This document discusses protecting administrative credentials on a network. It describes how domain admin access can be obtained by dumping passwords from the LSASS process using mimikatz. To mitigate this, it recommends enabling SMB signing on domain controllers, along with local firewalls, non-admin accounts, reduced dependencies, managed service accounts, and Azure MFA to further protect credentials. The goal is to restrict exposure of admin credentials that act as "keys to the castle."