Active Directory Hardening: 8 Controls Every Windows Admin Needs

TL;DR: Active Directory is still the identity backbone of most enterprises — and most AD environments are quietly insecure. This guide covers the high-impact controls every Windows admin should apply: tier model, LAPS, protected groups, KRBTGT rotation, GPO hardening, and audit logging. Apply them in order in a lab first.

1. Implement a tiered admin model

Microsoft’s tier model splits administration into three zones: Tier 0 (domain controllers, ADFS, PKI), Tier 1 (servers, applications), Tier 2 (workstations). Admins in each tier may only sign in to systems in that tier. This single change blocks most credential-theft attacks, such as Pass-the-Hash and Mimikatz-driven lateral movement, because a credential stolen from a Tier 2 workstation cannot be used to sign in to Tier 0 or Tier 1 systems.

Implement with separate admin accounts per tier (e.g., jdoe-t0, jdoe-t1, jdoe-t2) and “Deny logon” GPOs that block cross-tier authentication.

2. Deploy Windows LAPS

Local administrator accounts often share the same password across an entire fleet — a single compromised workstation hands the attacker the keys to every machine. Windows LAPS (built into modern Windows) randomizes local-admin passwords per machine and stores them encrypted in AD or Entra ID.

# Extend the AD schema for Windows LAPS (run once, as a Schema Admin)
Update-LapsADSchema
# Allow computers in this OU to write their own LAPS password attributes
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=corp,DC=local"

Then deploy a GPO under Computer Configuration → Policies → Administrative Templates → System → LAPS.

3. Protect privileged groups

  • Keep Domain Admins, Enterprise Admins, and Schema Admins as small as possible — ideally zero standing members.
  • Use Privileged Access Workstations (PAWs) for any Tier 0 activity.
  • Audit membership of the Protected Users group; add Tier 0 admins to it.
  • Implement Just-In-Time (JIT) elevation via Microsoft PIM or open-source equivalents.

4. Rotate the KRBTGT account password — twice

The KRBTGT account signs every Kerberos ticket in your domain. If an attacker ever got Domain Admin, they could mint Golden Tickets valid for years. Resetting KRBTGT invalidates those forever — and you must reset twice (waiting at least 12 hours between resets) to invalidate both the current and previous password hashes.

Use Microsoft’s official script: New-KrbtgtKeys.ps1. Schedule it twice a year minimum.

5. Disable legacy protocols

  • Disable SMBv1 everywhere — it’s the WannaCry vector.
  • Disable LLMNR and NetBIOS-NS via GPO — they enable trivial name-poisoning, credential-capture and relay attacks (Responder).
  • Disable NTLMv1; require NTLMv2 or Kerberos only.
  • Disable WDigest; it leaks plaintext passwords in memory.

6. Audit logging — actually useful events

Most environments either log nothing or everything (and miss the signal). Enable these high-value audit policies via GPO:

  • Account Logon → Credential Validation: Success/Failure
  • Account Management → User/Computer/Group changes: Success
  • Logon/Logoff → Logon, Logoff, Special Logon: Success/Failure
  • Privilege Use → Sensitive Privilege Use: Success
  • Object Access → File Share, Removable Storage: Success
  • Detailed Tracking → Process Creation (with command line): Success

Ship logs to a SIEM (Wazuh free, Microsoft Sentinel, Splunk). Without centralized logs, an attacker just deletes local logs after compromise.

7. Microsoft Defender + ASR rules

Modern Defender (with Microsoft 365 E3/E5 or standalone Defender for Endpoint) is competitive with any commercial EDR. Enable Attack Surface Reduction (ASR) rules: block Office child processes, block credential stealing from LSASS, block executable content from email — these alone stop most commodity ransomware.

8. Patch tier-0 first, fast

Patch domain controllers and management systems within 72 hours of a critical Microsoft update. Use a maintenance window — but don’t skip cycles. Most ransomware groups exploit n-day vulnerabilities, not zero-days.

Quick audit checklist

  • Tier 0/1/2 admin model documented and enforced
  • Windows LAPS deployed on all workstations and member servers
  • Domain Admins group ≤ 5 members, all in Protected Users
  • KRBTGT password rotated within last 6 months (twice)
  • SMBv1, LLMNR, NetBIOS-NS, WDigest disabled
  • Audit policies above enabled and shipped to SIEM
  • Defender ASR rules in Block mode
  • All DCs patched within last 30 days

FAQ

Should I move to Azure AD / Entra ID and abandon on-prem AD?

For most organizations, hybrid (sync via Entra Connect) is the right answer for years to come. Pure cloud is fine for greenfield, but legacy apps still rely on Kerberos and NTLM.

Is Microsoft Defender enough?

With ASR rules, EDR features (Defender for Endpoint P2), and a real SIEM — yes, for most SMBs. Larger environments may add CrowdStrike or SentinelOne for advanced hunting features.

How often should we run AD security assessments?

Annually at minimum. Use Microsoft’s free PingCastle or Purple Knight scans quarterly to catch drift.

Need an AD assessment?

We provide remote Active Directory security reviews with prioritized remediation roadmaps. Get in touch to schedule one.

Vicidial Installation Guide on Rocky Linux 9 (2026 Edition)

TL;DR: Vicidial remains the most powerful open-source predictive dialer and call-center platform — but installing it from scratch trips up most engineers. This guide walks through a clean Rocky Linux 9 install, network and firewall prep, the official install script, post-install hardening, and the first agent login. Plan for two to three hours, including reboot.

Prerequisites

  • Rocky Linux 9 (or RHEL 9) minimal install, fully updated
  • At least 4 vCPU, 8 GB RAM, 80 GB disk for <50 agents; scale up linearly
  • Public or static internal IP — Vicidial needs a stable address
  • Root access via SSH
  • SIP trunk credentials from your carrier (DID, username, password, host)

1. System prep

dnf update -y
dnf install -y epel-release wget vim net-tools
hostnamectl set-hostname vicidial.example.com
timedatectl set-timezone UTC
systemctl disable --now firewalld   # Vicidial uses iptables rules during install
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config

SELinux must be permissive during install; you can tune it back to enforcing afterwards with custom policies.

2. Download the Vicibox install script

cd /usr/src
wget https://www.vicidial.org/vicidial-install-12.x.tar.gz
tar xzf vicidial-install-12.x.tar.gz
cd vicidial-install-12.x
./install.pl

The script asks several questions: server role (single-server is fine to start), server IP, MySQL root password, and admin credentials. Accept defaults unless you know why you’re changing them.

3. Reboot and verify services

reboot
# after reboot:
systemctl status mariadb httpd asterisk
# -u includes UDP listeners: SIP (5060) and IAX2 (4569) are UDP, so -t alone would miss them
ss -tulnp | grep -E ':(80|3306|5060|4569)[[:space:]]'

You should see MariaDB on 3306, Apache on 80, and Asterisk listening on 5060 (SIP) and 4569 (IAX2).

4. Configure your SIP trunk

Log in to the admin panel at http://your-server/vicidial/admin.php. Navigate to Admin → Carriers → Add. Use a config template like:

[carrier-XYZ]
type=peer
host=sip.carrier.com
username=YOUR_USER
secret=YOUR_PASS
fromuser=YOUR_USER
context=trunkinbound
disallow=all
allow=ulaw
allow=alaw
insecure=invite,port
nat=force_rport,comedia

Save and reload Asterisk: asterisk -rx "sip reload". Confirm the peer with asterisk -rx "sip show peers", and test registration with asterisk -rx "sip show registry" (this only lists an entry if the carrier's Registration String field in the Vicidial admin is filled in, which is what writes the register => line to sip.conf).

5. Create your first campaign

Admin → Campaigns → Add. Pick an outbound campaign type, set dial method to RATIO (ratio-based) or ADAPT_HARD_LIMIT (adaptive predictive). Attach the carrier you created, set call-recording defaults, and assign a script.

6. Add an agent

Admin → Users → Add. Create a phone entry (Admin → Phones) with the agent’s softphone credentials. Agents log into http://your-server/agc/vicidial.php with their user/pass/campaign.

7. Post-install hardening

  • Re-enable firewalld and allow only required ports: 80/443 to web users, 5060/4569 + RTP range (10000–20000 UDP) to your carrier IPs only.
  • Block all SIP traffic at the firewall except from carrier IPs — drive-by SIP brute force is brutal.
  • Set strong passwords on every Vicidial admin user; change the default 6666 phone PIN.
  • Enable HTTPS via Let’s Encrypt; admin and agent panels send passwords in cleartext otherwise.
  • Set up daily MySQL backups: mysqldump --all-databases | gzip > /backup/vici-$(date +%F).sql.gz.
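The firewall part of the hardening list above as a runnable script; this is an added example, not code from the Vicidial project or the original guide. It assumes firewalld on Rocky, a zone name "carriers", a FWCMD variable (defaults to firewall-cmd; set it to echo for a dry run) and an RTP_RANGE matching your rtp.conf.

```shell
#!/bin/sh
# Added example: a dedicated firewalld zone that admits SIP (5060/udp),
# IAX2 (4569/udp) and the RTP range only from the carrier addresses you
# pass in, while the public zone keeps only HTTP/HTTPS open to everyone.
# FWCMD and RTP_RANGE are assumed names (not from Vicidial).
FWCMD="${FWCMD:-firewall-cmd}"
RTP_RANGE="${RTP_RANGE:-10000-20000}"   # must match rtp.conf

# Accept an IPv4 address, optionally with a /prefix, and nothing else.
is_ipv4_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  case $1 in */*) [ "${1#*/}" -le 32 ] || return 1 ;; esac
  for o in $(printf '%s' "${1%%/*}" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# vici_carrier_firewall "IP [IP ...]": validates every address first and
# returns 1 without touching the firewall if any of them is malformed.
vici_carrier_firewall() {
  for ip in $1; do
    is_ipv4_cidr "$ip" || { echo "bad carrier address: $ip" >&2; return 1; }
  done
  # A zone with sources is matched by source address, so only carrier
  # traffic ever reaches the SIP/IAX2/RTP ports (ignore "already exists")
  $FWCMD --permanent --new-zone=carriers >/dev/null 2>&1 || true
  for ip in $1; do
    $FWCMD --permanent --zone=carriers --add-source="$ip"
  done
  $FWCMD --permanent --zone=carriers --add-port=5060/udp
  $FWCMD --permanent --zone=carriers --add-port=4569/udp
  $FWCMD --permanent --zone=carriers --add-port="$RTP_RANGE/udp"
  # Web users: only HTTP/HTTPS in the default zone (SSH stays as the base
  # OS hardening configured it)
  $FWCMD --permanent --zone=public --add-service=http
  $FWCMD --permanent --zone=public --add-service=https
  # Make sure no earlier experiment left SIP open to the whole internet
  $FWCMD --permanent --zone=public --remove-port=5060/udp >/dev/null 2>&1 || true
  $FWCMD --reload
}
```

Re-enable firewalld first (systemctl enable --now firewalld), then run vici_carrier_firewall with your carrier addresses; firewall-cmd --list-all --zone=carriers shows the result.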

Common pitfalls

  • One-way audio: Almost always NAT/RTP. Open UDP 10000–20000 to/from the carrier and ensure externip is set in sip.conf if behind NAT.
  • Agents can’t log in: Check phone passwords match, user is allowed for the campaign, and the agent’s web URL points to the right server.
  • Predictive dial calls dropping: Reduce dial level, check trunk channel limit, and verify carrier permits parallel calls.

FAQ

Does Vicidial work on Ubuntu?

The official ViciBox installer targets Rocky/RHEL. Community packages exist for Debian/Ubuntu but are less battle-tested. Stick with Rocky unless you have a strong reason.

How many agents can one server handle?

Roughly 50–100 agents on a properly-sized single server. Beyond that, split into a database server, telephony server, and one or more web servers.

Is Vicidial GDPR-compliant?

The platform itself is neutral — compliance depends on your call-recording, retention, and consent practices. Vicidial supports per-list and per-campaign recording rules and DNC (Do Not Call) handling.

Need help?

If you’d like a Vicidial deployment done right — clustering, SIP trunk integration, scripts, and reporting — our VoIP team can do it remotely.

Ransomware Protection in 2026: A 7-Layer Defense Playbook

TL;DR: Ransomware now hits more than 60% of mid-sized organizations every year, and the average recovery cost crossed $1.8M in 2025. This guide walks through the seven defensive layers every business should have — from endpoint hardening to immutable backups — so a single click on a malicious email doesn’t become a multi-week outage.

What ransomware actually does

Modern ransomware no longer just encrypts files — it does three things at once: encrypts data, exfiltrates a copy for extortion, and disables your backups before you notice. The “triple-extortion” model means even if you have backups, the attackers threaten to publish or sell your data unless you pay.

The seven defensive layers

1. Email and identity hardening

Around 90% of ransomware enters through phishing. Enable DMARC, DKIM, and SPF on your domain. Require MFA on every account — especially email, VPN, and remote management tools. Disable legacy authentication protocols (POP, IMAP, basic auth) that bypass MFA.

2. Endpoint Detection & Response (EDR)

Traditional antivirus catches known signatures. EDR products like Bitdefender GravityZone, SentinelOne, or CrowdStrike watch behavior — encrypting many files in seconds, lateral movement, suspicious PowerShell — and can roll back the damage automatically.

3. Network segmentation

Flat networks let ransomware travel everywhere. Segment finance, HR, production, and IT management into separate VLANs with firewall rules between them. Disable SMBv1 entirely. Block lateral SMB and RDP traffic unless explicitly required.

4. Patch management

CISA’s known-exploited-vulnerabilities list is published weekly. Patch critical CVEs within 72 hours on internet-facing systems, 14 days on internal systems. Automate where possible (WSUS, Ansible, Intune).

5. Immutable, offline backups (3-2-1-1-0)

The new 3-2-1-1-0 rule: 3 copies, 2 different media, 1 offsite, 1 offline or immutable, 0 errors verified. Test restores monthly. Most ransomware-hit companies discover their “backups” don’t actually restore when the moment comes.

6. Privileged access management

Domain admins should be rare and audited. Use tiered admin models. Just-in-time access via tools like Microsoft PIM eliminates standing privileges that attackers love to abuse.

7. Security awareness training

Phishing simulations once a quarter measurably reduce click rates. KnowBe4, Hoxhunt, and Microsoft Attack Simulator all have free trials. The goal isn’t to shame employees — it’s to build muscle memory.

Quick comparison: free vs paid endpoint tools

Tool                    | Type                   | Free Tier   | Best For
Microsoft Defender      | EDR (built-in Windows) | Yes         | Small Windows shops
Bitdefender GravityZone | EDR + EPP              | Trial       | SMB/Mid-market
CrowdStrike Falcon      | EDR/XDR                | Trial       | Enterprise
Wazuh                   | Open-source SIEM/HIDS  | Fully free  | Tech-capable teams

Incident response in the first 60 minutes

  1. Isolate — disconnect infected machines from the network (don’t power off; you lose memory evidence).
  2. Identify scope — which accounts, which servers, which data.
  3. Preserve logs — copy firewall, EDR, and Windows Event logs to immutable storage.
  4. Notify — your legal team, cyber-insurance carrier, and if applicable regulators.
  5. Do not pay yet — most ransom payments don’t result in clean decryption keys, and they fund future attacks.

FAQ

Is paying the ransom illegal?

Not generally, but paying sanctioned groups (Conti, Lockbit affiliates linked to OFAC-listed entities) can carry legal liability. Always consult counsel.

How often should we run tabletop exercises?

At least twice a year, with IT, legal, communications, and one executive in the room.

Does cyber-insurance cover ransomware?

Most policies do, but premiums and exclusions have tightened sharply. Carriers now require MFA, EDR, and tested backups as preconditions.

Conclusion

Ransomware defense isn’t one product — it’s an assembly of small, boring, well-maintained controls. The organizations that recover fastest are the ones that practiced. If you’d like a free 30-minute assessment of your current posture, get in touch.

AWS vs Azure vs Google Cloud: Honest 2026 Comparison

TL;DR: Choosing between AWS, Azure, and Google Cloud is rarely about features — they all cover the basics. It’s about pricing predictability, integration with your existing stack, and where your team already has skills. This guide compares the three on cost, networking, security defaults, and developer experience to help you choose the right one (or the right combination).

Quick verdict

  • AWS — broadest service catalog, best ecosystem, steepest pricing complexity
  • Azure — best if you’re a Microsoft/Active Directory shop; tight Microsoft 365 integration
  • Google Cloud — best for data, ML, and Kubernetes-first teams; simplest networking

Compute pricing — apples-to-apples

For a 4 vCPU / 16 GB Linux VM running 24/7 in a major US region, public list prices are usually within 5–10% of each other. The real differentiators are:

  • AWS Savings Plans / Reserved Instances: Up to 72% off with 3-year commits.
  • Azure Reserved VM Instances: Similar discounts, plus Hybrid Benefit for existing Windows Server / SQL licenses.
  • GCP Sustained-Use Discounts: Automatic discounts kick in after the first 25% of the month — no commitment required.

Networking

GCP’s global VPC model is the simplest: one VPC spans every region. AWS and Azure require per-region VPCs/VNets that you connect via peering or transit gateways. For multi-region apps, this is a real time-saver on GCP.

Egress (data out) is the hidden cost on all three. Always model egress in your TCO — at scale, it can exceed compute costs.

Identity & security defaults

Azure wins if you already use Entra ID (Azure AD) — SSO, conditional access, and B2B sharing all “just work”. AWS IAM is more granular but historically more error-prone (publicly readable S3 buckets, anyone?). GCP IAM sits in between, with a simpler role hierarchy.

All three offer free baseline security features: GuardDuty (AWS), Defender for Cloud free tier (Azure), Security Command Center Standard (GCP). Turn them on.

Databases

  • Managed Postgres: AWS Aurora > Azure DB > Cloud SQL on features. GCP Cloud SQL is simplest to operate.
  • Data warehouse: BigQuery is the runaway leader for ad-hoc analytics; Snowflake (multi-cloud) competes hard. Redshift and Synapse are catching up.
  • NoSQL: DynamoDB (AWS) is unmatched at scale; Firestore (GCP) is friendliest for developers; Cosmos DB (Azure) offers the widest API surface.

Kubernetes

GKE Autopilot is currently the most operations-friendly managed Kubernetes — Google bills only for pod resources. EKS is the most flexible but charges $0.10/cluster/hour. AKS has no control-plane fee and integrates cleanly with Entra ID.

When to go multi-cloud

Multi-cloud sounds good in board meetings and is painful in practice. Use it when you have a clear, narrow reason: regulatory data residency, vendor risk for a critical workload, or wanting a specific service unique to one provider (BigQuery for analytics, Cosmos DB for global multi-write).

For most SMBs, going single-cloud and investing skills deeply is the right call.

Cost optimization checklist

  • Set billing alerts at 50% / 80% / 100% of monthly budget
  • Use tag/label-based cost allocation from day one
  • Turn off dev/test resources outside business hours (saves ~70%)
  • Right-size every quarter using built-in recommenders
  • Buy reservations only for steady-state workloads
  • Use Spot Instances (AWS), Spot/Preemptible VMs (GCP), or Spot VMs (Azure) for fault-tolerant batch jobs (60–90% off)
  • Watch egress in dashboards — it’s where bills go sideways

FAQ

Which is cheapest overall?

For pure compute with no commitments, GCP usually edges ahead thanks to sustained-use discounts. With 3-year reservations, AWS and Azure can match or beat it.

Is the AWS free tier really free?

For 12 months, yes — within limits. Set a $1 budget alert; one mis-sized RDS instance can blow past the free tier in hours.

Should I learn Terraform or each provider’s native IaC?

Terraform if you’re multi-cloud or your team values portability. Native (CloudFormation/Bicep/Deployment Manager) if you’re single-cloud and want first-day support for new services.

Conclusion

The right cloud is rarely the cheapest on paper — it’s the one your team can operate confidently and securely. If you want a cost and architecture review of your existing footprint, our cloud architects can help.

Linux Server Hardening: A Complete Step-by-Step Checklist

TL;DR: A fresh Ubuntu or Rocky Linux server is reasonably secure out of the box — but reasonable isn’t enough for anything exposed to the internet. This checklist walks through SSH hardening, firewall rules, fail2ban, automatic security updates, audit logging, and SELinux/AppArmor essentials. Apply it in order on a fresh VM and you’ll close 95% of common attack vectors.

1. Create an admin user and disable root SSH

adduser admin            # Ubuntu/Debian prompts for a password here
usermod -aG sudo admin   # Ubuntu/Debian
usermod -aG wheel admin  # RHEL/Rocky
passwd admin             # RHEL/Rocky: adduser sets no password, and sudo will ask for one

Copy your SSH key to the new user, log in to verify, then edit /etc/ssh/sshd_config: set PermitRootLogin no, PasswordAuthentication no, and Port 2222 (or any non-default port). Check the file with sshd -t, restart sshd, and keep your current session open until a second login on the new port succeeds.
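The sshd_config edits from step 1 as a repeatable script; this is an added example, not code from the original checklist. It assumes the helper names set_sshd_directive, harden_sshd_config and sshd_global_value, and takes the config path as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: applies PermitRootLogin no, PasswordAuthentication no and
# Port 2222 while honouring two sshd rules that trip up naive sed edits:
# the first occurrence of a directive wins, and anything after a "Match"
# line is conditional. Helper names are assumptions, not sshd's own.

# set_sshd_directive CFG KEY VAL: replace the first active or commented-out
# occurrence of KEY; otherwise insert it before the first Match block, or at
# the end of the file when there is no Match block.
set_sshd_directive() {
  cfg="$1"; key="$2"; val="$3"
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$val" '
    BEGIN { re = "^[# \t]*" tolower(k) "[ \t]"; done = 0 }
    # Reached a Match block without finding KEY: put the global line first
    !done && tolower($1) == "match" { print k " " v; done = 1 }
    !done && tolower($0) ~ re       { print k " " v; done = 1; next }
    { print }
    END { if (!done) print k " " v }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file's mode/owner
  rc=$?; rm -f "$tmp"; return $rc
}

# harden_sshd_config [CFG]: the three settings from step 1.
# On distributions whose sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", check those drop-ins as well:
# they are read first, so a "PasswordAuthentication yes" there would win.
harden_sshd_config() {
  cfg="${1:-/etc/ssh/sshd_config}"
  set_sshd_directive "$cfg" PermitRootLogin no &&
  set_sshd_directive "$cfg" PasswordAuthentication no &&
  set_sshd_directive "$cfg" Port 2222
}

# sshd_global_value CFG KEY: the value sshd will use for KEY in the global
# section (first active occurrence, stopping at the first Match block).
sshd_global_value() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    tolower($1) == k       { print $2; exit }
  ' "$1"
}
```

Run sshd -t after harden_sshd_config and before restarting sshd; the checked-in config still needs the firewall from step 2 to allow the new port.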

2. Configure the firewall (UFW or firewalld)

# Ubuntu
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp
ufw allow 80,443/tcp
ufw enable

# Rocky/RHEL
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --permanent --add-service={http,https}
firewall-cmd --reload

3. Install fail2ban

Brute-force protection should be running before you put anything online.

apt install fail2ban -y   # Ubuntu
dnf install fail2ban -y   # Rocky

cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
port = 2222
maxretry = 3
findtime = 10m
bantime = 1h
EOF

systemctl enable --now fail2ban

4. Enable automatic security updates

# Ubuntu
apt install unattended-upgrades -y
dpkg-reconfigure --priority=low unattended-upgrades

# Rocky
dnf install dnf-automatic -y
systemctl enable --now dnf-automatic.timer

5. Lock down kernel and sysctl

Add to /etc/sysctl.d/99-hardening.conf:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_syncookies = 1
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2

Apply with sysctl -p /etc/sysctl.d/99-hardening.conf.
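A check that the settings above are actually live after sysctl -p, reading /proc/sys directly; this is an added example, not part of the original checklist. It assumes the helper name sysctl_drift and a PROC_SYS variable (defaults to /proc/sys) so the check can be run against a constructed tree.

```shell
#!/bin/sh
# Added example: compares every key in a sysctl hardening file with the
# running kernel value. A typo in the file, or a key this kernel does not
# expose, is reported instead of silently skipped.
# sysctl_drift and PROC_SYS are assumed names, not part of sysctl itself.

# sysctl_drift FILE: prints "key expected actual" for each mismatch (actual
# is MISSING when the kernel has no such key); returns 1 if anything drifted.
sysctl_drift() {
  cfg="$1"; root="${PROC_SYS:-/proc/sys}"
  # Drop comments (# or ;) and blank lines, then split each "key = value"
  out=$(sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$cfg" |
    while IFS='=' read -r key want; do
      key=$(printf '%s' "$key" | tr -d '[:space:]')
      want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
      # Dotted key -> /proc/sys path. Keys with dots inside interface names
      # (net/ipv4/conf/eth0.100/rp_filter) would need the slash form instead.
      path="$root/$(printf '%s' "$key" | tr . /)"
      if [ ! -r "$path" ]; then
        printf '%s %s MISSING\n' "$key" "$want"
      else
        # Normalise tab-separated multi-value entries to single spaces
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ *$//')
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "$have"
      fi
    done)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}
```

Run it as sysctl_drift /etc/sysctl.d/99-hardening.conf from cron or your config-management post-run hook; a non-zero exit means the live kernel no longer matches the file.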

6. SELinux or AppArmor — leave it ON

On Rocky/RHEL run getenforce; it should report Enforcing. Don’t disable it because a tutorial said so — use audit2allow to write targeted policies instead. On Ubuntu confirm AppArmor with aa-status.

7. Audit logging with auditd

apt install auditd -y   # Ubuntu
dnf install audit -y    # Rocky
systemctl enable --now auditd

Pull a vetted rule set such as the Neo23x0 audit rules to start logging meaningful events (user creation, privilege changes, suspicious binaries).

8. Disable unused services

systemctl list-unit-files --state=enabled
# disable anything you don't need:
systemctl disable --now avahi-daemon cups bluetooth

9. Time, logs, and monitoring

Enable chronyd/NTP. Centralize syslog with rsyslog → a remote log server, or ship logs to Wazuh/Graylog. Without good timestamps and remote logs, incident response is guesswork.

10. Backups before you go live

Schedule restic, borgbackup, or Veeam backups to an offsite immutable target. Test a restore. Now you can go live.

Quick audit checklist

  • SSH on non-default port, root login disabled, key-only auth
  • UFW/firewalld default deny inbound
  • fail2ban active, banning > 0 hosts
  • Unattended-upgrades running
  • SELinux/AppArmor enforcing
  • auditd capturing user, privilege, and file events
  • Time sync working, logs centralized
  • Tested backups within last 7 days

FAQ

Should I change the SSH port?

It’s not security in itself, but it cuts brute-force log noise dramatically. Combine it with key-only auth and fail2ban.

Is Ubuntu or Rocky safer?

Both are equally secure when hardened. Rocky benefits from SELinux being default; Ubuntu has a faster patch cadence. Pick the one your team knows best.

Do I need a host-based IDS?

Yes, for production. Wazuh is free, mature, and integrates beautifully with auditd.

Next steps

Need help hardening a fleet of Linux servers or building a golden image? Talk to a CoreSecTech engineer.