Despite the rise of Microsoft Entra ID, cloud-first environments, and SaaS adoption, Active Directory still remains the backbone of identity and access management in countless organizations worldwide. Viktor explains why attackers continue targeting Active Directory environments:
  • Cached credentials
  • Password hashes stored locally
  • Kerberos tickets
  • Overprivileged accounts
  • Weak administrative separation
  • Poor tiering implementation
  • Excessive lateral movement opportunities
The discussion highlights how many organizations unknowingly expose highly privileged accounts simply by allowing administrators to sign into workstations, laptops, and servers without restrictions. Viktor explains that in many environments, compromising a single endpoint can ultimately lead to full domain compromise because of how Windows authentication and credential storage work internally.

UNDERSTANDING AD TIERING

A major focus of the episode is understanding the concept of Active Directory administrative tiering. Viktor breaks down how organizations can separate systems and administrative responsibilities into different security tiers to limit credential exposure and reduce the blast radius during an attack. The discussion explores:
  • Tier 0 systems
  • Tier 1 servers
  • Endpoint administration
  • Domain controllers
  • Entra Connect servers
  • PKI infrastructure
  • Administrative boundaries
  • Credential isolation
One of the key lessons from the episode is that organizations often underestimate which systems actually belong in Tier 0. Viktor explains why systems like Microsoft Entra Connect, PKI servers, SCCM infrastructure, and identity synchronization services can effectively become equivalent to domain controllers from a security perspective.

THE DANGER OF BUILT-IN ACTIVE DIRECTORY GROUPS

Another critical topic is the misuse of built-in Active Directory groups. Viktor shares real-world examples where organizations accidentally introduced major privilege escalation paths by using groups like:
  • Print Operators
  • Backup Operators
  • Server Operators
  • Account Operators
The episode explains why many administrators misunderstand the true permissions behind these legacy groups and how attackers can abuse them to gain elevated access inside the domain. This section serves as a strong reminder that convenience and lack of visibility often create the biggest enterprise security risks.

MODERN ATTACKERS ARE CHANGING THEIR STRATEGY

One of the most fascinating discussions in the episode focuses on how modern attackers operate today. According to Viktor, traditional offensive tools like Mimikatz, Metasploit, and obvious malware payloads are becoming less common because modern EDR solutions detect them more effectively. Instead, attackers increasingly:
  • Use native Windows tooling
  • Abuse PowerShell
  • Leverage SSH on Windows
  • Blend into normal system activity
  • Exploit legitimate administration features
  • Hide inside normal enterprise traffic
Viktor shares examples of how attackers can abuse built-in Windows functionality to bypass monitoring while avoiding traditional malware detection methods entirely. The episode highlights why defenders must understand Windows internals — not just security products — to properly defend enterprise environments.

WHY DEFENDER FOR IDENTITY MATTERS

Throughout the conversation, Viktor repeatedly emphasizes the importance of Microsoft Defender for Identity and proper security monitoring. The discussion covers:
  • Identity-based attack detection
  • Correlation between endpoint and identity events
  • Privileged account monitoring
  • Threat visibility
  • Hybrid identity protection
  • Security telemetry
  • Custom indicators
  • Advanced detection strategies
Viktor explains why organizations need both endpoint visibility and identity visibility to properly understand modern attacks. The episode also explores why simply purchasing security products is not enough if organizations fail to configure them correctly or actively monitor their environments.

WHAT TO DO DURING A CYBER ATTACK

One of the most practical parts of the episode is Viktor’s advice on incident response. When organizations suspect an attack, Viktor strongly recommends:
  • Do not shut systems down
  • Disconnect network access if necessary
  • Preserve forensic evidence
  • Avoid destroying logs
  • Contact incident response professionals quickly
  • Keep systems intact for investigation
He explains how many organizations accidentally make investigations harder by turning off firewalls, rebooting systems, or deleting evidence before responders arrive. The conversation provides valuable insight into how professional incident response teams approach compromised environments and why preserving evidence is absolutely critical.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.

Det här avsnittet är hämtat från ett öppet RSS-flöde och publiceras inte av Podme. Det kan innehålla reklam.

Avsnitt(706)

Your AI Agents Are Orphaned- The Structural Shift to Agent ID

Your AI Agents Are Orphaned- The Structural Shift to Agent ID

Artificial intelligence is changing enterprise identity faster than most organizations realize. Every week, new AI agents are being deployed across Microsoft 365 tenants, accessing SharePoint, Microso...

11 Juli 1h 4min

The Architecture of Agility: Bicep at Scale

The Architecture of Agility: Bicep at Scale

Modern cloud platforms don't fail because Azure isn't powerful enough—they fail because governance, automation, and developer experience weren't designed to scale together. In this episode of the M365...

11 Juli 1h 25min

Designing the Future. AI, UX, and the Next Generation of Microsoft Power Platform with Tchesco Ayih [MVP-MCT]

Designing the Future. AI, UX, and the Next Generation of Microsoft Power Platform with Tchesco Ayih [MVP-MCT]

In this episode of the M365 Podcast, Mirko Peters sits down with Tchesco Ayih, Microsoft MVP, Microsoft Certified Trainer (MCT), international speaker, mentor, and Power Platform expert. Tchesco share...

10 Juli 50min

Azure Bicep Fundamentals for Real Projects

Azure Bicep Fundamentals for Real Projects

Learning Azure Bicep is easy. Building infrastructure that survives real-world enterprise environments is something entirely different. In this episode of the M365 FM Podcast, host Mirko Peters explor...

10 Juli 1h 17min

Beyond Prompt a Page: Building Enterprise-Ready AI Experiences in Power Apps with Sara Lagerquist [MVP]

Beyond Prompt a Page: Building Enterprise-Ready AI Experiences in Power Apps with Sara Lagerquist [MVP]

Artificial Intelligence is changing how organizations build business applications, but moving beyond simple demos requires much more than adding a chatbot or generating code with AI. In this episode o...

9 Juli 45min

ARM Templates Were a Mistake: Lessons from the Bicep Shift

ARM Templates Were a Mistake: Lessons from the Bicep Shift

Infrastructure as Code transformed cloud computing by replacing manual portal clicks with version-controlled, repeatable deployments. But while Azure Resource Manager (ARM) templates represented a maj...

9 Juli 1h 19min

Can Google Sheets Beat Excel: Microsoft MVP David Benaim Settles the Debate

Can Google Sheets Beat Excel: Microsoft MVP David Benaim Settles the Debate

For decades, Microsoft Excel has been the undisputed king of spreadsheets. It powers everything from personal budgets to enterprise reporting, financial modeling, and business intelligence. But Google...

8 Juli 52min

LinkedIn + Dynamics 365: The Architecture of Modern Selling

LinkedIn + Dynamics 365: The Architecture of Modern Selling

Modern B2B sales is undergoing a fundamental transformation. For years, organizations have treated LinkedIn and Dynamics 365 as separate systems. One platform managed relationships and professional ne...

8 Juli 1h 14min

Populärt inom Politik & nyheter

svenska-fall
tv4-nyheterna-story
p3-krim
aftonbladet-krim
flashback-forever
aftonbladet-daily
rss-krimstad
motiv
de-fyras-gang
spar
rss-sanning-konsekvens
rss-vad-fan-hande
mannen-utan-spar
rss-aftonbladet-krim
rss-expressen-dok
kungligt
olyckan-inifran
rss-krimreportrarna
grans
rss-flodet