A Domain Controller is an Active Directory server that acts as the brain of a Windows domain. It holds the directory database and, within the domain, is the gatekeeper that authenticates users and computers and decides which IT resources they are authorised to use.
Trees and Forests
Trees and Forests are the two most critical concepts of the Active Directory.
A tree is a group of domains that share a contiguous DNS namespace and share resources with each other. When a domain is added to a tree it becomes the child domain of the domain it is joined to, which becomes its parent, and a two-way transitive trust is created automatically between them, so every domain in a tree trusts every other domain in that tree.
Forests
A forest is a collection of one or more trees that share a common global catalogue, directory schema, logical structure and directory configuration. The forest, not the domain, is the security boundary of Active Directory: domains in the same forest trust each other automatically, whereas two separate forests can only communicate once a forest-level trust has been created between them.
Trust in Active Directory
An AD trust is the established communication bridge between domains in Active Directory. When one domain trusts another, users from the trusted domain can be granted access to resources in the trusting domain. A domain's resources are not automatically available to every other domain, as that would be unsafe; which domains may share resources is governed by trusts. Trusts are classified along two axes: direction (one-way, where only one side trusts the other, or two-way) and transitivity (a transitive trust also extends to the domains the partner itself trusts, whereas a non-transitive trust stops at the two partners).
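The direction and transitivity described above can be read straight from the directory. The following PowerShell, added here as an example and not taken from the original article, lists every trust of the current domain and flags the settings that most often widen the blast radius: forest-wide instead of selective authentication on an outbound trust, an external trust without SID filtering, TGT delegation across the trust, and RC4-only trust keys. It assumes the ActiveDirectory RSAT module and a domain-joined session; the property names are the ones returned by Get-ADTrust.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        # Domain or DC to query; leave empty for the current user's domain.
        [string]$Server
    )
    $query = @{ Filter = '*' }
    if ($Server) { $query.Server = $Server }

    foreach ($t in Get-ADTrust @query) {
        $findings = [System.Collections.Generic.List[string]]::new()

        if ($t.IntraForest) {
            # Parent/child and tree-root trusts are created automatically and are
            # always two-way and transitive; this is why one compromised child
            # domain endangers the whole forest.
            $findings.Add('intra-forest trust: implicitly two-way and transitive')
        }
        else {
            # Outbound or bidirectional: accounts from the partner can reach our
            # resources. Without selective authentication every partner user is
            # treated as a member of Authenticated Users here.
            if ($t.Direction -ne 'Inbound' -and -not $t.SelectiveAuthentication) {
                $findings.Add('forest-wide authentication (selective authentication off)')
            }
            # External (non-forest) trusts rely on SID filtering ("quarantine") to
            # stop injected SID history from being honoured.
            if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
                $findings.Add('external trust without SID filtering')
            }
            if ($t.TGTDelegation) {
                $findings.Add('TGT delegation enabled across the trust')
            }
        }
        if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) {
            $findings.Add('trust key is RC4 only')
        }

        [pscustomobject]@{
            Partner     = $t.Target
            Direction   = $t.Direction
            Type        = $t.TrustType
            Transitive  = -not $t.DisallowTransivity   # property name as AD spells it
            IntraForest = $t.IntraForest
            Findings    = ($findings -join '; ')
        }
    }
}

Get-TrustReport | Format-Table -AutoSize -Wrap
```

Run it from a workstation with RSAT as any domain user; reading trust objects needs no special rights. Every line in the Findings column is a decision somebody made (or a default nobody revisited) and should be justified in writing or fixed.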
Creating the Right Type of Accounts
Implementing the least privilege model requires setting up different account types for different purposes. It includes the following account types:
- User accounts: regular, non-privileged accounts for most people on the network, holding only the rights needed for their day-to-day duties. Everyone, administrators included, should use one of these for routine work.
- Privileged accounts: accounts with elevated rights, kept separate from the holder's everyday user account and classified further by the level of privilege they carry.
- Shared accounts: accounts used by a group of people, for instance visitors who need limited, time-bound access with bare minimum privileges. Because actions taken with a shared account cannot be attributed to one person, they are not recommended and should be used only in limited scenarios.
Role-Based Access Control on Hosts
As a system administrator it is of utmost importance to grant rights to resources with the principle of least privilege in mind. Per Wikipedia, "the principle of minimal privilege or the principle of least authority requires that, in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose".
Role-based access control lets you assign access at different levels, for example the DNS zone, server or resource record level, and specifies who may create, edit and delete the various resources of Active Directory.
Tiered Access Model
The Active Directory Tiered Access Model (TAM) comprises a set of technical controls that reduce the risk of privilege escalation. It is a logical structure that separates Active Directory's assets into tiers and draws security boundaries between them. The primary goal is to protect the identities that control Active Directory itself (Tier 0) while domain members and ordinary users can still carry out routine tasks, such as reading email, browsing the internet and using applications and other services, in Tiers 1 and 2. The three tiers are:
- Tier 0: the top level; the domain controllers, the domain and enterprise administrator accounts and groups, and the systems that have direct control over them.
- Tier 1: domain member servers and the applications they host.
- Tier 2: end-user devices, such as the workstations of HR and sales staff (non-IT personnel).
Implementation of Tiered Access Model
The implementation of this model rests on one principle: privileged credentials must never cross a tier boundary, whether accidentally or intentionally. A Domain Admin who logs on to a Tier 1 server or a Tier 2 workstation leaves credentials cached there, and any malware or local administrator on that host can take them. The technical controls that prevent this are implemented with Group Policy Objects, which assign the logon rights, and above all the deny-logon rights, that grant or refuse each tier's accounts access to each tier's hosts. Microsoft's documentation on the tiered model and its successor, the Enterprise Access Model (EAM), describes the full set of controls.
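The deny-logon rights are the control that actually keeps Tier 0 credentials off lower-tier hosts, so the first thing to verify on a member server or workstation is that they are really in force. The following PowerShell, added here as an example and not part of the original article, exports the host's effective user-rights assignment with the built-in secedit.exe, parses the [Privilege Rights] section, and reports for each Tier 0 group and each of the five deny rights whether the group is listed. Group names and the right names are the standard ones; the temporary file name is an arbitrary choice.

```powershell
# Added example (not from the original article). Run elevated on the Tier 1
# or Tier 2 host being checked; secedit.exe ships with Windows.

function Get-TierLogonDenials {
    param(
        # Tier 0 groups that must never log on here. Resolved to SIDs below.
        [string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )
    # The five "Deny ..." user rights from Computer Configuration > Windows
    # Settings > Security Settings > Local Policies > User Rights Assignment.
    $rights = @(
        'SeDenyInteractiveLogonRight',       # Deny log on locally
        'SeDenyRemoteInteractiveLogonRight', # Deny log on through Remote Desktop Services
        'SeDenyNetworkLogonRight',           # Deny access to this computer from the network
        'SeDenyBatchLogonRight',             # Deny log on as a batch job
        'SeDenyServiceLogonRight'            # Deny log on as a service
    )

    # The exported template lists principals as *S-1-5-..., so compare by SID.
    $sids = @{}
    foreach ($g in $Tier0Groups) {
        $acct = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\$g")
        $sids[$g] = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    # Export only the USER_RIGHTS area of the effective local security policy.
    $inf = Join-Path $env:TEMP 'userrights-audit.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf
    Remove-Item $inf -ErrorAction SilentlyContinue

    # Lines look like:  SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-21-...-519
    $assigned = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $sidList = ($Matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
            $assigned[$Matches[1]] = @($sidList)
        }
    }

    foreach ($g in $Tier0Groups) {
        foreach ($r in $rights) {
            [pscustomobject]@{
                Group  = $g
                Right  = $r
                Denied = ($assigned[$r] -contains $sids[$g])
            }
        }
    }
}

# Anything that comes back here is a gap in the tier boundary on this host.
Get-TierLogonDenials | Where-Object { -not $_.Denied } | Format-Table -AutoSize
```

Two caveats: the export reflects the policy currently applied, so run gpupdate first if the GPO was just linked; and on a Tier 0 host (a domain controller, for instance) the Domain Admins rows are expected to come back as not denied, because that is exactly where those accounts are supposed to log on.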
Account auditing is a crucial, periodic task that checks that accounts are set up correctly, hold the right privileges and carry the right restrictions. Three audit types related to accounts must be carried out regularly: usage, privilege and change audits.
- Usage audits monitor what each account actually does and validate that its access rights match that use.
- A privilege audit checks that every account in the system holds the least privilege it needs.
- Change audits a
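A privilege audit of the groups that matter most, as an added example that is not part of the original article: the PowerShell below walks a list of built-in privileged groups with nested membership expanded, then reports for each member the findings a reviewer would act on (disabled but still privileged, no logon in a configurable window, a non-expiring or year-old password, and an SPN on a privileged account). It assumes the ActiveDirectory RSAT module; the group list and the 90-day staleness threshold are defaults of this example, not prescribed values.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedAccountAudit {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators'),
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $byUser = @{}

    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so a user three groups deep still counts.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if (-not $byUser.ContainsKey($m.SamAccountName)) {
                $byUser[$m.SamAccountName] = [System.Collections.Generic.List[string]]::new()
            }
            $byUser[$m.SamAccountName].Add($g)
        }
    }

    foreach ($sam in $byUser.Keys) {
        $u = Get-ADUser -Identity $sam -Properties LastLogonDate, PasswordLastSet,
                                                  PasswordNeverExpires, ServicePrincipalName
        $findings = [System.Collections.Generic.List[string]]::new()
        if (-not $u.Enabled) { $findings.Add('disabled but still in a privileged group') }
        # LastLogonDate is derived from lastLogonTimestamp, which can lag a real
        # logon by up to 14 days; good enough for a staleness check, not for forensics.
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
            $findings.Add("no logon in $StaleDays days")
        }
        if ($u.PasswordNeverExpires) { $findings.Add('password never expires') }
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $findings.Add('password older than a year')
        }
        if ($u.ServicePrincipalName) { $findings.Add('has an SPN: privileged and Kerberoastable') }

        [pscustomobject]@{
            Account   = $sam
            Groups    = ($byUser[$sam] -join ', ')
            LastLogon = $u.LastLogonDate
            Findings  = ($findings -join '; ')
        }
    }
}

# Show only the accounts that need a decision.
Get-PrivilegedAccountAudit | Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
```

Export the full output (without the Where-Object filter) to a file each time the audit runs; diffing two runs is the simplest form of the change audit, because any account that appears in the Groups column for the first time was added to a privileged group since the last run.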
Most Common Active Directory Attacks
Kerberoasting
Kerberoasting is a common and successful post-exploitation technique for gaining privileged access in AD. Any authenticated domain user can ask the Kerberos Ticket Granting Service (TGS) for a service ticket for any account that has a Service Principal Name (SPN). Part of that ticket is encrypted with the service account's password hash, so the attacker takes the ticket offline and brute-forces the password without ever touching the domain again. The attack is hard to detect because the request comes from a valid user and looks like ordinary Kerberos traffic. The effective defences are to give every service account a long, random password (ideally a Group Managed Service Account, whose password is rotated automatically), to remove SPNs from highly privileged accounts, to enforce AES instead of RC4 for service tickets, and to watch for many TGS requests with RC4 encryption (type 0x17) from a single client. MFA does not help here: the attacker already holds a valid account, and the ticket request itself never involves a second factor.
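Both sides of the paragraph above in PowerShell, as an added example that is not part of the original article: the first function lists the accounts an attacker can Kerberoast (user accounts with an SPN) with their password age and whether RC4 tickets can still be issued for them; the second reads Security event 4769 on a domain controller and reports clients that obtained RC4 service tickets for several distinct user SPNs in a short window, which is what a Kerberoasting sweep looks like. The ActiveDirectory module is assumed for the first function; the event field names are those of the 4769 event schema. The one-hour window and the five-service threshold are tunable defaults chosen for this example.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

# 1. Attack surface: user accounts with an SPN can have a TGS requested for them
#    and cracked offline. Old passwords and RC4 keys make that cheap.
function Get-KerberoastableAccounts {
    Get-ADUser -Filter { ServicePrincipalName -like '*' -and SamAccountName -ne 'krbtgt' } `
               -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account         = $_.SamAccountName
            PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            # Bits: 0x4 RC4, 0x8 AES128, 0x10 AES256. Unset means the account
            # advertises no AES keys, so RC4 tickets can still be requested for it.
            AesEnabled      = [bool]($enc -band 0x18)
            Rc4Allowed      = (-not $enc) -or [bool]($enc -band 0x4)
            SPNs            = ($_.ServicePrincipalName -join ' ')
        }
    }
}

# 2. Detection: on the DC, event 4769 with TicketEncryptionType 0x17 (RC4) for a
#    user SPN. Modern clients get AES (0x11/0x12) tickets, so one client pulling
#    RC4 tickets for many different services in a short window is the signature.
function Find-KerberoastRequests {
    param([int]$Hours = 1, [int]$MinDistinctServices = 5)
    $since = (Get-Date).AddHours(-$Hours)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the fields by name from the event XML instead of by position.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $d.TargetUserName
            Service = $d.ServiceName
            Client  = $d.IpAddress
            EncType = $d.TicketEncryptionType
            Status  = $d.Status
        }
    } |
    # Successful RC4 tickets for user SPNs (computer accounts end in $; krbtgt is the TGT).
    Where-Object { $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
                   $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
    Group-Object User, Client |
    Where-Object { @($_.Group.Service | Sort-Object -Unique).Count -ge $MinDistinctServices } |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            Client   = $_.Group[0].Client
            Requests = $_.Count
            Services = (($_.Group.Service | Sort-Object -Unique) -join ', ')
        }
    }
}

Get-KerberoastableAccounts | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
Find-KerberoastRequests | Format-Table -AutoSize -Wrap
```

Run Find-KerberoastRequests on each domain controller (or point Get-WinEvent at one with -ComputerName), since every DC issues tickets independently. A single user hitting the threshold is worth a look even if the account is a legitimate scanner; an account that should never request service tickets at all, such as a freshly created one, is a much stronger signal.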
Weak and Easy-to-Guess Passwords
The easiest way for an intruder to breach security is a weak, guessable or long-reused password. The best recommendation is to use strong passwords and to avoid passwords that are already known from published breach lists. A strong password is long, not based on a dictionary word, and combines upper- and lower-case letters, numbers and special characters; length matters more than the number of character classes. There are many tools that can audit the passwords in AD, for example by comparing the domain's password hashes against a list of breached passwords and reporting blank, shared and weak ones.
Brute Forcing Remote Desktop Protocol
Attackers use scanning tools to find exposed RDP endpoints and then brute-force weak credentials. Once a guess succeeds they log on to the compromised system, attempt privilege escalation and establish a persistent foothold on the target. The best recommendation is never to expose RDP to the public internet without additional security controls (a VPN or gateway in front of it, Network Level Authentication, MFA and account lockout). Continuous auditing for scanning and brute-force attempts is also an important step.
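The audit mentioned above, as an added example that is not part of the original article: the PowerShell below reads the target host's Security log, groups failed logons by source address and reports sources that exceeded a threshold, together with whether the same source later logged on successfully (which turns a brute-force alert into an incident). The event IDs and field names are those of the standard 4624/4625 events; the 24-hour window and the 20-failure threshold are defaults chosen for this example.

```powershell
# Added example (not from the original article). Run on the host that exposes
# RDP, or pass -ComputerName to Get-WinEvent to read its log remotely.

function Find-RdpBruteForce {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 20,
        # 10 = RemoteInteractive. With Network Level Authentication enabled the
        # failed attempts are recorded as type 3 (Network) instead, so include both.
        [string[]]$LogonTypes = @('10', '3')
    )
    $since = (Get-Date).AddHours(-$Hours)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read fields by name from the event XML rather than by position.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = $d.TargetUserName
            Ip        = $d.IpAddress
            LogonType = $d.LogonType
        }
    } |
    Where-Object { $LogonTypes -contains $_.LogonType -and $_.Ip -and $_.Ip -ne '-' }

    foreach ($src in ($events | Group-Object Ip)) {
        $fail = @($src.Group | Where-Object { $_.Id -eq 4625 })
        $ok   = @($src.Group | Where-Object { $_.Id -eq 4624 })
        if ($fail.Count -lt $Threshold) { continue }

        $firstFail = ($fail.Time | Measure-Object -Minimum).Minimum
        # A success from the same source after the failures started means a guess worked.
        $later = @($ok | Where-Object { $_.Time -gt $firstFail })

        [pscustomobject]@{
            SourceIp      = $src.Name
            Failures      = $fail.Count
            DistinctUsers = @($fail.User | Sort-Object -Unique).Count
            FirstFailure  = $firstFail
            SuccessAfter  = ($later.Count -gt 0)
            SuccessUsers  = (($later.User | Sort-Object -Unique) -join ', ')
        }
    }
}

Find-RdpBruteForce | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A high Failures count with many DistinctUsers is password spraying; a high count against one user is a classic brute force. Either way, a row with SuccessAfter set to true means the host should be treated as compromised until the session is explained.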
Publicly Accessible Shares
During AD configuration some shared folders are left publicly accessible or unauthenticated, giving attackers an initial foothold and a path for lateral movement. Use the Get-SmbShare and Get-SmbShareAccess cmdlets in PowerShell to list the shares on each server and the principals allowed to reach them, and tighten the access accordingly (Get-SmbOpenFile, by contrast, only shows files that are currently open over SMB).
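Sweeping a set of servers for over-exposed shares, as an added example that is not part of the original article: the PowerShell below connects to each host, skips the administrative shares, reads the share-level ACL and reports every entry that grants access to a broad principal. The list of broad principals is this example's choice and should be extended with any site-specific "all staff" groups; the cmdlets and their properties are the ones in the SmbShare module.

```powershell
# Added example (not from the original article). Needs administrative rights on
# the target hosts and WinRM/CIM connectivity to them.

function Get-OverexposedShares {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Principals that amount to "anyone who can authenticate" or "anyone at all".
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ANONYMOUS LOGON',
            'BUILTIN\Users',
            "$env:USERDOMAIN\Domain Users",
            "$env:USERDOMAIN\Domain Computers"
        )
    )
    foreach ($c in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $c -ErrorAction Stop
        }
        catch {
            Write-Warning "$c unreachable: $($_.Exception.Message)"
            continue
        }

        # Special = administrative shares (C$, ADMIN$, IPC$) whose ACLs are fixed.
        $shares = Get-SmbShare -CimSession $session | Where-Object { -not $_.Special }
        foreach ($s in $shares) {
            $acl = Get-SmbShareAccess -Name $s.Name -CimSession $session
            $broad = $acl | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName
            }
            foreach ($b in $broad) {
                [pscustomobject]@{
                    Computer  = $c
                    Share     = $s.Name
                    Path      = $s.Path
                    Principal = $b.AccountName
                    Right     = $b.AccessRight   # Read, Change or Full
                }
            }
        }
        Remove-CimSession $session
    }
}

# Example sweep of the local host; pass a server list for the whole estate.
Get-OverexposedShares | Sort-Object Right -Descending | Format-Table -AutoSize
```

The share ACL is only the outer gate: effective access is the intersection of the share permission and the NTFS permission on Path, so a share that grants Everyone Change may still be harmless if the folder's NTFS ACL is tight. Check the NTFS side with Get-Acl on the reported paths before deciding. To sweep the whole domain, feed the output of Get-ADComputer (filtered to servers) into -ComputerName.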