Since October 14th, 2025, Microsoft has disabled previews in Windows File Explorer, for at least all downloaded files from the Internet and stored on network shares.1 Attackers could capture NTLM hashes simply by viewing the preview. I had to smile. It’s as if Microsoft had read my blog post “Why Every Windows AD Should Be Kept Offline” earlier this month,2 where I discussed exactly this kind of NTLM leakage. Read more

Not only since my seven security tips1 have I been getting questions about why I prefer to keep Windows and an Active Directory2 offline. That may sound inflexible, and in an era of AI-generated cybersecurity slop3 I may look like an outsider. So in today’s blog post I provide more context, explain the technical background, and lay out how ransomware works. Read more