
Active Directory - Introduction

Definition : Active Directory is a collection of machines and servers grouped into domains; the domains together form a larger forest, and that forest makes up the Active Directory network.

Why use AD ?

  • To control and monitor the computers of the company's employees through a single domain controller.
  • To let a single user sign in to any computer on the Active Directory network and access his or her files and folders stored on the server, as well as the local storage on that machine.
  • To let any user in the company use any machine the company owns, without having to set up multiple local user accounts on each machine.

Pieces

  • Domain Controllers
  • Forests, Trees, Domains
  • Users + Groups
  • Trusts
  • Policies
  • Domain Services

Domain Controllers

Definition : The center of Active Directory. It is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest.

Goals

  • Holds the AD DS data store
  • Handles authentication and authorization services
  • Replicates updates from other domain controllers in the forest
  • Allows admin access to manage domain resources

AD DS Data Store

  • Contains the NTDS.dit - the database that holds all of the information of an Active Directory domain (users, groups, services, ...) as well as the password hashes of domain users
  • Stored by default in %SystemRoot%\NTDS
  • Accessible only by the domain controller

Forest

Definition : A forest is a collection of one or more domain trees inside of an Active Directory network.

The Forest consists of :

  • Trees - A hierarchy of domains in Active Directory Domain Services
  • Domains - Used to group and manage objects
  • Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
  • Trusts - Allows users to access resources in other domains
  • Objects - users, groups, printers, computers, shares
  • Domain Services - DNS Server, LLMNR, IPv6
  • Domain Schema - Rules for object creation

Users & Groups

AD comes with default groups and two default users: Administrator and Guest.

The four types of users are :

  • Domain Admins - The big boss: they control the domains and are the only ones with access to the domain controller.
  • Service Accounts (can be Domain Admins) - For the most part never used except for service maintenance; Windows requires them for services such as SQL Server, so that a service can run under its own service account.
  • Local Administrators - These users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller.
  • Domain Users - These are your everyday users. They can log in on the machines they are authorized to access and may have local administrator rights on some machines, depending on the organization.

There are two overarching types of Active Directory groups :

  • Security Groups - These groups are used to specify permissions for a large number of users
  • Distribution Groups - These groups are used to specify email distribution lists. As an attacker, these groups are less beneficial to us, but they can still help with enumeration.

Default security groups :

  • Domain Controllers - All domain controllers in the domain
  • Domain Guests - All domain guests
  • Domain Users - All domain users
  • Domain Computers - All workstations and servers joined to the domain
  • Domain Admins - Designated administrators of the domain
  • Enterprise Admins - Designated administrators of the enterprise
  • Schema Admins - Designated administrators of the schema
  • DNS Admins - DNS Administrators Group
  • DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
  • Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain
  • Group Policy Creator Owners - Members in this group can modify group policy for the domain
  • Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
  • Protected Users - Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
  • Cert Publishers - Members of this group are permitted to publish certificates to the directory
  • Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain
  • Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise
  • Key Admins - Members of this group can perform administrative actions on key objects within the domain.
  • Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.
  • Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.
  • RAS and IAS Servers - Servers in this group can access remote access properties of users
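As an added example (not part of the original notes), the following PowerShell audits the membership of the privileged default groups listed above, using the RSAT ActiveDirectory module; it assumes read access to the domain, and uses the group's real SAM name DnsAdmins for what the list calls "DNS Admins". Enterprise Admins and Schema Admins only exist in the forest root domain, so those lookups are allowed to fail in a child domain.

```powershell
# Added example: flatten the membership of privileged default groups and
# highlight user accounts that are permanently privileged.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Group Policy Creator Owners', 'DnsAdmins', 'Key Admins', 'Enterprise Key Admins'
)

$report = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect members are listed too
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        # Forest-level groups do not exist in child domains; report and move on
        Write-Warning "Could not read '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $detail = $null
        if ($m.objectClass -eq 'user') {
            $detail = Get-ADUser -Identity $m.distinguishedName `
                -Properties Enabled, PasswordNeverExpires, LastLogonDate
        }
        [pscustomobject]@{
            Group                = $group
            Member               = $m.SamAccountName
            Class                = $m.objectClass
            Enabled              = $detail.Enabled
            PasswordNeverExpires = $detail.PasswordNeverExpires
            LastLogonDate        = $detail.LastLogonDate
        }
    }
}

# Full membership picture, one row per (group, member)
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Service-style accounts (password never expires) sitting in privileged groups
# are the ones to review first: they rarely rotate and rarely get monitored.
$report | Where-Object { $_.Class -eq 'user' -and $_.PasswordNeverExpires } |
    Format-Table Group, Member, Enabled, LastLogonDate -AutoSize
```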

Domain Trusts

Definition : How users gain access to other resources in the domain, forest, external domains and external forests.

There are two types of trusts that determine how the domains communicate :

  • Directional - The direction of the trust flows from a trusting domain to a trusted domain
  • Transitive - The trust relationship expands beyond just two domains to include other trusted domains

The types of trust put in place determine how the domains and trees in a forest are able to communicate and send data to and from each other. When attacking an Active Directory environment you can sometimes abuse these trusts in order to move laterally throughout the network.
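To see the direction and transitivity of a domain's trusts as described above, here is an added example (not from the original notes) using the ActiveDirectory module's Get-ADTrust; the review rule at the end is an assumed, simplified heuristic, not an official check.

```powershell
# Added example: enumerate the trusts of the current domain with the
# attributes that govern how far access can flow across each one.
Import-Module ActiveDirectory

# Direction               Inbound, Outbound or BiDirectional, from this domain's point of view
# TrustType               Uplevel (AD domain), Downlevel (NT4), Kerberos realm, ...
# IntraForest             parent/child or tree-root trust inside the same forest (always transitive)
# ForestTransitive        forest trust that is transitive into the other forest's domains
# SelectiveAuthentication only explicitly allowed principals may authenticate across the trust
# SIDFilteringQuarantined SID filtering (quarantine) is enabled on the trust
$trusts = Get-ADTrust -Filter * |
    Select-Object Name, Source, Target, Direction, TrustType, IntraForest,
                  ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined

$trusts | Format-Table -AutoSize

# Assumed review rule: a trust leaving the forest without selective
# authentication lets any principal from the other side attempt to
# authenticate here, so it deserves a closer look.
$trusts | Where-Object { -not $_.IntraForest -and -not $_.SelectiveAuthentication } |
    ForEach-Object {
        Write-Warning ("Review trust '{0}' ({1}, {2}): selective authentication is off" -f
            $_.Name, $_.Direction, $_.TrustType)
    }
```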

Domain Policies

Definition : Rules for a domain.

Example of policies :

  • Disable Windows Defender - Disables Windows Defender across all machines on the domain
  • Digitally Sign Communication (Always) - Can disable or enable SMB signing on the domain controller
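The two example policies can be checked on a host with the following added PowerShell (not part of the original notes). It assumes an elevated session, that the SMB and Defender cmdlets are available, and that the Defender registry value under the Policies hive is only present when a GPO has set it.

```powershell
# Added example: report the effective state of SMB signing and Defender on
# the local machine, so a "Disable Windows Defender" or weakened
# "Digitally sign communications (always)" policy can be spotted.
function Get-SigningAndDefenderState {
    $smbServer = Get-SmbServerConfiguration
    $smbClient = Get-SmbClientConfiguration

    # Value written by the GPO "Turn off Microsoft Defender Antivirus" (assumed absent when unset)
    $defenderPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
        -ErrorAction SilentlyContinue
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # "Digitally sign communications (always)" for the server side of SMB
        ServerSigningRequired    = $smbServer.RequireSecuritySignature
        ServerSigningEnabled     = $smbServer.EnableSecuritySignature
        # Same policy applied to outbound (client) SMB sessions
        ClientSigningRequired    = $smbClient.RequireSecuritySignature
        DefenderDisabledByPolicy = [bool]$defenderPolicy.DisableAntiSpyware
        RealTimeProtection       = $mp.RealTimeProtectionEnabled
    }
}

$state = Get-SigningAndDefenderState
$state | Format-List

if (-not $state.ServerSigningRequired) {
    Write-Warning 'SMB server signing is not required: sessions to this host are not integrity-protected.'
}
if ($state.DefenderDisabledByPolicy -or -not $state.RealTimeProtection) {
    Write-Warning 'Defender real-time protection is off or disabled by policy on this host.'
}
```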

Domain Services

Definition : They are services that the domain controller provides to the rest of the domain or tree.

Default domain services:

  • LDAP - Lightweight Directory Access Protocol; provides communication between applications and directory services
  • Certificate Services - allows the domain controller to create, validate, and revoke public key certificates
  • DNS, LLMNR, NBT-NS - Name resolution services that map hostnames to IP addresses

Domain Authentication

There are two main types of authentication in place for Active Directory :

  • Kerberos - The default authentication service for Active Directory; it uses ticket-granting tickets and service tickets to authenticate users and give them access to other resources across the domain.
  • NTLM - The default Windows authentication protocol when Kerberos is not used; it relies on an encrypted challenge/response exchange.
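As an added example (not from the original notes), the following PowerShell reads the local Security log and summarises successful logons by authentication package, which shows how much of a host's traffic still relies on NTLM rather than Kerberos. It assumes an elevated session and that logon auditing is enabled so that Event ID 4624 is present.

```powershell
# Added example: count Event ID 4624 (successful logon) entries by
# authentication package, singling out NTLMv1 which should not appear at all.
function Get-LogonAuthSummary {
    param([int]$MaxEvents = 2000)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents $MaxEvents -ErrorAction Stop

    $rows = foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data> nodes; turn it into a hashtable
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            AuthPackage = $d.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
            NtlmVersion = $d.LmPackageName                # 'NTLM V1' / 'NTLM V2' for NTLM, '-' otherwise
            Source      = $d.IpAddress
        }
    }

    # Logon type 3 (network) and 10 (RemoteInteractive) are the ones that cross the wire
    $rows | Where-Object { $_.LogonType -in @('3', '10') } |
        Group-Object AuthPackage, NtlmVersion |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

$summary = Get-LogonAuthSummary
$summary | Format-Table -AutoSize

if ($summary | Where-Object { $_.Name -like '*NTLM V1*' }) {
    Write-Warning 'NTLMv1 logons observed: identify the source hosts and move them to NTLMv2 or Kerberos.'
}
```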
