What's going on guys, welcome back. Today we're doing again a TryHackMe video, and we're going to focus on the Security Engineer track. We have reached Active Directory Hardening, and it's going to be the subject of this video. There are some discussed methods, and I say some because there are many methods to harden and secure Active Directory, meaning Windows Server with Active Directory, but here some methods are discussed. We're going to go over these methods and answer a couple of questions, and I'm going to try to make this as simple as I can. For my members, I released a new note file; it is under the Blue Team track, the Blue Team notes, and the name is Windows Security. You will find it in the Google Drive notes.

All right, let's get back to the room. We have a machine to spawn, so we're going to click on Start Machine. Task 2 is about concepts in Active Directory. It's not a comprehensive list; it doesn't contain everything about Active Directory, but if you are going through Active Directory hardening you must know what a domain and a domain controller are, and the definitions of trees and forests. We're going to talk about this, but there are two questions here. One question: what is the root domain in the THM AD machine? The machine is still starting, so here we have tryhackme.loc as the root domain, and za.tryhackme.loc is not a subdomain; it's called the child domain. Both of these domains exist under the same tree, and we call this a tree because it contains more than one domain.

Now the subject of this video will be securing authentication methods and the other tasks, so let's first make sure that the machine is up and running. I'm going to click on split view. Okay, going to Task 3. In Task 3 we have the LAN Manager hash, SMB signing, LDAP signing, password policies and rotation, and some suggestions on password policies. These are settings you can configure on your Active Directory to make sure the authentication process is secure, meaning MITM attacks have little to no chance to succeed, and at the same time you configure a strong password policy for your users.

Simultaneously, in Task 4 they talk about general security concepts, for example role-based access control, the methods of access control, and the principle of least privilege. All of these are general security controls that you can apply to Active Directory or Windows Server Active Directory, and here there are two questions. "Computers and printers must be added to Tier 0": this is about the tiered access model. Now, the tiered access model is not discussed in CompTIA Security+. Here I'm preparing for you guys a note file for CompTIA Security+, and in Security+ there are certain models for access control. Oh my God, many things about access control methods and models, just too hard to find them. MAC, okay. As you can see guys, in CompTIA Security+ we discuss discretionary access control, role-based, mandatory, and there is rule-based access control as well if you scroll down. All of these access controls are used depending on the scenario or depending on the organization. The tiered access model groups your resources based on tiers; for example, as you can see, Tier 0
includes top-level resources such as admin accounts, domain controllers and groups; Tier 1 is applications and servers; Tier 2 is end-user devices. So the higher it goes, the less sensitive it becomes: Tier 0 is the highest and contains the most sensitive resources, such as admin accounts, domain controllers and groups. So the question is, computers and printers must be added to Tier 0? Nope, because computers and printers are endpoints, so we can add them to Tier 2. Suppose a vendor arrived at your facility for a two-day visit for a task; being a system administrator, you should create a high-privileged account for him? Nope, because this goes to role-based access control. In role-based access control we assign people resources and permissions based on their job, and additionally we apply the principle of least privilege, meaning that if they don't need access to a certain resource, we don't grant them the permission to access that resource; it depends on your job description and your need as well.

Okay, so finally the machine started. All right, we're going to demonstrate Task 3 now. We're going to allow this and start with gpedit, the Group Policy Editor. Most of the policies you configure in Active Directory, whether to harden, secure or even to set certain settings, are done via the Group Policy Editor, so it's good practice to go over the policies here and understand the purpose of every single one of them.

The first thing we're going to do is the LAN Manager hash. Here we're going to make sure that Windows stores the hashes for the users' passwords as NTLM, not LM, because LM is relatively weaker than NT and is vulnerable to brute-force attacks, so we make sure the passwords or hashes are stored as NT. What we're going to do: go to Computer Configuration, as you can see here, then Policies, Windows Settings; in Windows Settings we're going to expand this (the machine is too slow, frustrating), okay, Security Settings; expand Local Policies, go to Security Options, and from Security Options we have the security policies. As you can see there is one here about the LAN Manager; let's see what it is. It starts with "Do not store"; let's open its properties. "Network security: Do not store LAN Manager hash value on next password change". By default this is enabled, which is good, so make sure on your end this is enabled, because you don't want the password to be stored as an LM hash; it's going to be susceptible to brute-force attacks and easily cracked. That's the first thing you can do to secure Active Directory.

The other thing is SMB signing. SMB, as you know, Server Message Block, is the protocol responsible for file and printer sharing, so if you have file sharing or printer sharing enabled, this protocol most probably is enabled. The problem is the communications happen in clear text, so it's vulnerable to MITM attacks. In order to prevent this we're going to need to configure some security policies again. We go back to Windows Settings, then Security Settings, back to Local Policies, Security Options, and we're going to look for "Digitally sign communications". Let's see: "Digitally sign secure channel", "Microsoft network client: Digitally sign communications", this is the one. Open its properties, and it is disabled, so we're going to make sure this is enabled. Go to the Explain tab and you can see more information: "This security setting determines whether packet signing is required by the SMB client component." You want the communications through SMB to be signed and not vulnerable to MITM, therefore you need to enable this.

All right, another thing to secure protocols in Active Directory is the LDAP protocol. LDAP is the main protocol Active Directory is based on; it's the Lightweight Directory Access Protocol. We also want to secure the communications based on that protocol against MITM attacks, so we're also going to need to enable the signing of these communications. In the same pane we need to find the Domain Controller section and then look for "LDAP server channel binding token requirements"; yeah, "LDAP server signing requirements". Modifying this setting may affect compatibility with the clients, so here it doesn't allow me to enable it for some reason related to this explanation, but usually this needs to be enabled.

The most important part of this video is the password policies. Password policies can be configured from, we're going to go back to Security Settings and check Account Policies. Under Account Policies there is Password Policy, and from here you can configure the minimum and maximum length of the password, the complexity, the age, and so on and so forth. For example, as you can see here, the maximum age of the password is 42 days, which means after 42 days your users will be prompted to change their password; that's the maximum age. The minimum age is one, meaning you cannot change your password during the first day of the assignment, and the minimum password length is seven characters. These are some settings you can see, and there are some questions to answer, so we scroll down. What is the default minimum password length? It was seven, as you can see here; going back and showing it one more time to you guys, so seven characters. All right, these are some policies that you can enable to harden your Active Directory or to secure authentication.
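An added example that is not part of the video or the TryHackMe room: a read-only PowerShell audit of the settings just walked through, reading the registry values that the LM hash, SMB signing and LDAP signing Security Options write, plus the domain password policy via Get-ADDefaultDomainPasswordPolicy. The registry paths are the standard ones those policies map to; the target minimum password length of 14 is an assumption.

```powershell
# Added audit example (not from the video or the TryHackMe room). Read-only:
# it reports the state of the settings walked through above without changing anything.
# Run in an elevated PowerShell on the domain controller; the password-policy part
# needs the ActiveDirectory module (RSAT / AD DS role).

# Each check: the Security Options policy name, the registry value that policy writes,
# and the value that corresponds to the hardened setting.
$Checks = @(
    @{ Name     = 'Network security: Do not store LAN Manager hash value on next password change'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'NoLMHash'; Expected = 1 },
    @{ Name     = 'Microsoft network client: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value    = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name     = 'Microsoft network server: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name     = 'Domain controller: LDAP server signing requirements (2 = Require signing)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LDAPServerIntegrity'; Expected = 2 }
)

foreach ($c in $Checks) {
    # A missing value means the policy has never been set, so the OS default applies.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
    $status = if ($null -eq $actual)           { 'NOTSET' }
              elseif ($actual -eq $c.Expected) { 'OK' }
              else                             { 'WEAK' }
    '[{0,-6}] {1} (actual={2}, expected={3})' -f $status, $c.Name, $actual, $c.Expected
}

# Domain password policy. 7 is the default minimum length seen in the video;
# 14 is an assumed organisational target, adjust it to your own policy.
$TargetMinLength = 14
Import-Module ActiveDirectory -ErrorAction Stop
$pol = Get-ADDefaultDomainPasswordPolicy

$lenStatus  = if ($pol.MinPasswordLength -ge $TargetMinLength) { 'OK' } else { 'WEAK' }
$cplxStatus = if ($pol.ComplexityEnabled) { 'OK' } else { 'WEAK' }
'[{0,-6}] Minimum password length {1} (target {2})' -f $lenStatus, $pol.MinPasswordLength, $TargetMinLength
'[{0,-6}] Password complexity enabled: {1}' -f $cplxStatus, $pol.ComplexityEnabled
'[INFO  ] Max age {0} days, min age {1} days, history {2} passwords' -f `
    $pol.MaxPasswordAge.Days, $pol.MinPasswordAge.Days, $pol.PasswordHistoryCount
```

A NOTSET result for a value means Group Policy has not written it, so the Windows default for that setting is in effect rather than an explicitly enforced one.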
In Task 5 there is also this nice new tool that I hadn't heard of before: the Microsoft Security Compliance Toolkit. Let's go to the relative folder, Scripts, open that, and open the link of the tool. If you download this tool it will give you recommendations and ready templates, so that you download them and configure Active Directory. If you don't know what to do and what policies to configure, you can download this tool and retrieve ready templates to configure; for example, on Group Policy there are already ready-made configurations, for example here the Windows Server 2019 Security Baseline downloaded from the tool itself. To illustrate further in the figures here, as you can see, when you run this tool it gives you the templates. Now here is the Windows Server 2022 Security Baseline zip; this is a zip file and it was downloaded to this machine, and once downloaded you can see the relative folder. If you open it and go to Local Scripts, you can see the PowerShell script that, if you run it, will configure the settings set in this baseline. A baseline is actually a collection and combination of configurations that makes sure your Windows Server is secure based on a specific baseline, and you can use this as a start if you don't know what to do.

Additionally there is the Policy Analyzer. Again guys, these can be downloaded by running the tool on your machine and then selecting the configuration you want to download; it will be downloaded as a zip file and you can extract it and see it this way. Policy Analyzer analyzes the Group Policy settings in your environment, and as you can see here there are the demonstrations. If you go back to Policy Analyzer, you can see these are the scripts that, if you run them, will configure your Group Policy based on the settings. Let's go over one of them. If you go back to the Windows Server Security Baseline and check the GPOs, as you can see these GPOs can be directly imported into your Group Policy Editor based on the machine and the user. If you open this in XML format, hopefully it's going to open, yeah, see guys, these are the configurations. Now the best thing to do is to import them into your Group Policy Editor; LGPO, as you can see, is an executable file.

All right, so on the task here there is "Find and open Baseline-LocalInstall script and find the flag". Let's go here and see where that script is: Local Scripts, and there is Baseline-LocalInstall. Let's open this and see what it does. The description says: applies a Windows security configuration baseline to a local Group Policy; execute the script with one of the required command-line switches to install the corresponding baseline. So here you specify whether you execute this either on a domain controller or on a domain-joined machine. Requirements: PowerShell execution policy, domain-joined machine, and this is the flag. As you can see guys, these are a set of configurations that will be applied on any domain or any computer you apply it to, and it will configure the Group Policy based on the mentioned configurations here.

Okay, the other question: "Find and open Merge-PolicyRules script imported from Policy Analyzer in PowerShell editor". Back to Policy Analyzer, check the Scripts, Merge-PolicyRules; let's take a look at the script here and what it does. The description says it merges Policy Analyzer policy rules files into one policy rules set written into the pipeline. So one of the things that Policy Analyzer does is get rid of redundant policies configured in GP, and if you scroll down, as you can see, this is the flag.

Other questions we have to answer: these are the common attacks against Active Directory. We have discussed many rooms on Active Directory penetration testing; we can get back to them guys and see how attacks are conducted against these kinds of environments. Does Kerberoasting utilize an offline attack scheme for cracking encrypted passwords? We explained Kerberoasting previously guys, just go through this again, and the answer is yes, it's offline, because at the end you take the ticket and you crack it offline. As per the generated report, how many users have the same password as Aaron Booth? For you guys who are asking where the report is, the report is here: if you go to the image here and click on it, you can see this is the report; these are the usernames who have the same password. As you can see, for Aaron Booth the number of accounts with the same password is 186. And lastly, this is a cheat sheet from TryHackMe; you can download it to take a look at more details on Active Directory hardening.

So that was it guys, I hope you enjoyed the video, and definitely I'm going to see you later to complete this track.