Active Directory Basics 1700412159
The core of any Windows Domain is the Active Directory Domain Service (AD DS).
The server that runs the Active Directory services is known as a Domain
Controller (DC).
Managing security policies: You can configure security policies directly from
Active Directory and apply them to users and computers across the network as
needed.
People: users will generally represent persons in your organisation that need to
access the network, like employees.
Services: you can also define users to be used by services like IIS or MSSQL.
Every single service requires a user to run, but service users are different from
regular users as they will only have the privileges needed to run their specific
service.
Machines
Machines are also considered "security principals" and are assigned an account
just as any regular user. This account has somewhat limited rights within the
domain itself.
Security Groups
You can define user groups to assign access rights to files or other
resources to entire groups instead of to single users.
Security groups are also considered security principals and, therefore, can have
privileges over resources on the network.
Groups can have both users and machines as members. If needed, groups
can include other groups as well.
Several groups are created by default in a domain that can be used to grant
specific privileges to users. As an example, here are some of the most important
groups in a domain:
Domain Admins - Users of this group have administrative privileges over the entire
domain. By default, they can administer any computer on the domain, including the
DCs.
Domain Controllers - Includes all existing DCs on the domain.
Server Operators - Users in this group can administer Domain Controllers. They cannot
change any administrative group memberships.
Backup Operators - Users in this group are allowed to access any file, ignoring their
permissions. They are used to perform backups of data on computers.
Account Operators - Users in this group can create or modify other accounts in the
domain.
OUs are mainly used to define sets of users with similar policing
requirements.
The people in the Sales department of your organisation are likely to have a
different set of policies applied than the people in IT, for example. Keep in mind
that a user can only be a part of a single OU at a time.
Computers: Any machine joining the network will be put here by default.
You can move them if needed.
Managing users in AD
If you try to delete an OU, Windows will refuse, because by default OUs are
protected against accidental deletion.
Delegation
Delegation allows you to grant users specific privileges to perform advanced tasks
on OUs without needing a Domain Administrator to step in.
You can create different OUs to contain different kinds of computers; doing so
will allow you to configure policies for each OU later.
Group policies simply act as a rulebook for Active Directory that a domain admin can
modify and alter as they deem necessary to keep the network running smoothly
and securely. Along with the very long list of default domain policies, domain
admins can choose to add in their own policies not already on the domain
controller. For example, if you wanted to disable Windows Defender across all
machines on the domain, you could create a new group policy object to disable
Windows Defender.
The options for domain policies are almost endless and are a big factor for
attackers when enumerating an Active Directory network. I'll outline just a few of
the many policies that are default or you can create in an Active Directory
environment:
Group Policies
Windows manages such policies through Group Policy Objects (GPO).
GPOs can contain policies aimed at either users or computers, allowing you
to set a baseline on specific machines and identities.
To configure GPOs, you can use the Group Policy Management tool.
Something important to have in mind is that any GPO will apply to the linked OU
and any sub-OUs under it.
For example, the Sales OU will still be affected by the Default Domain Policy,
which is linked at the domain level.
The first tab you'll see when selecting a GPO shows its scope, which is where
the GPO is linked in the AD.
You can also apply Security Filtering to GPOs so that they are only applied to
specific users/computers under an OU. By default, they will apply to
the Authenticated Users group, which includes all users/PCs.
The Settings tab includes the actual contents of the GPO and lets us know what
specific configurations it applies.
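As an added example (not from the original notes and not Microsoft's tooling), the following Python models the two rules above: a GPO applies to the OU it is linked to and to every sub-OU beneath it, and security filtering restricts it to principals holding one of the listed groups, with Authenticated Users as the default. The OU names, GPO names and group names are constructed for the example.

```python
# Added example: a small model of GPO inheritance and security filtering.
# OU names, GPO names and groups are constructed, not taken from a real domain.

def ou_chain(container_dn: str) -> list:
    """Return the domain root and every container down to `container_dn`, root first.

    'OU=Laptops,OU=Sales,DC=thm,DC=local' ->
    ['DC=thm,DC=local', 'OU=Sales,DC=thm,DC=local', 'OU=Laptops,OU=Sales,DC=thm,DC=local']
    """
    parts = container_dn.split(",")
    root_index = next(i for i, part in enumerate(parts) if part.startswith("DC="))
    return [",".join(parts[j:]) for j in range(root_index, -1, -1)]


# Constructed GPOs: where each one is linked, and which groups it is filtered to.
GPOS = {
    "Default Domain Policy": {"links": ["DC=thm,DC=local"],
                              "filter": {"Authenticated Users"}},
    "Sales Drive Mapping":   {"links": ["OU=Sales,DC=thm,DC=local"],
                              "filter": {"Authenticated Users"}},
    "IT Admin Tools":        {"links": ["OU=IT,DC=thm,DC=local"],
                              "filter": {"IT Admins"}},          # security-filtered
}


def effective_gpos(container_dn: str, groups, gpos=GPOS) -> list:
    """List the GPOs that apply to a principal sitting in `container_dn`.

    Returned in application order: domain-level GPOs first, then each nested OU,
    so a GPO linked closer to the object comes later and wins on conflicts.
    """
    principal_groups = set(groups) | {"Authenticated Users"}   # every domain account
    applied = []
    for level in ou_chain(container_dn):           # walk root -> OU -> sub-OU
        for name, gpo in gpos.items():
            linked_here = level in gpo["links"]
            passes_filter = bool(principal_groups & gpo["filter"])
            if linked_here and passes_filter:
                applied.append(name)
    return applied


if __name__ == "__main__":
    laptop = "OU=Laptops,OU=Sales,DC=thm,DC=local"
    print(laptop, "->", effective_gpos(laptop, []))
    print("IT workstation (no groups) ->", effective_gpos("OU=IT,DC=thm,DC=local", []))
    print("IT admin workstation ->", effective_gpos("OU=IT,DC=thm,DC=local", ["IT Admins"]))
```

The Sales laptop inherits the domain-level policy plus the Sales OU policy even though nothing is linked directly to the Laptops sub-OU; the IT workstation only receives the filtered GPO once its computer account is a member of the group named in the filter.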
Kerberos
Kerberos authentication is the default authentication protocol for any recent version
of Windows.
Terms:
Ticket Granting Service (TGS): tickets that allow connection only to the
specific service they were created for.
Ticket Granting Ticket (TGT): a ticket that allows the user to request
additional tickets to access specific services. Having a ticket that gets more
tickets means the user doesn't have to pass their credentials every time they want
to connect to a service.
Session Key: an encryption and decryption key that is randomly generated to
ensure the security of a communications session between a user and another
computer or between two computers.
Service Principal Name (SPN): a unique identifier of a service instance.
1. The user sends their username and a timestamp, encrypted using a key derived
from their password, to the Key Distribution Center (KDC).
2. The KDC will create and send back a Ticket Granting Ticket (TGT), along with
a Session Key.
a. Notice the TGT is encrypted using the krbtgt account's password hash,
and therefore the user can't access its contents.
3. When a user wants to connect to a service on the network like a share, website
or database, they will use their TGT to ask the KDC for a Ticket Granting
Service (TGS).
4. The KDC will send us a TGS along with a Service Session Key, which we will
need to authenticate to the service we want to access.
a. Notice that the TGS is encrypted using a key derived from the Service
Owner Hash.
b. The TGS contains a copy of the Service Session Key in its encrypted
contents so that the Service Owner can access it by decrypting the TGS.
5. The TGS can then be sent to the desired service to authenticate and establish a
connection.
6. The service will use its configured account's password hash to decrypt the TGS
and validate the Service Session Key.
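To make the sequence concrete, here is an added toy simulation in Python. It is not code from the original notes and not a real Kerberos implementation: a small HMAC-based cipher stands in for the Kerberos encryption types, the key derivation is a stand-in, and the account names, SPN and passwords are constructed. What it shows is which key seals which ticket, so the client cannot read its own TGT (sealed with the krbtgt key) while the service can open the TGS with its own account key and recover the Service Session Key.

```python
import hashlib
import hmac
import json
import os
import time

# Added example: toy Kerberos exchange. Cipher, key derivation and names are stand-ins.


def derive_key(secret: str) -> bytes:
    # Stand-in for Kerberos string-to-key (real AD uses the NT hash or AES PBKDF2).
    return hashlib.sha256(secret.encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    # Toy encrypt-then-MAC: only a holder of `key` can read or alter the payload.
    nonce = os.urandom(16)
    plaintext = json.dumps(payload).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ticket")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    def __init__(self, users: dict, services: dict, krbtgt_password: str):
        self.user_keys = {u: derive_key(p) for u, p in users.items()}
        self.service_keys = {spn: derive_key(p) for spn, p in services.items()}
        self.krbtgt_key = derive_key(krbtgt_password)

    def as_exchange(self, user: str, preauth: bytes):
        # Username + encrypted timestamp in, TGT + session key out. The timestamp only
        # decrypts with the user's key; the TGT is sealed with krbtgt so the user can't read it.
        timestamp = unseal(self.user_keys[user], preauth)["timestamp"]
        if abs(time.time() - timestamp) > 300:
            raise ValueError("timestamp outside the allowed clock skew")
        session_key = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"user": user, "session_key": session_key.hex()})
        return tgt, seal(self.user_keys[user], {"session_key": session_key.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        # TGT in, TGS out: open the TGT with krbtgt, check the authenticator with the
        # session key, then seal a TGS (carrying a fresh service session key) with the service key.
        tgt_body = unseal(self.krbtgt_key, tgt)
        session_key = bytes.fromhex(tgt_body["session_key"])
        if unseal(session_key, authenticator)["user"] != tgt_body["user"]:
            raise ValueError("authenticator does not match TGT")
        service_session_key = os.urandom(32)
        tgs = seal(self.service_keys[spn], {"user": tgt_body["user"], "spn": spn,
                                            "service_session_key": service_session_key.hex()})
        return tgs, seal(session_key, {"service_session_key": service_session_key.hex()})


class Service:
    def __init__(self, spn: str, account_password: str):
        self.spn = spn
        self.key = derive_key(account_password)        # the service account's own secret

    def accept(self, tgs: bytes, authenticator: bytes) -> str:
        # Decrypt the TGS with our own key, pull out the service session key and
        # use it to validate the client's authenticator.
        body = unseal(self.key, tgs)
        if body["spn"] != self.spn:
            raise ValueError("ticket is for another service")
        service_session_key = bytes.fromhex(body["service_session_key"])
        if unseal(service_session_key, authenticator)["user"] != body["user"]:
            raise ValueError("authenticator does not match TGS")
        return body["user"]


def run_flow(user="alice", password="Winter2024!") -> str:
    """Full client-side walk through the exchange; returns the user the service accepted."""
    spn = "cifs/fileserver.thm.local"                      # constructed SPN
    kdc = KDC({user: password}, {spn: "svc-secret"}, "krbtgt-secret")
    fileserver = Service(spn, "svc-secret")
    user_key = derive_key(password)
    tgt, enc_session = kdc.as_exchange(user, seal(user_key, {"timestamp": time.time()}))
    session_key = bytes.fromhex(unseal(user_key, enc_session)["session_key"])
    tgs, enc_svc = kdc.tgs_exchange(tgt, seal(session_key, {"user": user}), spn)
    service_session_key = bytes.fromhex(unseal(session_key, enc_svc)["service_session_key"])
    return fileserver.accept(tgs, seal(service_session_key, {"user": user}))


def client_can_read_tgt(user="alice", password="Winter2024!") -> bool:
    """Try to open the TGT with the user's own key; expected to fail."""
    kdc = KDC({user: password}, {}, "krbtgt-secret")
    user_key = derive_key(password)
    tgt, _ = kdc.as_exchange(user, seal(user_key, {"timestamp": time.time()}))
    try:
        unseal(user_key, tgt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("service accepted:", run_flow())
    print("client can read its TGT:", client_can_read_tgt())
```

Note that the client only ever holds session keys it was handed under its own key; the krbtgt and service account secrets never leave the KDC and the service, which is why the TGT and TGS are opaque to the user.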
NetNTLM Authentication
1. The client sends an authentication request to the server they want to access.
2. The server generates a random number and sends it as a challenge to the client.
3. The client combines their NTLM password hash with the challenge (and other
known data) to generate a response to the challenge and sends it back to the
server for verification.
4. The server forwards the challenge and the response to the Domain Controller for
verification.
5. The domain controller uses the challenge to recalculate the response and
compares it to the original response sent by the client. If they both match, the
client is authenticated; otherwise, access is denied. The authentication result is
sent back to the server.
Note that the user's password (or hash) is never transmitted through the network for
security.
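The five steps above, as an added simplified simulation in Python (not from the original notes and not the real NTLMv2 wire format): the server issues a random challenge, the client answers with an HMAC keyed from its NT hash, the server forwards both to the DC, and the DC recomputes the response from the stored hash. The hash function choices, account name and passwords are constructed stand-ins; a wire log is kept so the code can check that neither the password nor the hash ever appears on the network.

```python
import hashlib
import hmac
import os

# Added example: simplified NetNTLM challenge-response. Stand-in hashes, constructed accounts.


def nt_hash(password: str) -> bytes:
    # Windows computes MD4 over the UTF-16LE password. MD4 is unavailable in many
    # Python/OpenSSL builds, so SHA-256 stands in here; the protocol structure is unchanged.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(nthash: bytes, username: str, domain: str,
                     server_challenge: bytes, client_challenge: bytes) -> bytes:
    # Step 3: the hash itself is never sent, only an HMAC keyed by a value derived
    # from it over the server's challenge plus client-side data (NTLMv2 style).
    identity = (username.upper() + domain).encode("utf-16-le")
    response_key = hmac.new(nthash, identity, hashlib.md5).digest()
    return hmac.new(response_key, server_challenge + client_challenge, hashlib.md5).digest()


class DomainController:
    def __init__(self, accounts: dict):
        self.hashes = {u: nt_hash(p) for u, p in accounts.items()}     # what AD stores

    def verify(self, username, domain, server_challenge, client_challenge, response) -> bool:
        # Step 5: recalculate the response with the stored hash and compare in constant time.
        nthash = self.hashes.get(username)
        if nthash is None:
            return False
        expected = compute_response(nthash, username, domain, server_challenge, client_challenge)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, username: str, domain: str, password: str):
        self.username, self.domain = username, domain
        self.nthash = nt_hash(password)          # the client keeps the hash, not the password

    def respond(self, server_challenge: bytes):
        client_challenge = os.urandom(8)
        response = compute_response(self.nthash, self.username, self.domain,
                                    server_challenge, client_challenge)
        return client_challenge, response


def authenticate(client: Client, dc: DomainController):
    """Run steps 1-5 between client, server and DC. Returns (authenticated, wire_log)."""
    wire = []                                                            # everything the network sees
    wire.append(("client->server", b"NEGOTIATE " + client.username.encode()))   # step 1
    server_challenge = os.urandom(8)                                     # step 2
    wire.append(("server->client", server_challenge))
    client_challenge, response = client.respond(server_challenge)        # step 3
    wire.append(("client->server", client_challenge + response))
    wire.append(("server->dc", server_challenge + client_challenge + response))  # step 4
    ok = dc.verify(client.username, client.domain, server_challenge, client_challenge, response)
    wire.append(("dc->server", b"OK" if ok else b"DENIED"))              # step 5 result
    return ok, wire


def secret_on_wire(wire, secret: bytes) -> bool:
    return any(secret in data for _, data in wire)


def demo(stored_password="Winter2024!", typed_password="Winter2024!"):
    """Returns (authenticated, secret_leaked) for a constructed account 'alice' in domain 'THM'."""
    dc = DomainController({"alice": stored_password})
    client = Client("alice", "THM", typed_password)
    ok, wire = authenticate(client, dc)
    leaked = (secret_on_wire(wire, typed_password.encode("utf-16-le"))
              or secret_on_wire(wire, client.nthash))
    return ok, leaked


if __name__ == "__main__":
    print("correct password:", demo())
    print("wrong password:", demo("Winter2024!", "wrong"))
```

The second call shows the failure path: a wrong password yields a different NT hash, so the DC's recomputed response does not match and the server receives a denial, still without any secret having crossed the wire.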
Tree
A tree or domain tree is a collection of domains. Moreover, a tree follows a parent
domain, child domain tree structure. When a domain is under a specific domain, that
Forest
A forest is a collection of trees or domain trees which provides the highest level of
security boundary. It is also a complete active directory instance. Moreover, objects
within the same forest can communicate with each other. If an object in one forest
needs to exchange information with an object in another forest, the two forests
should have forest level trust.
The Forest consists of these parts which we will go into further detail with later:
Trust Relationships
In simple terms, having a trust relationship between domains allows you to authorise
a user from domain THM UK to access resources from domain MHT EU.
The simplest trust relationship that can be established is a one-way trust
relationship. In a one-way trust, if Domain AAA trusts Domain BBB, this means that a
user on BBB can be authorised to access resources on AAA:
Two-way trust relationships can also be made to allow both domains to mutually
authorise users from the other. By default, joining several domains under a tree or
a forest will form a two-way trust relationship.
Transitive - The trust relationship expands beyond just two domains to include other
trusted domains
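The three kinds of trust described above (one-way, two-way, transitive), as an added Python model that is not part of the original notes. Domain names are constructed; THM UK and MHT EU from the notes are not used so that nothing is implied about their configuration. The model follows the direction given in the text (if AAA trusts BBB, users on BBB can be authorised on AAA) and treats a multi-hop chain as valid only when every hop is transitive, which is what distinguishes a parent-child forest trust from a non-transitive external trust.

```python
from collections import deque

# Added example: one-way, two-way and transitive trust resolution. Domains are constructed.


class TrustMap:
    def __init__(self):
        self.trusts = {}        # trusting domain -> {trusted domain: transitive?}

    def one_way(self, trusting: str, trusted: str, transitive: bool = False):
        # `trusting` accepts users from `trusted`: "AAA trusts BBB" lets BBB users use AAA.
        self.trusts.setdefault(trusting, {})[trusted] = transitive

    def two_way(self, a: str, b: str, transitive: bool = True):
        # Default for domains joined under the same tree/forest.
        self.one_way(a, b, transitive)
        self.one_way(b, a, transitive)

    def can_authorise(self, resource_domain: str, user_domain: str) -> bool:
        """Can a user from `user_domain` be authorised on `resource_domain`?"""
        if resource_domain == user_domain:
            return True
        queue, seen = deque([resource_domain]), {resource_domain}
        while queue:
            domain = queue.popleft()
            direct = domain == resource_domain
            for trusted, transitive in self.trusts.get(domain, {}).items():
                # A direct trust always counts; a hop further along only counts if transitive.
                if trusted == user_domain and (direct or transitive):
                    return True
                if transitive and trusted not in seen:   # only transitive trusts extend the chain
                    seen.add(trusted)
                    queue.append(trusted)
        return False


def build_example() -> TrustMap:
    t = TrustMap()
    # Constructed forest: thm.local with two child domains. Parent-child trusts are
    # two-way and transitive by default, so uk and us trust each other via the parent.
    t.two_way("thm.local", "uk.thm.local")
    t.two_way("thm.local", "us.thm.local")
    # Constructed external trust: thm.local trusts partner.com, one-way and non-transitive.
    t.one_way("thm.local", "partner.com", transitive=False)
    return t


if __name__ == "__main__":
    t = build_example()
    checks = [
        ("us.thm.local", "uk.thm.local"),   # sibling child domains: via transitive parent trust
        ("thm.local", "partner.com"),       # direct one-way external trust
        ("uk.thm.local", "partner.com"),    # external trust is non-transitive: does not reach uk
        ("partner.com", "thm.local"),       # one-way: thm users are not trusted by partner
    ]
    for resource, user in checks:
        print(f"user@{user} -> {resource}: {t.can_authorise(resource, user)}")
```

The last two checks are the ones worth internalising: a non-transitive trust stops at the two domains that signed it, and a one-way trust gives nothing in the reverse direction.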
AD DS Data Store -
The Active Directory Data Store holds the databases and processes needed to store
and manage directory information such as users, groups, and services. Below is an
outline of some of the contents and characteristics of the AD DS Data Store:
DNS Update Proxy - DNS clients who are permitted to perform dynamic updates
on behalf of some other clients (such as DHCP servers).
Allowed RODC Password Replication Group - Members in this group can have
their passwords replicated to all read-only domain controllers in the domain
Group Policy Creator Owners - Members in this group can modify group policy
for the domain
Key Admins - Members of this group can perform administrative actions on key
objects within the domain.
RAS and IAS Servers - Servers in this group can access remote access
properties of users
Authentication and access features compared (flattened two-column figure; the column
headings were not recovered):
NTLM, Kerberos, Trusts | OAuth/SAML, OpenID, Guests