Task 1 Introduction
Active Directory is a network of computer workstations, servers, and other network appliances grouped into domains. These domains are then grouped into forests which help to create a logical topology of an organization’s network.
There are several components within Active Directory.
- Domain Controllers
- Forests, Trees, Domains
- Users + Groups
- Domain Services
Organizations like to use Active Directory because it simplifies network administration. It enables users to log into any computer within the organization's network and have access to their files from anywhere on the network. It also centralizes administration and security monitoring on the central domain controller.
No answer needed
Task 2 Physical Active Directory
A domain controller is a Windows Server that has Active Directory Domain Services installed and has been promoted to Forest Domain Controller. Active Directory revolves around domain controllers. Their primary responsibilities are:
- Holding the AD DS data store
- Authentication and Authorization
- Replicate updates from other domain controllers in the forest
- Allow admin access to manage domain resources
The Data Store contains the Active Directory database and information needed to manage the directory.
- Contains NTDS.dit (Database with all AD information and password hashes for domain users.)
- Stored by default in %SystemRoot%\NTDS
- Only accessible by the Domain Controller
What database does the AD DS contain?
Where is the NTDS.dit stored?
What type of machine can be a domain controller?
Task 3 The Forest
A forest is a collection of one or more domain trees inside of an Active Directory network. It is what categorizes the parts of the network as a whole.
The Forest consists of these parts, which we will go into in further detail later:
- Trees – A hierarchy of domains in Active Directory Domain Services
- Domains – Used to group and manage objects
- Organizational Units (OUs) – Containers for groups, computers, users, printers and other OUs
- Trusts – Allows users to access resources in other domains
- Objects – users, groups, printers, computers, shares
- Domain Services – DNS Server, LLMNR, IPv6
- Domain Schema – Rules for object creation
What is the term for a hierarchy of domains in a network?
What is the term for the rules for object creation?
What is the term for containers for groups, computers, users, printers, and other OUs?
Task 4 Users + Groups
Four User Types
- Domain Admins – Head admin role. The primary root account for the entire domain.
- Service Accounts – Not regularly used by actual people. Accounts required for services.
- Local Admin – Admin for the local system but unable to access domain controller.
- Domain User – Regular users, possible to be local admins.
Two Group Types
There are two main types of groups.
- Security Groups – Used for setting permissions
- Distribution Groups – Used to set email distribution lists
Default Security Groups
- Domain Controllers – All domain controllers in the domain
- Domain Guests – All domain guests
- Domain Users – All domain users
- Domain Computers – All workstations and servers joined to the domain
- Domain Admins – Designated administrators of the domain
- Enterprise Admins – Designated administrators of the enterprise
- Schema Admins – Designated administrators of the schema
- DNS Admins – DNS Administrators Group
- DNS Update Proxy – DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
- Allowed RODC Password Replication Group – Members in this group can have their passwords replicated to all read-only domain controllers in the domain
- Group Policy Creator Owners – Members in this group can modify group policy for the domain
- Denied RODC Password Replication Group – Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
- Protected Users – Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
- Cert Publishers – Members of this group are permitted to publish certificates to the directory
- Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the domain
- Enterprise Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the enterprise
- Key Admins – Members of this group can perform administrative actions on key objects within the domain.
- Enterprise Key Admins – Members of this group can perform administrative actions on key objects within the forest.
- Cloneable Domain Controllers – Members of this group that are domain controllers may be cloned.
- RAS and IAS Servers – Servers in this group can access remote access properties of users
Which type of groups specify user permissions?
Which group contains all workstations and servers joined to the domain?
Which group can publish certificates to the directory?
Which user can make changes to a local machine but not to a domain controller?
Which group has their passwords replicated to read-only domain controllers?
Allowed RODC Password Replication Group
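A defender's view of the default security groups listed above, as an added example (not part of the original write-up): it reports which accounts sit in high-privilege groups, including through nesting, and whether each is also in Protected Users. The function names, the group selection and the sample members are assumptions; the live helper assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example. Group names are as stored in AD (the DNS Admins group is named DnsAdmins).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'DnsAdmins', 'Group Policy Creator Owners', 'Key Admins'

function Get-LiveGroupMembers {
    param([string[]]$Groups)
    $members = @{}
    foreach ($g in $Groups) {
        try {
            # -Recursive expands nested groups, so indirect members are counted too.
            $members[$g] = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Where-Object objectClass -eq 'user' | ForEach-Object SamAccountName)
        } catch {
            # Enterprise Admins and Schema Admins exist only in the forest root domain.
            Write-Warning "Skipping '$g': $($_.Exception.Message)"
        }
    }
    $members
}

function Get-PrivilegedAccountReport {
    param(
        [hashtable]$GroupMembers,        # group name -> sAMAccountNames
        [string[]]$ProtectedUsers = @()  # members of the Protected Users group
    )
    $groupsByAccount = @{}
    foreach ($group in $GroupMembers.Keys) {
        foreach ($account in $GroupMembers[$group]) {
            if (-not $groupsByAccount.ContainsKey($account)) { $groupsByAccount[$account] = @() }
            $groupsByAccount[$account] += $group
        }
    }
    foreach ($account in ($groupsByAccount.Keys | Sort-Object)) {
        [pscustomobject]@{
            Account          = $account
            Groups           = ($groupsByAccount[$account] | Sort-Object) -join ', '
            InProtectedUsers = $ProtectedUsers -contains $account
        }
    }
}

# Constructed sample membership so the report logic runs without a domain.
$sample = @{
    'Domain Admins'     = @('Administrator', 'Admin2', 'SQLService')
    'Enterprise Admins' = @('Administrator')
    'DnsAdmins'         = @('Admin2')
}
Get-PrivilegedAccountReport -GroupMembers $sample -ProtectedUsers @('Admin2')

# Live run:
# Get-PrivilegedAccountReport -GroupMembers (Get-LiveGroupMembers $PrivilegedGroups) `
#     -ProtectedUsers (Get-ADGroupMember 'Protected Users' | ForEach-Object SamAccountName)
```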
Task 5 Trusts + Policies
Security in Active Directory is implemented by trusts and policies. Trusts and policies put into place rules that decide what the domain is allowed to do. They can determine how trees and domains communicate with each other or with external domains.
Trusts determine how domains inside a forest are allowed to communicate with each other. There are generally two types of trusts.
- Directional – Trust flows from trusting domain to trusted domain
- Transitive – Trust extends out beyond just the two domains in question
Trusts can be abused by attackers to move across the network.
Domain policies are similar to groups except they use rules instead of permissions. These rules determine what a domain may do.
What type of trust flows from a trusting domain to a trusted domain?
What type of trusts expands to include other trusted domains?
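The direction and transitivity described above, as an added example for reviewing a domain's trusts (not part of the original write-up). Get-TrustReview and the sample records are assumptions; the property names match what Get-ADTrust returns, and the transitivity rule is a simplification based on those flags.

```powershell
# Added example. Sample trust records are constructed.
function Get-TrustReview {
    param(
        [Parameter(ValueFromPipeline)] $Trust,
        [string]$LocalDomain
    )
    process {
        $direction = "$($Trust.Direction)"
        # Access runs opposite to trust: users of the trusted domain reach
        # resources in the trusting domain.
        $access = switch ($direction) {
            'Inbound'       { "$LocalDomain users -> $($Trust.Name) resources" }
            'Outbound'      { "$($Trust.Name) users -> $LocalDomain resources" }
            'BiDirectional' { 'both directions' }
            default         { 'none (disabled)' }
        }
        # Assumption: intra-forest and forest trusts are transitive unless the
        # non-transitive flag is set; external trusts are not.
        $transitive = ($Trust.IntraForest -or $Trust.ForestTransitive) -and
                      (-not $Trust.DisallowTransivity)
        # Trusts that let outside users in, transitively, deserve the first look.
        $letsOthersIn = @('Outbound', 'BiDirectional') -contains $direction
        [pscustomobject]@{
            Partner     = $Trust.Name
            Direction   = $direction
            Access      = $access
            Transitive  = $transitive
            ReviewFirst = $letsOthersIn -and $transitive -and (-not $Trust.IntraForest)
        }
    }
}

# Constructed sample records shaped like Get-ADTrust output.
$sample = @(
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'
                       IntraForest = $true;  ForestTransitive = $false; DisallowTransivity = $false }
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'Outbound'
                       IntraForest = $false; ForestTransitive = $true;  DisallowTransivity = $false }
    [pscustomobject]@{ Name = 'legacy.example';     Direction = 'Inbound'
                       IntraForest = $false; ForestTransitive = $false; DisallowTransivity = $true }
)
$sample | Get-TrustReview -LocalDomain 'corp.example' | Format-Table -AutoSize

# Live data (assumes the RSAT ActiveDirectory module on a domain-joined host):
# Get-ADTrust -Filter * | Get-TrustReview -LocalDomain (Get-ADDomain).DNSRoot
```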
Task 6 Active Directory Domain Services + Authentication
Domain Services are services that the domain controller provides for the domain. Default services that run on domains include LDAP, certificate services, DNS, LLMNR, and NBT-NS.
One of the main selling points of Active Directory is its ability to authenticate users to give them access to network resources. Active Directory has two primary methods to authenticate users, Kerberos and NTLM. Kerberos is the default authentication for Active Directory and uses tickets. NTLM is the default Windows Authentication protocol that uses an encrypted challenge-response protocol.
What type of authentication uses tickets?
What domain service can create, validate, and revoke public key certificates?
Task 7 AD in the Cloud
Active Directory has the ability to connect to the cloud through services such as Azure AD. It has a more secure default configuration than its on-premise counterpart. Azure connects the user signing on with the Active Directory domain. By having this handled by Azure, sign-on is more secure and many Active Directory attacks are pre-empted.
What is the Azure AD equivalent of LDAP?
What is the Azure AD equivalent of Domains and Forests?
What is the Windows Server AD equivalent of Guests?
Task 8 Hands-On Lab
This lab uses the tool PowerView to obtain information on the Active Directory domain and its users.
Deploy the Machine
No answer needed
What is the name of the Windows 10 operating system?
To get the answer to this I ran the command Get-NetComputer -fulldata | select operatingsystem. It gave me a few options. The second one worked.
Windows 10 Enterprise Evaluation
What is the second “Admin” name?
I needed to find the users of the domain. To have PowerShell output these users, I used the command
Get-NetUser | select cn
One of the users was named Admin2 which was the only other administrator type user besides the main
Which group has a capital “V” in the group name?
For this question I needed to get a list of groups for the domain. To do this I used the command
Get-NetGroup * | select-string -pattern "V" -casesensitive
I found the group Hyper-V Administrators in the output.
When was the password last set for the SQLService user?
I used the PowerShell command Get-NetUser -UserName SQLService to find the properties for the SQLService user. One of the last properties was pwdlastset with the value of 5/13/2020 8:26:58 PM.
5/13/2020 8:26:58 PM
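The pwdlastset property read in the last question is also what a defender checks when auditing service account password age. The following is an added example, not part of the original write-up: the function names, the age threshold, the SPN values and the sample records are assumptions, and the raw attribute is a Windows FILETIME rather than the formatted date PowerView displays.

```powershell
# Added example. Sample records are constructed.
function ConvertFrom-PwdLastSet {
    param([long]$FileTime)
    # pwdLastSet is a Windows FILETIME; 0 means the password must change at next logon.
    if ($FileTime -le 0) { return $null }
    [datetime]::FromFileTimeUtc($FileTime)
}

function Find-StaleServiceAccount {
    param(
        [Parameter(ValueFromPipeline)] $Account,
        [int]$MaxAgeDays = 365,
        [datetime]$AsOf = [datetime]::UtcNow
    )
    process {
        # Only accounts that carry a service principal name are treated as service accounts.
        if (-not $Account.servicePrincipalName) { return }
        $set = ConvertFrom-PwdLastSet $Account.pwdLastSet
        $age = if ($set) { [math]::Floor(($AsOf - $set).TotalDays) } else { $null }
        if ($null -eq $age -or $age -gt $MaxAgeDays) {
            [pscustomobject]@{
                Account     = $Account.SamAccountName
                PasswordSet = $set
                AgeDays     = $age
                Finding     = if ($null -eq $age) { 'no password timestamp' }
                              else { "older than $MaxAgeDays days" }
            }
        }
    }
}

# Constructed input; the SQLService timestamp reuses the lab value, read as UTC for illustration.
$utc = [DateTimeKind]::Utc
$sample = @(
    [pscustomobject]@{ SamAccountName = 'SQLService'; servicePrincipalName = @('MSSQLSvc/db01.lab.example:1433')
                       pwdLastSet = [datetime]::new(2020, 5, 13, 20, 26, 58, $utc).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'WebService'; servicePrincipalName = @('HTTP/web01.lab.example')
                       pwdLastSet = [datetime]::new(2023, 11, 1, 9, 0, 0, $utc).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'BackupSvc';  servicePrincipalName = @('backup/bk01.lab.example')
                       pwdLastSet = 0 }
    [pscustomobject]@{ SamAccountName = 'Admin2';     servicePrincipalName = @()
                       pwdLastSet = [datetime]::new(2019, 1, 1, 0, 0, 0, $utc).ToFileTimeUtc() }
)
# Reports SQLService (too old) and BackupSvc (no timestamp); the other two are skipped.
$sample | Find-StaleServiceAccount -AsOf ([datetime]::new(2024, 1, 1, 0, 0, 0, $utc))

# Live data (assumes the RSAT ActiveDirectory module on a domain-joined host):
# Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties pwdLastSet, servicePrincipalName |
#     Find-StaleServiceAccount -MaxAgeDays 180
```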