Active Directory (TryHackMe)
Basic Information
Windows domain is a group of users and computers under the administration of a given business.
The main idea behind a domain is to centralise the administration of common components of a Windows computer network in a single repository called Active Directory (AD).
The server that runs the Active Directory services is known as a Domain Controller (DC).
The main advantages of having a configured Windows domain are:
Centralised identity management: All users across the network can be configured from Active Directory with minimum effort.
Managing security policies: You can configure security policies directly from Active Directory and apply them to users and computers across the network as needed.
Active Directory
The core of any Windows Domain is the Active Directory Domain Service (AD DS).
This service acts as a catalogue that holds the information of all of the "objects" that exist on your network.
Amongst the many objects supported by AD, we have users, groups, machines, printers, shares and many others.
Types of Objects
- Users
Users are one of the objects known as security principals, meaning that they can be authenticated by the domain and can be assigned privileges over resources like files or printers.
There are 2 types of users:
People: Users will generally represent persons in your organisation that need to access the network, like employees.
Services: Services like IIS or MSSQL. Every single service requires a user to run, but service users are different from regular users as they will only have the privileges needed to run their specific service.
- Machines:
For every computer that joins the Active Directory domain, a machine object will be created.
Machines are also considered "security principals" and are assigned an account just as any regular user. This account has somewhat limited rights within the domain itself.
The machine accounts themselves are local administrators on the assigned computer, they are generally not supposed to be accessed by anyone except the computer itself, but as with any other account, if you have the password, you can use it to log in.
Machine Account passwords are automatically rotated out and are generally comprised of 120 random characters.
Identifying machine accounts is relatively easy. They follow a specific naming scheme. The machine account name is the computer's name followed by a dollar sign. For example, a machine named
DC01will have a machine account calledDC01$.
- Security Groups
You can define user groups to assign access rights to files or other resources to entire groups instead of single users.
This allows for better manageability as you can add users to an existing group, and they will automatically inherit all of the group's privileges.
Security groups are also considered security principals and, therefore, can have privileges over resources on the network.
Groups can have both users and machines as members. If needed, groups can include other groups as well.
Several groups are created by default in a domain that can be used to grant specific privileges to users. Examples of the most important default groups:
| Security Group | Description |
|---|---|
Domain Admins | Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs. |
Server Operators | Users in this group can administer Domain Controllers. They cannot change any administrative group memberships. |
Backup Operators | Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers. |
Account Operators | Users in this group can create or modify other accounts in the domain. |
Domain Users | Includes all existing user accounts in the domain. |
Domain Computers | Includes all existing computers in the domain. |
Domain Controllers | Includes all existing DCs on the domain. |
- Organizational Units (OUs)
Are container objects that allow you to classify users and machines.
OUs are mainly used to define sets of users with similar policing requirements.
The people in the Sales department of your organisation are likely to have a different set of policies applied than the people in IT, for example.
A user can only be a part of a single OU at a time.
There are some default containers:
Builtin: Contains default groups available to any Windows host.
Computers: Any machine joining the network will be put here by default. You can move them if needed.
Domain Controllers: Default OU that contains the DCs in your network.
Users: Default users and groups that apply to a domain-wide context.
Managed Service Accounts: Holds accounts used by services in your Windows domain.
Security Groups vs OUs: OUs are handy for applying policies to users and computers, which include specific configurations that pertain to sets of users depending on their particular role in the enterprise. Security Groups, on the other hand, are used to grant permissions over resources.
Managing the Active Directory (AD)
Active Directory Users and Computer can be used to edit the objects in the domain.
By default, OUs are protected against accidental deletion. To delete the OU, we need to enable the Advanced Features. This will show you some additional containers and enable you to disable the accidental deletion protection. To do so, right-click the OU and go to Properties.
Delegation is a feature that allows you to grant users specific privileges to perform advanced tasks on OUs without needing a Domain Administrator to step in (Can be given to IT managers for example)
To delegate control over an OU, you can right-click it and select Delegate Control
Group Policy Objects (GPO) are simply a collection of settings that can be applied to OUs. GPOs can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities.
To configure GPOs, you can use the Group Policy Management tool.
By default a group poilcy management will apply to all authenticated users in an OU. However, you can also apply Security Filtering to GPOs so that they are only applied to specific users/computers under an OU.
GPOs are distributed to the network via a network share called
SYSVOL, which is stored in the DC.All users in a domain should typically have access to this share over the network to sync their GPOs periodically.
The SYSVOL share points by default to the
C:\Windows\SYSVOL\sysvol\directory on each of the DCs in our network.Once a change has been made to any GPOs, it might take up to 2 hours for computers to catch up. If you want to force any particular computer to sync its GPOs immediately, you can always run the following command on the desired computer
gpupdate /force
Authentication Methods
When using Windows domains, all credentials are stored in the Domain Controllers. Whenever a user tries to authenticate to a service using domain credentials, the service will need to ask the Domain Controller to verify if they are correct. Two protocols can be used for network authentication in windows domains:
Kerberos: Used by any recent version of Windows. This is the default protocol in any recent domain.
NetNTLM: Legacy authentication protocol kept for compatibility purposes.
Kerberos
Kerberos authentication is the default authentication protocol for any recent version of Windows.
Users who log into a service using Kerberos will be assigned tickets. Think of tickets as proof of a previous authentication. Users with tickets can present them to a service to demonstrate they have already authenticated into the network before and are therefore enabled to use it.
Authentication Process
The user sends their username and a timestamp encrypted using a key derived from their password to the Key Distribution Center (KDC), a service usually installed on the Domain Controller in charge of creating Kerberos tickets on the network.
The KDC will create and send back a Ticket Granting Ticket (TGT), which will allow the user to request additional tickets to access specific services. The need for a ticket to get more tickets may sound a bit weird, but it allows users to request service tickets without passing their credentials every time they want to connect to a service. Along with the TGT, a Session Key is given to the user, which they will need to generate the following requests.
TGT is encrypted using the krbtgt (KRBTGT is an account used for Microsoft's implementation of Kerberos) account's password hash, and therefore the user can't access its contents. It is essential to know that the encrypted TGT includes a copy of the Session Key as part of its contents, and the KDC has no need to store the Session Key as it can recover a copy by decrypting the TGT if needed.
When a user wants to connect to a service on the network like a share, website or database, they will use their TGT to ask the KDC for a Ticket Granting Service (TGS). TGS are tickets that allow connection only to the specific service they were created for. To request a TGS, the user will send their username and a timestamp encrypted using the Session Key, along with the TGT and a Service Principal Name (SPN), which indicates the service and server name we intend to access.
As a result, the KDC will send us a TGS along with a Service Session Key, which we will need to authenticate to the service we want to access. The TGS is encrypted using a key derived from the Service Owner Hash. The Service Owner is the user or machine account that the service runs under. The TGS contains a copy of the Service Session Key on its encrypted contents so that the Service Owner can access it by decrypting the TGS.
The TGS can then be sent to the desired service to authenticate and establish a connection. The service will use its configured account's password hash to decrypt the TGS and validate the Service Session Key.
NetNTLM Authentication
The client sends an authentication request to the server they want to access.
The server generates a random number and sends it as a challenge to the client.
The client combines their NTLM password hash with the challenge (and other known data) to generate a response to the challenge and sends it back to the server for verification.
The server forwards the challenge and the response to the Domain Controller for verification.
The domain controller uses the challenge to recalculate the response and compares it to the original response sent by the client. If they both match, the client is authenticated; otherwise, access is denied. The authentication result is sent back to the server.
The server forwards the authentication result to the client.
Multiple Domains
Sometimes organizations need to have more than 1 domain, for example, if there is more than 1 branch.
If you have two domains that share the same namespace, those domains can be joined into a Tree.
This partitioned structure gives us better control over who can access what in the domain. For example, if a company has 2 domains, one for their branch in the UK and the other for their branch in the US. The IT people from the UK will have their own DC that manages the UK resources only. For example, a UK user would not be able to manage US users. In that way, the Domain Administrators of each branch will have complete control over their respective DCs, but not other branches' DCs. Policies can also be configured independently for each domain in the tree.
Forest is the combination of two or more trees.
Trust relationships can be configured between domains. Such that, a domain trust another domain.
There are types of the trust relationships, the simplest type is a one-way trust relationship. In a one-way trust, if
Domain AAAtrustsDomain BBB, this means that a user on BBB can be authorised to access resources on AAA (The direction of the one-way trust relationship is contrary to that of the access direction)Two-way trust relationships can also be made to allow both domains to mutually authorise users from the other. By default, joining several domains under a tree or a forest will form a two-way trust relationship.
Last updated