
Introduction

Active Directory enables centralized, secure management of an entire network, which might span a building, a city, or multiple locations throughout the world.

Active Directory Introduction

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)

Components

Structure

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759186(v%3dws.10)

Organizational Units
  • Container object
  • Used to arrange other objects
  • Makes objects easier to locate and manage
  • Authority to manage an OU can be delegated
  • Can be nested in other organizational units
Domains
  • Container object
  • Collection of administratively defined objects that share a common directory database, security policies, and trust relationships with other domains
  • Each domain is an administrative boundary for objects
  • A single domain can span multiple physical locations or sites
Domain Trees
  • Collections of domains that are grouped together in hierarchical structures
  • When you add a domain to a tree, it becomes a child of the tree root domain
  • The domain to which a child domain is attached is called the parent domain
  • A child domain might in turn have its own child domain
  • The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name, such as Corp.nwtraders.msft
  • Therefore, a tree has a contiguous namespace
Forests
  • An instance of Active Directory
  • Each forest acts as a top-level container in that it houses all domain containers for that particular Active Directory instance
  • A forest can contain one or more domain container objects, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships
  • The first domain in the forest is called the forest root domain
  • The name of that domain refers to the forest, such as Nwtraders.msft
  • By default, information in Active Directory is shared only within the forest
  • Therefore, the forest is the security boundary for the information contained in that instance of Active Directory
Site Objects
  • Leaf and container objects
  • Topmost object in the hierarchy of objects that are used to manage and implement Active Directory replication
  • Stores the hierarchy of objects that are used by the Knowledge Consistency Checker (KCC) to effect the replication topology
  • Objects in this hierarchy include NTDS Site Settings objects, subnet objects, connection objects, server objects, and site objects (one site object for each site in the forest)
  • The hierarchy is displayed as the contents of the Sites container, which is a child of the Configuration container

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759073(v%3dws.10)

  • Schema - Defines objects and attributes
  • Query and index mechanism - Ability to search and publish objects and properties
  • Global Catalog - Contains info about every object in directory
  • Replication Service - Distributes information across domain controllers

Detect Firewall Blocking AD

PortQryUI - http://www.microsoft.com/download/en/details.aspx?id=24009
  • Run the "Domains & Trusts" option between DCs, or between DCs and any machine
  • A result of "NOTLISTENING", 0x00000001, or 0x00000002 means there is a port block
  • UDP 389 and UDP 88 messages can be ignored
  • TCP 42 errors only mean WINS is not running on the target server

https://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
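A scripted version of the same check, as an added example that is not part of the original page: it uses Test-NetConnection (TCP only, so the UDP 88/389 noise is skipped by construction) against the well-known AD service ports, and reports TCP 42 separately because a failure there only means WINS is absent. The $DomainController parameter is a placeholder, and the port list is assumed from the standard AD port requirements rather than taken from this page.

```powershell
# Added example (not from the original page): TCP reachability check from this
# host to a domain controller. Requires the NetTCPIP module (Windows 8 / 2012+).
param(
    [Parameter(Mandatory)][string]$DomainController   # placeholder, e.g. dc01.corp.example
)

# Well-known AD service ports (assumed standard set, not from the page).
# The dynamic RPC range (49152-65535) is not covered by a fixed-port probe.
$AdPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}
$InformationalPorts = [ordered]@{
    42   = 'WINS (failure means WINS not running, not a block)'
}

function Test-AdPort([string]$Target, [int]$Port, [string]$Service, [bool]$Informational) {
    $t = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port          = $Port
        Service       = $Service
        Open          = $t.TcpTestSucceeded
        Informational = $Informational
    }
}

$results = @()
foreach ($p in $AdPorts.Keys)            { $results += Test-AdPort $DomainController $p $AdPorts[$p] $false }
foreach ($p in $InformationalPorts.Keys) { $results += Test-AdPort $DomainController $p $InformationalPorts[$p] $true }

$results | Format-Table -AutoSize

# Only closed ports from the required set count as a likely firewall block.
$blocked = $results | Where-Object { -not $_.Open -and -not $_.Informational }
if ($blocked) {
    Write-Warning ("Possible firewall block between {0} and {1} on TCP: {2}" -f
        $env:COMPUTERNAME, $DomainController, ($blocked.Port -join ', '))
} else {
    Write-Host "All required AD TCP ports reachable on $DomainController"
}
```

Run it from each segment that must reach the DC; a block on 135 alone usually breaks RPC-based operations (replication, Group Policy) even when LDAP and Kerberos look healthy.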

Implementing Least Privilege Model

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

Scanning

pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession

Attack Patterns

Securing