11:17 Using machine accounts instead of AD service accounts is a bad practice. Each service running in this context on the server will have the same password, and more importantly, if an attacker gains local admin rights on the server, he has full control over the service as well. Adding the fact that you can't enforce policy with AD and use restrictions, this is not good advice. Actually, the best mitigation you forgot to mention is to add the domain service account to gMSA (Group Managed Service Accounts). This will automatically set a strong random password and rotate it automatically, as well as other hardenings on the service account itself.
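For anyone wanting to try what the comment above recommends, here is an added example (not from the video or the commenter) of provisioning a gMSA and binding a Windows service to it. The domain `corp.example.com`, the gMSA `svc-web01`, the host `WEB01` and the service `MyService` are placeholder names; adjust them to your environment.

```powershell
# Added example: create a Group Managed Service Account and run a service under it.
# Placeholder names: corp.example.com, svc-web01, WEB01, MyService.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which all gMSA passwords are derived.
# -EffectiveImmediately still needs up to 10 hours of replication before DCs use it;
# only shortcut that with -EffectiveTime ((Get-Date).AddHours(-10)) in a lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Create the gMSA on a domain controller or a box with the AD module.
# Only the computer account WEB01$ may retrieve the managed password; keep this
# list minimal, because any local admin on a listed host can read the password.
# The rotation interval can only be set at creation time.
New-ADServiceAccount -Name 'svc-web01' `
    -DNSHostName 'svc-web01.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128,AES256

# On WEB01 (after it has refreshed its Kerberos ticket / group membership):
Install-ADServiceAccount -Identity 'svc-web01'
Test-ADServiceAccount -Identity 'svc-web01'   # True when the host can fetch the password

# Bind the service: the logon account is DOMAIN\name$ and the password is left empty,
# because the host fetches and rotates it itself; nobody ever knows the password.
sc.exe config MyService obj= 'CORP\svc-web01$' password= ''
Restart-Service -Name 'MyService'
```

If the service later moves to another host, extend the principal list with `Set-ADServiceAccount -Identity 'svc-web01' -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$','WEB02$'` rather than creating a second account, and remove hosts from that list when they are decommissioned.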
great video, this was exactly what I needed. Thanks