Episode Details

In this episode of the m365.fm podcast, Mirko Peters sits down with cybersecurity expert Viktor Hedberg to explore one of the most critical — and misunderstood — areas of enterprise IT security: Active Directory tiering, privileged access, identity protection, and defending modern hybrid environments. With years of experience in incident response, offensive security, Active Directory hardening, and enterprise defense at Truesec, Viktor brings practical, real-world insights into how organizations can dramatically improve their security posture before attackers exploit their weaknesses. The conversation begins with Viktor sharing his personal journey into cybersecurity. Unlike many traditional security professionals, Viktor did not come from a university background. Instead, he worked his way from helpdesk and system administration into consultancy and incident response, gaining deep technical knowledge of Windows, Active Directory, infrastructure, and enterprise security along the way. That hands-on experience became the foundation for understanding both how to secure systems and how attackers compromise them.

WHY ACTIVE DIRECTORY IS STILL A MASSIVE TARGET

One of the strongest themes throughout the episode is the fact that Active Directory is far from dead. Despite the rise of Microsoft Entra ID, cloud-first environments, and SaaS adoption, Active Directory still remains the backbone of identity and access management in countless organizations worldwide. Viktor explains why attackers continue targeting Active Directory environments:

• Cached credentials
• Password hashes stored locally
• Kerberos tickets
• Overprivileged accounts
• Weak administrative separation
• Poor tiering implementation
• Excessive lateral movement opportunities

The discussion highlights how many organizations unknowingly expose highly privileged accounts simply by allowing administrators to sign into workstations, laptops, and servers without restrictions. Viktor explains that in many environments, compromising a single endpoint can ultimately lead to full domain compromise because of how Windows authentication and credential storage work internally.

UNDERSTANDING AD TIERING

A major focus of the episode is understanding the concept of Active Directory administrative tiering. Viktor breaks down how organizations can separate systems and administrative responsibilities into different security tiers to limit credential exposure and reduce the blast radius during an attack. The discussion explores:

• Tier 0 systems
• Tier 1 servers
• Endpoint administration
• Domain controllers
• Entra Connect servers
• PKI infrastructure
• Administrative boundaries
• Credential isolation

One of the key lessons from the episode is that organizations often underestimate which systems actually belong in Tier 0. Viktor explains why systems like Microsoft Entra Connect, PKI servers, SCCM infrastructure, and identity synchronization services can effectively become equivalent to domain controllers from a security perspective.

THE DANGER OF BUILT-IN ACTIVE DIRECTORY GROUPS

Another critical topic is the misuse of built-in Active Directory groups. Viktor shares real-world examples where organizations accidentally introduced major privilege escalation paths by using groups like:

• Print Operators
• Backup Operators
• Server Operators
• Account Operators

The episode explains why many administrators misunderstand the true permissions behind these legacy groups and how attackers can abuse them to gain elevated access inside the domain. This section serves as a strong reminder that convenience and lack of visibility often create the biggest enterprise security risks.

MODERN ATTACKERS ARE CHANGING THEIR STRATEGY

One of