Neko

Active Directory Basics

An overview of basic concepts and functionality provided by Active Directory

Last updated: May 4th, 2023

Windows Domains

  • Advantages
    • Centralised Identity Management
    • Security Policies
  • Summary
    • Windows Domain is a group of users and devices
    • Administration is centralised through Active Directory
    • The Domain Controller is the server that runs the AD services
    • The core of the domain is the AD DS which contains object information

Active Directory

  • Objects
    • Users
      • Security principals; can be assigned privileges over resources
      • Represent people and services
  • Machines
    • Security principals; local administrators on the computer they represent; account name is ComputerName$; 120-character passwords rotated automatically
  • Security Groups
    • Domain Admins
      • Admins of entire domain
    • Server Operators
      • Administer DCs, but cannot change administrative group memberships
    • Backup Operators
      • Can access any file regardless of its permissions (intended for backups)
    • Account Operators
      • Create and modify accounts
    • Domain Users
      • All user accounts
    • Domain Computers
      • All computers in the domain
    • Domain Controllers
      • All DCs
  • Organizational Units (OUs) vs Security Groups
    • OUs are for applying policies (GPOs); an object can only be in one OU at a time
    • Security Groups are used to grant permissions over resources; an object can be a member of many groups

Group Policy Object (GPO)

  • GPOs push configuration and security policies to OUs (and to the domain or site level)
  • GPO distribution is done over a network share on the DCs called SYSVOL, stored locally at C:\Windows\SYSVOL\sysvol\
  • Changes can take time to replicate; run gpupdate /force on a client to apply them immediately

Auth Methods

  • Kerberos
    1. The user sends their username and a timestamp, encrypted using a key derived from their password, to the KDC
    2. The KDC sends back a Ticket Granting Ticket (TGT), encrypted with the krbtgt account's hash, and a session key, encrypted with the user's hash
    3. The client can then request a Ticket Granting Service (TGS) ticket by sending the username and timestamp, encrypted with the session key, together with the TGT and the service principal name (SPN) of the service to connect to
    4. The KDC will respond with the TGS, encrypted with the service account's hash, and a service session key, encrypted with the session key
    5. The client finally sends the username and timestamp, encrypted with the service session key, and the TGS to the service
  • NetNTLM
    1. The client sends an authentication request to the server it wants to access.
    2. The server generates a random number and sends it as a challenge to the client.
    3. The client combines its NTLM password hash with the challenge (and other known data) to generate a response and sends it back to the server for verification. The hash itself never crosses the wire, but a captured challenge/response pair can be cracked offline or relayed.
    4. The server forwards the challenge and the response to the Domain Controller for verification.
    5. The domain controller uses the challenge to recalculate the response and compares it to the original response sent by the client. If they both match, the client is authenticated; otherwise, access is denied. The authentication result is sent back to the server.
    6. The server forwards the authentication result to the client.
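The Kerberos exchange above, as an added runnable model that is not part of the original notes. Real Kerberos uses AES or RC4-HMAC keys and ASN.1-encoded messages; here a SHA-256-based stream cipher with an HMAC tag stands in for them so the five messages can be run offline. The principal names, passwords, SPN and the KDC/client/service helper functions are all constructed for this example. The model shows who can open which message: a wrong password fails at step 2 (the KDC cannot open the pre-authentication timestamp), the client never sees inside the TGT, and the TGS can be opened only with the service account's key, which is why a TGS can be cracked offline by whoever holds it (Kerberoasting).

```python
import hashlib
import hmac
import json
import os
import time


def long_term_key(secret: str) -> bytes:
    """Stand-in for the key a password hashes to (NT hash / AES key)."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: nonce || (plaintext XOR keystream) || HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Constructed KDC holding user keys, service keys and the krbtgt key."""

    def __init__(self, users: dict, services: dict):
        self.users = {u: long_term_key(p) for u, p in users.items()}
        self.services = {spn: long_term_key(p) for spn, p in services.items()}
        self.krbtgt = long_term_key("krbtgt-secret-constructed")

    def as_exchange(self, user: str, preauth: bytes):
        """Steps 1-2: check the timestamp under the user's key, return TGT + session key."""
        ts = unseal(self.users[user], preauth)["timestamp"]  # wrong password -> ValueError
        if abs(time.time() - ts) > 300:
            raise ValueError("clock skew too large")
        session = os.urandom(16).hex()
        tgt = seal(self.krbtgt, {"user": user, "session": session})  # opaque to the client
        return tgt, seal(self.users[user], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """Steps 3-4: open the TGT with the krbtgt key, check the authenticator, issue a TGS."""
        t = unseal(self.krbtgt, tgt)
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if auth["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(16).hex()
        tgs = seal(self.services[spn], {"user": t["user"], "spn": spn, "session": svc_session})
        return tgs, seal(bytes.fromhex(t["session"]), {"session": svc_session})


def service_accepts(service_key: bytes, tgs: bytes, authenticator: bytes) -> bool:
    """Step 5 from the service's side: only the service key opens the TGS."""
    t = unseal(service_key, tgs)
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    return auth["user"] == t["user"]


def client_access(kdc: KDC, user: str, password: str, spn: str):
    """Client side of steps 1, 3 and 5; returns the TGS and authenticator sent to the service."""
    ukey = long_term_key(password)
    tgt, enc_sess = kdc.as_exchange(user, seal(ukey, {"user": user, "timestamp": time.time()}))
    session = bytes.fromhex(unseal(ukey, enc_sess)["session"])  # needs the password-derived key
    tgs, enc_svc = kdc.tgs_exchange(tgt, seal(session, {"user": user, "timestamp": time.time()}), spn)
    svc_session = bytes.fromhex(unseal(session, enc_svc)["session"])
    return tgs, seal(svc_session, {"user": user, "timestamp": time.time()})


def demo() -> bool:
    """Full flow for a constructed user and service; True when the service accepts the ticket."""
    spn = "MSSQLSvc/db01.corp.local:1433"
    kdc = KDC({"alice": "Winter2023!"}, {spn: "svc-password"})
    tgs, auth = client_access(kdc, "alice", "Winter2023!", spn)
    return service_accepts(long_term_key("svc-password"), tgs, auth)


if __name__ == "__main__":
    print("service accepted ticket:", demo())
```

Because `seal` is a toy cipher, nothing here should be reused as cryptography; the point is the message flow and which key opens which message.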
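The NetNTLM steps above, as an added worked example that is not from the original notes: both sides of an NTLMv2 challenge/response are computed in Python with the standard library. MD4 is implemented inline because recent OpenSSL builds only ship it as a legacy algorithm; the user name, domain, password, challenges and timestamp are constructed and fixed so the run is reproducible. The client computes the response from its NT hash (step 3), the DC recomputes it from the stored NT hash and compares (step 5), and a helper prints the pair in the form tools such as Responder capture it (hashcat mode 5600), which is the reason the exchange can be cracked offline even though the hash never leaves the client.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320, used by Windows for the NT hash."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, konst, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + konst) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates "a"
        state = [(s + v) & M for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; this is what the DC stores."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nthash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key = HMAC-MD5(NT hash, UPPER(user) + domain) per MS-NLMP."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(nthash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes = b"") -> bytes:
    """Step 3 (client): NTProofStr || blob, where NTProofStr = HMAC-MD5(key, challenge || blob)."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntlmv2_key(nthash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def dc_verify(stored_nthash: bytes, user: str, domain: str, server_challenge: bytes,
              response: bytes) -> bool:
    """Step 5 (DC): recompute NTProofStr from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(stored_nthash, user, domain), server_challenge + blob,
                        hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def hashcat_line(user: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """The captured exchange in NetNTLMv2 form (hashcat -m 5600)."""
    return f"{user}::{domain}:{server_challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"


def demo() -> tuple:
    """Constructed exchange: returns (DC verdict for right password, verdict for wrong password)."""
    dc_db = {"alice": nt_hash("Winter2023!")}           # what the DC stores (constructed)
    server_challenge = bytes.fromhex("0123456789abcdef")  # fixed instead of random, for reproducibility
    client_challenge = bytes.fromhex("fedcba9876543210")  # constructed
    timestamp = 133_000_000_000_000_000                   # constructed FILETIME value
    good = ntlmv2_response(nt_hash("Winter2023!"), "alice", "CORP", server_challenge,
                           client_challenge, timestamp)
    bad = ntlmv2_response(nt_hash("NotThePassword"), "alice", "CORP", server_challenge,
                          client_challenge, timestamp)
    print(hashcat_line("alice", "CORP", server_challenge, good))
    return (dc_verify(dc_db["alice"], "alice", "CORP", server_challenge, good),
            dc_verify(dc_db["alice"], "alice", "CORP", server_challenge, bad))


if __name__ == "__main__":
    print("verdicts (correct, wrong):", demo())
```

The server in step 4 only relays: it holds neither the NT hash nor the response key, which is what makes the DC round trip necessary. Note that the client-side pieces (timestamp, client challenge, target info) are not secret; the only secret input is the NT hash.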

Trees, Forests, and Trusts

  • Trees
    • Allow domains that share a namespace (a root domain and its subdomains) to be combined
  • Forests
    • Multiple trees with different namespaces joined together
  • Trusts
    • Allow users of one domain to access resources in another domain; trusts can be one-way or two-way, and a trust only enables access, permissions still have to be granted on the resource