Active Directory Basics
This room will introduce the basic concepts and functionality provided by
Active Directory.
A Windows domain is a network where users and computers are managed centrally.
Active Directory (AD) is the centralized repository used to manage:
- Users
- Computers
- Security policies
The server running AD is called a Domain Controller (DC).
ACTIVE DIRECTORY
The core of any Windows Domain is the Active Directory Domain Service (AD DS). This
service acts as a catalogue that holds the information of all of the "objects" that exist on
your network. Amongst the many objects supported by AD, we have users, groups,
machines, printers, shares and many others. Let's look at some of them:
1. Users:
Users are one of the most common object types in Active Directory. Users are one of the
objects known as security principals, meaning that they can be authenticated by the
domain and can be assigned privileges over resources like files or printers. You could say
that a security principal is an object that can act upon resources in the network.
Users can be used to represent two types of entities:
- People: users will generally represent persons in your organisation that need to
access the network, like employees.
- Services: you can also define users to be used by services like IIS or MSSQL. Every
single service requires a user to run, but service users are different from regular
users as they will only have the privileges needed to run their specific service.
2. Machines:
Machines are another type of object within Active Directory; for every computer that
joins the Active Directory domain, a machine object will be created. Machines are also
considered "security principals" and are assigned an account just as any regular user.
This account has somewhat limited rights within the domain itself.
The machine account is a local administrator on its own computer. It is not meant to be
used by anyone except the computer itself, but, as with any other account, anyone who
knows the password can use it to log in.
Note: Machine account passwords are rotated automatically (every 30 days by default) and
are generally made up of 120 random characters.
Identifying machine accounts is relatively easy. They follow a specific naming scheme.
The machine account name is the computer's name followed by a dollar sign. For
example, a machine named DC01 will have a machine account called DC01$.
3. Security Groups:
If you are familiar with Windows, you probably know that you can define user groups to
assign access rights to files or other resources to entire groups instead of single users.
This allows for better manageability as you can add users to an existing group, and they
will automatically inherit all of the group's privileges. Security groups are also considered
security principals and, therefore, can have privileges over resources on the network.
Groups can have both users and machines as members. If needed, groups can include
other groups as well.
Several groups are created by default in a domain that can be used to grant specific
privileges to users. As an example, here are some of the most important groups in a
domain:
Security Group     Description
Domain Admins      Users of this group have administrative privileges over the entire
                   domain. By default, they can administer any computer on the domain,
                   including the DCs.
Server Operators   Users in this group can administer Domain Controllers. They cannot
                   change any administrative group memberships.
Backup Operators   Users in this group are allowed to access any file, ignoring its
                   permissions. They are used to perform backups of data on computers.
Account Operators  Users in this group can create or modify other accounts in the domain.
Domain Users       Includes all existing user accounts in the domain.
Domain Computers   Includes all existing computers in the domain.
Domain Controllers Includes all existing DCs on the domain.
Security Groups vs OUs
You are probably wondering why we have both groups and Organisational Units (OUs). While
both are used to classify users and computers, their purposes are entirely different:
- OUs are containers used to apply policies (Group Policy) to users and computers, with
specific configurations that pertain to sets of users depending on their particular role
in the enterprise. An object can only sit in a single OU at a time, as it wouldn't make
sense to apply two different sets of policies to the same user.
- Security Groups, on the other hand, are used to grant permissions over resources.
For example, you will use groups if you want to allow some users to access a
shared folder or network printer. A user can be a part of many groups, which is
needed to grant access to multiple resources.
AUTHENTICATION METHODS
When using Windows domains, all credentials are stored in the Domain Controllers.
Whenever a user tries to authenticate to a service using domain credentials, the service
will need to ask the Domain Controller to verify if they are correct. Two protocols can be
used for network authentication in Windows domains:
1. Kerberos: Used by any recent version of Windows. This is the default protocol in
any recent domain.
2. NetNTLM: Legacy authentication protocol kept for compatibility purposes.
Kerberos Authentication Summary
Kerberos is the default authentication protocol in modern Windows environments. It uses
tickets to prove a user's identity without resending credentials repeatedly.
1. Authentication with the KDC:
- The user sends their username and a timestamp (encrypted with a key derived from
their password) to the Key Distribution Center (KDC), which runs on the DC.
- The KDC responds with a Ticket Granting Ticket (TGT) and a Session Key.
- The TGT is encrypted with the krbtgt account's password hash, so the user cannot
read or alter its contents. The Session Key is returned to the user encrypted with
their own key.
- The TGT contains a copy of the Session Key and allows the user to request further
tickets without resending credentials.
2. Requesting Access to a Service:
- To access a specific service, the user sends the KDC:
  - The TGT
  - Their username and timestamp (encrypted with the Session Key)
  - The Service Principal Name (SPN) of the target service
- The KDC returns a Ticket Granting Service (TGS) ticket, also called a service ticket,
and a Service Session Key.
- The TGS is encrypted with the password hash of the account that runs the service (the
owner of the SPN) and includes the Service Session Key.
3. Accessing the Service:
- The user sends the TGS to the service. The service decrypts the TGS using its own
account's password hash to validate the request and recover the Service Session Key,
which is then used to protect the session.
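The three exchanges above, modelled as an added example (this is not code from the original room): a toy KDC, client and service in Python. Long-term keys are SHA-256 of the password as a stand-in for the real etype key derivation, and seal/unseal is an HMAC-SHA256 toy cipher rather than a Kerberos cipher suite, so what the model shows is who holds which key and therefore who can open which blob. The principal names (alice, krbtgt, the MSSQLSvc SPN) and all passwords are made up.

```python
"""Toy model of the three Kerberos exchanges summarised above (AS, TGS and AP).
Constructed example, not real Kerberos: long-term keys are SHA-256 of the password
(a stand-in for the real etype key derivation) and seal/unseal is an HMAC-SHA256
toy cipher, used only to show who can open which blob. Names and passwords are made up."""
import hashlib, hmac, json, os, time

def long_term_key(password: str) -> bytes:
    # Stand-in for the real key derivation (RC4-HMAC, for instance, uses the NT hash).
    return hashlib.sha256(password.encode("utf-16le")).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption: only a holder of `key` can read or forge the blob."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key: cannot read or verify this blob")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Runs on the DC: the one place where every principal's long-term key is known."""
    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> long-term key

    def authentication_service(self, user: str, pre_auth: bytes):
        # Step 1: the timestamp only decrypts with the user's key, which proves the password.
        ts = unseal(self.keys[user], pre_auth)["timestamp"]
        if abs(time.time() - ts) > 300:
            raise PermissionError("timestamp outside the allowed clock skew")
        session_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "session_key": session_key})
        return tgt, seal(self.keys[user], {"session_key": session_key})

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, spn: str):
        # Step 2: only the KDC can open the TGT (krbtgt key) and recover the Session Key.
        t = unseal(self.keys["krbtgt"], tgt)
        session_key = bytes.fromhex(t["session_key"])
        if unseal(session_key, authenticator)["user"] != t["user"]:
            raise PermissionError("authenticator does not match the TGT")
        service_session_key = os.urandom(32).hex()
        ticket = seal(self.keys[spn], {"user": t["user"], "spn": spn,
                                       "service_session_key": service_session_key})
        return ticket, seal(session_key, {"service_session_key": service_session_key})

class Service:
    """The target service holds only its own long-term key."""
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        # Step 3: the service ticket opens with the service's own key alone.
        t = unseal(self.key, ticket)
        if unseal(bytes.fromhex(t["service_session_key"]), authenticator)["user"] != t["user"]:
            raise PermissionError("authenticator does not match the service ticket")
        return t["user"]

def run_flow(password="Winter2024!", client_password=None, krbtgt_password="krbtgt-long-random",
             svc_password="Sql#2024", spn="MSSQLSvc/sql01.corp.local:1433"):
    """Client side of the whole flow; returns who the service accepted plus material for checks."""
    kdc = KDC({"alice": long_term_key(password), "krbtgt": long_term_key(krbtgt_password),
               spn: long_term_key(svc_password)})
    user_key = long_term_key(client_password or password)  # derived from what the user typed
    tgt, enc = kdc.authentication_service("alice", seal(user_key, {"timestamp": time.time()}))
    session_key = bytes.fromhex(unseal(user_key, enc)["session_key"])
    ticket, enc2 = kdc.ticket_granting_service(
        tgt, seal(session_key, {"user": "alice", "timestamp": time.time()}), spn)
    service_session_key = bytes.fromhex(unseal(session_key, enc2)["service_session_key"])
    who = Service(long_term_key(svc_password)).accept(
        ticket, seal(service_session_key, {"user": "alice", "timestamp": time.time()}))
    return {"authenticated_as": who, "tgt": tgt, "user_key": user_key}

def user_can_read_tgt(result: dict) -> bool:
    try:  # the TGT is sealed with krbtgt's key, so the user's own key must fail here
        unseal(result["user_key"], result["tgt"])
        return True
    except PermissionError:
        return False

def wrong_password_is_rejected() -> bool:
    try:  # a wrong password gives a wrong key, so the KDC cannot open the pre-auth timestamp
        run_flow(client_password="not-the-password")
        return False
    except PermissionError:
        return True
```

Running `run_flow()` returns `alice` as the identity the service accepted; `user_can_read_tgt` shows that the client carries the TGT around without being able to open it, and `wrong_password_is_rejected` shows that the pre-authentication timestamp is where a bad password fails, before any ticket is issued.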
NetNTLM Authentication
NetNTLM works using a challenge-response mechanism. The entire process is as follows:
1. The client sends an authentication request to the server they want to access.
2. The server generates a random number and sends it as a challenge to the client.
3. The client combines their NTLM password hash with the challenge (and other
known data) to generate a response to the challenge and sends it back to the
server for verification.
4. The server forwards the challenge and the response to the Domain Controller for
verification.
5. The domain controller uses the challenge to recalculate the response and
compares it to the original response sent by the client. If they both match, the
client is authenticated; otherwise, access is denied. The authentication result is
sent back to the server.
6. The server forwards the authentication result to the client.
Note that the user's password (or hash) is never transmitted through the network for
security.
Note: The described process applies when using a domain account. If a local account is
used, the server can verify the response to the challenge itself without contacting the
domain controller, since it has the account's password hash stored locally in its SAM.