This webcast was originally published on September 19, 2024.
In this video, Dale Hobbs discusses a beginner’s guide to Active Directory. He covers various components such as trusts, group policy, replication types, authentication protocols, and key features like single sign-on and multi-master replication. Additionally, Dale emphasizes the importance of understanding and securing Active Directory implementation to prevent potential vulnerabilities and attacks.
- Active Directory (AD) is a central identity management system designed to manage users, passwords, and group memberships from a single location, simplifying overall management processes in organizations.
- AD’s scalability allows it to handle millions of objects within a domain and support multiple domains within a forest, ensuring high availability and fault tolerance through multi-master replication.
- Implementing strong password policies, restricting administrative privileges, and enabling auditing are crucial steps for securing an AD environment, along with regular backups and patch management.
Transcript
Dale Hobbs
First off, thanks everybody for joining. Today's topic is Beginner's Guide to Active Directory. So, first off, my name is Dale Hobbs. I am a penetration tester at Black Hills Information Security, as well as an instructor here at Antisyphon Training, where I teach a class on Active Directory and how to hack Active Directory and compromise some of the insecurely configured features within Active Directory.
Before joining Black Hills Infosec, I spent many years as a blue teamer, and a significant number of those years designing, building, and managing large-scale Active Directory environments.
So whether you're brand new to it and just wanting to get started, or trying to figure out where to get started, or you've been around for a while and you're trying to make a shift and want to get your feet back with Active Directory, we're going to spend the next hour-ish going through basically a crash course on the basics of Active Directory.
We'll talk about what Active Directory is and the various components that make up Active Directory. We'll look at things like trusts, Group Policy, and the various types of replication that you need to know about.
We'll also touch on the authentication protocols that are used within Active Directory, why each one is used, and which ones you should be using. We'll also talk about some of the various types of objects in Active Directory, such as users, groups, and computers.
And then, there are many components of Active Directory. Obviously, we can't go into detail on all of them, but I will spend some time on Active Directory Certificate Services, additional resources, things like computers, users, and groups within your network.
It features a hierarchical structure, and it also provides things like authentication and authorization functions within a domain. This is really designed to help simplify management, and it's very similar to how a phonebook stores information about various network resources.
So those resources within Active Directory are referred to as objects. Now, all these resources are stored in a centralized database, and that database can then span multiple sites, including things like different floors in a building, different buildings in a city, or even different countries.
As the network grows, Active Directory allows your various objects to be organized into logical groups and subgroups, to which you can then apply access controls at each of those levels to maintain security within the environment.
The Active Directory database itself, or the data contained in it, I should say, is accessible to all users within the domain, so even your low-privilege users can potentially exploit misconfigurations or weaknesses if there are some.
So it is crucial to understand how Active Directory works and how you can secure your implementation as well. Unfortunately, out of the box, Active Directory is not secure by default.
What initially started out as a simple directory has evolved into a very highly scalable system capable of managing millions and millions of objects.
It does provide a lot of flexibility, but it does introduce some vulnerabilities, as misconfigurations within Active Directory often lead to full compromise of the environment.
So it is a key target for an attacker. So, if you were around for the pre-show, attackers are almost always going after Active Directory, because most companies today have some form of Active Directory in their environment.
So it is key to have a solid understanding of the various components and how to secure them against the various attacks. So again, Active Directory is a central identity management system.
It's designed to efficiently manage user accounts, their passwords, and group memberships, all from a single, central location. This is designed to simplify the overall management process of your organization, especially in larger organizations.
It does enhance security by providing mechanisms to verify the identity of users and then grant access to those users based on their permissions and the security policies that are applied to them.
This is really designed to ensure that only authorized users have access to the network resources within the environment. So again, Active Directory's scalability allows it to handle millions of objects within a domain and also support multiple domains within a forest.
So we'll talk a bit about domains and forests coming up. Don't worry if you don't know what those are just yet. And one of the key features in Active Directory is the implementation of single sign-on.
So it is designed to allow users to sign in once and access multiple resources with a single set of credentials, without the need to enter their password or multiple passwords in order to do so.
Now, Active Directory also supports something called multi-master replication. This is designed to synchronize the data across multiple domain controllers. The goal here is to ensure high availability and fault tolerance while also providing continuous access to that information in the event that one or more of your domain controllers fail.
So Active Directory functionality also extends to simplifying some of those management or administrative tasks by using different types of delegation. You can then enable specific users or groups of users to handle specific tasks, things like password resets or adding new computers to the domain.
So it's designed really to reduce the workload on your central IT staff by allowing some of your lower-level IT staff to take on some of that administrative overhead.
Now, Active Directory consists of various objects, again, such as users, computers, printers, groups, organizational units, and domain controllers. These are referred to as objects.
An object is any resource that's stored within the Active Directory environment. Users, for example: user objects are considered to be leaf objects. They contain various attributes such as their display name, the last logon time, and the time when the password was last changed.
And these users are considered to be security principals, and each one has a unique identifier. Other types of objects, such as contacts, represent external users, but they're not actually security principals.
So there's no login component for them. They're really there just for things like external partners or external resources.
Printers also have attributes like the name and driver information, and are also not considered to be security principals. Computer objects, on the other hand, refer to any computer, whether it's a workstation or a server, that is connected to the Active Directory network.
These are considered security principals, so they do have their own associated rights and permissions as well. Shared folders are also not security principals, but they can contain attributes like the location of the folder and the security rights assigned to that folder. Groups contain users, computers, and potentially other groups.
And the goal with groups really is to help manage permissions within Active Directory. So ideally you're applying permissions to groups rather than to individual users.
Now, organizational units are often referred to as OUs. These are containers that are used to organize objects for easy management and delegation of tasks without granting full administrative rights to the end users.
And then we have domains. So domains are the overarching structure that contains all of these objects. And each domain has its own database and its own set of policies, such as password policies, for example.
Now, domain controllers are the brains of the Active Directory network, and they are responsible for handling authentication and any access requests, as well as enforcing security policies.
And the Active Directory database is stored on each domain controller in the environment. So the last thing here is sites. Now, a site consists of computers that are connected by different network links.
So they're designed to enable efficient replication across domain controllers in different locations, whether that's different floors in a building, different buildings within a city, different cities in a country, or even, again, across different countries.
Now, Active Directory does have a comprehensive suite of directory services, identity management, and information protection capabilities. The first one is Active Directory Domain Services.
Now this is the core component that stores all the Active Directory data and manages the communication between the users and the domains. This is effectively the central repository for all users, computers, and resources within the network.
It does handle tasks such as logins, authentication, and directory searches, and also ensures the synchronization of directory data across multiple domain controllers in the environment.
There are some specialized services as well, things like Active Directory Lightweight Directory Services. This is a lightweight version of Active Directory that supports directory services for applications that don't actually require a full domain controller.
So it can operate independently or alongside Active Directory Domain Services. And again, it works by storing application-specific data with custom schemas based on the needs and requirements.
Now, Active Directory Federation Services provides single sign-on capabilities and supports seamless access across different organizations, and uses claims-based authentication in order to manage the user's access to the resources.
So this enables users to access multiple applications, again with a single set of credentials, even across organizational boundaries. So with Federation Services, usually you'd set up federation between your organization and potentially another organization in order to share resources.
That's where this component comes in. And then Active Directory Certificate Services. Again, this is a public key infrastructure, or PKI, that's built into Active Directory.
And then Rights Management Services. This is designed to protect digital information from unauthorized access using encryption policies.
So it works with Microsoft applications to ensure that your sensitive data is protected both online and offline, and uses some persistent security measures that allow that security to follow the data regardless of where it's located.
Now, the Active Directory architecture includes a number of components: forests, trees, domains, organizational units or OUs, and domain controllers. Now, forests are the top-level containers.
These provide a security boundary within which users, groups, and computers all interact. It does allow centralized management and collaboration between multiple domains through a variety of different trust relationships.
So when you create a new domain in Active Directory, you either join it to an existing forest, an existing domain, or you're creating a new forest. If it's brand new, the first one you create is going to be the root of the forest.
Trees consist of multiple domains within a forest that share a contiguous namespace, such as child domains. You can also have multiple trees within a forest.
Domains, then, are logical partitions, each one with its own Active Directory database as well as its own security policies. Now, within each domain you have OUs (organizational units), domain controllers, and sites and subnets.
Now, OUs again are containers that hold groups, users, computers, and potentially other OUs as well. They enable both the logical organization of your environment and the delegation of administrative tasks.
This does again help administrators manage those resources very efficiently by applying Group Policies and security settings to those OUs and subsequently to anything that's contained within that OU.
Now, domain controllers run the Active Directory Domain Services role, and they provide authentication and directory services as well as enforce the security policies.
There is a concept of read-only domain controllers. They are exactly what they sound like: a read-only copy of the database. They are designed to provide services in locations where you have a lower level of security.
So for example, maybe a branch office where you don't have a dedicated server room. You might need a domain controller there, but you put a read-only domain controller there, so if something happens and someone picks it up and walks away with it,
they don't have a full read-write copy of the database; there are no hashes stored in the read-only database. And the global catalog: this is a special domain controller that stores a full copy of the objects in its domain and a partial copy from the other domains that are contained within the same forest, designed to speed up searches and the logon process across the forest.
And finally, sites and subnets are used to manage replication traffic and optimize those authentication requests based on geographic location. So if you're in a large organization where you have multiple sites, you're going to be heavily using these different sites and subnets to configure the different rules that are associated with replication.
Speaking of replication, in most cases you are going to want multiple domain controllers in order to manage Active Directory efficiently. If it's a small lab, you can probably get away with one. Just be aware that if the domain controller crashes or blows up or corrupts or whatever the case is, you're starting from scratch.
The idea is multiple domain controllers, and then you want to make sure those domain controllers are synchronized. To do this, Microsoft introduced the directory replication service.
Now, replication is the process of synchronizing your directory data, again, those objects along with their attributes and the metadata, between multiple domain controllers within a domain or within a forest.
This ensures that any changes that are made to directory objects on one domain controller are propagated to all the other domain controllers, such as a password. If you change your password on one domain controller, you want to make sure that replicates to all the other domain controllers,
so obviously you can log in if you happen to go to a different site. Again, this helps maintain consistency as well as providing fault tolerance across the network. Now, replication does follow a very specific replication topology, and that topology defines how connections and replication paths are established between the domain controllers.
Each domain controller will have a set of replication partners. Those partners can either be in the same site or across different sites, if you choose. Replication occurs periodically based on some predefined intervals.
So those intervals are configurable depending on the type of data that's being replicated. Common intervals are 15 minutes for domain-specific data or up to 180 minutes for configuration data.
So replication is also triggered by certain events. A password change or the creation of new objects will trigger a replication across the domain as well.
Now, there are two types of replication in Active Directory. The first one is called intra-site replication. This occurs within a single Active Directory site.
It is designed really for those areas that have low-latency, high-speed communication within the environment. Replication in these environments happens more frequently to ensure the quick propagation of changes within the same site.
And then we have inter-site replication, which occurs between different Active Directory sites, so maybe across different parts of the city, or from one site to a site in a different country.
So those sites typically will have, not so common today, but sometimes you'll still have slower and less reliable network connections. So the replication is designed to occur less frequently than with intra-site replication, just with the intent of minimizing the impact of network traffic across the WAN.
Active Directory trusts are relationships between domains in an Active Directory network, and they enable secure communication and resource sharing across different domains or forests. These trusts allow users in one domain to access resources in a different domain.
So those trusts can either be one-way, where one domain allows access to another but not vice versa, or they can be two-way trusts, where both domains allow access to each other's resources.
So within those trusts, they're also categorized into two different types: transitive trusts and non-transitive trusts. A transitive trust allows trust relationships to flow through intermediary domains.
So for example, if domain A trusts domain B and then domain B trusts domain C, then domain A and domain C automatically trust each other as well, through domain B.
Now, non-transitive trusts do not extend beyond the two domains that are involved, so those relationships don't propagate further. So similar to the previous example, domain A trusts B, domain B trusts C.
That means that domain A does not automatically trust domain C when you're using a non-transitive trust. Group Policy allows administrators to define and enforce various system settings, security policies, and configurations for groups of computers or users within a domain.
So it provides centralized control over a variety of aspects of the Windows operating system, things like applications that are installed, network settings, and password requirements, and all those settings are stored in Group Policy Objects, often referred to just as GPOs.
Now, those GPOs can be applied to either users or computers within specific Active Directory containers, such as sites, domains, or even as far down as organizational units.
So these enable admins to basically target configurations for various types of users or groups within an organization. So, for example, you may have different GPOs applied to your finance users than what you would have applied to your IT or your manufacturing or your marketing users.
Now, each GPO acts as a container for a variety of settings, scripts, and templates that manage the behavior and security of a system, things again like password policies and firewall rules. You can install software through Group Policy.
You can even do things like controlling the desktop backgrounds, mapping network drives, or mapping printers as well. GPOs apply to specific users, groups, or computers, and you can use security filtering to provide additional fine-grained control over who receives certain policies within a GPO.
And they can be customized for both user and computer configurations.
GPOs that are applied to users take effect during the login process, and they are specific to the user regardless of which system they log into. So if you log into a computer in the finance department in Los Angeles, and then you also go log into a different computer in New York City, the GPO settings would be the same.
Settings would be applied to you regardless of where you logged in. Computer settings are a little bit different. They're applied to the computer itself, and they are independent of the user logged in. So any user that logs into that computer in Los Angeles will have those computer-specific settings applied to that computer, which may or may not be different from users who log into a computer in your New York office, for example. GPOs are applied in hierarchical order as well.
They allow an administrator to enforce certain policies over other policies when a conflict arises. So settings that are applied at higher levels, such as domains, can sometimes be overridden by settings that are applied at lower levels, such as maybe at an OU.
Group Policy updates occur periodically, typically every 90 minutes. By default, there is a randomized 30-minute offset designed to prevent overloading the domain controllers.
You can also force updates using the gpupdate command at the Windows command prompt if you need to apply changes more quickly. So if you apply something and you need to test it out, or you want it to go into effect right away on a specific machine, you can force the Group Policy update from the command line.
Now, the management of GPOs is handled through the Group Policy Management Console. It is a graphical interface that simplifies the creation, editing, and organization of GPOs, and provides a centralized platform for managing policies within the domain or within the forest.
It also provides that hierarchical view of the GPOs, so you can understand how they're related to the various OUs and domains and sites within the organization. So this does make it easier for an admin to understand how policies are applied across the Active Directory structure, and also allows you to back up and restore Group Policies, which can be a necessary thing for disaster recovery, or maybe if you want to preserve your configurations.
You want to have something you can revert back to if you make a mistake on your policy. In addition to creating and editing policies, the Group Policy Management Console, or the GPMC, also supports various modeling tools as well as reporting.
So you can generate reports that show the effects of the various GPOs on users and computers. It's also great for troubleshooting, as it provides some very detailed insights into the policies that are applied, including the order of application of those GPOs as well.
It also allows for delegation, so you can allow different IT personnel to have limited access to specific GPOs, with the goal of minimizing the risk of unintended changes to GPOs that might affect a wider scale of users. It does integrate again with Active Directory Users and Computers to streamline that process of linking the GPOs to the various objects within Active Directory.
Now, when you first set up your domain, there are two default GPOs that are created. The first one is the Default Domain Policy. This one applies to all users and computers within the domain and covers things like password policies, account lockout rules, those types of things.
And then you have the Default Domain Controllers Policy. And that one applies specifically to domain controllers, things like security configurations, audit policies, and user rights assignments.
Both these policies are crucial in Active Directory, so just be aware that they should be modified very carefully, as they do have domain-wide implications if something goes wrong.
So generally speaking, it is not recommended to put all of your settings in that Default Domain Policy. It is better to create separate policy objects, different GPOs for different settings, for a number of reasons.
First off, it allows you to provide more granular control over specific settings. It allows you to more easily manage, troubleshoot, and modify the policies without affecting other settings that may be applied to larger groups of people.
That Default Domain Policy, ideally you want to reserve for things that need to be applied universally to all users, things like password policies or account lockout policies as well.
So by not using that Default Domain Policy for everything you do, you reduce the risk of unintentionally affecting the entire domain full of users.
Troubleshooting can become more complex as well if you put all your settings into a single GPO. With separate GPOs, it is easier to identify which GPO is causing an issue, and therefore you can just disable that GPO and address the issue really quickly, as opposed to having to modify the default policy and hope that it's going to solve the issue.
It does also provide for greater flexibility, applying different policies to different groups or different OUs of users and computers, and allows you to target your applications based on the needs of very specific departments or specific users.
Now, when it comes to authentication protocols, there are two protocols used in Active Directory. The first one is NTLM, NT LAN Manager. This is an older protocol for Windows networks. It uses a challenge-response mechanism to verify user credentials. And then Kerberos.
Now, Kerberos is the default protocol that you use in Active Directory for both users as well as for services. It uses ticket-granting tickets, or TGTs, for that communication, and it enables mutual authentication between the client and the server.
So Kerberos does provide better security and efficiency over NTLM. Be aware that NTLM may still be used for backwards compatibility with some older legacy systems.
Now, within NTLM, there are two versions of NTLM. NTLMv1 is the older authentication protocol used for verifying users. It works with a challenge-response mechanism where the client sends an authentication request and then the server responds with a random challenge.
The client will then generate a password hash and encrypt it using that challenge, and then send that encrypted hash back to the server. The server will then repeat that same process, comparing the client's hash with its own.
If they match, authentication is successful, and the user is allowed to log in. So NTLMv1 is largely deprecated due to a multitude of various security vulnerabilities.
So hopefully you're not using this today. If you are, you may want to reconsider that. Now, NTLMv2 is a more secure and enhanced version of the NTLM protocol.
It does address many of the vulnerabilities within NTLMv1. One of the ways it does that is by incorporating some stronger cryptographic techniques. It does also require mutual authentication, meaning both the client and the server have to prove their identities to each other.
So this does incorporate some additional data, such as timestamps, into that challenge-and-response mechanism. So when a client attempts to access the network, it sends an authentication request to the server, and the server responds with a random challenge. With NTLMv2, the client will then use a combination of the password hash, the server's challenge, and some other data like those timestamps, for example, to generate that response.
That response is then sent, with a client-generated challenge, back to the server. The server will then perform that same function, and if they come to the same encrypted hash value, then authentication is successful and the user is granted access.
Now, Kerberos is again the default authentication protocol used in Active Directory. Its primary purpose is to provide secure authentication and communication between the clients and the services.
Kerberos cannot be used on standalone computers. It does require Active Directory for operation. So, while this is the default protocol in use, if a system does not support Kerberos for whatever reason, maybe it's a legacy system or just flat out doesn't support it, the system will fall back to NTLM.
So Kerberos is based on a key distribution center, or KDC, and that is made up of three different components. The first component is the authentication server. This is the piece that performs the initial authentication.
You have a ticket-granting server that issues service tickets based on those initial TGTs, or ticket-granting tickets, that are obtained from the ticket-granting server.
And then you have a Kerberos database that stores the authentication and identification information as well. So once a user is authenticated, Kerberos will provide a specific ticket for the session, and those tickets are then used instead of passwords to gain access to the various resources.
So this provides security while eliminating the need to transmit passwords over the network, as you're passing tickets around instead of passwords. So again, some of the key features of Kerberos: it authenticates users by verifying their identity through the issuance of a TGT, or ticket-granting ticket.
And it authorizes users to access specific services based on service tickets that are issued by the ticket-granting server. It also enables single sign-on, allowing users to access multiple services without having to re-enter those credentials.
It provides mutual authentication, again, ensuring that both the client and the service verify each other's identity. And it uses secret-key cryptography to secure that communication as well.
Kerberos has something else within it called a PAC, or Privilege Attribute Certificate. This data structure is used in the Kerberos authentication process, and it includes some information related to the user's authentication.
Things like any important security attributes that are related to that user, along with any data specifying the user's group memberships, their user rights, and whether they have administrative privileges, such as domain group membership, for example. That PAC is designed to ensure that the user's security context is properly communicated within the environment.
It is digitally signed by the KDC, or key distribution center, and that digital signature is designed to guarantee that the PAC has not been tampered with during transmission.
So when a user obtains a service ticket from the KDC, their PAC is embedded within that service ticket. So whenever they attempt to access resources within the domain, that PAC is presented to those resources, where its authenticity and integrity are then verified.
So domain controllers, for example, and other servers will use that PAC to make access control decisions. So when a user requests access to a file or resource, the PAC is consulted to determine if the user has the appropriate permissions based on their group memberships and the privileges that are assigned to the user.
If the PAC is valid and the user's authorization is confirmed, then access is granted. If the PAC is found to be invalid, or if the system suspects it's been tampered with, access will then be denied.
Another feature of Kerberos is something called a service principal name, or an SPN. These are unique identifiers that represent specific network services. These play a key role in the authentication process, as they do help define which service a client is requesting access to.
They do follow a specific format. The format is always service/hostname, where the service is a type of service like HTTP or SMTP, for example.
And then the hostname refers to the fully qualified domain name of the server that’s hosting the service, like db.example.com, for example.
Now, each SPN has to be unique within the domain. This is to prevent confusion and ensure that clients can accurately identify and request access to the correct services.
Those SPNs are registered in the KDC for the domain where the service is hosted. So during that registration process, that SPN is linked to the service’s secret key, which the KDC will later use to encrypt any service tickets for clients that are attempting access to that service.
So when a client requests access to a service, it includes that SPN in its service ticket request. The ticket granting service then uses that SPN to identify which service’s secret key should be used to encrypt the session key that’s stored within that service ticket.
So in a Windows environment, you use the setspn.exe command line tool to manually create those SPNs. Elevated permissions are required for this, so regular users are not able to create SPNs.
They can read them, obviously, they need to be able to, but they cannot actually create them. It does require administrative access. So the Kerberos authentication process involves multiple steps in order to ensure a secure exchange of credentials between the client and the KDC.
So first step, a user will initiate the authentication process by providing their credentials to the authentication server. The authentication server will then verify their credentials and, if successful, will generate a TGT, and that TGT is typically valid for 10 hours. Once that ticket expires, after the 10 hours, Windows will automatically request a new one. So now the user’s got a TGT.
If they want to access resources on the network, they will submit a request to the ticket granting server and provide that TGT as well as the name of the service they want to access, or the SPN that they want to access.
The TGS will then verify the TGT and check with Active Directory to confirm that the user is authorized to access the requested service. If the user is authorized, the TGS will issue a service ticket.
That service ticket will contain the user’s identity and a session key for both the user and the service. That service ticket is then encrypted with the service’s secret key.
The client will then present that service ticket to the service. The service will verify the ticket, ensure the user is authorized, and verify that their identity is valid based on the trust that that service has with the Kerberos system.
If everything checks out, the service grants the user access to the requested resources. So it’s again a multi-step process. It sounds complicated, but not really.
Now, moving on to user accounts. User accounts are created either locally or within Active Directory to allow users or services to log on to systems and access resources based on the rights that are assigned to them.
So when a user logs in, the credentials are verified and an access token is created. That access token contains the user’s security identity as well as their group memberships. And then that token is used to interact with processes and access various resources along networks, such as file shares, applications, database servers, and so on.
User accounts are commonly grouped together, ideally just to simplify administration. This allows privileges to be assigned to groups, again, rather than to individual users. Now, user accounts in Active Directory can have a wide range of permissions, from basic read-only accounts all the way up to full administrative accounts that have full control over the domain.
So if they’re misconfigured, obviously this can create some security vulnerabilities that an attacker could potentially exploit. So users, again, as much as I hate to use the term, users are unfortunately often the weakest link.
So it is important to implement some strong policies and management procedures around those users and their accounts in order to reduce risks related to user behavior.
Now, local accounts are stored on individual machines. Their rights are limited to that host or that machine where they’re created. They’re not managed across a domain like domain accounts, and therefore they don’t have access to different resources outside of the system that they’re created on.
Domain accounts, on the other hand, are granted rights from the domain, so they can access shared resources, things like file shares and printers. Now, there are several domain accounts that are created when Active Directory is set up.
The first one being an administrator account; this has full control over the domain. The second one is the KRBTGT account, and this is the service account that Kerberos uses for authentication.
Now, domain-joined computers benefit from group policy configurations. Again, you can centrally manage the configurations for your computers and resources.
Non-domain-joined computers, things like computers in a standalone workgroup, obviously are managed independently, so this can make resource sharing and administration more complicated in larger environments.
Non-domain-joined computers are fine maybe for a small business that has 5 or 10 users, not a big deal. It very quickly becomes an administrative nightmare in larger organizations, where it just becomes unmanageable.
Now, groups in Active Directory allow similar users to be centralized for easier management of rights and access. So there are some built-in groups in Active Directory.
You can also create your own custom groups for more specific needs. Built-in groups are created when the domain is set up, and generally they’re used for administrative purposes. So there are built-in groups such as Domain Admins, which have specific scopes and a specific set of permissions applied to them.
Over time, the number of groups in Active Directory can grow very rapidly. Unfortunately, that does tend to lead to unattended access if they’re not properly managed. So ideally, regularly auditing those group memberships as well as their associated permissions is crucial to making sure that your users only have the necessary access in order to perform their day-to-day jobs.
So ideally, you want to prevent excessive group membership if you can get away with it. Now, Active Directory groups have two primary characteristics.
They have a type and a scope. When it comes to types, there are two different types of groups. First off, you have security groups. Security groups are used to assign permissions and rights to a collection of users.
And then you have distribution groups, which are typically groups that are primarily used for things like email groups, those types of things. There are three different scopes as well.
Each group has a potentially different scope. So you’ve got the domain local scope, global scope, or universal scope. Now, groups that are set up as domain local groups are only able to manage resources within the domain that they were created in.
But that group can contain users from other domains within a forest. Global groups can manage resources in other groups, but can only contain accounts from their own domain.
And then you have universal groups. Now, universal groups manage resources across multiple domains and forests, and they can contain users from any domain. Groups can also be nested as well.
That means that one group can be a member of another group, which leads to users indirectly inheriting permissions. So this can simplify administration, but it can also complicate auditing as well.
Users may unintentionally receive privileges they weren’t supposed to have, which can make things very difficult to track down if you have lots of groups nested within groups.
Now, Active Directory Certificate Services. This is a Windows Server role for managing the public key infrastructure in an Active Directory environment. It enables the issuance, management, and revocation of digital certificates for systems, users, applications, and devices in your network.
It is very tightly integrated into Active Directory, which simplifies the management of those certificates by ensuring that those certificates are automatically distributed across the domain.
So digital certificates are essential for things like verifying identities and encrypting data. They typically bind to users, devices, or services and provide the security that is needed for various different tasks, such as maybe email, network communications, VPN access, and so on.
Certificates that are issued by Active Directory Certificate Services are automatically recognized and trusted within the Active Directory environment where they’re created.
AD CS also supports certificate revocation mechanisms, such as certificate revocation lists and the Online Certificate Status Protocol.
This allows you to expire any certificates that have been compromised. You can mark them as revoked and then invalidate those certificates.
AD CS consists of several critical components. At the core of it is the certificate authority. Now, the certificate authority is responsible for issuing, renewing, and revoking those digital certificates.
And there are two types of certificate authorities within Active Directory. The root CA, or the root certificate authority, serves as a trust anchor, and then you have subordinate CAs, which are the ones that issue certificates to the end entities.
An entity is basically a user, computer, or service that requests a certificate. Now, that CA ensures the proper binding of public keys to the various different entities that request them.
So this provides the foundation of secure communications and identity verification within Active Directory. Now, certificate templates play a crucial role in standardizing certificates.
They define the properties and attributes of certificates that are issued by the CA. They’re designed to ensure consistency across the various different certificate types, such as user certificates or web server or code signing certificates.
The certificate revocation list is also an essential mechanism. It’s published regularly by the CA to revoke any compromised or invalid certificates.
Certificates are stored within the designated certificate store on the Windows system. So this acts as a repository for all the certificates, allowing them to be managed and accessed by the various different clients in the environment.
So just like any PKI out there on the public Internet, a certificate request process involves several key steps to ensure that those certificates are issued securely.
First off, the entity requesting the certificate will generate a public and private key pair. That private key is kept separately, and then a certificate signing request, or a CSR, will include the public key as well as the entity’s identity, and that is then submitted to the CA.
The CA will then verify that request, ensuring that it meets the various different security requirements and identity requirements.
And if approved, the CA will then issue the certificate. The entity will then install that certificate on their device or on their system and link that with the corresponding private key.
Now again, AD CS uses certificate templates. These are predefined configurations that specify the type of digital certificate that can be issued by the CA. So they’ll determine things like the certificate’s properties, any attributes, the key usage, and any other settings that are required.
These allow an administrator to standardize the issuance of certificates based on a variety of different purposes, things like, again, email or VPN access or code signing. And they’re designed really to ensure that those certificates meet specific security and specific operational needs.
Now, there are a variety of different types of certificates that are used by AD CS. The first one is the user certificate. These are typically assigned or issued to individuals for things like email signing, encryption, or user authentication.
Computer certificates are used for authenticating computers, usually used for things like remote access. Sometimes you’ll use them for access to Wi-Fi if you’re using 802.1X, and then web server certificates, obviously used for HTTPS servers. Code signing certificates are used by your developers to sign their executables and their scripts to ensure that they come from trusted resources.
Sometimes you’ll have policies in place that will only allow scripts to run if they’re digitally signed. That’s where these code signing certificates will come into place. And then lastly, smart card logon certificates, typically used for those environments where they’re using smart cards as their login process for authentication.
Now, each of these certificates plays a very important role in ensuring trust and secure communications within your network, within your Active Directory network.
Okay, so now we’ve come through kind of the core pieces of Active Directory, and what I personally consider to be the most important pieces. Let’s talk about some general best practices.
First up: backup strategies, patch management, and change control are crucial in Active Directory to ensure the maintenance of a secure and resilient Active Directory environment.
So, regular backups of the Active Directory database as well as any critical system files. Ideally you want these scheduled so that they run on some set schedule. And you also want to make sure you can take system state backups as well.
The key thing with backups is not just making the backups; you need to test them as well. So you want to make sure you’re testing them periodically to ensure the data integrity and to make sure that, frankly, they can be restored at all.
There’s nothing worse than attempting to restore a backup only to find out the backup’s corrupt and doesn’t work. Patch management is also essential here as well. So you want to make sure you have a regular patch policy to make sure that any patches for Active Directory are being deployed in an appropriate fashion.
Ideally, testing those in a non-production environment first, if you can. Monitoring and auditing as well. These are key to detecting and responding to any potential issues within Active Directory, not just security issues, but also performance issues as well.
Ideally you want to enable auditing for things like user logins or failed logins, as an example. Performing regular reviews of your security groups and memberships is important as well, as well as any modification of any policies you have.
So ideally, using some kind of automated tools to alert you of that activity as well. Those security policies play a vital role in your environment. So you want to make sure that you have strict policies around your passwords, restricting administrative access, and ideally using group memberships and GPOs.
On the slide there, there is a link where you can go to the Microsoft site where they will provide to you all the different best practice configurations for auditing in the environment.
So again, tracking user activity through those login events, monitoring object access. This will help you detect any unauthorized access or changes to those critical resources.
So you want to make sure you have all those audit policies configured to track those specific events like login attempts, or any privileged use, or accessing any objects.
Now, the Event Viewer is a built-in Windows utility. It does provide very detailed logs, things like the various different system events, any errors and warnings.
This is a critical tool for monitoring any issues related to Active Directory. So ideally, when it comes to Active Directory specifically, you want to focus on the logs that are within the Directory Service tree for any errors and warnings that are there.
The security tree, or the security logs, obviously will contain any unusual or suspicious authentication attempts as well. So you can use filters, of course, to narrow down specific issues such as failed logins or any replication errors to speed up your troubleshooting process.
There are some command line tools like dcdiag and netdiag that will provide you some deeper insight into the health of the system. So dcdiag provides diagnostic checking of the domain controller’s health.
Specifically, you can check for things like the functionality of DNS or the functionality of DHCP to make sure they’re operating efficiently. netdiag is a network diagnostic tool, and this one is really designed to test the network connectivity and help you identify any problems in communication between your clients and your servers.
Monitoring replication is crucial as well, especially with multiple domain controllers. You want to make sure you’ve got data consistency across those domain controllers. The repadmin tool can be used for that.
You can gather just a summary to have a quick summary of replication status, or you can use the /showrepl flag, which will allow you to identify any inbound replication partners as well as their status, ideally to help you determine if Active Directory is synchronizing correctly.
So ideally you want to address any replication failures as quickly as possible to prevent any data inconsistencies and ensure that your Active Directory environment is running efficiently.
Now, DNS is an essential component of Active Directory as well. I didn’t touch on it because I think everybody knows what DNS is already today.
So again, with DNS, it is essential to ensure that all your domain controllers are correctly registered in DNS, and they’re effectively providing name resolution in addition to the replication as well.
So in order for this to work, you have to make sure your sites and services, your sites and your subnets, are set up to reflect your physical network. That will help optimize the flow of data in the environment, as well as optimize the login traffic and the replication efficiency as well.
So to manage that replication, you’re going to use different site links, and then you’re going to adjust the cost of those site links based on whatever the resources are.
Maybe you’ve got a slower network connection there, maybe you’ve got a faster connection. Ideally you want to be able to control the replication traffic and schedule it appropriately so it’s not overwhelming your network.
So you can speed up and minimize login times as well by reducing the number of GPOs that are applied to users and computers. One method, again, is to implement filtering to specific targets or specific users and computers as needed.
So ideally also, people often forget about tracking their metrics, such as their CPU, memory, and network usage as well. Those allow you to adjust resources to maintain optimal performance on your domain controllers.
If your domain controller is underscoped, not enough CPU, not enough memory, it’s not going to perform very well. So monitoring those as well, tracking those metrics, is going to help you make sure that those systems have enough resources and they’re running optimally.
Now, to ensure redundancy, again, it is recommended to deploy a minimum of two domain controllers in each domain and ideally, if you can, place them in different physical locations for geographic redundancy if possible.
So again, a disaster recovery plan is key here as well: regular testing to make sure you can restore your Active Directory in the case of a failure. In locations where, again, physical security cannot be guaranteed, such as a branch office, you want to consider using those read-only domain controllers, which will then again allow you to limit the data that’s stored on them, to minimize the risks if the machine is compromised.
In addition to that, services like DNS and DHCP, ideally you want to configure them with failover nodes for high availability and fault tolerance as well. In the event one goes down, or you take one down for whatever reason, you still have a second one, ideally, to handle the workload.
Now, when it comes to security, it is essential to implement the principle of least privilege, again, granting users only the access that they need in order to perform their jobs.
So highly privileged accounts like your domain admin accounts should be avoided for routine day-to-day tasks. Ideally, your admins should have separate low-privileged accounts that they use for their day-to-day activity.
Securing your domain controllers is just as important as well. So that means physically securing them, as well as installing only the essential software required and regularly updating and patching them as well.
So strong password policies should be enforced on your administrative accounts as well, where you want to make sure you have the appropriate complexity requirements, any expiration periods, basically how long the password is good for before you have to change it, and then, if you can get away with it,
multi-factor authentication on your administrative accounts as well. Yes, even on the inside internal network. Regular audits as well should track changes to your Active Directory objects, while monitoring tools can also help detect any suspicious activity.
So you want to implement best practices for group policy as well, and make sure that policies are applied at the appropriate levels, and then review those policies on some kind of regular cadence to ensure that they continuously meet your security requirements, protecting against things like pass-the-hash attacks, for example.
There are some solutions around that that can help. Microsoft’s Local Administrator Password Solution, or LAPS, will ensure unique passwords for the local administrator accounts on all your systems within your environment.
So those will then be randomized, changed at some periodic interval, and then they can be securely stored within Active Directory and accessible only to privileged user accounts. On Windows 10, Server 2016 and later, you can also use Windows Credential Guard, which will also protect against some pass-the-hash attacks by isolating and hardening the credential storage process itself.
So ideally, again, if you can get away with it, disable NTLM in favor of Kerberos. Just be aware, though, that not all systems support Kerberos, so make sure you thoroughly test that out before making that change.
Now, there are some insecure network protocols in the network as well. People hear this one quite often: LLMNR, or Link-Local Multicast Name Resolution, as well as NetBIOS Name Service.
These have been around for a number of years. There’s lots of webcasts out there on why they should be turned off, but unfortunately they still exist in many environments, so they’re often exploited by tools like Responder, for example. So you can disable them.
LLMNR you can disable through group policy by turning off the multicast name resolution setting, and then NetBIOS over TCP/IP, or NBT-NS, is not quite as straightforward, since group policy does not have a direct setting for it.
So you have a couple of choices. You can either manually configure it on each system, you can create a script that you push out through group policy, or there’s a registry setting as well, and you can control that registry setting through a GPO as well.
A couple of things you can do to prevent these types of protocols from being abused: network access control. So network access control works by enforcing some policies and access control measures to detect and block unauthorized devices from accessing the network.
As well, you could implement network segmentation, things like private VLANs, that may then further isolate your clients to reduce that peer-to-peer communication and therefore limit the impact of potential attacks to those systems.
I think we might be running short on time here, so I’ll try and speed through. SMB signing is crucial as well. This ensures the authenticity and integrity of SMB packets by digitally signing them.
So this is designed to prevent SMB relay attacks, to ensure that the incoming packets haven’t been tampered with. Again, you can control this through group policy.
The setting is there in the slide. I think it’s in the slide, is it? Yeah, it is there. Stronger authentication methods, again using Kerberos and so on. Tiered accounts, and the principle of least privilege.
And then, when these are properly implemented, those tiered accounts will then prevent those high privileged credentials, such as those belonging to your domain admins, from being unnecessarily exposed. And then limiting local administrator rights to users can also help against some SMB relay attacks.
Even if they are able to relay a connection with low privilege user accounts, it makes it more difficult for them. Finally, there is the concept of the Protected Users security group.
This group is specifically designed to protect against credential theft attacks, as well as some other security mechanisms as well. So consider putting your administrative accounts in that Protected Users security group.
Kerberos. One of the things that people can do with Kerberos is very quickly enumerate all the users within your system. That unfortunately cannot be prevented, due to the fact that it’s a legitimate functionality of Kerberos.
But there are several ways to mitigate that and to detect when it’s happening. First off, proper logging on your domain controllers; there’s a variety of event logs listed here on the slide.
These will track events like TGT requests, failed pre-authentication attempts, and any service ticket renewals as well. Rate limiting Kerberos authentication can be an effective way as well to counter some of those brute force attacks and also to slow down the enumeration process.
Honey token, or honey or decoy, accounts with strong passwords and restricted logon capabilities can also help to slow down that enumeration process.
So service accounts should ideally use long, randomly generated passwords, ideally 30-plus characters, and you should change them any time a privileged user that has access to those leaves your organization or any time you suspect an account compromise. The KRBTGT account as well:
that password should be changed regularly. Changing that password will immediately invalidate any existing golden tickets or silver tickets in the environment. So just be aware of that. You do need to change that password twice, as it does have a password history of two.
So just be certain that you leave an adequate period of time in between those password changes. If you change it too quickly, you’ll effectively invalidate every Kerberos ticket in your environment, and that’s not going to work out to be a very good day for you.
Group managed service accounts as well were introduced in Windows Server 2012. They are designed to centrally manage and implement complex random passwords for all of your service accounts.
A strong password policy, again, reduces the risk of an attacker guessing or cracking your passwords, especially in offline attacks where maybe they’ve already gathered your password hashes.
The stronger passwords can be more difficult for them to crack, and hopefully they can’t crack them at all. Ideally you want to be using minimum 15 character passwords if you can, and encourage your users to use passphrases as opposed to short complex passwords.
Multifactor authentication, again, is key here as well. Implement that anywhere that you can. It used to be that the recommendation was to force your users to change passwords every 90 days or something like that.
Unfortunately, that does encourage your users to reuse old passwords or do silly things like just append a number or a letter or a special character to the end of the password.
So typically today it’s not recommended to change them every 90 days, according to NIST. Some requirements or some compliance, such as PCI, for example, still do require you to change those passwords every 90 days.
So if PCI compliance is relevant to you, then you may still have to work with that. All right, IPv6. We didn’t touch on IP version 6, but there are lots of attacks around IP version 6.
So, disabling IP version 6 if you’re not using it is key here as well. This will prevent Windows clients from querying for a DHCP version 6 server, which may or may not exist in your environment.
IP version 6 is enabled by default on every Windows endpoint, and unfortunately it’s typically not managed by organizations today. In an unmanaged state,
it’s quite vulnerable and can be taken advantage of. I’m just trying to speed through here because I know we’re just over time, but the last one is AD CS.
One of the things you want to manage for is the modification of any certificate templates. Typically speaking, certificate templates are not changed very frequently. So ideally you want to monitor for any changes or any anomalies related to the certificate templates.
By default, AD CS does not enable audit logging, so you will want to enable it as part of your process. So you’re looking for both success and failure logging for AD CS as well.
That of course can be enabled through group policy. Now, with AD CS there is a web enrollment interface as well. It is not installed by default; it’s not required.
You can install it for added functionality if you choose to do so. Just be aware that out of the box it is configured to use HTTP and is therefore vulnerable to a bunch of relay attacks.
So if you are using that web interface, make sure that you’re configuring it to use HTTPS instead of HTTP.
All right, so wrapping things up here, I know we’re over. Key points: make sure you plan your structure. Define your hierarchy very carefully. Determine how your domains, OUs, and groups are going to be structured in order to meet your needs.
Learn how those different trust relationships between the domains and forests can facilitate resource sharing and security access across the different areas of your network. Understand the different roles of domain controllers, DNS, global catalog servers.
Each one of those plays a critical part in the Active Directory environment. Use your OUs to group your users, computers, and resources in a logical fashion. This will help you apply policies as well as manage permissions very efficiently.
And make sure you familiarize yourself with group policy to enforce things like security settings, software deployment, user configurations, and so on. Understanding how to create manageable user accounts and the various security groups and the types of groups is also important as well. You also want to make sure you learn about the different authentication methods like Kerberos and NTLM to make sure that you can provide secure access for your users and reduce the risk of unauthorized.
And then finally, strong password policies, restricting administrative privileges, and auditing to monitor that activity. So make sure you have a backup plan as well. Can’t stress that one enough. There’s nothing worse than your Active Directory environment blowing up and you have no backup to refer back to.
All right, wrap it up. Sorry, I sped through that really quickly at the end, but I apologize. But I believe the slides are in Discord for you to download.
Zach Hill
Yeah, they're in the Anti-Cast resources channel if anybody wants to access those slides. And I'll put that in the chat also. But thank you, man, that was fantastic.
It was such a great overview. It's been a while since I've been in Active Directory, so getting this refresher was fantastic for me. So for anybody out there who's not familiar with Active Directory, I hope you learned a lot today, or I hope it was a great refresher for you as well.
So, do you have a couple minutes for questions?
Dale Hobbs
Absolutely.
Zach Hill
Awesome. I know we have a lot. Like, there were a lot of questions that I saw come through, so I doubt we'll be able to get to all of them. So is there a good way to get a hold of you if people have any further questions?
Dale Hobbs
I mean, I try to stay in Discord, but realistically, things go so fast in Discord. It's like trying to stay on any social media platform where you look at something and then you look away, and when you look back it's refreshing.
You're like 30 screens away. So you can try Discord. Instagram. Sorry, LinkedIn. I'm on there as well. Twitter. Not called Twitter anymore. X, I guess. It's still Twitter.
Zach Hill
Yeah, it'll always be Twitter. All right, this is a great first question to start off with, because now you have introduced everybody to what Active Directory is and what it does.
Here's this overview. Are there any good home labs that you can recommend that somebody do with Active Directory?
Dale Hobbs
Yeah, so if you're looking for a free resource, of course, there is one called GOAD, Game of Active Directory. I don't remember the link for it. Someone named Mayfly, I think his name is.
It's really good. It goes through a lot of the various different attacks. Well, it's more from the attacking side as opposed to standing up Active Directory. But if you're looking to not just build an Active Directory environment but then learn how to attack it and figure out how the various attacks work, that resource is really good.
He's got a deployment tool. I forget what it's called, I'm drawing a blank on it. But it deploys a set of VMs, building an entire forest basically.
And then you can follow through his step-by-step guides that he's got on his webpage to learn how to do the various different attacks. And then ideally, if you're doing the attacks, that's great. But if you're a blue teamer, obviously you want to learn how to make sure those attacks don't work in your environment.
So I think it's a good idea to go through those, then implement some of the controls and then try those attacks again and see if they still work, or make sure that, hey, yeah, those don't work, that control works, I can put that in my own environment.
Zach Hill
Perfect. Yeah, I put the link for GOAD in the chat as well. I think somebody else did also. But yeah, definitely a great resource for y'all to check out. This is kind of a good question.
I think we talked about this a little bit in the pre-show, somewhat, but what size, like numbers of users and devices, would use Lightweight Directory Services versus the full AD DS?
Dale Hobbs
I don't know if you'd use Lightweight as a full-blown Active Directory deployment. I think it's more designed for specific use cases.
I've never come across it, to be honest with you. It's either Active Directory or a workgroup. And workgroups, again, they don't work very well. When you start getting to ten-plus users, they just become unmanageable.
But yeah, that's a good question. I can't think of a good scenario where I would use that, especially to replace Active Directory altogether.
You can run it either with Active Directory, side by side in tandem with it, or you can use it on its own, but I don't think you'd use it on its own for full environment management.
Does that make sense?
Zach Hill
Thank you, sir. This is a great question from Nathan. I think it should lead to a pretty good answer, but is there a way to alert when a user logs in from a different geolocation in a short period of time?
I don't think AD has this specifically. That would be more built in with your SIEM if you had one, correct?
Dale Hobbs
Yeah. The impossible travel is always fun. No, to my knowledge, AD doesn't have anything built in. But yeah, that gets tricky. Like you're saying, for example, you do have to have some tools, but I don't know how much I trust that.
Especially now with everybody working from home. It used to be that you'd go work in the office, but now people work from home. So when you VPN in, you might be living in, I don't know, Chicago,
and your VPN exit point is in Florida somewhere. So you access your email from Chicago and then you VPN from Florida and it looks like, oh, hey, how did you travel that far? I don't know how much I trust the impossible travel thing anymore, but I think it's still something good to look at.
But I don't think it's built into AD. You can definitely alert on the process itself, but I'm not sure how.
I don't think you can do that natively in Active Directory.
Zach Hill
Awesome. What happens if you accidentally try to assign two GPOs to an object that have conflicting settings?
Dale Hobbs
The one that's higher in the tree will override the lower one. Sorry, the one lower in the tree. So if you have one OU and then you've got another OU nested inside that one,
the lower OU's ones will apply. If you have one OU and two policies applied at the same level, I would expect to see some abnormalities, unless you specifically... because the other thing too with a GPO is that for the GPO itself you can specify that one to be enforced, and that means that something else can't override it, even if it's at the same level.
If you don't, by default, I would assume... I've never tried it, but I'm going to just take a wild guess that your settings would probably flip back and forth, would be my guess.
I don't know. I've never tried it. Now I'm going to go try and see what happens, though.
Zach Hill
Awesome. Seth wants to know if Kerberoasting is still a legitimate threat in AD environments, or even Azure cloud environments.
Dale Hobbs
AD, yes. I did it yesterday quite efficiently on the test that I'm on right now. So yeah, it's absolutely still a thing.
Zach Hill
That's awesome. There are so many different questions and comments and feedback here. Everybody's saying you did a great job today, and thank you.
So it would take us all day to go through all these questions here, I think.
I'm like scrolling, scrolling, scrolling.
Dale Hobbs
Somebody just posted an AD CS hardening tool called Locksmith. I've never looked at that yet, so I'll have to check into that. I think that's... was that hkde?
There we go.
Zach Hill
I'm sorry, my Zoom chat got all screwed up there. You might answer this in the slides, I'm not sure, but do Kerberos tickets get cached on target systems when using network-only connections?
Like WinRM? I don't think so.
Dale Hobbs
I mean, if you request a ticket, and you can request a ticket using a tool like Rubeus, for example, or even on a Linux machine you can use other tools to request tickets, then you just have them in a cache file.
You can move that cache file around from system to system. Yes. But natively, I don't know for sure, to be honest.
I mean, the system will actually... let me rephrase that. So the system that you requested it on, when you load it up, it's going to put it in your cache for the lifetime of the ticket. So that's 10 hours, and after that 10 hours it's going to expire and you're going to request a new one.
You can change that period too. I don't think I mentioned that in there. But if you don't want your Kerberos tickets to last for 10 hours, maybe you only want them valid for 1 hour, you can change it. If you want them longer, you can change it as well.
So 10 hours is the default. It is completely configurable.
Zach Hill
Steven is asking what considerations must be made when accounting for Kerberoasting. Ensuring encryption for the TGS-REP is as high as possible, or any other?
Dale Hobbs
Yeah. So one of the things with a lot of those Kerberoasting attacks, I would say probably the biggest thing is to make sure that the passwords for the accounts are strong passwords, because with Kerberoasting, when you grab a Kerberos ticket, of course one of the things we want to do is go try and crack it, because the Kerberos ticket includes the NTLM password hash of the user.
So if we can crack it, then we have the user's password. If we can't crack it, of course, then it's no good. So I would say probably the password length, or not complexity, but the effectiveness of the password, I guess.
I'm not sure if that's the right word, but a good password, not something that could be easily cracked, for sure.
Zach Hill
Awesome. Here's a scenario: during a ransomware attack, a TA tries to get access to the DC. How does this work and how is the privilege escalation done?
Dale Hobbs
Sorry.
Zach Hill
And also, what is the impact of getting access to the DC? Sorry, right here, TA. I'm guessing during ransomware, a TA, maybe a teacher's assistant, a TA, I don't know.
Dale Hobbs
So, getting access to a domain controller, typically, I mean as a low-privilege... Okay. Yeah, so gaining access to the domain controller: if you gain access to the domain controller with elevated privileges, obviously that's the key to the kingdom.
So you can very easily dump the Active Directory database, take it offline and crack the passwords. So gaining access to a domain controller from a privileged standpoint typically equates to full compromise of the environment, because at that point you've got the password database, you just take it offline and run it through Hashcat or John the Ripper and just sit back and wait for passwords to rain down on you.
As a low-privilege user, though, your access is typically limited to file shares like the default SYSVOL folder, where there are files, maybe scripts, in there.
Sometimes people will have old scripts in there that were not created very well and would have maybe hard-coded passwords in them. So if you can gain access to those scripts, as any low-privileged user would be able to from the SYSVOL folder, any passwords in there, try them out. If they work, see what you get out of it.
Maybe you might luck out with an administrative account, and then you're back to full compromise again.
Zach Hill
Awesome. Thank you, sir. So typically when we do these webcasts on Wednesdays we do what's called a breakout room and we do like an AMA afterwards.
But today I have a meeting at 12:30, so in like ten minutes. So we're not going to be able to do the breakout room today. So I don't know, Dale, do you still have another ten minutes or so?
No? Yeah, so we'll just spend the rest of these ten minutes answering any questions you all have, if you do have them. Otherwise we can kill the webcast for the day.
But if you do have questions for Dale in regards to today's webcast, or if you have questions for myself or anybody from Antisyphon about Antisyphon Training or anything regarding security and IT certifications, things like that, we're happy to help.
Dale's done some AMAs with me, so he knows kind of how that process goes. But yeah, any questions you guys have?
Dale Hobbs
I keep trying to get to them, but it just happens that they always fall on... well, on Tuesdays, whatever. I think it's... what time is it? Noon, is it, your time?
Zach Hill
Well, it's eleven my time, but it's twelve Eastern.
Dale Hobbs
And the timing just never works out for me. So I try and get to them, but not as much as I'd like to.
Zach Hill
Here's a question. So let's say somebody did a Kerberos enumeration, based on Microsoft Defender, and there's no more info. How do you detect who did it, and how do you mitigate it?
Dale Hobbs
Usually with Kerberoasting we're going to look for... It's not very common when you're Kerberoasting that it's just one account that you find. Usually you find a bunch of Kerberoastable accounts, like various different SPNs.
So I guess one of the things you can look for is maybe someone who's requested those Kerberos tickets for a large number of accounts in a short period of time.
Zach Hill
THC Hydra or Medusa, any good?
Dale Hobbs
Those are more password tools. I've never used those for Kerberoasting. I haven't used either for quite a while, actually. But the last time I recall using those was more for password-related attacks, like password guessing or password spraying or whatever.
But I haven't tried them for Kerberoasting.
Zach Hill
Are there any other questions? I know there were a lot in there, but I'm telling you, there were so many questions today and so much different feedback and stuff I'm trying to go through.
What's the best way to get an entry-level AD job? Typically it starts off with the help desk. Help desk are typically the first people who start messing with it, like not messing with Active Directory, but getting involved with Active Directory.
Yeah, that's a great place to start learning more about it.
Dale Hobbs
Yeah, it's been a while since I've been entry level, but I remember, I'll say back in the day when I started, I don't know how many years ago, everybody started in help desk, and that was kind of where you started.
You started at help desk and you worked your way up. I don't know, is that still the case today? Do people start at help desk? Or are people more just getting out of university or college or wherever they came from and heading straight into junior admin jobs?
Zach Hill
Man, you're going to start a completely different conversation with that right there. Ooh, wow. It varies, man. It's so dependent on the actual individual these days and what they're doing above and beyond their studies.
It really... the industry has changed quite a bit. I would still say most people are looking at those entry-level types of positions, though.
Dale Hobbs
Okay. There's one question that I see here that I think is a good one. It says, if you had to give just one tip regarding Active Directory, what would it be? And I would say for that one, start building a lab and just play with it.
Like if you've got an extra machine laying around your house that you can afford to just sit in the corner and play with, or maybe you've got VMware, VirtualBox or whatever hypervisor you use.
I would say start with building a Windows server and then just go through the process of standing up Active Directory, and then just kind of follow through the best practices. Things like, where do I set up password policies?
How do I set up Group Policies? How do I configure the various different things like DHCP and DNS and all those different things? So I would say just start as if you're building something from scratch and just go for it.
Yeah.
Zach Hill
Now, depending on the speed of your Internet and a little bit on your computer, you can have Active Directory spun up in a virtual machine in about a half hour, like 30 minutes or less.
You can have that spun up and you can be diving into it. It's really, really quick and easy to do.
Dale Hobbs
If you don't have access to a machine, or you don't have virtualization, or maybe your laptop doesn't have enough resources, you can use online things like Snap Labs. They have full Active Directory environments.
Just be aware there's a cost associated with that. So just something to be aware of.
Zach Hill
Yeah, for sure. How do you use 2FA on on-prem AD?
Dale Hobbs
Yeah, so usually where I've seen it is applied on the domain controllers when you remote desktop into them. Not so much for mapping network drives, but if you're trying to remote desktop into a domain controller to administer the device, you can install MFA tools. I hate to name specific vendor names, but Duo, for example, used to have a tool that allowed you to have up to ten users, I think it was.
So if you're a small organization you can still have that ten-user license for free. You put it on the domain controller, and then anybody who tries to remote desktop into the domain controller would of course require MFA in order to log in.
Zach Hill
Thank you, sir. Do encryption types for Kerberos authentication matter for mitigating Kerberoasting?
Dale Hobbs
Yeah, most of the Kerberos stuff works with AES encryption. Some of those hacks, like I think it's the golden ticket attacks, I think they require the usage of RC4.
So when you're looking at your Kerberos tickets, if you see tickets that are using RC4 encryption, they're usually not good.
Zach Hill
Lewis was asking if you could talk about AD Sync, but I don't really... sir, like, Lewis, is there anything specific you wanted him to talk about with AD Sync, or anything you could say about AD Sync,
Dale?
Dale Hobbs
Like AD Sync for synchronization, synchronizing up to Azure.
Zach Hill
I'm not sure. I'm trying to get more info.
Dale Hobbs
I'm not sure. Depends on the question, I guess.
Zach Hill
Yeah, we've got a few minutes here left. I just want to say thank you again to Dale for sharing his time with us today, sharing your knowledge with us. And I believe you're going to be doing a four-hour workshop that'll take us a step further from what we learned today and get students a little bit more hands-on.
Dale Hobbs
Yeah, yeah, I'm working on it. Hopefully getting it out by the end of the year would be great. So the goal of that one, just in a nutshell, is to take things a little bit further than what we covered today.
Dive a little bit deeper into some of these things and then actually go through some labs, hands-on labs, where we'll actually build out Active Directory and then apply some of these different policies and things like LAPS and the different password policies and how to use GPOs and stuff like that.
So more hands-on usage of AD for someone who maybe doesn't know where to start.
Zach Hill
I guess there are a few questions, and even that question kind of came in just a minute ago, like, how do I get started? So that workshop, once you get that finished up, we'll announce it, obviously.
But yeah, it'll be a four-hour workshop where you'd be able to really get hands-on with Active Directory. So today was a great presentation introducing us to the fundamentals of just understanding what Active Directory is and what it does.
And Dale's next class will be getting hands-on with it.
And that one I'm very excited for. As soon as we have more info, we'll definitely put it out there.
I think we'll go ahead and end it for the day. Again, one last time, thank you again, Dale. Thank you to everybody out there who joined us today. We really do appreciate you.
We'll be back again next week, same time, same place. Cannot wait to see you. Who do we have coming up? I just had it pulled up and I forgot. Who's next week?
It is Josh Mason with Return on Influence. And if you guys ever want to find out what's going on next week too, like I needed to do, I just went here to this website.
I forgot the HT... oh, the HTTPS. Hold on. There we go. You go to poweredbybhis.com.
It'll take you to our Zoom stadium where you can see all of our events that are going on from Antisyphon, Active Countermeasures and Black Hills Information Security. So, with that being said, thank you again, Dale.
Thank you everybody, again. Hope you have a great week. Take care, everybody. Ryan, you can kill it with fire, sir. See y'all.