What's going on guys, welcome back to this video. Today we're doing again a TryHackMe video and we're going to focus on SEC, the Security Engineer track. So we have reached the Active Directory Hardening room and it's going to be the subject of this video. So there are some discussed methods, and I say some because there are many methods to harden and secure Active Directory, meaning Windows Server with Active Directory, but here there are some methods that are discussed. We're going to go over these methods and we're going to answer a couple of questions. I'm going to try to make this as simple as I can. And for my members I released a new note file; it is under the Blue Team track, the Blue Team notes, and the name is Windows Security. You'll be finding this in the Google Drive notes. All right, let's get back to the room.

So we have a machine to spawn; we're going to click on Start the machine.

So basically task two is about concepts on Active Directory. It's not a comprehensive list, it doesn't contain everything about Active Directory, but if you are going through Active Directory hardening you must know what a domain is, what a domain controller is, and the definition of trees and forests. We're going to talk about this, but there are two questions here. One question: what is the root domain in the TryHackMe AD machine? So basically here, let's see... yeah, the machine is still starting. So here we have tryhackme.loc is the root domain, and za.tryhackme.loc is not the subdomain, it's called the child domain. So both these domains exist under the same tree; we call this a tree because it contains more than one domain.

Now the subject of this video will be on securing authentication methods and the other tasks. So let's first make sure that the machine is up and running; I'm going to click on Split View. Okay, so going to task three. In task three we have the LAN Manager hash, SMB signing, LDAP signing, password policies and rotation, and some suggestions on password policies. So these are settings that you can configure on your Active Directory to make sure that the authentication process is secure, meaning MITM attacks have little to no chance to succeed, and at the same time you configure a strong password policy for your users.

Simultaneously, in task four here they talk about the general security concepts, so for example the role-based access control, the methods of access control, the principle of least privilege. All of these are general security controls that you can apply to Active Directory or Windows Server Active Directory, and here there are two questions. So, "computers and printers must be added to tier zero"; so here it's about the tiered access model. Now the tiered access model is not discussed in CompTIA Security+, so here I'm preparing for you guys a note file to prepare for CompTIA Security+. So here in CompTIA Security+ there are certain models for access control. Oh my God, many things about access control, access control methods, models, just too hard to find them. MAC, okay. As you can see guys, in CompTIA Security+ we discuss discretionary access control, role-based, mandatory, and there is the rule-based access control as well; if you scroll down you're going to find it, maybe, rule-based access control. So all of these access controls are used depending on the scenario or depending on the organization. So the tiered access model groups your resources based on tiers. For example, as you can see, tier zero includes top-level resources such as admin accounts, domain controllers and groups; tier one, applications and servers; tier two, end user devices. So the higher it goes the less sensitive it becomes. So as you can see tier zero is the highest; it contains the highest sensitivity resources such as admin accounts, domain controllers and groups. So here the question is "computers and printers must be added to tier zero": nope, because computers and printers are endpoints, so we can add them to tier two.

"Suppose a vendor arrived at your facility for a two-week duration visit task; being a system administrator you should create a high privileged account for him": nope, because this goes to the role-based access control. So in role-based access control we assign people resources and permissions based on their job, and additionally we apply the principle of least privilege. Least privilege means that if they don't need access to a certain resource we don't grant them the permission to access that resource, depending on your job description and on your need as well.

Okay, so finally the machine started. All right, so we're going to demonstrate task three now. All right, so we're going to allow this and we're going to start with gpedit, the Group Policy Editor. Most of the policies you configure in Active Directory, whether to harden, secure or even to set certain settings, are done via the Group Policy Editor, so it's good practice if you go over the policies here and understand the purpose of every single one of them.

So the first thing we're going to do is the LAN Manager hash. So here we're going to make sure that Windows stores the hashes for the user's password in NTLM, not LM, because the LM is relatively weaker than the NT, right, and it's vulnerable to brute force attacks. So we make sure that the passwords or the hashes are stored in NT. So what we're going to do here: we're going to go to Computer Configuration, as you can see here, and then we're going to go to Policies, Windows Settings. So in Windows Settings we're going to expand this... the machine is too slow, frustrating. Okay, Security Settings; we can highlight this and expand to Local Policies, and if we expand the Local Policies we go to Security Options, and from Security Options here we have the security policies. So as you can see there is one here that's about the LAN Manager; let's see what it is. So it starts with "Do not store"; let's see what it is. Yeah, this is the one: Properties. So "Network security: Do not store LAN Manager hash value on next password change". By default this is enabled, which is good, so make sure on your end this is enabled, because you don't want the password to be stored as an LM hash because it's going to be susceptible to brute force attacks; it's going to be easily cracked. All right, that's the first thing you can do to secure Active Directory.

The other thing is SMB signing. So SMB, as you know, Server Message Block, is the protocol responsible for file and printer sharing. So if you have file sharing or printer sharing enabled, this protocol most probably is enabled. So the problem is the communications happen in clear text, so it's vulnerable to MITM attacks. So in order to prevent this we're going to need to configure some security policies. Again we go back to Windows Settings and then to Security Settings, back to Local Policies, Security Options, and we're going to look for the "Digitally sign communications" setting. Let's see what it is: "Digitally sign secure channel", "Microsoft network"... this is the one: "Microsoft network client: Digitally sign communications" Properties, and it is disabled, so we're going to make sure this is enabled. Go to Explain; you can see more information about this. "Digitally sign communications: this security setting determines whether packet signing is required by the SMB client component." So you want the communications through SMB to be signed and not vulnerable to MITM, so therefore you need to enable this. All right.

Another thing to secure protocols in Active Directory is the LDAP protocol. So LDAP is the main protocol Active Directory is based on; it's the Lightweight Directory Access Protocol. So also we want to secure the communications based on that protocol from MITM attacks. So what we're going to do: we're going to need also to enable the signing of these communications. So on the same pane here we're going to need to find the Domain Controller section and then we're going to look for "LDAP server channel binding token requirements"... yeah, "LDAP server signing requirements". So "modifying this setting may affect compatibility with clients"; so here it doesn't allow me to enable it for some reason related to this explanation, but usually this needs to be enabled.

And the most important part of this video is the password policies. So password policies can be configured from... oh, we're going to go back to Security Settings and we're going to check on Account Policies. So in Account Policies there is Password Policy here, and from here you can configure the minimum and maximum length of the password, the complexity, the age, so on and so forth. For example, as you can see here the maximum age of the password is 42 days, which means after 42 days your users will be prompted to change their password; that's the maximum age. And that's the minimum age; the minimum age is one, meaning you cannot change your password during the first day of the assignment. And you have minimum password length is seven characters. So these are some settings you can see, and there are some questions to answer, so we scroll down. Yeah, "what is the default minimum password length?" It was seven, as you can see here, going back, showing it one more time to you guys: so seven characters. All right, so these are some policies that you can enable to harden your Active Directory, or to maybe secure the authentication.

So additionally, in task 5 there is this nice new tool that I haven't heard of before; it is the Microsoft Security Compliance Toolkit. So this tool... let's go to the relative folder, Scripts, open that. Okay, opening the link of the tool. So if you download this tool it will give you recommendations and give you ready templates so that you download them and configure Active Directory. If you don't know what to do and what policies to configure, you can download this tool and retrieve ready templates to configure, for example, on Group Policy; there are already ready-made configurations, for example here, Windows Server 2019 Security Baseline, downloaded from the tool itself.

So to illustrate further, in the figures here, as you can see, when you run this tool it gives you the templates. Now here "Windows Server 2022 Security Baseline.zip"; this is a zip file and it was downloaded to this machine, and once downloaded you can see the relative folder. If you open it and go to Local Scripts you can see the PowerShell script that, if you run it, will configure the configurations set on this baseline. So the baseline is actually a collection and combination of configurations that makes sure your Windows server is secure based on a specific baseline, right, and you can use this as a start if you don't know what to do. Additionally there is the Policy Analyzer; again guys, these can be downloaded by running the tool on your machine and then selecting the configuration you want to download. It'll be downloaded in a zip file and you can extract it and see it this way. So Policy Analyzer analyzes the Group Policy settings in your environment, okay. And as you can see here there are the demonstrations. So if you go back here to Policy Analyzer you can see these are the scripts that, if you run them, will configure your Group Policy based on the settings. Let's go over one of them. So if you go back to the Windows Server Security Baseline and check the GPOs, as you can see these GPOs can be directly imported to your Group Policy Editor based on the machine and the user. If you open this in XML format, hopefully it's going to open... yeah, see guys, these are the configurations. Now the best thing to do is to import them to the Group Policy Editor. LGPO, as you can see, is an executable file.

All right, so on the task here there is "find and open the Baseline-LocalInstall script and find the flag". Let's go here and see where that script is: Local Scripts, and there is Baseline-LocalInstall. Let's open this and see what it does. Okay, so the description says: "Applies a Windows security configuration baseline to local Group Policy. Execute the script with one of the required command line switches to install the corresponding baseline." So here you specify... you execute this either on a domain controller or on a domain-joined machine. Requirements: PowerShell execution policy, domain-joined machine, and this is the flag. So as you can see guys, these are a set of configurations that will be applied on any domain or any computer you apply it to, and it will configure the Group Policy based on the mentioned configurations here.

Okay, the other question: "find and open the MergePolicyRules script imported from Policy Analyzer in the PowerShell editor". So back to Policy Analyzer; we can check the scripts, MergePolicyRules. Let's take a look at the script here and what it does. So "merge Policy Analyzer policy files": "merge Policy Analyzer policy rules files into one policy rules set written into the pipeline". So one of the things that Policy Analyzer does is that it gets rid of redundant policies configured in GP, and if you scroll down, as you can see, this is the flag.

Other questions we have to answer: so these are the common attacks against Active Directory. We have discussed many rooms on Active Directory penetration testing; we can get back to them guys and see how attacks are conducted against these kinds of environments. So "does Kerberoasting utilize an offline attack scheme for cracking encrypted passwords?" We explained previously guys about Kerberoasting; just go through this again, and the answer is yes, it's offline, because at the end you take the ticket and you crack it offline. "As per the generated report, how many users have the same password as Aaron Booth?" So for you guys who are asking where the report is, the report is here: if you go to the image here, you click on it and see, this is the report. These are the usernames who have the same password as, as you can see, Aaron Booth; the number of accounts with the same password is 186.

And lastly, this is a cheat sheet from TryHackMe; you can download it to take a look at more details on Active Directory hardening. So that was it guys, I hope you enjoyed the video and definitely I'm going to see you later to complete this track.
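As an added example (not from the TryHackMe room or the video), the following read-only PowerShell audit checks, on a domain controller, the same settings the video walks through in the Group Policy Editor: the LM hash policy, SMB client and server signing, LDAP server signing, and the default domain password policy. It reads the registry values that those Group Policy settings write to and the ActiveDirectory RSAT module; the password thresholds near the end are my own assumptions, not values from the room.

```powershell
# Added example, not from the TryHackMe room or the video: a read-only audit, run on the
# domain controller, of the authentication-hardening settings discussed above. The
# registry values are the ones the corresponding Group Policy settings write to.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # a missing value means the policy was never configured
}

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$checks = @(
    @{ Name = 'Network security: Do not store LAN Manager hash value on next password change'
       Actual = Get-RegDword $lsa 'NoLMHash';                 Expected = 1 },
    @{ Name = 'Microsoft network client: Digitally sign communications (always)'
       Actual = Get-RegDword $wks 'RequireSecuritySignature';  Expected = 1 },
    @{ Name = 'Microsoft network server: Digitally sign communications (always)'
       Actual = Get-RegDword $srv 'RequireSecuritySignature';  Expected = 1 },
    @{ Name = 'Domain controller: LDAP server signing requirements (2 = Require signing)'
       Actual = Get-RegDword $ntds 'LDAPServerIntegrity';      Expected = 2 }
)

foreach ($c in $checks) {
    $status = if ($c.Actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    $shown  = if ($null -eq $c.Actual) { 'not set' } else { $c.Actual }
    '{0,-7} {1} (current: {2})' -f $status, $c.Name, $shown
}

# Default domain password policy (the same values shown under Account Policies in gpedit).
Import-Module ActiveDirectory
$pol = Get-ADDefaultDomainPasswordPolicy
# Thresholds below are assumptions for this audit, not room values; adjust to your policy.
$minLength  = 14
$maxAgeDays = 365
$status = if ($pol.MinPasswordLength -ge $minLength) { 'OK' } else { 'REVIEW' }
'{0,-7} Minimum password length: {1} (want >= {2})' -f $status, $pol.MinPasswordLength, $minLength
$status = if ($pol.ComplexityEnabled) { 'OK' } else { 'REVIEW' }
'{0,-7} Password must meet complexity requirements: {1}' -f $status, $pol.ComplexityEnabled
$age = $pol.MaxPasswordAge.TotalDays
$status = if ($age -gt 0 -and $age -le $maxAgeDays) { 'OK' } else { 'REVIEW' }
'{0,-7} Maximum password age: {1} days (want 1..{2})' -f $status, $age, $maxAgeDays
```

Any line marked REVIEW is a setting to open in the Group Policy Editor and compare against the Security Compliance Toolkit baseline the video shows.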