What defenses can prevent AS-REPRoasting attacks?
Admins should regularly use PowerView (`Get-DomainUser -PreauthNotRequired`) to scan for users that have 'Do not require Kerberos preauthentication' enabled. Additionally, enforcing strong, complex passwords across the domain makes dictionary and brute-force attacks infeasible even if hashes are obtained. For persistent access concerns, review AdminSDHolder protections.
AS-REPRoasting defense, PowerView, complex passwords, Kerberos preauthentication