We covered some basic security and hardening techniques that can be implemented on Windows Server systems with AD installed. We mainly used the Group Policy Editor to apply policies such as SMB and LDAP signing, password strength policies and password hashing policies. We also used the Microsoft Security Compliance Toolkit to import pre-developed security templates into GPO and to analyse current policies against best practices. We used the TryHackMe Active Directory Hardening room for demonstration purposes as part of the Security Engineer track.
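As an added example (not code from the TryHackMe room), the script below reads back the settings that the policies above push out through Group Policy and reports which ones are still in a weak state. It assumes an elevated PowerShell session on the Domain Controller with the ActiveDirectory (RSAT) module installed; the "hardened" thresholds for password length and history are assumed baseline values, not values taken from the room.

```powershell
# Added example, not part of the room: verify LM hash storage, NTLM level, SMB/LDAP signing
# and the default domain password policy after the GPOs have been applied (run gpupdate first).
Import-Module ActiveDirectory -ErrorAction Stop

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value was never set, i.e. the OS default still applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Setting([string]$Name, $Value, [scriptblock]$IsHardened) {
    # One report row: the setting, the observed value and whether it meets the hardened state.
    [pscustomobject]@{ Setting = $Name; Value = $Value; Hardened = [bool](& $IsHardened $Value) }
}

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$pw   = Get-ADDefaultDomainPasswordPolicy

$report = @(
    # "Network security: Do not store LAN Manager hash value on next password change"
    Test-Setting 'NoLMHash (1 = LM hash not stored)' (Get-RegDword $lsa 'NoLMHash') { param($v) $v -eq 1 }
    # "Network security: LAN Manager authentication level" (5 = send NTLMv2 only, refuse LM and NTLM)
    Test-Setting 'LmCompatibilityLevel (5 = NTLMv2 only)' (Get-RegDword $lsa 'LmCompatibilityLevel') { param($v) $v -ge 5 }
    # "Microsoft network server / client: Digitally sign communications (always)"
    Test-Setting 'SMB server RequireSecuritySignature' (Get-RegDword $srv 'RequireSecuritySignature') { param($v) $v -eq 1 }
    Test-Setting 'SMB client RequireSecuritySignature' (Get-RegDword $wks 'RequireSecuritySignature') { param($v) $v -eq 1 }
    # "Domain controller: LDAP server signing requirements" (2 = require signing)
    Test-Setting 'LDAPServerIntegrity (2 = require signing)' (Get-RegDword $ntds 'LDAPServerIntegrity') { param($v) $v -eq 2 }
    # Default Domain Policy password settings; 14 and 24 are assumed baseline thresholds
    Test-Setting 'Minimum password length' $pw.MinPasswordLength { param($v) $v -ge 14 }
    Test-Setting 'Password complexity enabled' $pw.ComplexityEnabled { param($v) $v -eq $true }
    Test-Setting 'Password history (passwords remembered)' $pw.PasswordHistoryCount { param($v) $v -ge 24 }
)

$report | Format-Table Setting, Value, Hardened -AutoSize
$report | Where-Object { -not $_.Hardened } |
    ForEach-Object { Write-Warning "Weak setting: $($_.Setting) = $($_.Value)" }
```

A $null value means the policy has never been applied to this host, so the OS default is in effect and the row is reported as not hardened.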

Domain Controller

A Domain Controller is an Active Directory server that acts as the brain for a Windows server domain; it supervises the entire network. Within the domain, it acts as a gatekeeper for users’ authentication and IT resources authorisation.
Trees and Forests
Trees and Forests are the two most critical concepts of Active Directory.

Trees are responsible for sharing resources between domains. Domains inside a tree communicate through either one-way or two-way trusts. When a domain is added to a tree, it becomes the child (offspring) domain of the domain it is added to, which becomes the parent domain.

Forests
A Forest is a collection of trees that successfully share a common global catalogue, directory schema, logical structure, and directory configuration. Communication between two forests becomes possible once a forest-level trust is created.

Trust in Active Directory

An AD trust is the established communication bridge between domains in Active Directory. When we say one domain trusts another in the AD network, it means its resources can be shared with that other domain. However, one domain's resources are not directly available to every other domain, as that would not be safe. Thus, the availability of shared resources is governed by trusts in AD. AD trusts fall into two categories, classified either by their characteristics or by their direction.

Creating the Right Type of Accounts
Implementing the least privilege model requires setting up different account types for different purposes. It includes the following account types:
  • User accounts: Regular user accounts should be used by most people on the network, since they are sufficient for their day-to-day duties.
  • Privileged accounts: These are the accounts with elevated privileges and are further classified as first and second privilege accounts.
  • Shared accounts: These accounts are shared amongst a group of people, such as visitors, with bare minimum privileges to give limited access for a specific time. They are not recommended and should only be used in limited scenarios.
Role-Based Access Control on Hosts
As a System Administrator, it is of utmost importance to grant rights to resources while keeping the principle of least privilege in mind. Per Wikipedia, “The principle of minimal privilege or the principle of least authority requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose”.
Role-based access control allows you to indicate access privileges at different levels. It includes DNS zone, server, or resource record levels and specifies who has access control over creating, editing, and deleting operations of various resources of Active Directory.
Tiered Access Model
The Active Directory Tiered Access Model (TAM) comprises many technical controls that reduce privilege escalation risks. It consists of a logical structure that separates Active Directory's assets by creating security boundaries. The primary goal is the protection of Active Directory's top-valued identities (Tier 0), while domain members and other users can still perform routine tasks such as checking email, browsing the internet, and using apps and other services (Tiers 1 and 2). It comprises three tiers, Tier 0, 1, and 2, which are as follows:
  • Tier 0: Top level and includes all the admin accounts, Domain Controller, and groups.
  • Tier 1: Domain member applications and servers.
  • Tier 2: End-user devices like HR and sales staff (non-IT personnel).
Implementation of Tiered Access Model
Implementation of this model rests on the principle of “preventing privileged credentials from crossing boundaries, either accidentally or intentionally”. Implementing technical controls via Group Policy Objects is crucial to avoid such scenarios. These Group Policy Objects bring together the security rights that deny access or grant permission. You can read more about the Tiered and Enterprise Access Model (EAM) here.
Auditing Accounts
Auditing accounts is a crucial task, carried out mainly by checking that the correct account types were set up, that privileges were assigned appropriately, and that restrictions were applied. Three audit types related to accounts must be done periodically: usage, privilege, and change audits.
  • Usage audits allow monitoring each account’s specific tasks and validating their access rights.
  • A privilege audit allows you to check if every account in the system has the least privilege.
  • Change audits a
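The following is an added example (not from the room) of a privilege audit as described above, applied to the Tier 0 groups of the tiered model: it lists every user account that sits in a built-in admin group and flags the conditions a reviewer would follow up on. It assumes the ActiveDirectory module; the group list, the 90-day staleness window and the "more than one admin group" rule are assumptions to tune for your domain.

```powershell
# Added example, not part of the room: privilege audit of Tier 0 group membership.
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators'
$staleAfterDays = 90      # assumed: an admin account unused for 90 days needs review

# Collect (group, account) pairs; -Recursive expands nested groups so indirect members count.
$memberships = foreach ($group in $tier0Groups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $group; Sam = $_.SamAccountName } }
}

# One row per account, with the signals that matter for least privilege.
$findings = $memberships | Group-Object Sam | ForEach-Object {
    $u = Get-ADUser -Identity $_.Name -Properties LastLogonDate, PasswordLastSet,
                    PasswordNeverExpires, ServicePrincipalName
    $groups = $_.Group.Group | Sort-Object -Unique
    $stale  = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-$staleAfterDays))
    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        AdminGroups     = $groups -join ', '
        GroupCount      = @($groups).Count
        LastLogon       = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        Stale           = $stale
        PwdNeverExpires = $u.PasswordNeverExpires
        HasSPN          = [bool]$u.ServicePrincipalName   # service accounts do not belong in Tier 0
    }
}

$findings | Sort-Object GroupCount -Descending | Format-Table -AutoSize

# Anything matching one of these conditions is a least-privilege finding to act on:
# remove stale or over-privileged memberships, set password expiry, move service accounts out.
$findings | Where-Object { $_.Stale -or $_.PwdNeverExpires -or $_.HasSPN -or $_.GroupCount -gt 1 } |
    Select-Object Account, AdminGroups, Stale, PwdNeverExpires, HasSPN
```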

Most Common Active Directory Attacks

Kerberoasting
Kerberoasting is a common and successful post-exploitation technique that attackers use to gain privileged access to AD. The attacker exploits the Kerberos Ticket Granting Service (TGS) to request an encrypted password, which is then cracked offline through various brute-force techniques. These attacks are difficult to detect, as the request is made by an approved user and no unusual traffic pattern is generated during the process. You can prevent the attack by ensuring an additional layer of authentication through MFA, or by frequent and periodic Kerberos Key Distribution Centre (KDC) service account password resets. You can learn more about the attack here.
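Because the requests look like normal ticket traffic, detection has to come from the Domain Controller's audit log rather than the network. The query below is an added example (not part of the room) that runs against Security event 4769 on a DC with "Audit Kerberos Service Ticket Operations" enabled; the 24-hour window and the threshold of five distinct services are assumptions to tune.

```powershell
# Added example, not part of the room: surface the Kerberoasting pattern from event 4769.
# One account requesting many RC4-encrypted (0x17) service tickets for different
# user-owned SPNs in a short window is the signal; AES (0x12) tickets are far less useful
# to an offline cracker, which is also why AES-only service accounts reduce the risk.
$window    = (Get-Date).AddHours(-24)
$threshold = 5
$filter    = @{ LogName = 'Security'; Id = 4769; StartTime = $window }

$tgsRequests = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Requester = $data['TargetUserName']        # account that requested the ticket
        Service   = $data['ServiceName']           # account that owns the requested SPN
        EncType   = $data['TicketEncryptionType']  # 0x17 = RC4-HMAC, 0x12 = AES256
        Status    = $data['Status']                # 0x0 = ticket issued
        SourceIP  = $data['IpAddress']
    }
}

# Keep successful RC4 tickets for user-owned services only: krbtgt and machine accounts
# (names ending in $) can produce RC4 tickets in normal operation and would add noise.
$rc4Tickets = $tgsRequests | Where-Object {
    $_.Status -eq '0x0' -and $_.EncType -eq '0x17' -and
    $_.Service -ne 'krbtgt' -and $_.Service -notlike '*$'
}

$alerts = $rc4Tickets | Group-Object Requester | ForEach-Object {
    $services = @($_.Group.Service | Sort-Object -Unique)
    [pscustomobject]@{
        Requester        = $_.Name
        DistinctServices = $services.Count
        Services         = $services -join ', '
        SourceIPs        = (@($_.Group.SourceIP | Sort-Object -Unique)) -join ', '
        FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Where-Object { $_.DistinctServices -ge $threshold }

$alerts | Format-Table -AutoSize
```

Each alert row names the requesting account and source address, which is what the response (password reset of the affected service accounts, review of the requester) needs.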
Weak and Easy-to-Guess Passwords
The easiest target for intruders to breach security is weak, easy-to-guess or old passwords. The best recommendation is to use strong passwords and avoid already known ones. A strong password consists of a combination of uppercase and lowercase letters, numbers, and special characters. You can learn more about password strength here. There are many tools available that can help you perform password auditing in AD. You can see a report generated through a free tool on Desktop > Password-Report.png.
Brute Forcing Remote Desktop Protocol
Intruders use scanning tools to brute force weak credentials. Once the brute force succeeds, they quickly access the compromised systems and attempt privilege escalation along with establishing a persistent foothold on the target's computer. The best recommendation is to never expose RDP to the public internet without additional security controls. Continuous auditing for scanning attacks or brute-force attempts is also an important step.
Publicly Accessible Shares
During AD configuration, some shared folders are left publicly accessible or unauthenticated, providing an initial foothold for attackers and a path for lateral movement. You can use the Get-SmbOpenFile cmdlet in PowerShell to look for any undesired share on the network and configure access accordingly.
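As an added example (not from the room) that complements the Get-SmbOpenFile check above, the script below lists every non-administrative share on the host it runs on and flags share-level ACL entries that grant access to broad principals, which is how a share ends up "publicly accessible". The list of broad principals and the group name in the remediation lines are assumptions to adapt to your domain.

```powershell
# Added example, not part of the room: find shares whose ACL grants access to broad
# principals, then show the remediation pattern. Run on each file server and DC.
$broadPrincipals = @(
    'Everyone', 'BUILTIN\Guests', 'BUILTIN\Users',
    'NT AUTHORITY\ANONYMOUS LOGON', 'NT AUTHORITY\Authenticated Users'
)

# Hidden/admin shares (C$, ADMIN$, IPC$) are skipped here; review those separately.
$shareReport = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    $share   = $_
    $entries = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $_.AccountName }
    [pscustomobject]@{
        Share       = $share.Name
        Path        = $share.Path
        BroadAccess = (@($entries | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" })) -join ', '
        Exposed     = [bool]$entries
    }
}

$shareReport | Format-Table -AutoSize

# Remediation: replace the broad grant with a scoped group, then re-run the report.
# The group name is a placeholder; the Revoke/Grant lines are left commented so the
# script is read-only until you decide on the target group for each share.
foreach ($s in ($shareReport | Where-Object { $_.Exposed })) {
    Write-Warning "Share '$($s.Share)' at $($s.Path) is broadly accessible: $($s.BroadAccess)"
    # Revoke-SmbShareAccess -Name $s.Share -AccountName 'Everyone' -Force
    # Grant-SmbShareAccess  -Name $s.Share -AccountName 'DOMAIN\FileShare-Readers' -AccessRight Read -Force
}
```

Share-level permissions are only one layer; the NTFS ACL on the share path (Get-Acl) should be reviewed in the same pass, since the effective access is the more restrictive of the two.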
Room Answers
Change the Group Policy Setting in the VM, so it does not store the LAN Manager hash on the next password change.

What is the default minimum password length (number of characters) in the attached VM?

Computers and Printers must be added to Tier 0 – yea/nay?

Suppose a vendor arrives at your facility for a 2-week duration task. Being a System Administrator, you should create a high privilege account for him – yea/nay?

Find and open BaselineLocalInstall script in PowerShell editor – Can you find the flag?

Find and open MergePolicyRule script (Policy Analyser) in PowerShell editor – Can you find the flag?

Does Kerberoasting utilise an offline-attack scheme for cracking encrypted passwords – yea/nay?

As per the generated report, how many users have the same password as aaron.booth?

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
