Michael Waterman

Ramblings on IT and Security

Tag: How-to (Page 2 of 3)

Building High-Available LDAPS Architectures

January 31, 2026 / / 5 Comments

If you’re running Active Directory, like I said in a previous blog, that’s the majority of readers, you’re almost certainly using LDAPS, the secure version of LDAP. Not just because it’s “best practice,” but because plaintext LDAP over port 389 is a really bad idea, furthermore Microsoft has blocked access when you’re trying to connect to just LDAP on port 389 without any form of security.

While Microsoft has not removed the ability to use LDAP on port 389, recent security hardening features (such as LDAP channel binding and LDAP signing) can be configured to reject simple bind operations that are not signed or encrypted. In practice, many organizations today do not support clear-text LDAP unless it is secured (for example, via LDAPS). That’s why enabling LDAPS and proper security policies is highly recommended.

Unfortunately most environments treat LDAPS like a checkbox: “Yeah, we enabled LDAPS, installed a certificate, moved on.”

And that’s fine… until it isn’t. If your LDAP clients, VPN gateways, firewalls, RADIUS/NPS servers, Linux services, identity proxies, SaaS connectors, security appliances (the list goes on) depend on LDAPS, then what happens when the one Domain Controller you pointed them at suddenly goes offline?

Continue reading

How to: Build a PKI with PowerShell – Part 2 – IIS WebServer

January 3, 2026 / / 0 Comments

Other parts in this series

How to: Build a PKI with PowerShell – Part 1 – Preparation

How to: Build a PKI with PowerShell – Part 3 – Offline Root CA

How to: Build a PKI with PowerShell – Part 4 – Enterprise CA

In the previous part, I’ve covered the design choices and preparation work needed before touching any infrastructure. In this part, I’ll finally start building something: the PKI Web Server.

I know, I know, not the most exciting exercise, but stay tuned, perhaps I’ll have some former Microsoft Security engineer tips here! However boring, this server plays a crucial role in the overall trust model. It hosts:

  • The Certificate Revocation List (CRL)
  • The Certificate Distribution Point (CDP)
  • The Certification Practice Statement (CPS)

In short: it becomes the “public-facing” component of your PKI.

Continue reading

How to: Build a PKI with PowerShell – Part 1 – Preparation

December 31, 2025 / / 3 Comments

Other parts in this series

How to: Build a PKI with PowerShell – Part 2 – IIS WebServer

How to: Build a PKI with PowerShell – Part 3 – Offline Root CA

How to: Build a PKI with PowerShell – Part 4 – Enterprise CA

Over the last couple of years, I’ve written a lot about Public Key Infrastructure (PKI). Not the “click next, next, finish” type of posts, but the deeper stuff, why you’d pick one design over another, and what trade-offs you’re really making.

Even so, I still see people struggling with PKI. Sometimes even setting up a relatively simple environment turns into a painful mix of conflicting guides, half-implemented best practices, and “set it and forget it” assumptions. The reality is: PKI quietly underpins almost everything we trust in modern IT environments, but it’s often poorly documented, inconsistently implemented, and rarely treated like the living service it actually is.

Continue reading

PKI – Part 5: Creating Unique Object Identifiers (OIDs)

May 10, 2025 / / 2 Comments

Introduction: Why OIDs matter in PKI

When building or managing a Public Key Infrastructure (PKI), precision and uniqueness are not optional, they’re very essential. Don’t be one of many, be your unique self! One key element that reflects this is the Object Identifier (OID). OIDs are globally unique values used to identify everything from certificate policies and application purposes to custom certificate extensions and cryptographic algorithms.

Continue reading

Step-by-Step Guide to Windows Event Forwarding and NTLMv1 Monitoring

June 29, 2024 / / 22 Comments

Did you know that Windows has had a built-in capability to function as a SIEM (Security Information and Event Management) system for years, provided you stay within the Windows ecosystem? This powerful feature, known as Windows Event Forwarding (WEF), allows you to centralize event logs from multiple Windows machines, giving you a comprehensive view of your network’s activities.

Continue reading

Advanced QEMU/KVM Networking on Ubuntu

December 12, 2023 / / 0 Comments

Transitioning between Operating Systems can be a challenge. Many aspects of what you’re used to work differently and you should expect a learning curve.

Well, that was a weird intro for a blog post that has Linux networking in the title! Actually I’m saying goodby to Windows as my primary system…. yes you read that correctly. It’s not that I don’t like the system anymore, it’s the direction Microsoft is taking with AI and the integration into the OS that made me take this decision.

Continue reading

Navigating PowerShell Remoting Challenges with PowerShell 7

August 27, 2023 / / 0 Comments

In the world of system administration and automation, PowerShell has been a trusted companion for managing tasks efficiently across a variety of environments. With the introduction of PowerShell Core 7, the capabilities of PowerShell expanded further by becoming cross-platform, allowing administrators to manage systems regardless of their operating system. Recently, I embarked on a journey to explore the capabilities of PowerShell Core 7’s remoting features, but as often happens in the world of technology, I encountered an unexpected challenge.

Continue reading
« Older posts Newer posts »

© 2026 Michael Waterman

Theme by Anders NorenUp ↑