Introduction to Active Directory

Active Directory (AD) is the backbone of identity, policy, and resource management in Windows environments. It’s a distributed, hierarchical directory service that provides centralized authentication and authorization for users, computers, groups, policies, file shares, trusts, and more. Because AD is both powerful and widely deployed, it’s a prime target for attackers — and therefore absolutely critical for defenders to understand.

What Active Directory Actually Is (Plain English)

  • Directory service: AD is essentially a searchable, distributed database of objects (users, machines, groups, OUs, etc.).
  • Centralized control: Admins manage accounts, group policies, and resources from a few servers instead of touching every host.
  • Authentication and authorization: AD handles logins (Kerberos / NTLM) and decides who can access what.
  • Scalable & hierarchical: Multiple domains, organizational units (OUs), and forests let organizations model their structure and scale to millions of objects.

Think of AD as the company’s address book + security guard + policy engine all rolled into one. It makes life easier — and, when misconfigured, makes attacks easier too.

Why AD Is a High-Value Target

  • Ubiquity: Roughly 95% of Fortune 500 organizations run AD — it’s everywhere in enterprise Windows shops.
  • High impact: Compromise of AD (or a domain admin account) can give attackers control over essentially the whole environment.
  • Information leakage by design: A default domain user can enumerate a large amount of information (users, groups, computers), which helps attackers map and plan.
  • Historic and ongoing bugs: AD and adjacent services (e.g., Exchange) have yielded several severe vulnerabilities (Zerologon, PrintNightmare, Kerberoasting abuses) that attackers exploit to escalate privileges and move laterally.
  • Ransomware playbooks: Modern ransomware gangs (e.g., Conti and others) often rely on AD misconfigurations and known CVEs to quickly escalate and spread.

Core AD Concepts (Quick Reference)

  • Domain: A logical boundary of objects and policies.
  • Forest: A collection of one or more domains sharing a schema and global catalog.
  • Organizational Unit (OU): Containers for grouping objects (users, computers) for policy and delegation.
  • Domain Controller (DC): The server that stores AD and services authentication.
  • Group Policy Objects (GPOs): Define configuration and security settings applied to OUs, domains, or sites.
  • Principals / Objects: Users, computers, groups, service accounts, etc.
  • Trusts: Relationships allowing authentication across domains/forests.

Protocols and Technologies AD Relies On

  • LDAP (Lightweight Directory Access Protocol): Query and manage directory information (the read/write surface many tools use).
  • Kerberos: Primary authentication protocol for modern AD (ticket-based).
  • NTLM: Older authentication mechanism (still present for legacy systems and sometimes abused).
  • RPC / SMB / DCE-RPC: Common for remote management, file shares, and replication.
  • Group Policy & SYSVOL replication: Deliver settings and scripts — often a target for persistence or misconfiguration abuse.

Typical Attack Paths Against AD (High-Level)

  • Information gathering: Any domain user can enumerate AD objects to find misconfigurations and targets.
  • Credential theft: Dumping credentials from endpoints (LSASS), abusing weak secrets or stored keys (e.g., misconfigured gMSAs), or capturing NTLM authentication.
  • Kerberoasting: Requesting service tickets for SPNs and offline cracking of service account hashes.
  • Exploiting CVEs: Zerologon, PrintNightmare, and others allow privilege escalation or remote code execution on DCs.
  • Lateral movement: Using harvested credentials or RDP/SMB to move to higher value hosts.
  • Persistence & domain takeover: Create backdoor accounts, modify GPOs, or corrupt replication to gain long-term control.

A Short History (Why AD Looks the Way It Does)

  • AD was introduced in the late 1990s (Windows Server 2000) and evolved while maintaining backward compatibility with earlier Windows networking ideas.
  • It built on directory concepts such as X.500 and LDAP.
  • Over time Microsoft added forests, trusts, ADFS (Single Sign-On), Group Managed Service Accounts (gMSA), and cloud synchronization (Azure AD Connect).
  • The long history + backward compatibility means legacy protocols and configurations persist — useful for attackers.

Why Misconfiguration Is Dangerous (Examples)

  • Excessive privileges: Poor ACLs on objects or groups let attackers escalate via delegation mistakes.
  • Broadly permissive access: “Everyone” or “Authenticated Users” given rights to sensitive objects.
  • Service account mismanagement: Weak or reused passwords for service accounts make Kerberoasting succeed.
  • Network flattening: Lack of segmentation allows compromised endpoints to reach DCs or other critical infrastructure.
  • Unpatched CVEs: Known AD-related vulnerabilities can be weaponized quickly by attackers and ransomware groups.

Defensive Principles and Hardening Guidance

  1. Least privilege: Limit who can read, write, and modify AD objects; use tiered admin models.
  2. Segmentation & monitoring: Network segmentation, host-based controls, and IDS/EDR visibility reduce and detect lateral movement.
  3. Patch management: Rapidly remediate critical AD-related CVEs (Zerologon, PrintNightmare, etc.).
  4. Audit and logging: Enable and collect DC security logs, LDAP/audit logs, and authentication telemetry. Correlate with endpoint EDR.
  5. Credential hygiene: Use strong secrets, restrict high-privilege account usage, rotate service account passwords, and favor gMSA where appropriate.
  6. Limit exposure of sensitive attributes: Control who can enumerate servicePrincipalNames and other sensitive metadata.
  7. Monitoring for abuse patterns: Kerberos anomalies, sudden account delegations, unusual SPN requests, or new privileged group membership.
  8. Red team testing and purple teaming: Regular exercises to discover policy gaps and operationalize detection.

Tools & Learning Path (for Attackers & Defenders)

  • For enumeration & testing: Tools like ldapsearch, BloodHound (graphs AD relationships), Impacket (protocol library and scripts commonly used for lateral movement), and Kerberoast toolkits.
  • For defense & detection: SIEM integration, EDR products, DC hardening checklists, log analytics for Kerberos/LDAP anomalies.
  • Learning progression: start with AD fundamentals → practice enumeration in lab VMs → study common attacks (Kerberoasting, DCSync, pass-the-hash) → implement defensive controls and detection rules.

Real-World Examples (Why This Is Urgent)

  • Zerologon (CVE-2020-1472): Flaw in Netlogon allowed elevation to Domain Admin in some scenarios.
  • PrintNightmare (CVE-2021-34527): Print spooler vulnerabilities used in privilege escalation and remote code execution.
  • Kerberoasting: Still effective where service account SPNs are configured and service account passwords can be cracked offline.
  • Ransomware playbooks: Modern campaigns exploit AD weaknesses (vulnerabilities + credential theft + lateral movement) to encrypt broad swaths of infrastructure.

(These examples underline that AD compromise is often the turning point between an isolated incident and a full domain compromise.)

Active Directory Structure

Active Directory (AD) is Microsoft’s directory service built for Windows-based network environments. It operates as a distributed and hierarchical system that enables centralized control of an organization’s resources. These resources include users, computers, groups, servers, workstations, network devices, file shares, group policies, and trust relationships. Within a Windows domain, AD handles both authentication and authorization processes. Services like Active Directory Domain Services (AD DS) allow organizations to store directory information and make it accessible to regular users and administrators across the network. AD DS holds data such as usernames and passwords and manages the permissions required for legitimate users to access those details. First introduced with Windows Server 2000, AD has increasingly become a target for cyberattacks. While designed to remain backward-compatible, many of its features are not secure by default, making it complex to manage and prone to misconfigurations—especially in large-scale deployments.

Weaknesses and misconfigurations in Active Directory can be leveraged to gain an initial foothold inside a network, move laterally or escalate privileges, and eventually access sensitive assets such as databases, file shares, or source code repositories. Essentially, AD is a large, queryable database that every domain user can interact with, regardless of their permission level. Even a standard account with no elevated rights can gather information on most objects in the environment, such as:

  • Domain Computers
  • Domain Users
  • Domain Groups
  • Organizational Units (OUs)
  • Default Domain Policy
  • Domain Functional Levels
  • Password Policies
  • Group Policy Objects (GPOs)
  • Domain Trusts
  • Access Control Lists (ACLs)

Because of this, understanding how Active Directory works and the basics of its administration is crucial before attempting to test or exploit it. It’s always easier to break something once you understand how it is built.

The logical layout of AD follows a tree-like hierarchy. At the highest level sits the forest, which acts as the security boundary containing one or more domains. Each forest can consist of multiple domains, and each domain can contain additional subdomains. A domain is essentially the container for all objects (users, groups, and computers) within it. Domains also include predefined Organizational Units (OUs), such as Controllers, Users, and Computers, while administrators can create custom OUs to suit organizational needs. OUs can hold objects and other sub-OUs, allowing administrators to apply group policies with flexibility at different levels.

What Active Directory structure can contain one or more domains?

The Active Directory structure that can contain one or more domains is called a Forest.

A Forest is the top-level logical structure in Active Directory.
It can include one domain or multiple domains (and even multiple domain trees), all sharing a common schema and global catalog.

True or False; It can be common to see multiple domains linked together by trust relationships?

It’s common in larger or more complex organizations to have multiple domains connected through trust relationships, allowing users and resources to be shared securely across them.

Active Directory provides authentication and <____> within a Windows domain environment.

Active Directory provides authentication and authorization within a Windows domain environment.

Active Directory Terminology

Before moving forward, it’s important to pause and go over some fundamental terms that you’ll encounter frequently when working with Active Directory (AD). Understanding this vocabulary will make it easier to follow along with the concepts in this module and to grasp how AD functions in general.

Object

An object is any resource stored within an Active Directory environment. This includes everything from Organizational Units (OUs) and printers to users, groups, and domain controllers. In simple terms, if it exists in AD, it’s considered an object.

Attributes

Every object in AD comes with a set of attributes that describe its characteristics. For instance, a computer object will have attributes like its hostname and DNS name. Each attribute also has a Lightweight Directory Access Protocol (LDAP) name, which is used when performing LDAP queries. Examples include displayName for a person’s full name or givenName for their first name.

Schema

The schema is essentially the blueprint of Active Directory. It defines what types of objects can exist in the AD database and what attributes they can have. Each object type—such as a user, group, or computer—belongs to a class (e.g., users belong to the user class, computers belong to the computer class). When you create a new object from one of these classes, it becomes an instance of that class. For example, if we create a computer object named RDS01, that object is an instance of the computer class.

Domain

A domain is a logical collection of objects such as users, groups, OUs, and computers. You can think of a domain as a “city” within a larger region. Domains can operate on their own or establish trust relationships with other domains, allowing them to interact securely.

Forest

At the very top of the Active Directory structure sits the forest. A forest is a collection of one or more domains and contains all AD objects, including users, computers, groups, and Group Policy Objects (GPOs). You can think of a forest as being similar to a “state” in the U.S. or a “country” in Europe. While each forest operates independently, it can still form trust relationships with other forests.

Tree

A tree is a group of domains that share a common root domain. Multiple trees together form a forest. Domains in a tree share boundaries and maintain parent-child trust relationships. For example, if the root domain is inlanefreight.local, a child domain might be corp.inlanefreight.local. Similarly, another tree in the same forest could be ilfreight.local with its child domain corp.ilfreight.local. All domains within a tree share a single Global Catalog, which provides a searchable index of objects.

Container

A container is an object whose primary role is to hold other objects. Containers have a defined position in the directory’s hierarchy, much like folders in a file system.

Leaf

A leaf is the opposite of a container—it’s an object that cannot hold other objects. Leaf objects sit at the “end branches” of the directory tree.

What is known as the “Blueprint” of an Active Directory environment?

The Schema is known as the “Blueprint” of an Active Directory environment. It defines the objects and attributes that can exist within the directory.

What uniquely identifies a service instance? (full name, space-separated, not abbreviated)

A Service Principal Name uniquely identifies a service instance in Active Directory. It allows Kerberos to know which account a service is running under. Without it, Kerberos authentication for that service fails.

True or False; Group Policy objects can be applied to user and computer objects.

Group Policy Objects can apply settings to both user accounts and computer accounts in Active Directory.

What container in AD holds deleted objects?

The Deleted Objects container holds deleted (tombstoned) objects and allows recovery before they are permanently purged from the directory.

What file contains the hashes of passwords for all users in a domain?

NTDS.dit is the main Active Directory database file stored on Domain Controllers.

Active Directory Objects

In Active Directory (AD), the term object refers to any resource within the directory. This can include users, computers, groups, organizational units (OUs), printers, shared folders, and more. Essentially, if it exists in AD, it is represented as an object.

Objects can be broadly divided into leaf objects (which cannot contain other objects) and container objects (which can hold other objects). Let’s look at the most common ones.

Users

User objects represent individuals within the organization. They are leaf objects, meaning they cannot contain other objects. Each user is a security principal, so it has both a Security Identifier (SID) and a Globally Unique Identifier (GUID).

User objects can have hundreds of attributes, such as:

  • Display name
  • Last login time
  • Date of last password change
  • Email address
  • Manager
  • Department, address, phone, etc.

In practice, only a subset of these attributes is typically populated. Still, their sheer number demonstrates AD’s complexity.

Because users provide access to so many other resources, even a low-privilege account can be a prime target for attackers, as it often enables broad enumeration of the domain or forest.

Contacts

Contact objects are usually created to represent external individuals (e.g., vendors or customers). They are leaf objects but not security principals—so they do not have a SID, only a GUID. Their attributes include first name, last name, email, and phone number. Think of them like digital “contact cards” stored inside AD.

Printers

A printer object points to a printer accessible on the AD network. Like contacts, printers are leaf objects and not security principals (only GUIDs). Attributes include printer name, driver, and port details.

Computers

Computer objects represent any machine joined to the AD domain (servers or workstations). They are leaf objects but, unlike printers, they are security principals and therefore have both a SID and a GUID.

From an attacker’s perspective, gaining administrator or SYSTEM-level access on a computer lets them act as the computer account, which has roughly the same domain rights as a regular domain user: enough to enumerate the domain and attempt lateral movement.

Shared Folders

Shared folder objects point to folders hosted on computers within the AD environment. They are not security principals (only GUIDs) but can have fine-grained access controls. Permissions can be:

  • Public (accessible to anyone, even without an AD account),
  • Authenticated users only, or
  • Restricted to specific groups or users.

Attributes include folder name, location, and access rights.

Groups

Groups are container objects that can hold users, computers, and even other groups (called nested groups). Groups are also security principals and have both a SID and GUID.

They are mainly used for managing permissions. For example, instead of giving 20 help desk employees individual access to a server, you can add them to a group that already has the required access.

However, nested groups can create complex and sometimes unintended privilege inheritance. Tools like BloodHound are often used in penetration testing to visualize and exploit these nested relationships.

Common group attributes include name, description, membership, and group memberships.

Organizational Units (OUs)

OUs are containers that help administrators organize AD objects. They are often used to delegate administrative tasks or apply group policies.

Example:

  • A top-level OU called Employees might contain child OUs like HR, Finance, or IT.
  • Permissions can be delegated at the OU level (e.g., allowing IT staff to reset passwords only for users in the Help Desk OU).

OUs are especially powerful when combined with Group Policy Objects (GPOs), as they let administrators apply policies selectively to subsets of users or computers.

Domains

A domain is the foundational structure of AD. It acts as a boundary that groups together users, computers, groups, and OUs. Each domain has its own:

  • Database of objects,
  • Security policies (e.g., password policy),
  • And trust relationships with other domains.

Domains help define the rules and identity within an AD environment.

Domain Controllers (DCs)

Domain Controllers are the backbone of Active Directory. They:

  • Handle authentication requests,
  • Verify user credentials,
  • Enforce security policies,
  • And store a copy of the AD database.

In short, no authentication or access happens without passing through a DC. They are often the highest-value targets in a penetration test.

Sites

A site in AD is a collection of computers (spanning one or more subnets) connected by high-speed links. Sites are designed to make replication between domain controllers more efficient, especially in large or distributed networks.

Built-in Container

The Built-in container holds the default groups automatically created when a domain is set up (e.g., Administrators, Users, Guests).

Foreign Security Principals (FSPs)

An FSP is a special object that represents a security principal from another forest that has been added to a local group.

  • They are created automatically when an external user, group, or computer from a trusted forest is added to a group in the current domain.
  • They act as placeholders that store the external object’s SID.
  • These objects are placed inside a special container called ForeignSecurityPrincipals.

This mechanism allows AD to map external identities into local groups while maintaining trust relationships.

True or False; Computers are considered leaf objects.

Computer accounts are leaf objects, meaning they cannot contain other objects within them.

<___> are objects that are used to store similar objects for ease of administration. (Fill in the blank)

Organizational Units are objects that are used to store similar objects for ease of administration. (Fill in the blank)

What AD object handles all authentication requests for a domain?

The Domain Controller is the system that validates user logins and security permissions.

Active Directory Functionality

There are five FSMO roles. They are critical single-master responsibilities that ensure certain domain and forest operations remain consistent. Problems with these roles can cause authentication and authorization failures.

Schema Master
Maintains the writable copy of the Active Directory schema — the definition of object classes and the attributes they may contain. Any schema changes must be made on the server that holds this role.

Domain Naming Master
Controls creation and removal of domain names in the forest, preventing duplicate domain names within the same forest.

Relative ID (RID) Master
Allocates blocks of RIDs to domain controllers for assigning to newly created objects. A domain object’s SID is composed of the domain SID plus the object’s RID; the RID Master prevents duplicate SIDs by managing these allocations.

PDC Emulator
Acts as the authoritative domain controller for time synchronization, password changes, and certain authentication tasks. It is also the default target for Group Policy editing and serves legacy clients that expect a primary domain controller.

Infrastructure Master
Coordinates the translation of object identifiers (GUIDs, SIDs, Distinguished Names) between domains in a multi-domain forest. If it’s not functioning correctly, ACLs may display raw SIDs instead of user/group names.

Administrators may place these roles on specific DCs, or accept defaults when adding new DCs. Regardless of placement, FSMO issues will negatively impact domain operations.

Domain and Forest Functional Levels

Functional levels determine what AD DS features are available and which Windows Server versions are supported for domain controllers in a domain or forest. Raising functional levels unlocks newer capabilities but requires all DCs to run OS versions that support the target level.

Domain functional levels (summary)

  • Windows 2000 native — support for universal groups, group nesting, group conversion, and SID history. (Supported DC OS: Windows 2000, 2003, 2008, 2008 R2)
  • Windows Server 2003 — adds tools like Netdom, introduces lastLogonTimestamp, constrained delegation, selective authentication. (Supports up to 2012 R2 DCs)
  • Windows Server 2008 — DFS-R support for SYSVOL replication, Kerberos AES support (AES-128/256), fine-grained password policies.
  • Windows Server 2008 R2 — adds managed service accounts and authentication mechanism assurance.
  • Windows Server 2012 — KDC support for claims, compound authentication, and Kerberos armoring.
  • Windows Server 2012 R2 — protections for Protected Users, Authentication Policies and Silos.
  • Windows Server 2016 — new Kerberos and credential-protection features (e.g., improvements for accounts that require a smart card for interactive logon).

Note: No new functional level was introduced with Server 2019. Server 2008 level is the minimum to add Server 2019 DCs, and DFS-R is required for SYSVOL replication in such upgrades.

Forest functional levels (high level)

Over time, forest levels introduced features such as:

  • Windows Server 2003 — forest trusts, domain renaming, Read-Only Domain Controllers (RODCs).
  • Windows Server 2008 — defaulting new domains to Server 2008 domain level.
  • Windows Server 2008 R2 — Active Directory Recycle Bin (object restore capability).
  • Windows Server 2012 / 2012 R2 — defaulting new domains to their respective domain levels.
  • Windows Server 2016 — Privileged Access Management (PAM) via Microsoft Identity Manager.

Trusts

A trust links two AD authentication realms so users from one domain (or forest) can access resources in another. Trusts can be used for resource access or administrative delegation across boundaries.

Common trust types

  • Parent–child — automatic two-way transitive trust between a parent and its child domain within the same forest.
  • Cross-link — trust between child domains to accelerate authentication.
  • External — non-transitive trust between domains in separate forests (often uses SID filtering).
  • Tree-root — two-way transitive trust established when you create a new tree root domain in a forest.
  • Forest — transitive trust between two forest root domains.

Trusts may be transitive (trust extends beyond the immediate domain to other domains that are trusted) or non-transitive (trust applies only to the specified domain). They also can be one-way or two-way:

  • In a two-way (bidirectional) trust, users from both domains can access resources in the other domain.
  • In a one-way trust, only the trusted domain’s users can access resources in the trusting domain (access direction is the opposite of trust direction).

Real-world risk considerations

Trust relationships are often misconfigured or left unchecked after mergers and acquisitions, which can create unintended attack paths. For example, an attacker may target a trusted domain with an attack (e.g., Kerberoasting) and obtain credentials that provide administrative access in the primary domain. Regular trust audits and least-privilege designs are essential to reduce these risks.

What role maintains time for a domain?

The PDC Emulator acts as the primary time source for the domain.

What domain functional level introduced Managed Service Accounts?

Windows Server 2008 R2 introduced support for accounts that automatically manage their own passwords.

What type of trust is a link between two child domains in a forest?

The Transitive Trust establishes automatic trust so domains can access each other’s resources.

What role ensures that objects in a domain are not assigned the same SID? (full name)

The Relative ID (RID) Master allocates unique ID blocks to ensure every SID is distinct.

Kerberos, DNS, LDAP, MSRPC

While Windows systems use many networking protocols, Active Directory (AD) depends on a specific set of them to function correctly. These protocols handle directory lookups, authentication, service discovery, and inter-process communication. The main protocols are:

  • LDAP (Lightweight Directory Access Protocol) – Used to query and modify directory objects.
  • Kerberos – Microsoft’s default authentication protocol since Windows 2000.
  • DNS – Used for domain controller discovery and name resolution.
  • MSRPC – Microsoft’s implementation of Remote Procedure Call for inter-process communications.

Below we dive into the most critical protocols for AD: Kerberos and DNS.

Kerberos Authentication

Kerberos is the default authentication protocol for AD domain accounts (since Windows 2000). It is an open standard, which means it can interoperate with other systems that also use Kerberos (e.g., Linux/Unix systems with MIT Kerberos).

Why Kerberos?

  • Security: User passwords are never sent across the network. Instead, tickets are used.
  • Mutual authentication: Both the client and the service prove their identities.
  • Scalability: Stateless design; the KDC doesn’t keep session history.

How it works (high-level steps)

  1. Initial login / AS-REQ
    • The user enters their credentials.
    • Their password (or a key derived from it) is used to encrypt a timestamp.
    • This is sent to the Key Distribution Center (KDC) on a Domain Controller.
    • If decryption succeeds, the KDC issues a Ticket Granting Ticket (TGT), encrypted with the krbtgt account secret.
  2. TGT validation / TGS-REQ
    • The client uses the TGT to request access to a specific service.
    • The request is sent to the KDC (TGS-REQ).
    • The KDC checks the TGT and issues a Service Ticket (TGS).
  3. Service access / AP-REQ
    • The client presents the TGS to the target service.
    • The ticket is encrypted with the service account’s secret (its NTLM hash, or its AES key when AES is negotiated), so only that service can open it.
    • If valid, access is granted.

Analogy: Think of the TGT like a multi-day pass at a theme park. You show your pass (instead of re-entering your payment info) to get tickets for individual rides (services).
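The three exchanges above, as an added Python model that is not part of the original page: a toy KDC, client and service run the AS-REQ, TGS-REQ and AP-REQ steps end to end. The cipher is a stand-in (HMAC-SHA256 based, not a real Kerberos encryption type), the key derivation is a stand-in for the NT hash/AES key, and the user alice, the SPN HTTP/web01.inlanefreight.local and the passwords are constructed. It shows that the password never leaves the client, that a wrong password fails at the KDC, that a skewed clock is rejected, and that a captured AP-REQ replayed later fails on authenticator freshness.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300               # Kerberos tolerates 5 minutes of clock skew by default
TICKET_LIFETIME = 10 * 3600  # 10-hour tickets, the AD default

def derive_key(password: str) -> bytes:
    # Stand-in for the long-term key (NT hash / AES key) a real KDC derives from the password.
    return hashlib.sha256(password.encode("utf-16le")).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption standing in for a Kerberos encryption type (not a real etype)."""
    plain = json.dumps(msg).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Authentication Service and Ticket Granting Service, as hosted on a Domain Controller."""
    def __init__(self, principal_keys: dict, krbtgt_key: bytes):
        self.keys = principal_keys        # long-term keys of users and service accounts
        self.krbtgt_key = krbtgt_key      # the secret every TGT is sealed with

    def as_exchange(self, user: str, enc_timestamp: bytes, now: int):
        # AS-REQ: the client proves knowledge of its key by sealing a timestamp; the password never crosses the wire.
        ts = unseal(self.keys[user], enc_timestamp)["ts"]
        if abs(now - ts) > MAX_SKEW:
            raise ValueError("clock skew too large")
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "session": session, "expires": now + TICKET_LIFETIME})
        return tgt, seal(self.keys[user], {"session": session})           # AS-REP

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str, now: int):
        # TGS-REQ: only the krbtgt key opens the TGT, so a forged or altered TGT fails here.
        tgt_body = unseal(self.krbtgt_key, tgt)
        auth = unseal(bytes.fromhex(tgt_body["session"]), authenticator)
        if now > tgt_body["expires"] or auth["user"] != tgt_body["user"] or abs(now - auth["ts"]) > MAX_SKEW:
            raise ValueError("TGT or authenticator rejected")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[spn], {"user": auth["user"], "session": svc_session,
                                       "expires": now + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(tgt_body["session"]), {"session": svc_session})  # TGS-REP

def client_get_service_access(kdc: KDC, user: str, password: str, spn: str, now: int):
    """Client side of AS-REQ, TGS-REQ and AP-REQ; returns (service ticket, authenticator)."""
    key = derive_key(password)
    tgt, as_rep = kdc.as_exchange(user, seal(key, {"ts": now}), now)
    session = bytes.fromhex(unseal(key, as_rep)["session"])
    ticket, tgs_rep = kdc.tgs_exchange(tgt, seal(session, {"user": user, "ts": now}), spn, now)
    svc_session = bytes.fromhex(unseal(session, tgs_rep)["session"])
    return ticket, seal(svc_session, {"user": user, "ts": now})              # AP-REQ

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """AP-REQ check on the service side: the ticket opens only with the service account's own key."""
    try:
        body = unseal(service_key, ticket)
        auth = unseal(bytes.fromhex(body["session"]), authenticator)
    except ValueError:
        return False
    return auth["user"] == body["user"] and now <= body["expires"] and abs(now - auth["ts"]) <= MAX_SKEW

def demo(now: int = 1_700_000_000) -> dict:
    """Constructed realm: one user, one service (identified by SPN) and a random krbtgt secret."""
    spn = "HTTP/web01.inlanefreight.local"
    keys = {"alice": derive_key("Winter2024!"), spn: derive_key("svc-secret")}
    kdc = KDC(keys, krbtgt_key=os.urandom(32))
    ticket, ap_req = client_get_service_access(kdc, "alice", "Winter2024!", spn, now)
    results = {"login_ok": service_accepts(keys[spn], ticket, ap_req, now)}
    try:                                       # wrong password: the sealed timestamp does not open at the KDC
        client_get_service_access(kdc, "alice", "wrong-password", spn, now)
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    try:                                       # client clock 10 minutes behind: AS-REQ rejected for skew
        kdc.as_exchange("alice", seal(keys["alice"], {"ts": now - 600}), now)
        results["skew_rejected"] = False
    except ValueError:
        results["skew_rejected"] = True
    # a captured AP-REQ replayed an hour later fails on authenticator freshness although the ticket is still valid
    results["replay_rejected"] = not service_accepts(keys[spn], ticket, ap_req, now + 3600)
    return results
```

Calling demo() returns a dict in which every check is True; each key names the property the protocol step is meant to provide.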

Ports and Pentest Relevance

  • Kerberos runs on TCP and UDP port 88.
  • During enumeration, scanning for open port 88 often identifies Domain Controllers. Example with Nmap: nmap -p 88 --open -sU -sT <target>

DNS in Active Directory

DNS is essential for Active Directory. Without it, clients can’t find Domain Controllers, and DCs can’t communicate with each other.

Key functions

  • Hostname resolution: Maps hostnames to IP addresses (like normal DNS).
  • Service discovery via SRV records: AD publishes special DNS entries (_ldap._tcp.dc._msdcs.domain.com) so clients can locate services like DCs, Global Catalog servers, or Kerberos services.
  • Dynamic DNS (DDNS): Allows hosts to automatically register and update their records (critical in large, dynamic environments).

Login workflow with DNS

  1. A client joins the network.
  2. It queries DNS for an SRV record to locate a Domain Controller.
  3. DNS responds with the DC’s hostname.
  4. The client resolves the hostname to an IP address and contacts the DC for authentication.

Ports

  • UDP 53 – Default for most queries (faster, lightweight).
  • TCP 53 – Used when responses exceed 512 bytes or for zone transfers.

Security considerations

  • If DNS records are wrong, clients cannot authenticate or find resources.
  • Misconfigured or poisoned DNS can be abused by attackers to redirect authentication attempts (e.g., DNS spoofing to capture credentials).

Key Takeaways

  • Kerberos ensures secure, ticket-based, mutual authentication without transmitting passwords. Its critical port is 88 (TCP/UDP).
  • DNS underpins AD service discovery and name resolution, relying on SRV records and dynamic updates. Its key ports are 53 TCP/UDP.
  • Both are essential for a functioning AD environment — if either breaks, authentication and resource access fail.
  • For pentesters and defenders, enumerating Kerberos (port 88) and DNS (port 53) is one of the fastest ways to map AD infrastructure.

What networking port does Kerberos use?

Port 88 is used for Kerberos authentication traffic between clients and domain controllers.

What protocol is utilized to translate names into IP addresses? (acronym)

DNS converts human-friendly hostnames into machine-usable IP addresses.

What protocol does RFC 4511 specify? (acronym)

LDAP defines how directory services are queried and modified over a network.

NTLM Authentication

Although Kerberos is the preferred authentication protocol in modern Active Directory (AD) environments, it is not the only option. AD supports several legacy authentication mechanisms that are still widely used — sometimes by necessity, sometimes due to backward compatibility.

These include:

  • LAN Manager (LM)
  • NT LAN Manager (NTLM)
  • NTLMv1
  • NTLMv2

While Kerberos is considered more secure, these older protocols and their underlying hash formats remain relevant — both as operational fallbacks and as common targets for attackers.

LM (LAN Manager) Hash

  • Definition: The LAN Manager hash is one of the earliest Windows password storage and authentication formats, dating back to Windows 3.11 and early Windows NT.
  • Process: Passwords are uppercased, null-padded, and split into two 7-character chunks before being hashed with DES.
  • Weaknesses:
    • Extremely predictable (uppercase only, split halves).
    • Brute-forcing is feasible within minutes on modern GPUs.
    • Considered obsolete; support was officially disabled by default starting with Windows Vista / Server 2008.

If LM hashes are present in an environment, they are a major red flag — attackers will target them first.

NTLM Hash

  • Definition: A password storage format introduced with Windows NT. It uses MD4 hashing on the full Unicode password.
  • Key point: This is just the hash representation of a password, not the authentication protocol itself.
  • Weaknesses:
    • MD4 is fast and unsalted → vulnerable to cracking with tools like Hashcat.
    • Offline attacks are straightforward once hashes are dumped (via SAM file, LSASS, or DCSync).

Even though stronger than LM, NTLM hashes are still highly exploitable if stolen.

NTLMv1 Protocol

  • Definition: An authentication protocol that uses the NT hash to prove identity.
  • Process: Challenge–response mechanism between client and server.
  • Weaknesses:
    • Relies on weak DES encryption.
    • Vulnerable to relay attacks and downgrade attacks.
    • Easily cracked if challenge/response pairs are captured (e.g., via Responder or Inveigh).
  • Status: Deprecated but sometimes still found in older apps or misconfigured systems.

NTLMv2 Protocol

  • Definition: A more secure authentication protocol than NTLMv1, using HMAC-MD5 and stronger challenge/response.
  • Advantages over NTLMv1:
    • Resists some replay attacks.
    • Supports stronger session security.
  • Weaknesses:
    • Still relies on the NT hash (if hashes are stolen, offline cracking is possible).
    • Remains vulnerable to pass-the-hash (PtH) and relay attacks.
  • Usage: Common in mixed environments where Kerberos cannot be used (e.g., non-domain joined systems, legacy apps).
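Both the NTLM Hash passage and the NTLMv2 weakness above come down to one property: the NT hash is an unsalted MD4 of the UTF-16LE password. The following added example (not code from the original module) implements MD4 in plain Python, derives NT hashes, and runs the reuse check a defender would run over their own hash dump: with no salt, identical hashes mean identical passwords, so reuse and blank passwords are visible without cracking anything. The account names, passwords and dump are constructed.

```python
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), the digest behind the NT hash; hashlib's md4
    is often unavailable on OpenSSL 3 builds, so it is implemented here."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    rounds = (  # (boolean function, word-index schedule, shifts, constant) per round
        (lambda x, y, z: (x & y) | (~x & z), lambda i: i, (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         lambda i: (i % 4) * 4 + i // 4, (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         lambda i: (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i],
         (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        words = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, sched, shifts, k in rounds:
            for i in range(16):
                a = _rotl((a + fn(b, c, d) + words[sched(i)] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. No salt, no iterations."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_NT_HASH = nt_hash("")  # an account with a blank password carries this value


def shared_password_groups(dump: dict) -> dict:
    """Group a {account: nt_hash} dump by hash. Because the hash is unsalted,
    identical hashes mean identical passwords, so reuse shows up with no cracking."""
    by_hash = defaultdict(list)
    for account, digest in dump.items():
        by_hash[digest.lower()].append(account)
    return {h: sorted(accs) for h, accs in by_hash.items() if len(accs) > 1}


# Constructed sample dump (hypothetical accounts and passwords)
SAMPLE_DUMP = {
    "jdoe": nt_hash("password"),
    "jdoe-admin": nt_hash("Winter2024!"),
    "svc_backup": nt_hash("password"),   # same password as jdoe
    "svc_sql": nt_hash("Winter2024!"),   # same password as jdoe-admin
    "contractor01": EMPTY_NT_HASH,       # blank password
}
```

Running shared_password_groups(SAMPLE_DUMP) pairs jdoe with svc_backup and jdoe-admin with svc_sql, and comparing each value against EMPTY_NT_HASH exposes contractor01; the same two checks work unchanged on a real secretsdump-style NT hash list.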

What Hashing protocol is capable of symmetric and asymmetric cryptography?

Kerberos uses shared secret keys but can also use public/private key pairs when needed.

NTLM uses three messages to authenticate: Negotiate, Challenge, and <__>. What is the missing message? (fill in the blank)

Authenticate. This final message completes the NTLM three-step authentication handshake.

How many hashes does the Domain Cached Credentials mechanism save to a host by default?

Domain Cached Credentials (DCC) stores a limited number of recent users' credential hashes locally so they can log on while the domain is unreachable. By default this is 10.

User and Machine Accounts

What Are User Accounts?

A user account is the digital identity assigned to a person or a program so that they can log in to a system and access resources. These accounts exist both on:

  • Local systems (standalone machines not joined to a domain).
  • Active Directory (AD) environments, where accounts are centrally managed across the domain.

When a user logs in:

  1. Their credentials are verified (password, smart card, etc.).
  2. The system issues an access token.
    • This token contains the user’s Security Identifier (SID), group memberships, and privileges.
    • Every time the user interacts with a process, file, or service, the token is checked to decide whether access is allowed.

Why Are User Accounts Important?

User accounts are essential because they:

  • Allow employees and contractors to log into workstations and servers.
  • Enable applications or services to run in a specific security context (for example, running a service under a privileged account instead of a generic one).
  • Control access to network resources such as:
    • File shares
    • Databases
    • Applications
    • Printers

Without user accounts, an organization cannot enforce authentication, authorization, and accountability.

Groups and Access Control

User accounts are usually combined into groups to simplify management. Instead of assigning permissions to each individual user, administrators can:

  • Create a group (e.g., Finance_ReadOnly).
  • Grant access rights to the group.
  • Add or remove users from the group as needed.

This approach is known as Role-Based Access Control (RBAC), and it greatly simplifies security administration.

Types of User Accounts in Active Directory

1. Standard User Accounts

  • Created for most employees.
  • Allow login and access to standard resources.
  • Usually assigned to multiple groups for permissions.

2. Administrative Accounts

  • Given to IT admins, Help Desk staff, or security teams.
  • Often separate from a user’s standard account (e.g., jdoe for daily work, jdoe-admin for privileged tasks).
  • Should follow least privilege principles — only used when absolutely necessary.

3. Service Accounts

  • Special accounts created for applications, databases, or background services.
  • Run with specific permissions required for the service to function.
  • Often highly privileged → making them prime targets for attackers.
  • Variants:
    • Managed Service Accounts (MSA/gMSA) – newer, automatically managed by AD.

Scale of User Accounts in Organizations

In a typical enterprise:

  • Every employee has at least one AD user account.
  • Some users (IT admins, developers) may have multiple accounts — one for daily tasks, one for elevated tasks.
  • Service accounts can number in the hundreds.

Example:
A company with 1,000 employees might have:

  • 1,000 standard accounts
  • 100 admin/service accounts
  • 100 extra accounts for contractors, interns, etc.
    → Total: 1,200+ active accounts

Disabled Accounts and Legacy Risks

Organizations often accumulate disabled accounts:

  • Former employees
  • Seasonal/temporary workers
  • Interns

These accounts are usually:

  • Moved into a special OU (e.g., OU=Former Employees).
  • Disabled but not deleted for audit or compliance reasons.

Security Risk: If privileges are not fully revoked, disabled accounts may still pose a threat. Attackers can sometimes exploit them if they are re-enabled or misconfigured.

Key Takeaways

  • A user account represents a digital identity in both local and AD environments.
  • Accounts generate an access token that governs everything the user can do.
  • Groups simplify administration by letting admins assign permissions collectively.
  • Organizations often have more accounts than employees due to admins, contractors, and service accounts.
  • Disabled or stale accounts should be carefully managed, as they can become security liabilities.

True or False: A local user account can be used to log in to any domain-connected host.

False. A local user account only works on the single machine it was created on; it cannot be used to log in to other domain-joined systems.

What default user account has the SID “S-1-5-domain-500” ?

In every domain, there is one built-in account that is created automatically and always receives the RID ending in 500, and this account is the Administrator, which ensures there is a guaranteed way to manage the domain even if other accounts are removed or misconfigured.
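The RID-500 rule gives defenders a simple audit: the built-in Administrator keeps RID 500 even when renamed, so checking the RID rather than the name catches it. Here is an added example (not from the original notes) that parses string-form SIDs, rejects malformed input, and reports principals whose RID is well known; the domain SID prefix and account names are constructed, and the well-known RIDs beyond 500 are taken from Microsoft's documented list.

```python
import re
from dataclasses import dataclass

# Well-known RIDs per Microsoft's documented list; the notes above mention only
# 500 (Administrator). The RID is the last sub-authority of the SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 519: "Enterprise Admins"}

SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM: a well-known SID, not an account SID
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: tuple

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    @property
    def issuer(self) -> str:
        """The SID with its RID stripped: the domain (or machine) identifier."""
        return "S-1-%d-%s" % (self.authority,
                              "-".join(str(s) for s in self.subauthorities[:-1]))

    def is_account_sid(self) -> bool:
        """Domain and local accounts look like S-1-5-21-<x>-<y>-<z>-<RID>."""
        return (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)


def parse_sid(text: str) -> Sid:
    """Parse the string form S-1-<authority>-<sub>...-<RID>; reject anything else."""
    if not SID_RE.match(text):
        raise ValueError(f"not a SID string: {text!r}")
    fields = [int(f) for f in text.split("-")[2:]]
    return Sid(fields[0], tuple(fields[1:]))


def audit_well_known_rids(principals: dict) -> list:
    """Given {name: sid_string}, return (name, rid, built-in name, renamed) for each
    principal whose RID is well known. Matching on the RID, not the name, is what
    catches a renamed built-in Administrator."""
    findings = []
    for name, sid_text in principals.items():
        sid = parse_sid(sid_text)
        if not sid.is_account_sid():
            continue  # skips S-1-5-18 (SYSTEM) and other non-account SIDs
        builtin = WELL_KNOWN_RIDS.get(sid.rid)
        if builtin is not None:
            findings.append((name, sid.rid, builtin, name.lower() != builtin.lower()))
    return findings


# Constructed sample: hypothetical domain SID prefix and principal names
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_PRINCIPALS = {
    "corp-breakglass": f"{DOMAIN}-500",   # the built-in Administrator, renamed
    "Guest": f"{DOMAIN}-501",
    "jdoe": f"{DOMAIN}-1105",             # an ordinary user RID
    "Domain Admins": f"{DOMAIN}-512",
    "SYSTEM": SYSTEM_SID,
}
```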

What account has the highest permission level possible on a Windows host?

On a Windows machine, the account with the absolute highest level of permissions is SYSTEM, since this built-in system identity operates above administrative rights and is used by the OS to perform actions without restriction.

What user naming attribute is unique to the user and will remain so even if the account is deleted?

In Active Directory, each account receives an internal identifier that is generated once and never reused, and this value is the ObjectGUID, which remains unique to that user even if the account is deleted and recreated later.

Active Directory Groups

A common source of confusion is the difference between Groups and Organizational Units (OUs):

  • Groups → Used to assign permissions and rights to resources (files, printers, servers, applications).
  • OUs → Used to organize objects (users, groups, computers) for easier management and to apply Group Policy Objects (GPOs).

Example:

  • A Help Desk OU might allow staff to reset passwords for users without making them full administrators.
  • A Finance group might be used to give all its members access to a secure financial folder.

Think of it this way:

  • OUs = organizational structure + policy application.
  • Groups = permissions and access control.

Why Groups Matter

Imagine needing to grant 50 employees access to a new file share:

  • Without groups → The administrator would have to manually assign permissions to each individual user. This is time-consuming and difficult to audit or revoke later.
  • With groups → The administrator can simply create a group (e.g., Finance_Share_Access), grant it access to the resource, and add the 50 employees as members.

This approach simplifies:

  • Administration (assign once, apply many).
  • Auditing (easy to see who has access).
  • Revocation (remove a user from the group to strip their rights).

Group Characteristics: Type and Scope

When creating a group in Active Directory, you must define two characteristics:

1. Group Type

Determines the purpose of the group:

  • Security Groups
    • Used to assign permissions and rights.
    • All users in the group inherit permissions automatically.
    • Example: A Remote Desktop Users security group that grants RDP access to its members.
  • Distribution Groups
    • Used for email distribution (e.g., mailing lists in Microsoft Exchange).
    • Cannot be used to assign permissions to AD resources.
    • Example: A Marketing_Team distribution group used to send bulk emails to all marketing staff.

2. Group Scope

Defines how the group can be used within the AD domain or forest. Scopes include:

  • Domain Local → Permissions for resources within the same domain.
  • Global → Can contain users, groups, and computers from the same domain; can be granted rights in any domain in the forest.
  • Universal → Can contain objects from any domain and can be used across the entire forest.

Each scope has different use cases, and misusing them can create unnecessary complexity or security issues.

Security and Audit Considerations

Because groups directly affect who has access to what, organizations should:

  • Regularly audit group memberships.
  • Watch for nested groups that might unintentionally grant elevated rights.
  • Remove stale or excessive group memberships (e.g., former employees left in privileged groups).
  • Ensure least privilege is applied — users should only be in the groups they need for their daily work.

From a pentester’s perspective, groups are a goldmine for enumeration. Tools like BloodHound can map group memberships and uncover hidden privilege escalation paths.

What group type is best utilized for assigning permissions and rights to users?

When assigning access to resources, the type of group designed specifically for permissions rather than just categorization is the Security group, since these groups can be added to ACLs and granted rights directly to files, folders, and services.

True or False; A “Global Group” can only contain accounts from the domain where it was created.

This statement is True, because a Global Group is restricted to holding user and computer accounts that originate from the same domain, even though the group itself can be granted permissions in other trusted domains.

Can a Universal group be converted to a Domain Local group? (yes or no)

Yes. The scope of a Universal group can be changed, including to Domain Local, as long as no membership rules are violated during the conversion.

Active Directory Rights and Privileges

When it comes to Active Directory (AD), rights and privileges are at the heart of both administration and security. If managed correctly, they enable smooth business operations and enforce security boundaries. But if misconfigured or overly permissive, they create opportunities for attackers or penetration testers to escalate privileges, move laterally, or even compromise entire domains.

Understanding the distinction between rights and privileges — and how they are assigned and enforced in AD — is crucial for administrators, security teams, and Red Team operators.

What built-in group will grant a user full and unrestricted access to a computer?

On a Windows system, the built-in group that automatically provides complete and unrestricted control over the machine is the Administrators group, since any account placed in this group inherits full rights to modify system settings, manage users, install software, and access all data on the host.

What user right grants a user the ability to make backups of a system?

The user right that allows someone to copy data even when normal file permissions would prevent access is SeBackupPrivilege, since this privilege lets a user perform system-level backups across all files on the machine.

What Windows command can show us all user rights assigned to the current user?

To view every privilege the current user has on a Windows system, you can run whoami /priv, which lists all assigned user rights along with whether they are enabled or disabled.

Security in Active Directory

Throughout this module, we’ve explored how Active Directory (AD) enables organizations to manage users, devices, groups, and resources from a central location. This centralized management is one of AD’s greatest strengths: it allows administrators to rapidly provision accounts, roll out policies, and grant or revoke access across thousands of machines at once.

But there’s a catch: the very features that make AD so powerful also make it inherently risky. AD was designed to prioritize usability and availability over airtight security. Out-of-the-box, a fresh AD deployment lacks many of the hardening measures that security-conscious environments require.

This is why AD is often described as “insecure by design.” It is not broken, but its defaults lean toward convenience, compatibility, and speed — not strict security.

Confidentiality, <___>, and Availability are the pillars of the CIA Triad. What term is missing? (fill in the blank)

In security, the model that ensures data is protected relies on confidentiality and the assurance that information has not been altered, which is referred to as Integrity, along with availability to keep systems accessible when needed.

What security policies can block certain users from running all executables?

In Windows environments, the feature that can be configured to prevent specific users or groups from running certain or even all executables is Software Restriction Policies, since it allows administrators to define rules that limit which programs can be launched based on path, hash, or publisher criteria.

Examining Group Policy

What is Group Policy?

Group Policy is one of the most powerful features of Windows enterprise environments. It provides administrators with centralized control over users, computers, and applications. While every standalone Windows machine has a Local Group Policy Editor, the real power of Group Policy comes into play in a domain context within Active Directory (AD).

With Group Policy, administrators can:

  • Configure operating system settings across thousands of machines.
  • Apply security baselines and enforce compliance.
  • Automate software deployment and configuration.
  • Manage both user behavior and system functions consistently.

In short, Group Policy is not just an IT convenience — it is a cornerstone of enterprise security management.

Why Group Policy Matters for Security

Active Directory, by default, is not secure out of the box. Without hardening, its defaults lean toward usability and compatibility. Group Policy helps fill that gap by:

  • Enforcing password policies (length, complexity, expiration).
  • Applying account lockout settings to stop brute-force attacks.
  • Restricting USB or removable media usage to reduce data exfiltration risk.
  • Mandating screen lock timeouts to protect unattended workstations.
  • Deploying firewall and antivirus configurations consistently.

This makes Group Policy a critical piece of a defense-in-depth strategy. Organizations that fail to leverage it often leave large attack surfaces open.

Computer settings for Group Policies are gathered and applied at a <___> minute interval? (answer is a number, fill in the blank)

On domain-joined systems, the computer configuration portion of Group Policy refreshes on a regular schedule, and by default this happens every 90 minutes, with a random offset added to avoid all machines updating at once.

True or False: A policy applied to a user at the domain level would be overwritten by a policy at the site level.

The statement is False, because Group Policy processes in the order Local → Site → Domain → OU, which means the domain-level policy is applied after the site-level one and therefore would overwrite it, not be overwritten by it.

What Group Policy Object is created when the domain is created?

When a new domain is first established, it automatically receives a baseline Group Policy Object that defines settings such as password policies, and this built-in GPO is the Default Domain Policy, which applies to all users and computers within the domain unless overridden by more specific OU-level GPOs.

AD Administration: Guided Lab Part I

Once you have finished the tasks, type “COMPLETE” to move on.

COMPLETE

AD Administration: Guided Lab Part II

Once you have finished the tasks, type “COMPLETE” to move on.

COMPLETE