Active Directory
Introduction
Active Directory (AD) is a directory service designed for Windows network environments. It enables centralized management of an organization’s resources, such as users, computers, groups, and network devices, by providing essential authentication and authorization functions within a Windows domain.
Although AD offers powerful management capabilities, its default configuration is not inherently secure; many features are designed for backward compatibility and can be misconfigured.
Given that an estimated 95% of Fortune 500 companies rely on AD, it remains a prime target for attackers.
Terminology
Core AD Architecture
Object: Any resource in AD (e.g., users, computers, groups, printers, OUs). In AD, objects are categorized by their ability to hold other objects.
Container Objects: Can hold other objects. For example, groups (which can include users, computers, and even other groups) and OUs.
Leaf Objects: Cannot contain other objects. For example, individual user accounts.
Attributes: Characteristics or properties of an object (such as a computer’s hostname or a user’s display name), typically identified by LDAP names (e.g., displayName, givenName).
Schema: The blueprint for AD that defines what types of objects can exist and which attributes they have.
Domain: A logical grouping of objects (users, computers, etc.) that share a common directory database.
Forest: A collection of one or more domains that share a common schema and global catalog, essentially forming the topmost AD container.
Tree: A hierarchy of domains that share a contiguous namespace, with one root domain at the top.
Organizational Units (OUs): Containers that help organize objects for ease of management and delegation.
Naming & Identification
Globally Unique Identifier (GUID): A 128-bit unique value assigned to every AD object, ensuring its uniqueness across the enterprise.
Distinguished Name (DN): The full LDAP path to an object (e.g., cn=bjones,ou=IT,dc=example,dc=com), which uniquely locates it within the directory.
Relative Distinguished Name (RDN): The unique name of an object within its parent container (e.g., bjones in the DN above).
sAMAccountName: The user’s logon name (up to 20 characters), unique within the domain.
userPrincipalName (UPN): Another form of the logon name, formatted like an email address (e.g., bjones@example.com).
Security Identifier (SID): A unique value assigned to security principals (users, groups, computers) used to control access and manage permissions.
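The DN, RDN and parent-container relationships above are easy to get wrong when a name contains an escaped comma. The following helper is an added example, not part of the original notes; it parses a DN according to RFC 4514 escaping and recovers the RDN, the parent container and the DNS domain. The DNs it is shown with are constructed sample values.

```python
# Added example (not from the original notes): split an LDAP Distinguished Name
# into its Relative Distinguished Names, honouring RFC 4514 backslash escaping,
# so the object's RDN, its parent container and its domain can be read reliably.
# The DNs used below are constructed sample values.
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the RDNs of a DN as (attribute, value) pairs, leaf first.

    A comma inside a value is escaped with a backslash (e.g. "Smith\\, Jane"),
    so a plain dn.split(",") would cut such a name in two; the string is
    therefore walked character by character and escapes are resolved.
    """
    rdns: List[Tuple[str, str]] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_parse_rdn("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    if current:
        rdns.append(_parse_rdn("".join(current)))
    return rdns


def _parse_rdn(text: str) -> Tuple[str, str]:
    """Split one 'attr=value' component; the first '=' separates the two."""
    attr, sep, value = text.strip().partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {text!r}")
    return attr.strip(), value.strip()


def _escape(value: str) -> str:
    """Re-apply RFC 4514 escaping when a DN is rebuilt from its parts."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def rdn(dn: str) -> str:
    """The object's own name: the value of the leftmost RDN."""
    return split_dn(dn)[0][1]


def parent_dn(dn: str) -> str:
    """DN of the container that holds the object."""
    return ",".join(f"{a}={_escape(v)}" for a, v in split_dn(dn)[1:])


def domain_from_dn(dn: str) -> str:
    """DNS domain implied by the dc= components (e.g. example.com)."""
    return ".".join(v for a, v in split_dn(dn) if a.lower() == "dc")
```

Attribute names in a DN are case-insensitive, which is why domain_from_dn compares them lower-cased while the other functions return them exactly as written.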
Replication & Controllers
Domain Controllers: Servers that store a copy of the AD database and handle core directory services such as authentication, authorization, and enforcing security policies. They are the backbone of an AD network.
FSMO Roles: Special roles assigned to certain Domain Controllers (DCs) to avoid conflicts during updates. Examples include the Schema Master, PDC Emulator, and RID Master.
Global Catalog (GC): A DC that holds a full copy of objects in its domain and a partial copy from other domains, enabling quick searches across the entire forest.
Replication: The process by which changes to AD objects are synchronized between all DCs, ensuring consistency throughout the environment.
Read-Only Domain Controller (RODC): A DC that holds a read‑only copy of AD, enhancing security in locations where full write access is not desired.
Security & Access
Security Principal: Any entity that can be authenticated by AD (users, computers, or groups).
Service Principal Name (SPN): A unique identifier for a service instance, used in Kerberos authentication to associate a service with a service logon account.
Access Control List (ACL) & Access Control Entries (ACEs): An ACL is a list of ACEs that define which users or groups (security principals) have what type of access to an object.
Policies & Data Storage
Group Policy Object (GPO): A collection of policy settings applied to users and computers, controlling various aspects of the operating environment.
SYSVOL: A shared folder on each DC that stores public files such as GPOs, logon scripts, and other policies. Its contents are replicated across DCs.
NTDS.DIT: The core AD database file stored on a DC that contains all directory data—including user accounts, groups, and password hashes.
FSMO Roles
Active Directory uses five Flexible Single Master Operation (FSMO) roles to manage critical operations and prevent conflicts:
Schema Master: Manages the read/write copy of the AD schema, which defines all attributes available to objects.
Domain Naming Master: Ensures that each domain within a forest has a unique name.
Relative ID (RID) Master: Allocates blocks of RIDs to Domain Controllers so new objects receive unique SIDs (combining the domain SID with a unique RID).
PDC Emulator: Acts as the authoritative Domain Controller for authentication, password changes, Group Policy management, and time synchronization.
Infrastructure Master: Translates object identifiers (GUIDs, SIDs, DNs) between domains, ensuring proper name resolution in multi-domain forests.
Issues with FSMO roles can cause authentication and authorization problems within the domain.
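To make the RID Master's job concrete, the code below is an added example (not from the original notes): it splits a SID into domain SID and RID, names the well-known RIDs, and simulates the RID Master handing out non-overlapping RID pools to two Domain Controllers so that every SID they mint is unique. The domain SID and DC names are constructed; the pool size of 500 is the Windows default.

```python
# Added example (not from the original notes): take a SID apart into its domain
# SID and RID, name the well-known RIDs, and simulate the RID Master handing out
# RID pools so that two Domain Controllers never mint the same SID. The domain
# SID and DC names are constructed; the pool size of 500 matches the default.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# RIDs that are identical in every domain (Enterprise Admins exists only in the forest root).
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID) for a SID such as S-1-5-21-a-b-c-500."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def describe_sid(sid: str) -> str:
    """Name the account if the RID is well known, else show domain and RID."""
    domain, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, f"RID {rid} in {domain}")


@dataclass
class RidMaster:
    """FSMO role holder: issues non-overlapping RID blocks on request."""
    pool_size: int = 500    # default block size a DC receives
    next_rid: int = 1000    # RIDs below 1000 are reserved for built-in principals

    def allocate(self) -> range:
        block = range(self.next_rid, self.next_rid + self.pool_size)
        self.next_rid += self.pool_size
        return block


@dataclass
class DomainController:
    """A DC mints SIDs from its local pool and asks the RID Master for more."""
    name: str
    domain_sid: str
    rid_master: RidMaster
    pool: List[int] = field(default_factory=list)

    def new_object_sid(self) -> str:
        if not self.pool:                       # pool exhausted: fetch a new block
            self.pool = list(self.rid_master.allocate())
        return f"{self.domain_sid}-{self.pool.pop(0)}"


def simulate(domain_sid: str, objects_per_dc: int = 600) -> List[str]:
    """Two DCs each create objects; the result must contain no duplicate SID."""
    master = RidMaster()
    dc1 = DomainController("DC01", domain_sid, master)
    dc2 = DomainController("DC02", domain_sid, master)
    sids: List[str] = []
    for _ in range(objects_per_dc):          # interleave creation on both DCs
        sids.append(dc1.new_object_sid())
        sids.append(dc2.new_object_sid())
    return sids
```

Because each DC draws from its own block, object creation continues even when the RID Master is briefly unreachable; only when a DC exhausts its pool and cannot obtain a new one does object creation fail, which is the symptom the sentence above refers to.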
Trusts
Trusts link the authentication systems of different domains or forests, allowing users to access resources outside their own domain. They can be defined by type and direction:
Trust Types
Parent-Child: A two-way transitive trust between domains within the same forest.
Cross-Link: A trust between child domains that speeds up authentication.
External: A non-transitive trust between domains in separate forests (not joined by a forest trust), typically using SID filtering.
Tree-Root: A two-way transitive trust established between a forest root domain and a new tree root domain.
Forest: A transitive trust between two forest root domains.
Trust Characteristics
Transitivity:
Transitive Trust: Extends trust to all domains connected in the trust chain.
Non-Transitive Trust: Limits trust to only the two directly connected domains.
Direction:
Two-Way (Bidirectional) Trust: Both domains can access each other’s resources.
One-Way Trust: Only the trusted domain’s users can access resources in the trusting domain.
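Direction and transitivity interact in ways that are easiest to see on a small graph. The code below is an added example, not part of the original notes: it models trusts as directed edges from the trusting domain to the trusted domain and answers whether a user from one domain can reach a resource in another. The three-domain forest and the external partner domain are constructed sample data.

```python
# Added example (not from the original notes): model domain trusts as directed
# edges (trusting -> trusted) and decide whether a user from one domain can
# reach a resource in another, honouring direction and transitivity. The
# forest and the external partner domain below are constructed sample data.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that accepts the other side's users
    trusted: str       # domain whose users are accepted
    transitive: bool


def two_way(a: str, b: str, transitive: bool = True) -> List[Trust]:
    """Parent-child, tree-root and forest trusts are two-way and transitive."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def external(trusting: str, trusted: str) -> List[Trust]:
    """External trusts are one-way (unless created in both directions) and non-transitive."""
    return [Trust(trusting, trusted, transitive=False)]


# Constructed: a forest of three domains plus an external trust to a partner.
TRUSTS: List[Trust] = (
    two_way("example.com", "corp.example.com")              # parent-child
    + two_way("corp.example.com", "dev.corp.example.com")   # parent-child
    + external("example.com", "partner.local")              # example.com trusts partner.local
)


def can_access(trusts: List[Trust], user_domain: str, resource_domain: str) -> Optional[List[str]]:
    """Return the trust chain from the resource's domain to the user's domain,
    or None when no trust path exists.

    A single hop is always enough, whatever its transitivity. A longer chain is
    only valid when every hop is transitive, which is why a non-transitive
    external trust never reaches a child domain of the trusting domain.
    """
    if user_domain == resource_domain:
        return [resource_domain]
    by_trusting: Dict[str, List[Trust]] = {}
    for t in trusts:
        by_trusting.setdefault(t.trusting, []).append(t)
    for t in by_trusting.get(resource_domain, []):          # direct trust
        if t.trusted == user_domain:
            return [resource_domain, user_domain]
    queue = deque([[resource_domain]])                      # chains of transitive hops
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        for t in by_trusting.get(path[-1], []):
            if not t.transitive or t.trusted in seen:
                continue
            seen.add(t.trusted)
            if t.trusted == user_domain:
                return path + [t.trusted]
            queue.append(path + [t.trusted])
    return None
```

With this data, a dev.corp.example.com user reaches example.com through two transitive hops, a partner.local user reaches example.com but not corp.example.com (the external trust does not chain), and example.com users reach nothing in partner.local because that trust is one-way.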
Active Directory Protocols
Kerberos
Purpose: Default authentication protocol for AD (since Windows 2000) that uses mutual authentication and a ticket‑based system to secure credentials.
How It Works: When a user logs in, their client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC) on a Domain Controller. This TGT is later exchanged for service tickets to access specific resources—without sending the user’s password over the network.
Port: 88 (TCP and UDP)
DNS
Purpose: Resolves hostnames to IP addresses and locates Domain Controllers and other AD services using service (SRV) records.
Key Features:
Dynamic Updates: Automatically adjusts to changes (such as IP address updates).
Service Records: Enables clients to find necessary network resources (e.g., file servers, printers, DCs).
Port: 53 (UDP by default, with TCP fallback for larger messages)
LDAP
Purpose: Provides a protocol for querying and managing the directory information stored in AD, including user and security data.
How It Works:
Session Establishment: An LDAP session begins by connecting to an LDAP server (also known as a Directory System Agent). Domain Controllers listen for LDAP requests, such as those for authentication.
LDAP Authentication (BIND Operation): Authentication in LDAP is achieved through a BIND operation, which sets the authentication state for the session. There are two primary methods:
Simple Authentication: Uses a username and password to perform a BIND request. This method may be anonymous, unauthenticated, or fully credentialed.
SASL Authentication: The Simple Authentication and Security Layer (SASL) framework allows LDAP to use other authentication services (for example, Kerberos). SASL separates the authentication mechanism from the LDAP protocol, providing additional security.
Ports: 389 for standard LDAP; 636 for LDAP over SSL (LDAPS)
MSRPC
Purpose: Microsoft’s implementation of Remote Procedure Call (RPC) enables interprocess communication for various AD tasks.
Key Interfaces:
lsarpc: Manages local security policies on a computer.
netlogon: Handles continuous authentication processes within the domain.
samr: Provides access to and management of the domain account database (users, groups, etc.).
drsuapi: Facilitates replication-related tasks between Domain Controllers.
Usage: MSRPC supports many of the client-server operations that keep an AD environment running smoothly.
Other Authentication Methods
In addition to Kerberos and LDAP, AD employs legacy and modern methods such as LM, NTLM, NTLMv1, NTLMv2, and Domain Cached Credentials. The table below compares the challenge/response protocols with Kerberos:

Protocol | Cryptographic technique                              | Message type                    | Trusted third party
NTLM     | Symmetric key cryptography                           | Random number                   | Domain Controller
NTLMv1   | Symmetric key cryptography                           | MD4 hash, random number         | Domain Controller
NTLMv2   | Symmetric key cryptography                           | MD4 hash, random number         | Domain Controller
Kerberos | Symmetric key cryptography & asymmetric cryptography | Encrypted ticket using DES, MD5 | Domain Controller/Key Distribution Center (KDC)
LM Hashes: Outdated and weak; limited to 14 characters and easily cracked.
NTLM: More modern than LM but vulnerable to pass-the-hash and brute-force attacks.
NTLMv1: An older challenge/response protocol with significant vulnerabilities.
NTLMv2: A stronger, more robust protocol designed to overcome the flaws of NTLMv1.
Domain Cached Credentials (MSCache2)
Overview: Domain Cached Credentials (also known as MSCache2) are used to allow domain users to log in to their machines even when a Domain Controller is unavailable (for example, during network outages).
How It Works:
Local Caching: When a user successfully logs into a domain-joined machine, their hashed credentials are stored locally in the registry at:
HKEY_LOCAL_MACHINE\SECURITY\Cache
Cache Limit: Typically, the last ten successful logins are cached.
Security Implications:
These cached hashes are designed to be slow to crack, even with powerful GPU-based tools.
They cannot be used for pass-the-hash attacks.
They may still be vulnerable if weak passwords are used, so understanding their strength is crucial during security assessments.
Active Directory Users
User accounts enable people or programs (such as system services) to log on and access resources based on assigned rights.
Local Accounts
Local accounts are stored on individual systems (servers or workstations) and grant rights only on that specific machine. They are recognized as security principals but do not extend access across a domain.
Default Local Accounts:
Administrator:
Role: Full control over the system.
Notes: The first account created on a Windows system (SID S-1-5-domain-500). It can be disabled or renamed but not deleted.
Guest:
Role: Provides temporary, limited access.
Notes: Disabled by default due to the security risk of allowing anonymous access.
SYSTEM (NT AUTHORITY\SYSTEM):
Role: Used by the operating system to perform internal functions.
Notes: Has full control over the host and does not appear in user management tools.
Network Service & Local Service:
Role: Predefined accounts used by Windows services.
Notes: Network Service presents credentials to remote systems, while Local Service operates with minimal privileges and anonymous network credentials.
Domain Users
Domain user accounts are managed centrally in Active Directory, allowing users to log in on any domain-joined machine. These accounts are granted rights to access a wide range of resources (e.g., file servers, printers, intranet sites) based on permissions set by administrators.
KRBTGT Account: A built-in service account used by the Kerberos Key Distribution Center (KDC) for authentication. It is a frequent target for attackers because compromising it can grant unrestricted access to the domain.
The same distinction between local and domain users applies to machines: a computer is either domain-joined or non-domain-joined.
Active Directory Groups
A group is an object that places similar users together so that rights and access can be assigned to all of them at once.
Groups vs. Organizational Units (OUs)
Groups:
Primary Purpose: Assign permissions to resources (e.g., file shares, printers).
Usage: Enable mass rights assignment and simplify permission audits.
Organizational Units (OUs):
Primary Purpose: Organize users, groups, and computers to simplify management and apply Group Policy settings.
Usage: Delegate administrative tasks (such as password resets) without giving full administrative rights.
Groups in AD have two key characteristics: type and scope.
Group Types
Security Groups:
Purpose: Assign permissions and rights.
Behavior: All members inherit the group’s assigned permissions, making rights management and auditing more efficient.
Distribution Groups:
Purpose: Used by email applications (e.g., Microsoft Exchange) for mailing lists.
Limitation: Cannot be used to assign resource permissions in the domain.
Group Scopes
Group scope defines where a group can be used and what objects it can contain. There are three primary scopes:
Domain Local Groups:
Manage permissions for resources only within the domain where the group is created.
Can include users from other domains and be nested within other local groups.
Cannot be used outside of their home domain.
Global Groups:
Grant access to resources in other domains.
Can only contain accounts from the domain where they were created.
Can be nested into both other global groups and domain local groups.
Universal Groups:
Manage resources across multiple domains within the same forest.
Can contain users from any domain.
Stored in the Global Catalog; changes trigger forest-wide replication, so administrators typically nest more stable global groups within universal groups to minimize replication overhead.
Built-in vs. Custom Groups
Built-in Groups: Predefined during domain creation (e.g., Domain Admins, Domain Users). Typically have a fixed scope (often Domain Local or Global) and serve specific administrative purposes. Often restricted to user accounts only (no group nesting).
Custom Groups: Created by organizations to meet specific needs. Can be security or distribution groups and assigned appropriate scopes.
Nested Group Membership
Concept: A group (such as a Domain Local group) can be a member of another group, allowing users to inherit privileges indirectly.
Important Group Attributes
Understanding group attributes is essential for both administration and security analysis. Key attributes include:
cn (Common Name): The name of the group in AD.
member: Lists the user, group, and contact objects that are members of the group.
groupType: An integer value that specifies the group's type and scope.
memberOf: Indicates which groups the current group is nested within.
objectSid: The unique security identifier (SID) for the group.
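These attributes are what an audit actually reads, so the code below is an added example (not from the original notes) that decodes groupType into type and scope, follows memberOf through nested groups to build a user's effective group list, and then keeps only security groups, since distribution groups carry no permissions. The directory snapshot is constructed data shaped like an LDAP search result.

```python
# Added example (not from the original notes): decode the groupType attribute
# into type and scope, then expand nested membership (memberOf) so that a
# user's effective group list is known, and keep only security groups, since
# distribution groups carry no permissions. The directory snapshot is constructed.
from collections import deque
from typing import Dict, List

GROUP_SCOPE_BITS = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
BUILTIN_BIT = 0x1
SECURITY_ENABLED_BIT = 0x80000000


def decode_group_type(value: int) -> Dict[str, object]:
    """groupType is stored as a signed 32-bit integer, so security groups show
    up as negative numbers (e.g. -2147483646 for a global security group)."""
    flags = value & 0xFFFFFFFF
    scope = next((name for bit, name in GROUP_SCOPE_BITS.items() if flags & bit), "unknown")
    return {
        "type": "security" if flags & SECURITY_ENABLED_BIT else "distribution",
        "scope": scope,
        "builtin": bool(flags & BUILTIN_BIT),
    }


# Constructed snapshot: DN -> attributes, as an LDAP search might return them.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "cn=bjones,ou=IT,dc=example,dc=com": {
        "memberOf": ["cn=IT Staff,ou=Groups,dc=example,dc=com",
                     "cn=All Staff,ou=Groups,dc=example,dc=com"],
    },
    "cn=All Staff,ou=Groups,dc=example,dc=com": {
        "groupType": 8, "memberOf": [],                       # universal distribution list
    },
    "cn=IT Staff,ou=Groups,dc=example,dc=com": {
        "groupType": -2147483646,                             # global security
        "memberOf": ["cn=File Server Admins,ou=Groups,dc=example,dc=com"],
    },
    "cn=File Server Admins,ou=Groups,dc=example,dc=com": {
        "groupType": -2147483644,                             # domain local security
        "memberOf": ["cn=Administrators,cn=Builtin,dc=example,dc=com"],
    },
    "cn=Administrators,cn=Builtin,dc=example,dc=com": {
        "groupType": -2147483643, "memberOf": [],             # built-in domain local security
    },
}


def effective_groups(directory: Dict[str, Dict[str, object]], dn: str) -> List[str]:
    """All groups the object belongs to, directly or through nesting (breadth
    first). The visited set stops loops, since AD permits circular nesting."""
    seen = set()
    order: List[str] = []
    queue = deque(directory[dn].get("memberOf", []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        order.append(group)
        queue.extend(directory.get(group, {}).get("memberOf", []))
    return order


def permission_bearing_groups(directory: Dict[str, Dict[str, object]], dn: str) -> List[str]:
    """Effective groups that can actually appear in an ACL: security groups only."""
    return [g for g in effective_groups(directory, dn)
            if decode_group_type(directory[g]["groupType"])["type"] == "security"]
```

In the sample data bjones is two nesting levels away from the built-in Administrators group, which a review of direct membership alone would miss; the distribution list All Staff is dropped from the permission view because it cannot hold rights.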
Active Directory Rights and Privileges
Rights: Permissions assigned to users or groups that allow access to objects (e.g., files, folders).
Privileges: Permissions to perform system-level actions (e.g., run a program, shut down a system, reset passwords).
Active Directory comes with many default security groups. These built‑in groups sometimes have significant rights and privileges that can be abused if misconfigured.
User Rights Assignment determines which system-level privileges are available to an account.
We can view the rights of a user by running the command whoami /priv.
A non-elevated console might not reveal all privileges due to User Account Control (UAC) restrictions.
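Reading that output by eye is error-prone on hosts with many privileges, so the following is an added example (not from the original notes): it parses whoami /priv output and summarizes which privileges are enabled and which sensitive ones are held at all. The sample output is constructed; as the note above says, run the command from an elevated console to see the full set.

```python
# Added example (not from the original notes): parse the output of
# `whoami /priv` and report which privileges are held and enabled, so an
# account carrying more than it needs stands out in a review. The sample
# output below is constructed; on a real host, run the command in an elevated
# console, since UAC hides privileges from a non-elevated token.
from typing import Dict, List

SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a holder reach past ordinary object permissions; their
# presence on a standard user account warrants a review (Microsoft's User
# Rights Assignment guidance treats these as sensitive).
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
}


def parse_whoami_priv(text: str) -> Dict[str, bool]:
    """Map privilege name -> enabled? Rows are whitespace-separated: the first
    token is the privilege constant, the last is the state."""
    privileges: Dict[str, bool] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privileges[parts[0]] = parts[-1] == "Enabled"
    return privileges


def review_privileges(text: str) -> Dict[str, List[str]]:
    """Summarize what is enabled now and which sensitive privileges are held at
    all (a disabled privilege can be enabled by the holder, so it still counts)."""
    privileges = parse_whoami_priv(text)
    return {
        "enabled": sorted(name for name, on in privileges.items() if on),
        "sensitive_held": sorted(name for name in privileges if name in SENSITIVE_PRIVILEGES),
    }
```

The review deliberately counts disabled privileges: "Disabled" in this output only means the privilege is not currently active in the token, not that the account lacks it.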
Group Policy Objects (GPOs)
Group Policy is a Windows feature that enables administrators to centrally manage and configure settings for both user and computer accounts across an Active Directory (AD) environment.
Order of Precedence
Group Policy settings are processed based on a hierarchical structure that determines which settings take priority:
Local Group Policy:
Settings defined on the host itself.
These can be overwritten by policies applied at higher levels.
Site Policy:
Policies specific to a physical or geographical site.
Useful for handling region-specific requirements.
Domain-wide Policy:
Policies applied across the entire domain (e.g., default password policies, login banners).
Organizational Unit (OU) Policy:
Settings applied to specific OUs, allowing role- or department-specific configurations.
Nested OU Policies:
More granular policies for objects within nested OUs override those higher in the hierarchy.
Other Considerations:
Link Order: When multiple GPOs are linked to a container, they are applied based on their link order—the GPO with the lowest link order number is processed last (thus, highest in precedence).
Enforced (No Override): When a GPO is set to “Enforced,” its settings cannot be overridden by GPOs linked at lower levels.
Block Inheritance: An OU can be configured to block inherited GPOs from higher-level containers unless those GPOs are enforced.
Regardless of which GPO is set to enforced, if the Default Domain Policy GPO is enforced, it will take precedence over all GPOs at all levels.
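The precedence rules above are easiest to check by computing them. The code below is an added example, not part of the original notes: it produces the order in which GPOs are applied to a target (Local, Site, Domain, OU, nested OU, honouring link order, Enforced and Block Inheritance) and reports which GPO wins each contested setting. All containers, GPO names and settings are constructed; the enforced Default Domain Policy in the sample is there to reproduce the last point above.

```python
# Added example (not from the original notes): compute the order in which GPOs
# are applied to a target following the rules above (Local, Site, Domain, OU,
# nested OU; link order; Enforced; Block Inheritance) and resolve which GPO wins
# each contested setting. All containers, GPO names and settings are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, object]
    link_order: int = 1          # 1 = highest precedence within its container
    enforced: bool = False       # "Enforced (No Override)"


@dataclass
class Container:
    name: str
    gpos: List[Gpo] = field(default_factory=list)
    block_inheritance: bool = False


def apply_order(local: Optional[Gpo], hierarchy: List[Container]) -> List[str]:
    """GPO names in processing order; the last one applied wins a conflict.

    hierarchy lists the target's chain from the Site down to its innermost OU.
    """
    order: List[str] = [local.name] if local else []   # local policy always runs first
    # Block Inheritance on an OU drops non-enforced GPOs linked above that OU.
    block_at = max((i for i, c in enumerate(hierarchy) if c.block_inheritance), default=-1)
    regular: List[Gpo] = []
    enforced: List[Tuple[int, Gpo]] = []
    for level, container in enumerate(hierarchy):
        # Within a container, the highest link-order number is processed first,
        # so link order 1 is applied last and takes precedence.
        for gpo in sorted(container.gpos, key=lambda g: g.link_order, reverse=True):
            if gpo.enforced:
                enforced.append((level, gpo))
            elif level >= block_at:
                regular.append(gpo)
    order += [g.name for g in regular]
    # Enforced links are applied after all others, with the highest container's
    # enforced GPOs last, so an enforced Default Domain Policy beats everything.
    order += [g.name for _, g in sorted(enforced, key=lambda lg: lg[0], reverse=True)]
    return order


def effective_settings(local: Optional[Gpo], hierarchy: List[Container]) -> Dict[str, Tuple[object, str]]:
    """For each setting, the winning value and the GPO that supplied it."""
    by_name = {g.name: g for c in hierarchy for g in c.gpos}
    if local:
        by_name[local.name] = local
    result: Dict[str, Tuple[object, str]] = {}
    for name in apply_order(local, hierarchy):
        for key, value in by_name[name].settings.items():
            result[key] = (value, name)          # later GPOs overwrite earlier ones
    return result


# Constructed target: a developer workstation in OU Workstations/Dev.
LOCAL = Gpo("Local Group Policy", {"MinPasswordLength": 0, "LogonBanner": "local"})
HIERARCHY = [
    Container("Site: HQ", [Gpo("HQ Site Policy", {"ProxyServer": "proxy.hq"})]),
    Container("Domain: example.com", [
        Gpo("Default Domain Policy",
            {"MinPasswordLength": 14, "LogonBanner": "Authorized use only"}, link_order=1, enforced=True),
        Gpo("Domain Audit Policy", {"AuditLogon": True}, link_order=2),
    ]),
    Container("OU: Workstations",
              [Gpo("Workstation Baseline", {"ProxyServer": "proxy.corp", "AuditLogon": False})],
              block_inheritance=True),
    Container("OU: Workstations/Dev", [
        Gpo("Dev Relaxed", {"MinPasswordLength": 8}, link_order=1),
        Gpo("Dev Tools", {"AllowDevTools": True}, link_order=2),
    ]),
]
```

Running apply_order on the sample gives Local Group Policy, Workstation Baseline, Dev Tools, Dev Relaxed, Default Domain Policy: the site and domain audit policies are dropped by Block Inheritance, Dev Relaxed (link order 1) is applied after Dev Tools (link order 2), and the enforced Default Domain Policy is applied last, so its 14-character minimum overrides the OU's attempt to relax it to 8.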
Group Policy Refresh Frequency
Clients: By default, Group Policy is refreshed every 90 minutes (with a random offset of ±30 minutes) on user/computer accounts.
Domain Controllers: Refresh every 5 minutes by default.
Force Updates: Administrators can run gpupdate /force to immediately update policies.
Custom Intervals: The refresh interval can be modified via GPO settings, though frequent updates can lead to network congestion.