Identity Security

Kerberos Posture Hardening Studio

Tighten authentication edges without surprise lockouts, using measured toggles and staged monitoring windows.

Workshop imagery for Kerberos Posture Hardening Studio

Overview

We rehearse constrained delegation decisions, review SPN hygiene, and interpret event logs without drowning in noise. Labs include staged service account rotations and pairing with PKI owners when certificates touch LDAP bindings.

What is included

  • SPN conflict detection workflow
  • Delegation matrix worksheet
  • AES preference rollout plan with rollback
  • Golden ticket discussion framed as detection practice
  • Cross-reference with endpoint hardening owners
  • Breakout on managed service account adoption
  • Quiet-hours communication plan template

Outcomes

  • List three Kerberos-related signals worth alerting on
  • Sequence a low-risk AES preference pilot
  • Document a stakeholder sign-off path for delegation changes

FAQ flip cards

Hover or focus to reveal answers.

Question

Is offensive tooling included?

Answer

No. We discuss detection and posture only; no credential harvesting exercises.

Question

VPN requirements?

Answer

Labs are reachable over WireGuard profiles we ship the week before class.

Question

What is out of scope?

Answer

We do not configure third-party PAM products or cloud-only conditional access policies.

Experience notes

The delegation matrix worksheet is now pinned in our wiki. I wanted one more hour on managed service accounts, but the follow-up office hour covered it.
Eun A. · Directory engineer · survey
Measured toggles section saved us from another weekend rollback.
Ravi M. · internal feedback