Active Directory Basics

TryHackMe | Jamie Ngo | May 28, 2021

Background

Walkthrough of the Active Directory Basics room.


Task 1: Introduction


Task 2: Physical Active Directory



What database does the AD DS contain?

Answer: NTDS.dit

Where is the NTDS.dit stored?

Answer: %SystemRoot%\NTDS

What type of machine can be a domain controller?

Answer: Windows Server


Task 3: The Forest

What is the term for a hierarchy of domains in a network?

Answer: Tree

What is the term for the rules for object creation?

Answer: Domain Schema

What is the term for containers for groups, computers, users, printers, and other OUs?

Answer: Organizational Units


Task 4: Users + Groups

The users and groups that are inside of an Active Directory are up to you; when you create a domain controller it comes with default groups and two default users: Administrator and guest. It is up to you to create new users and create new groups to add users to.


Image by raphaelsilva from Pixabay

Users Overview – 

Users are the core of Active Directory; without users, why have Active Directory in the first place? There are four main types of users you’ll find in an Active Directory network; however, there can be more depending on how a company manages the permissions of its users. The four types of users are: 

  • Domain Admins – This is the big boss: they control the domain and are the only accounts that should have administrative access to the domain controllers.
  • Service Accounts (can be Domain Admins) – Accounts that run services rather than people. For the most part nobody logs in with them except for service maintenance, but Windows requires them to pair a service such as SQL Server with an identity. Their passwords are rarely rotated, which is why they show up so often in later attack rooms.
  • Local Administrators – These users can make changes to a local machine as an administrator and may be able to control other normal users on that machine, but they have no administrative access to the domain controller.
  • Domain Users – These are your everyday users. They can log in on the machines they are authorized to access and may have local administrator rights on some machines depending on the organization.


Groups Overview – 

Groups make it easier to give permissions to users and objects by organizing them into groups with specified permissions. There are two overarching types of Active Directory groups: 

  • Security Groups – These groups are used to assign permissions and rights to a set of users or computers at once
  • Distribution Groups – These groups exist only to define email distribution lists and cannot be assigned permissions. As an attacker they are less useful to us, but they can still help during enumeration (they show who works with whom)

Default Security Groups – 

There are a lot of default security groups so I won’t be going into too much detail of each past a brief description of the permissions that they offer to the assigned group. Here is a brief outline of the security groups:

  • Domain Controllers – All domain controllers in the domain
  • Domain Guests – All domain guests
  • Domain Users – All domain users
  • Domain Computers – All workstations and servers joined to the domain
  • Domain Admins – Designated administrators of the domain
  • Enterprise Admins – Designated administrators of the enterprise
  • Schema Admins – Designated administrators of the schema
  • DNS Admins – DNS Administrators Group
  • DNS Update Proxy – DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
  • Allowed RODC Password Replication Group – Members in this group can have their passwords replicated to all read-only domain controllers in the domain
  • Group Policy Creator Owners – Members in this group can modify group policy for the domain
  • Denied RODC Password Replication Group – Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
  • Protected Users – Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
  • Cert Publishers – Members of this group are permitted to publish certificates to the directory
  • Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the domain
  • Enterprise Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the enterprise
  • Key Admins – Members of this group can perform administrative actions on key objects within the domain.
  • Enterprise Key Admins – Members of this group can perform administrative actions on key objects within the forest.
  • Cloneable Domain Controllers – Members of this group that are domain controllers may be cloned.
  • RAS and IAS Servers – Servers in this group can access remote access properties of users
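The list above is long, but as an attacker or defender only a handful of these groups matter on day one. The script below is an added example, not part of the TryHackMe room or the original post: run on a domain-joined host with the RSAT ActiveDirectory module, it walks the privileged default groups from the list, follows nested membership, and flags the two combinations the Users Overview warned about, service accounts that are Domain Admins and privileged humans who are not in Protected Users. The group list, the 'has a servicePrincipalName' heuristic for service accounts, and the `DnsAdmins` spelling (the SAM account name of the "DNS Admins" group) are my assumptions.

```powershell
# Added example (not from the room or the original post): audit the privileged
# default security groups and surface risky members. Requires the RSAT
# ActiveDirectory module and a domain account that can read group membership.
Import-Module ActiveDirectory

# High-value default groups from the list above. Membership in any of these is
# effectively domain (or forest) compromise. 'DnsAdmins' is the real SAM name of
# the "DNS Admins" group; 'Key Admins' / 'Enterprise Key Admins' only exist on
# newer schemas, hence -ErrorAction SilentlyContinue below.
$privilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins',
    'Group Policy Creator Owners',
    'DnsAdmins',
    'Key Admins',
    'Enterprise Key Admins',
    'Cert Publishers'
)

# Protected Users members cannot use NTLM or RC4 and get short-lived TGTs.
# A privileged human account that is *not* in it is worth a finding.
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    ForEach-Object { $protected[$_.SamAccountName] = $true }

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, so a user who is a Domain Admin through
    # three levels of group nesting is still listed here.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
                -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, Enabled

        [pscustomobject]@{
            Group                = $group
            Account              = $u.SamAccountName
            Enabled              = $u.Enabled
            # An SPN on a privileged account is the "Service Accounts (can be Domain
            # Admins)" case: the account is Kerberoastable and its password rarely changes.
            IsServiceAccount     = ($u.ServicePrincipalName.Count -gt 0)
            PasswordLastSet      = $u.PasswordLastSet
            PasswordAgeDays      = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            PasswordNeverExpires = $u.PasswordNeverExpires
            InProtectedUsers     = $protected.ContainsKey($u.SamAccountName)
        }
    }
}

# Riskiest rows first: service accounts in privileged groups, then privileged
# accounts outside Protected Users, then the oldest passwords.
$findings |
    Sort-Object -Property @{ Expression = 'IsServiceAccount'; Descending = $true },
                          @{ Expression = 'InProtectedUsers'; Descending = $false },
                          @{ Expression = 'PasswordAgeDays';  Descending = $true } |
    Format-Table -AutoSize
```

Run it as an ordinary domain user: reading group membership and these user attributes needs no special rights by default, which is exactly why enumeration of these groups is usually the first thing an attacker does after landing in the domain.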

Which type of groups specify user permissions?

Answer: Security Groups

Which group contains all workstations and servers joined to the domain?

Answer: Domain Computers

Which group can publish certificates to the directory?

Answer: Cert Publishers

Which user can make changes to a local machine but not to a domain controller?

Answer: Local Administrator

Which group has their passwords replicated to read-only domain controllers?

Answer: Allowed RODC Password Replication Group


Task 5: Trusts + Policies


What type of trust flows from a trusting domain to a trusted domain?

Answer: Directional

What type of trusts expands to include other trusted domains?

Answer: Transitive


Task 6: Active Directory Domain Services + Authentication

Active Directory Domain Services are the core functions of an Active Directory network; they allow for management of the domain, security certificates, LDAP, and much more. They are how the domain controller decides what it does and which services it provides to the domain.

Tools by Ana Miminoshvili on Dribbble

Domain Services Overview – 

Domain Services are exactly what they sound like. They are services that the domain controller provides to the rest of the domain or tree. There is a wide range of various services that can be added to a domain controller; however, in this room we’ll only be going over the default services that come when you set up a Windows server as a domain controller. Outlined below are the default domain services: 

  • LDAP – Lightweight Directory Access Protocol; the protocol applications use to query and modify the directory (TCP 389, or 636 for LDAP over TLS)
  • Certificate Services – Active Directory Certificate Services (AD CS), a separate server role that is commonly installed alongside AD DS and allows the domain controller (or a dedicated CA) to issue, validate, and revoke public key certificates
  • DNS, LLMNR, NBT-NS – name resolution: DNS maps hostnames to IP addresses, while LLMNR and NBT-NS are legacy broadcast fallbacks that Windows tries when a DNS lookup fails, which makes them a common target for poisoning attacks

Domain Authentication Overview – 

The most important part of Active Directory, as well as the most attacked part of it, is the set of authentication protocols in place. There are two main types of authentication in Active Directory: NTLM and Kerberos. Since these are covered in more depth in later rooms, we will not go past the very basics needed to understand how they apply to Active Directory as a whole. For more information on NTLM and Kerberos check out the Attacking Kerberos room – https://tryhackme.com/room/attackingkerberos.

  • Kerberos – The default authentication protocol for Active Directory. It uses ticket-granting tickets (TGTs) and service tickets issued by the domain controller to authenticate users and give them access to other resources across the domain.
  • NTLM – The legacy Windows authentication protocol, still used as a fallback when Kerberos is not available (for example when a host is reached by IP address). It is a challenge/response protocol in which the client proves knowledge of the user's NT hash without sending it.

Active Directory Domain Services are the main access point for attackers and carry some of the most vulnerable protocols in Active Directory; this will not be the last time you see them mentioned in terms of Active Directory security.
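The Kerberos-versus-NTLM split described above is visible in the Security log: every successful logon (event 4624) records which package authenticated it. The script below is an added example, not part of the room or the original post: run on a domain controller, it parses recent 4624 events and reports how much of the domain still authenticates with NTLM, and which of those are NTLMv1, whose responses can be cracked offline to the NT hash. The 24-hour window and the exclusion of machine accounts are my assumptions; the event field names are those Windows writes in the 4624 EventData.

```powershell
# Added example (not from the room or the original post): measure Kerberos vs NTLM
# use from Security event 4624 on a domain controller. Run from an elevated shell.
$since  = (Get-Date).AddHours(-24)   # assumption: look back one day
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$logons = foreach ($e in $events) {
    # 4624 stores its fields as <Data Name="..."> elements. Pull them by name rather
    # than by Properties[] index, because the positions differ between Windows versions.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -like '*$') { continue }                         # computer accounts
    if ($data['TargetUserName'] -in @('SYSTEM', 'ANONYMOUS LOGON')) { continue } # noise

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = [int]$data['LogonType']             # 2 interactive, 3 network, 10 RDP, ...
        AuthPackage = $data['AuthenticationPackageName']  # Kerberos, NTLM or Negotiate
        LmPackage   = $data['LmPackageName']              # 'NTLM V1' / 'NTLM V2' when NTLM was used, '-' otherwise
        Source      = $data['IpAddress']
    }
}

# Overall split. In a healthy domain nearly everything is Kerberos; each NTLM row is a
# client that could not get a ticket (target reached by IP, missing SPN, legacy software).
$logons | Group-Object AuthPackage | Select-Object Name, Count | Sort-Object Count -Descending

# NTLMv1 is the real problem: its challenge/response is weak enough to recover the NT hash.
$logons | Where-Object { $_.LmPackage -eq 'NTLM V1' } |
    Select-Object Time, User, Source, LogonType | Format-Table -AutoSize

# Which accounts and source hosts still speak NTLM at all, to drive remediation.
$logons | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Group-Object User, Source | Select-Object Count, Name | Sort-Object Count -Descending
```

Once the list of remaining NTLM sources is short, the domain is a candidate for NTLM auditing and restriction policies, and the privileged accounts can be moved into Protected Users, which refuses NTLM for them outright.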


What type of authentication uses tickets?

Answer: Kerberos

What domain service can create, validate, and revoke public key certificates?

Answer: Certificate Services


Task 7: AD in the Cloud



What is the Azure AD equivalent of LDAP?

Answer: REST APIs

What is the Azure AD equivalent of Domains and Forests?

Answer: Tenants

What is the Windows Server AD equivalent of Guests?

Answer: Trusts


Task 8: Hands-On Lab


Deploy the Machine

Answer: No answer required.

What is the name of the Windows 10 operating system?

Answer: Windows 10 Enterprise Evaluation

What is the second “Admin” name?

Answer: Admin2

Which group has a capital “V” in the group name?

Answer: Hyper-V Administrators

When was the password last set for the SQLService user?

Answer: 5/13/2020 8:26:58 PM
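The lab questions are meant to be answered by clicking through Active Directory Users and Computers on the lab machine. As an added example that is not part of the room or the original post, the same answers can be pulled from the ActiveDirectory PowerShell module, which also shows two things the GUI hides: `-Filter` uses AD filter syntax (not regex) and is case-insensitive, so the capital "V" question needs a case-sensitive client-side match. The names (`Admin*`, `SQLService`, the Windows 10 host) follow the lab; no other names are assumed.

```powershell
# Added example (not from the room or the original post): answer the Task 8 lab
# questions with the ActiveDirectory module instead of the GUI.
Import-Module ActiveDirectory

# Q: What is the name of the Windows 10 operating system?
# OperatingSystem is not returned by default, so request it with -Properties.
Get-ADComputer -Filter "OperatingSystem -like 'Windows 10*'" -Properties OperatingSystem, OperatingSystemVersion |
    Select-Object Name, OperatingSystem, OperatingSystemVersion

# Q: What is the second "Admin" name?
# -Filter is evaluated by the domain controller, so only the matching objects come back.
Get-ADUser -Filter "Name -like 'Admin*'" | Sort-Object Name | Select-Object Name, SamAccountName, Enabled

# Q: Which group has a capital "V" in the group name?
# AD filters cannot match case-sensitively, so fetch all groups and use -cmatch locally.
Get-ADGroup -Filter * | Where-Object { $_.Name -cmatch 'V' } |
    Select-Object Name, GroupScope, GroupCategory   # GroupCategory shows Security vs Distribution

# Q: When was the password last set for the SQLService user?
# PasswordLastSet is computed from the pwdLastSet attribute and displayed in local time,
# so the value will differ from the GUI if your session is in another time zone.
Get-ADUser -Identity SQLService -Properties PasswordLastSet, PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
                  @{ Name = 'Groups'; Expression = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join '; ' } }
```

A password last set in 2020 on a service account, as in the lab answer above, is exactly the pattern the Users Overview warned about: service account passwords are rarely rotated, so whatever hash an attacker obtains stays valid for years.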


Task 9: Conclusion

Written by: Jamie Ngo
