Active Directory (AD)
Active Directory Main Concepts
What is Active Directory (AD)?
Active Directory (AD) is a directory service developed by Microsoft to manage Windows domain networks. It is the most commonly used identity management service in the world (95% of companies use it).
Active Directory is like a phone book that stores all kinds of information about objects such as computers, users, printers, etc.
It allows computers in the network to authenticate with their respective credentials through Kerberos tickets.
Physical AD Components
Domain Controller (DC)
A Domain Controller (DC) is a crucial component of a Windows-based network, entrusted with the Active Directory Domain Services (AD DS) server role. This role entails specific responsibilities, making the DC a cornerstone for network operations. When a server is promoted to a domain controller, it assumes several key functions:
Hosts AD DS Directory Store: The DC hosts a comprehensive copy of the Active Directory Domain Services (AD DS) directory store. This store contains vital information about network resources, user accounts, group policies, and more, crucial for network operations and security.
Provides Authentication and Authorization Services: Authentication and authorization services are core functions of a domain controller. It verifies the identity of users and computers attempting to access network resources and determines the level of access they are granted based on established security policies.
Replicates Updates: Domain Controllers collaborate through replication mechanisms to ensure data consistency across the domain and forest. When changes are made to the directory store on one DC, those updates are propagated to other domain controllers within the same domain and across the forest.
Allows Administrative Access: Domain Controllers facilitate administrative access to manage user accounts, group policies, network resources, and other aspects of the Active Directory infrastructure. Administrative tasks are crucial for maintaining the security and functionality of the network.
However, if a Domain Controller is compromised, it poses significant risks to the entire network. Potential consequences of a compromised DC include:
Unauthorized Access: Attackers may exploit the compromised DC to gain unauthorized access to sensitive data and resources within the network.
Data Theft: Sensitive information stored in the Active Directory, such as user credentials and proprietary data, may be stolen or manipulated.
Disruption of Services: Compromised DCs can disrupt network services, leading to downtime and productivity losses.
Propagation of Attacks: Attackers may use compromised DCs as footholds to launch further attacks or spread malware within the network.
In larger corporations, multiple Domain Controllers are typically deployed to distribute the workload and provide redundancy. This distributed architecture offers some resilience against attacks because compromising one DC does not grant total control over the entire network. However, it underscores the importance of robust security measures and proactive monitoring to detect and mitigate potential threats promptly.
AD DS Data Store
The AD DS Data Store is the foundational component of Active Directory Domain Services (AD DS), responsible for storing and managing directory information critical for user authentication, service access, and application functionality. This data store comprises the Ntds.dit file, which holds a wealth of sensitive information pertaining to users, objects, groups, password hashes, and more. Here are the main purposes and characteristics of the AD DS Data Store:
Ntds.dit File: At the heart of the AD DS Data Store is the Ntds.dit file, a database file that encapsulates all directory information within Active Directory. This file contains a comprehensive record of users, objects, groups, organizational units, and their respective attributes, along with encrypted password hashes for authentication purposes.
Sensitive Information Repository: The Ntds.dit file houses highly sensitive information that forms the backbone of an organization's identity and access management infrastructure. This includes user credentials, group memberships, access control settings, and other security-related data crucial for maintaining the integrity and security of the network.
Storage Location: By default, the Ntds.dit file is stored in the %SystemRoot%\NTDS folder on all domain controllers within the Active Directory domain. This centralized storage ensures uniform access to directory information across the network while maintaining data consistency and integrity.
Access Control: Access to the AD DS Data Store is tightly controlled and restricted to domain controller processes and protocols. This ensures that only authorized entities, such as Active Directory services and administrative tools, can interact with and manipulate directory data. Unauthorized access attempts are blocked and logged to maintain the confidentiality and integrity of the data store.
Integration with Domain Controller Operations: The AD DS Data Store is seamlessly integrated with domain controller operations, facilitating efficient storage, retrieval, and management of directory information. Changes made to directory objects and attributes are promptly reflected in the Ntds.dit file and replicated across domain controllers to maintain data consistency and availability throughout the network.
Overall, the AD DS Data Store plays a pivotal role in the functioning of Active Directory, serving as a secure repository for critical directory information essential for user authentication, resource access control, and administrative management within Windows-based network environments.
Logical AD Components
AD DS Schema
Active Directory Domain Services (AD DS) schema is a fundamental component of Active Directory infrastructure, defining the structure, attributes, and rules governing the storage and management of objects within the directory service. It provides a standardized framework for organizing and accessing information in a Windows network environment. Here are the main functions and characteristics of the AD DS schema:
Object Classes: Object classes serve as blueprints for defining the types of objects that can be stored in Active Directory. These classes encompass a wide range of entities such as users, groups, computers, printers, organizational units (OUs), and more. Each object class encapsulates a specific set of attributes that define the properties and characteristics of the objects belonging to that class.
Attributes: Attributes represent the properties or characteristics of objects stored in Active Directory. They provide essential information about objects, such as usernames, passwords, email addresses, phone numbers, and group memberships. Attributes are defined within the schema along with their data types, syntax, and other constraints to ensure data integrity and consistency.
Schema Objects: The schema itself is represented as a collection of objects stored within Active Directory. These schema objects define the object classes, attributes, and other schema-related components necessary for maintaining the directory structure. Schema objects are instances of schema classes defined within the schema and are essential for enforcing consistency and standardization across the directory service.
Extension and Modification: The AD DS schema is designed to be flexible and extensible, allowing organizations to tailor it to their specific requirements. Administrators can extend or modify the schema to accommodate new object classes, attributes, or custom schema rules. This may involve adding new attributes to existing object classes, defining entirely new object classes, or implementing custom schema rules to enforce specific business logic or constraints.
Replication: Changes made to the AD DS schema are replicated across all domain controllers within an Active Directory forest. This ensures consistency and uniformity of the directory structure and data across the entire forest, regardless of the location of domain controllers. Replication mechanisms ensure that schema updates are propagated efficiently, minimizing inconsistencies and ensuring that all domain controllers have the latest schema information.
In summary, the AD DS schema plays a crucial role in defining and maintaining the structure, attributes, and rules governing the storage and management of objects within Active Directory. It provides a flexible and extensible framework that allows organizations to customize Active Directory to meet their unique business requirements while ensuring consistency and standardization across the entire directory service.
Domains
Domains are fundamental units within an Active Directory (AD) environment, providing centralized management and authentication services for network resources. Here are the main functions and characteristics of domains within Active Directory:
Organizational Boundary: Domains serve as organizational boundaries within an Active Directory forest. They provide a logical structure for organizing and managing network resources, including users, computers, groups, and other objects. Each domain represents a distinct administrative boundary, allowing administrators to delegate management responsibilities and apply security policies at the domain level.
Security Boundary: Domains establish security boundaries within an Active Directory forest, defining the scope of authentication and authorization for network resources. Users and computers within a domain authenticate against domain controllers within the same domain, which verify their identity and grant access to resources based on established security policies. Domains also enforce access control mechanisms, such as group policies, to regulate resource access and permissions.
Trust Relationships: Domains can establish trust relationships with other domains within the same forest or with external domains in separate forests. Trust relationships allow users and resources from one domain to access resources in another domain while maintaining security boundaries and enforcing authentication and authorization policies. Trust relationships facilitate collaboration and resource sharing across organizational boundaries within a secure and controlled environment.
Namespace Management: Each domain in Active Directory has a unique Domain Name System (DNS) name, known as the domain's DNS namespace. The DNS namespace ensures that domain-joined clients can locate domain controllers and other network resources using fully qualified domain names (FQDNs). Domain controllers within a domain manage the domain's DNS namespace and provide name resolution services to clients within the domain.
Replication Boundary: Domains define replication boundaries within an Active Directory forest, determining the scope of replication for directory information between domain controllers. Replication within a domain ensures that changes made to directory objects, such as user accounts or group memberships, are synchronized across all domain controllers within the same domain. This ensures data consistency and availability while minimizing replication traffic across the network.
Administrative Boundaries: Domains allow for the delegation of administrative responsibilities, enabling organizations to distribute management tasks and responsibilities across different administrative units. Administrators can assign specific administrative privileges and permissions to users or groups within a domain, allowing them to manage resources and perform administrative tasks based on their assigned roles and responsibilities.
Domains are essential building blocks of an Active Directory environment, providing organizational, security, and administrative boundaries for managing network resources. They facilitate centralized authentication, access control, and resource management while enabling collaboration and resource sharing within a secure and controlled environment.
Trees
In Active Directory (AD), a Tree is a hierarchical arrangement of domains that share a common namespace. Trees are used to organize domains into a logical structure.
Key Characteristics:
Domains in a tree share a contiguous DNS namespace (e.g., company.com and sub.company.com).
All domains in a tree are connected by two-way transitive trusts, allowing seamless resource sharing.
Domains in a tree can have unique policies and administrators while still being part of the larger structure.
Example:
Root Domain: company.com
Child Domain: sales.company.com
Another Child Domain: hr.company.com
Forests
A Forest is the highest level of organization in Active Directory. It acts as a container for one or more trees, enabling resource sharing across multiple namespaces.
Key Characteristics:
Contains one or more trees that do not share a contiguous namespace.
Trees in a forest are connected through transitive trust relationships.
Forests define the security boundary in Active Directory, meaning objects in one forest cannot interact with another forest unless explicitly allowed.
Each forest has a Global Catalog that stores information about all objects in the forest to facilitate searches.
Example:
Tree 1: company.com → sales.company.com, hr.company.com
Tree 2: branch.org → accounts.branch.org, it.branch.org
Organizational Units (OUs)
Organizational Units are containers within a domain that organize objects such as users, groups, and computers into manageable units.
Key Characteristics:
OUs are used to delegate administrative tasks without creating additional domains.
They allow the application of Group Policies (GPOs) to manage objects within the OU.
Hierarchical structure makes it easier to reflect an organization's real-world structure (e.g., departments or locations).
Unlike domains, OUs are not security boundaries; permissions from the domain level apply to all OUs within it.
Example:
Domain: company.com
OU: Sales → contains users and computers for the sales department.
OU: IT → contains users and computers for the IT department.
Trust
A Trust is a relationship established between domains or forests to allow resource sharing and authentication across boundaries.
Types of Trusts:
Parent-Child Trust: Automatically created between a parent and its child domain.
Tree-Root Trust: Automatically created between the root domains of trees within a forest.
External Trust: Created manually to connect domains in different forests that do not have a transitive trust.
Forest Trust: Connects two forests for resource sharing.
Shortcut Trust: Optimizes authentication paths between domains within the same forest.
Trust Directions:
One-Way Trust: Domain A trusts Domain B, but not vice versa.
Two-Way Trust: Both domains trust each other.
Objects
In Active Directory, an Object is the fundamental unit of data. Each object represents a single entity, such as a user, group, computer, or printer.
Key Characteristics:
Objects are stored in the Active Directory database and organized into a hierarchical structure.
Each object has a unique Distinguished Name (DN) to identify it within the directory.
Objects have attributes that store details (e.g., a user's name, email, or phone number).
Common Object Types:
Users: Represent individual accounts for people.
Groups: Collections of users or computers.
Computers: Represent devices joined to the domain.
Printers: Represent network printers.
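As an added offline illustration (not code from the original notes) of the tree, forest and Distinguished Name rules above: the functions below build a domain's DC= naming context from its DNS name, group the page's sample domains into trees by contiguous namespace, and parse an object's DN back to the domain that holds it.

```python
# Added example (not from the original notes): an offline model of the naming
# rules above, using the domain names from the page's Tree/Forest example.

def dns_to_dn(dns_name):
    """company.com -> 'DC=company,DC=com', the naming context of that domain."""
    return ",".join(f"DC={label}" for label in dns_name.lower().split("."))

def parent_domain(dns_name):
    """sales.company.com -> company.com; a single-label name has no parent."""
    _, _, rest = dns_name.partition(".")
    return rest or None

def group_into_trees(domains):
    """Map each tree root to the domains of its tree: a domain joins the tree of
    its DNS parent when that parent is one of the forest's domains (contiguous
    namespace); otherwise it starts a tree of its own (forest = several trees)."""
    known = set(domains)

    def root_of(name):
        parent = parent_domain(name)
        return root_of(parent) if parent in known else name

    trees = {}
    for name in domains:
        trees.setdefault(root_of(name), []).append(name)
    return trees

def split_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) pairs. A backslash escapes the
    next character, so 'CN=Smith\\, John' is one RDN whose value holds a comma
    (hex escapes such as \\2C are not handled)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return [tuple(rdn.split("=", 1)) for rdn in rdns]

def domain_of(dn):
    """Recover the DNS name of the domain that holds an object from its DN."""
    return ".".join(v for a, v in split_dn(dn) if a.upper() == "DC")
```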
Forests and Domain Trust
Trust relationships allow forests and domains to collaborate and share resources.
Within a Forest:
All domains and trees are connected by two-way transitive trusts by default.
This allows for seamless resource sharing and centralized management across the entire forest.
Between Forests:
Trusts need to be manually configured for forests to interact.
Forest Trusts allow limited or full resource sharing between forests.
Trust Security Considerations:
Trusts rely on Kerberos authentication, and misconfigurations can lead to security vulnerabilities.
Use trust filtering to restrict the scope of access between domains or forests.
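An added example, not from the original notes: a small audit that applies the considerations above to trust records shaped like Get-ADTrust output (the property names Direction, IntraForest, ForestTransitive, SIDFilteringForestAware, SIDFilteringQuarantined and SelectiveAuthentication are the cmdlet's; the records are constructed, and every host other than sales.company.com and branch.org is invented).

```python
# Added example (not from the original notes): a trust audit over records shaped
# like the properties Get-ADTrust returns. The records are constructed; only
# sales.company.com and branch.org come from the page, the others are invented.

def trust(name, direction, **flags):
    """Build a record with Get-ADTrust-like property names; unset flags are False."""
    record = dict(Name=name, Direction=direction, IntraForest=False, ForestTransitive=False,
                  SIDFilteringForestAware=False, SIDFilteringQuarantined=False,
                  SelectiveAuthentication=False)
    record.update(flags)
    return record

SAMPLE_TRUSTS = [  # constructed sample, as seen from company.com
    trust("sales.company.com", "BiDirectional", IntraForest=True),       # child domain
    trust("branch.org", "BiDirectional", ForestTransitive=True),         # forest trust, filtering off
    trust("legacy.example", "Outbound", SIDFilteringQuarantined=True),   # external trust, quarantined
    trust("partner.example", "Inbound"),                                 # they trust us, not vice versa
]

def trust_kind(t):
    """Parent-child/tree-root trusts are intra-forest; the rest are forest or external."""
    if t["IntraForest"]:
        return "intra-forest"
    return "forest" if t["ForestTransitive"] else "external"

def lets_foreign_principals_in(t):
    """Outbound or two-way: accounts from the other side can be granted access here."""
    return t["Direction"] in ("Outbound", "BiDirectional")

def audit_trust(t):
    """Return (severity, message) findings for one trust, following the considerations above."""
    kind, findings = trust_kind(t), []
    if kind == "intra-forest" or not lets_foreign_principals_in(t):
        return findings  # forest is the security boundary; inbound-only lets no remote principal in
    if kind == "forest" and not t["SIDFilteringForestAware"]:
        findings.append(("HIGH", f"{t['Name']}: forest trust without SID filtering"))
    if kind == "external" and not t["SIDFilteringQuarantined"]:
        findings.append(("HIGH", f"{t['Name']}: external trust without SID filtering (quarantine)"))
    if not t["SelectiveAuthentication"]:
        findings.append(("MEDIUM", f"{t['Name']}: selective authentication not enabled"))
    return findings

def audit(trusts):
    """Flatten the findings for every trust in the list."""
    return [f for t in trusts for f in audit_trust(t)]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_TRUSTS):
        print(severity, message)
```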
Courses and Certifications
Very in-depth
Altered Security certifications (CRTP, CRTE, CRTM, etc.); check my notes for CRTP here
HackTheBox Certifications (CAPE, CPTS)
Less in-depth
Disclaimer
Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!
Never run these techniques on unauthorized addresses.