Active Directory Security

Common good practices

  • 🔒 Use an account in the Domain Admins group instead of the Administrator account, which should be disabled.
  • 🔑 Limit the use of administrative accounts
  • 🗺️ Do not name your server after its function (e.g. SQL_SERVER)
  • 🌍 Do not name a workstation after its business unit (e.g. sales-xxx)
  • 🏠 Do not use easy-to-guess usernames (e.g. firstname.lastname)
  • 🪺 Install as few services as possible on your DC (e.g. no IIS/WSUS...)
  • 🏄‍♂️ Install as few IIS modules as possible

Authentication & Authorization

Active Directory database


The Active Directory database is stored on the domain controller at %SystemRoot%\ntds\ntds.dit. It is used to validate credentials.

It contains user/computer/group accounts, group policies, etc.

To copy this database, we need either local administrative or domain administrative privileges. We can use VSS (Volume Shadow Copy Service).

You can use commands that are only available on Windows Server:

CMD> vssadmin CREATE SHADOW /For=C:
CMD> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\NTDS\NTDS.dit %temp%\NTDS.dit

You can also use cme/nxc, which dumps it automatically:

$ nxc smb IP -u 'username' -p 'password' --ntds
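
Defenders can watch for the two VSS commands above in process-creation logs. The following is an added example, not part of the original notes: a small Python detector run over constructed command lines. The event tuple layout, rule names and sample hosts/users are assumptions, and it presumes command-line auditing (e.g. Security event 4688) is enabled on the domain controllers.

```python
import re

# Constructed sample events: (host, user, process command line).
SAMPLE_EVENTS = [
    ("DC01", "CORP\\svc_backup", r"vssadmin list shadows"),
    ("DC01", "CORP\\jdoe", r"vssadmin CREATE SHADOW /For=C:"),
    ("DC01", "CORP\\jdoe",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3"
     r"\Windows\NTDS\NTDS.dit C:\Users\jdoe\AppData\Local\Temp\NTDS.dit"),
    ("WS07", "CORP\\asmith", r"notepad.exe C:\notes\ntds.dit-todo.txt"),
    ("DC02", "CORP\\admin2", r'VSSADMIN.EXE  create   shadow "/for=D:"'),
]

# Hypothetical rule names; patterns are case-insensitive because Windows
# command lines and paths are.
RULES = {
    # A shadow copy being created (legitimate for backups, so triage by user).
    "shadow_copy_created": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I),
    # ntds.dit referenced through a shadow-copy device path, which bypasses
    # the lock held on the live file.
    "ntds_read_from_shadow_copy": re.compile(
        r'HarddiskVolumeShadowCopy\d+\\(?:[^\s"]*\\)?ntds\.dit\b', re.I),
}

def classify(cmdline):
    """Return the names of all rules matching one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def detect(events):
    """Return (alerts, chained): per-event hits, plus hosts where a shadow
    copy was created and ntds.dit was then read from a shadow copy."""
    alerts, shadow_seen, chained = [], set(), []
    for host, user, cmd in events:
        for rule in classify(cmd):
            alerts.append((host, user, rule))
            if rule == "shadow_copy_created":
                shadow_seen.add(host)
            elif host in shadow_seen and host not in chained:
                chained.append(host)
    return alerts, chained

if __name__ == "__main__":
    alerts, chained = detect(SAMPLE_EVENTS)
    for host, user, rule in alerts:
        print(f"[{rule}] host={host} user={user}")
    print("High priority (both steps on same host):", chained)
```

A shadow-copy creation alone is often backup activity; the chained result is the one to escalate first.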

Kerberos


Kerberos is a protocol used to provide secure authentication over non-secure networks. It replaces NTLM and NetNTLM.

When a user logs in, their password is hashed and sent to the Kerberos server along with the timestamp for verification. Upon successful login, the server generates a ticket-granting ticket (TGT) 🎫.

When the user wants to access a network resource, such as a shared folder or a database, the computer requests a ticket from the Key Distribution Center (KDC) using the TGT. If the request is accepted, the KDC will give them a Ticket Granting Service (TGS) 🎟️ that they can use solely for the requested service.


👻 To-do 👻

Stuff that I found, but never read/used yet.

Configure BitLocker
  • Also in Windows Security
  • Network Unlock

1) The first part is installing BitLocker on the server:

  • Start the Server Manager
  • Click on "Add roles and features"
  • Press Next thrice
  • In Features, select BitLocker

2) Then we need to configure it:

  • Go to Tools > Group Policy Management
  • Right-click on a GPO > Edit (you could create a GPO and apply it on the whole domain, or a GPO only for some OUs...)
  • Navigate to "Computer Configuration" > "Policies" > "Administrative Templates" > "Windows Components" > "BitLocker Drive Encryption"
  • ~~Enable the "Turn on BitLocker"~~
  • Navigate to "Operating system drives"
  • Enable the "Require additional authentication at startup"
    • Select "Allow BitLocker without a compatible TPM"
    • Select "Do not allow startup PIN with TPM"
  • Enable "Choose how BitLocker-protected operating system drives can be recovered"
    • Select the "Save BitLocker recovery information to AD DS for operating system drives"
  • Navigate back to parent
  • ~~Configure "Choose drive encryption method and cipher strength" (encryption method, cipher strength...)~~

3) On the Windows 10 workstation, you need to use a local administrator account; refer to the "Get started" section if needed.

  • Open PowerShell/CMD as an administrator
  • Enter "gpedit.msc"
  • Navigate to "Computer Configuration" > "Administrative Templates" > "Windows Components" > "BitLocker Drive Encryption"
  • ...
  • Restart

Then, right-click on the drive to encrypt, select "BitLocker", and encrypt it. If you are prompted for a password when starting the workstation, then something went wrong in your configuration.

Notes to configure TCP/IP parameters

You can either use the Windows Registry, or a group policy. Here are some parameters that you may want to set.

  • SynAttackProtect (SYN flood attacks)
  • EnableDeadGWDetect (Detect dead gateways)
  • EnablePMTUdiscovery (Avoid fragmentation...)
  • KeepAliveTime (Timeout for inactive connections)
  • TCPMaxPortsExhausted (Prevent from exhausting ports)
  • PerformRouterDiscovery (Can simplify the configuration but allows attackers to set up rogue routers/... to redirect traffic)
  • NoNameReleaseOnDemand (Release the NetBIOS name when no longer needed to prevent attackers from obtaining information)
  • TcpMaxConnectResponseRetransmissions (can help to prevent SYN flood attacks, but may exhaust system resources)
  • Passwords stored in cleartext in group policy? in user desc?