// #domain-controller
13 articles
Hardening Active Directory Against CVE-2026-47288 and the Kerberos Attack Surface
CVE-2026-47288 in the Windows Kerberos KDC is the most critical Active Directory vulnerability of 2026. Beyond patching, the Kerberos attack surface encompasses golden ticket attacks, AS-REP roasting, Kerberoasting, and credential relay. This article provides post-patch hardening guidance for enterprise AD environments.
Windows Kerberos KDC Remote Code Execution CVE-2026-47288 Puts Domain Controllers at Critical Risk
CVE-2026-47288 is a critical remote code execution vulnerability in the Windows Kerberos Key Distribution Centre that allows network-adjacent unauthenticated attackers to execute arbitrary code on Active Directory domain controllers. All supported Windows Server versions are affected. Domain controllers should be treated as the highest-priority patch target in the June 2026 update cycle.
Implementing the Active Directory Tier Model: A Practical Guide for Post-Netlogon Environments
Microsoft's Active Directory Tier Model separates administrative access by privilege level to prevent credential theft from cascading into full domain compromise. CVE-2026-41089's impact in poorly segmented environments makes the Tier Model the single highest-leverage post-incident investment. This guide covers the implementation sequence for organisations starting from scratch.
One Week After CVE-2026-41089: Taking Stock of the Netlogon Response Across Enterprise Environments
Seven days after Belgium's CCB confirmed active exploitation of the Netlogon CVSS 9.8 vulnerability, the picture of enterprise response is mixed. Domain controllers in well-governed environments are patched; a significant population of legacy and unmanaged DCs remain exposed. This review covers the response pattern and what it reveals about enterprise patch discipline.
Privileged Access Workstation Deployment: The Missing Piece of Most Active Directory Hardening Programmes
Privileged Access Workstations (PAWs) are the single most effective control for preventing credential theft from domain administrators. They are also the most consistently skipped step in enterprise AD hardening programmes. This guide covers a practical PAW deployment for Tier 0 domain controller administration.
Windows Domain Controller Security Monitoring: Building an Event Log Detection Baseline
Effective detection of domain controller attacks requires more than collecting logs — it requires specific audit policy configuration, a curated set of detection rules, and a SIEM pipeline with alert response SLAs. This guide covers the complete baseline configuration for DC security monitoring after CVE-2026-41089 highlighted the importance of pre-compromise visibility.
Identity Containment After Domain Controller Compromise: IAM Response for CVE-2026-41089 Post-Exploitation
If forensic investigation reveals CVE-2026-41089 exploitation occurred before patching, the identity response is as critical as the technical remediation. All credential material accessible from the domain controller must be treated as compromised. This guide covers the identity containment sequence for a confirmed Active Directory domain controller breach.
Domain Controller Hardening After Netlogon CVE-2026-41089: Reducing the Attack Surface Beyond Patching
Patching CVE-2026-41089 closes the specific vulnerability, but domain controllers remain highly targeted infrastructure. This guide covers the access control, network segmentation, and monitoring controls that reduce DC attack surface against the class of unauthenticated RCE threats that Netlogon represents.
Netlogon CVE-2026-41089 Detection and Forensics: Hunting for Domain Controller Compromise
With active exploitation of CVE-2026-41089 confirmed, security teams must run parallel tracks: patching domain controllers and investigating whether exploitation has already occurred. A successful Netlogon exploitation typically leads to Golden Ticket persistence and stealthy domain admin account creation — the forensic indicators are specific and searchable.
Domain Controller Network Architecture: How DC Placement Determines Netlogon Attack Surface
CVE-2026-41089's exploitability in a given environment is almost entirely determined by which networks can reach domain controllers on TCP 445. DC placement decisions — made during infrastructure design, sometimes years ago — directly determine how many machines a Netlogon-class vulnerability exposes. Reviewing DC reachability is the highest-leverage response.
Windows Netlogon CVE-2026-41089 (CVSS 9.8): Unauthenticated Domain Controller RCE Now Actively Exploited
Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation of CVE-2026-41089 on 29 May — a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) that allows unauthenticated remote code execution on domain controllers. CVSS 9.8. A public PoC is available. Patch domain controllers as an emergency priority.
Microsoft Issues Emergency Patch KB5091157 After April Updates Crash Domain Controllers
Microsoft's April 2026 Patch Tuesday updates triggered LSASS crash-reboot loops on non-Global Catalogue domain controllers in PAM-enabled deployments and forced some Windows Server 2025 systems into BitLocker recovery mode. Emergency out-of-band updates were released April 19 for all affected Server versions. Immediate installation is required — affected DCs cause complete authentication outages across their domains.
April Windows Update Enforces AES-Only Kerberos — RC4 Fallback Blocked Across Active Directory
Microsoft's April 2026 cumulative update moves Windows domain controllers into AES-only Kerberos enforcement mode, permanently blocking RC4-HMAC as an authentication fallback under CVE-2026-20833. Organisations with legacy service accounts or unmanaged devices that have not set the msDS-SupportedEncryptionTypes attribute will begin seeing Kerberos authentication failures when the update is deployed.