Active Directory Security Drift: How Identity Sprawl and Misconfiguration Create Invisible Risk
Season 1
Published 4 months ago
Description
(00:00:00) Unconstrained Delegation and the Furnace
(00:00:03) The Unconstrained Delegation Furnace
(00:07:08) The Golden Ticket Attack
(00:09:04) Krbtgt Rotation Rituals
(00:13:07) The Backup Service Account Privilege
(00:20:21) Local Administrator Reuse
(00:27:19) SMB Signing and NTLM Relay
(00:41:31) Group Policy Preferences and Passwords
(00:48:15) Two-Way Forest Trust
(00:48:49) The Intruder's Journey
In Part 2 of this m365.fm series, Mirko Peters goes deeper into the gravitational pull of Active Directory and how unchecked identity sprawl, legacy design, and operational shortcuts quietly turn it into a black hole for security. Most organizations treat AD as stable infrastructure — accounts are created, groups are added, permissions are granted, and life moves on. But every exception, every “temporary” permission, and every legacy service account adds weight. This episode is about what happens when that weight turns into security drift: slow, invisible, and accelerating until something breaks in production or during an incident.
WHY IDENTITY SYSTEMS NATURALLY DRIFT TOWARD INSECURITY
The assumption in many enterprises is that if access is reviewed occasionally and audits pass, identity is under control. It is not. Identity systems like Active Directory are constantly changing: projects launch, teams reorganize, mergers happen, vendors come and go. Each change adds new groups, roles, and permissions that rarely get cleaned up. Over time, privilege creep turns once-reasonable access models into sprawling risk surfaces. Security does not usually fail in a single moment. It decays slowly as accumulated decisions, shortcuts, and exceptions widen the blast radius of every future compromise.
HOW SECURITY DRIFT ACCELERATES INSIDE ACTIVE DIRECTORY
This episode breaks down how security drift accelerates over time: from harmless-seeming group nesting to orphaned service accounts with excessive privileges, from one-off troubleshooting changes that never get rolled back to “temporary” access that quietly becomes permanent. Mirko walks through how misconfiguration at scale creates attack paths that defenders cannot see in traditional tools, why standard audits rarely catch identity-based exposure, and how lateral movement becomes easy once drift has taken hold. Instead of treating each issue as a one-off fix, identity security is reframed as a physics problem — governed by gravity, inertia, and entropy.
WHAT YOU WILL LEARN
- Why identity systems like Active Directory naturally drift toward insecurity over time.
- How permissions, groups, and service accounts silently accumulate risk as environments grow.
- The real-world impact of misconfiguration at scale on incident response and breach paths.
- How attack paths form and persist inside complex AD environments.
- Why traditional audits and point-in-time reviews miss identity-based threats.
- What it takes to reverse security drift instead of just slowing it down for the next audit cycle.
- Privilege creep, access entropy, and how “just this once” changes become permanent.
- Service account abuse, automation risk, and hidden high-privilege identities.
- Lateral movement through identity systems and the paths attackers actually use.
- Delegation risks, inheritance failures, and the illusion of least privilege.
- Detection gaps in identity security and why visibility is often an illusion.
- How to think about Active Directory as critical infrastructure, not just directory plumbing.
- Blue Team and SOC analysts who need to understand identity-driven attack paths.
- Identity and Access Management (IAM) engineers responsible for AD hygiene and design.
- Active Directory administrators maintaining complex, multi-forest or leg