THM – Active Directory Basics – Part 18
This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there.
Table Of Contents
Introduction
Active Directory is the directory service for Windows Domain Networks.
What is Active Directory?
It’s a collection of machine and servers connected inside of domains, that are part of a bigger forest of domains, that make up the Active Directory network. AD contains many functions:
- Domain Controllers
- Forest, Trees, Domains
- Users + Groups
- Trusts
- Policies
- Domain Services
Why use Active Directory
It allows for the control and monitoring of their users computers through a single domain controller. Allows a single user to sign in to any computer on the active directory network and have access to stored files and folders in the server, as well as the local storage on that machine. Allows for any user in the company to use any machine that the company owns, without having to set up multiple users on a machine.
Physical Active Directory
Domain Controllers
A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the center of Active Directory – Control the rest of the domain. Tasks for the domain controller:
- Holds the AD DS data store
- Handles authentication and authorization services
- Replicate updates from other domain controllers in the forest
- Allows admin access to manage domain resources
AD DS Data Store
Active Directory Data Store holds the databases and process needed to store and manage directory information such as users, groups and services. Content and characteristics of AD DS Data Store:
- Contain the NTDS.dit – a database that contains all of the information of an Active Directory domain controller as well as password hashes for domain users.
- Stores by default in %SystemRoot%\NTDS
- Accessible only by the domain controller
The Forest
Forest is what defines everything; container that holds all the other bits and pieces of the network together. Without the forest all the trees and domains would not be able to interact.
Forest Overview
A forest is a collection of one or more domain trees inside of an Active Directory network. It categorizes the parts of the network as a whole.
Forest consists of these parts:
- Trees – a hierarchy of domains in Active Directory Domain Services
- Domains – Used to group and manage objects
- Organization Units (OUs) – Containers for groups, computers, users, printers and other OUs
- Trusts – Allow users to access resources in other domains
- Objects – Users, groups, printers, computers, shares
- Domain services – DNS server, LLMNR IPv6
- Domain Schema – Rules for object creation
Users + Groups
Users Overview
Users are the core to AD. No users – no need for AD. Four main types of users in AD network. Can be more depending on how a company manages the permissions of its users. Four type of users:
- Domain Admins – they control the domains and are the only ones with access to the domain controller.
- Service Accounts (Can be Domain Admins) – These are for the most part never used except for service maintenance, they are required by Windows for services such as SQL to pair a service with a service account
- Local Administrators – These users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller
- Domain Users – These are your everyday users. They can log in on the machines they have the authorization to access and may have local administrator rights to machines depending on the organization.
Groups overview
Groups make it easier to give permissions to users and objects by organizing them into groups with specified permissions. Two types of AD groups:
- Security Groups – These groups are used to specify permissions for a large number of users
- Distribution Groups – These groups are used to specify email distribution lists. As an attacker these groups are less beneficial to us but can still be beneficial in enumeration
Trusts + Policies
Help the domain and trees communicate with each other and maintain security inside of the network.
Domain Trust Overview
Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. Trust outlines the way that the domains inside of a forest communicate to each other. Trusts can in some environments extend out to external domains and even forests in some cases.
Two types of trusts that determine how the domains communicate:
- Directional – The direction of the trust flows from a trusting domain to a trusted domain
- Transitive – The trust relationship expands beyond just two domains to include other trusted domains
Domain Policies Overview
Dictate how the server operates and what rules it will and will not follow. Acts as a rulebook for AD that a domain admin can modify and alter as necessary.
Active Directory Domain Services + Authentication
AD DS are the core functions of Active Directory network; allow for management of the domain, security certificates, LDAPs and much more.
Domain services are services that the domain controller provides to the rest of the domain or tree. Default domain services:
- LDAP – Lightweight Directory Access Protocol; provides communication between applications and directory services
- Certificate Services – allows the domain controller to create, validate, and revoke public key certificates
- DNS, LLMNR, NBT-NS – Domain Name Services for identifying IP hostnames
Domain Authentication Overview
Most important part of AD – and most vulnerable part – is the authentication protocols. Two main types of authentications in place for AD: NTLM and Kerberos.
- Kerberos – The default authentication service for Active Directory uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.
- NTLM – default Windows authentication protocol uses an encrypted challenge/response protocol
AD in the cloud
Windows Server AD | Azure AD |
LDAP | Rest APIs |
NTLM | OAuth/SAML |
Kerberos | OpenID |
OU Tree | Flat Structure |
Domains and Forests | Tenants |
Trusts | Guests |