What's going on, guys? Welcome back to this video. Today we're doing another
TryHackMe video, and we're going to focus on the Security Engineer track. We
have reached Active Directory hardening, which will be the subject of this
video. The room discusses some methods, and I say "some" because there are
many ways to harden and secure Active Directory, meaning Windows Server running
Active Directory Domain Services. We're going to go over the methods covered
here, answer a couple of questions, and try to make this as simple as I can.
And for my members, I released a new note file. It's under the Blue Team
track, in the Blue Team notes, and it's called Windows Security. You'll find
it in the Google Drive notes. Alright, let's get back to the room.
So we have a machine to spawn. We're going to click on "Start the machine."
Task 2 is about Active Directory concepts. It's not a comprehensive list; it
doesn't contain everything about Active Directory, but if you're going through
Active Directory hardening, you must know what a domain is, what a domain
controller is, and the definitions of trees and forests. We're going to talk
about this, but there are two questions here. One question is, "What is the
root domain in the attached AD machine?" So let's see... the machine is still
starting. Here we have it: tryhackme.loc is the root domain, and za.tryhackme.loc
is not a subdomain in the DNS sense; in Active Directory it's called a child
domain. Both of these domains exist in the same tree. We call it a tree because
it contains more than one domain sharing a contiguous namespace (za.tryhackme.loc
hangs under tryhackme.loc); a forest is one or more trees that share a schema
and a global catalog.
Now, the subject of this video will be
securing authentication methods
and the other tasks. So, let’s
first make sure that the machine is up
and running, and then click on Split View.
Okay, going to Task 3. In Task 3 we have the LAN Manager hash, SMB signing,
LDAP signing, password policies and rotation, along with some suggestions on
password policies. These are settings you configure in Active Directory to
make sure the authentication process is secure, meaning man-in-the-middle and
relay attacks have little to no chance of succeeding, and at the same time you
configure a strong password policy for your users.
At the same time, in Task 4, they talk about general security concepts: for
example, role-based access control, other access control methods, and the
principle of least privilege. These are general security controls that you can
apply to Active Directory, or to Windows Server running Active Directory.
There are two questions here. The first: "Computers and printers must be added
to Tier 0?" This is about the tiered access model. The tiered access model is
not discussed in CompTIA Security+. So here, I'm preparing a note file for you
guys to help you prepare for CompTIA Security+. In CompTIA Security+ there are
certain models for access control, and there are a lot of them: access control
methods, models... they're hard to find in the notes. MAC, okay. As you can
see, in CompTIA Security+ we discuss discretionary access control (DAC),
role-based (RBAC), mandatory (MAC), and rule-based access control as well. If
you scroll down, you'll find rule-based access control. Which of these is used
depends on the scenario or the organization.

A tiered access model groups your resources by how sensitive they are. Tier 0
includes the top-level resources, such as admin accounts, domain controllers,
and the privileged groups that control them. Tier 1 contains applications and
servers, and Tier 2 consists of end-user devices. The higher the tier number,
the less sensitive it is, so Tier 0 is the most sensitive: admin accounts,
domain controllers, and groups. The point of the model is that credentials from
a higher tier are never used to log on to a lower tier, so a compromised
workstation doesn't hand an attacker a Domain Admin logon. So here, the
question is: "Computers and printers must be added to Tier 0?" Nope, because
computers and printers are endpoints, so they belong in Tier 2.

Second question: suppose a vendor arrives at your facility for a two-week task.
As a system administrator, should you create a high-privileged account for
them? Nope, because this comes down to role-based access control: we assign
people resources and permissions based on their job. On top of that, we apply
the principle of least privilege, meaning if they don't need access to a
certain resource, we don't grant them permission to it; what they get depends
on the job description and on what the task actually needs. Give the vendor an
account with exactly those rights, and set an expiration date on it so it stops
working when the two weeks are over.
Okay, so finally the machine has started. Alright, we're going to demonstrate
Task 3 now. We're going to allow this, and we're going to start with the Group
Policy Editor (gpedit). Most of the policies you configure in Active Directory,
whether to harden, secure, or even just to set certain settings, are done
through Group Policy. So it's good practice to go over the policies here and
understand the purpose of every single one of them.

The first thing we're going to do is the LAN Manager hash. Here we're going to
make sure that Windows stores the user's password hash only as an NT (NTLM)
hash and not as an LM hash, because LM is far weaker than NTLM: it truncates
the password to 14 characters, uppercases it, splits it into two 7-character
halves, and encrypts a constant with each half using DES, so it is trivially
brute-forced. The NT hash is an unsalted MD4 of the password, which is also
fast to crack offline, but at least it isn't broken by design. What we're going
to do is go to Computer Configuration, then Policies, Windows Settings. Under
Windows Settings we expand Security Settings (the machine is too slow,
frustrating...), then Local Policies, and from Local Policies we go to Security
Options, where the security policies live. There's one here about the LAN
Manager; it starts with "Network security: Do not store..." Let's see where it
is... Yeah, this is the one. Properties: "Network security: Do not store LAN
Manager hash value on next password change." By default this is enabled, which
is good. Make sure on your end it's enabled, because you don't want the
password stored as an LM hash; it's going to be easily cracked. Note the "on
next password change" part: enabling the policy does not remove LM hashes that
are already stored, so existing users keep theirs until they next change their
password. Related to this is "Network security: LAN Manager authentication
level", which controls what is sent over the network rather than what is
stored; set it to "Send NTLMv2 response only. Refuse LM & NTLM". Alright,
that's the first thing you can do to secure Active Directory. The other thing
is SMB signing.
SMB (Server Message Block) is the protocol responsible for file and printer
sharing, so if you have file sharing or printer sharing enabled, this protocol
is almost certainly in use. The problem is that, without signing, nothing
proves that each SMB packet really came from the peer that authenticated, so an
attacker in the middle can tamper with the session or relay the NTLM
authentication to another host (NTLM relay). Signing does not encrypt the
traffic (that's a separate SMB 3 feature); it adds a MAC to every packet so the
packet can't be modified or replayed elsewhere. To enforce it, we configure
some security policies. Again, we go back to Windows Settings, then Security
Settings, Local Policies, Security Options, and we look for "Digitally sign
communications." Let's see where it is... "Domain member: Digitally sign secure
channel data" is something else; "Microsoft network client: Digitally sign
communications (always)", this is the one. In its properties it is disabled, so
we'll make sure it's enabled. If we go to the "Explain" tab, you can see more
information: "This security setting determines whether packet signing is
required by the SMB client component." There's a matching "Microsoft network
server: Digitally sign communications (always)" for the server side; on domain
controllers the server-side one is enabled by default, but on member servers
and workstations both are off. So you want SMB communications to be signed on
both ends and not exposed to MITM and relay attacks; therefore you need to
enable these. Alright.
Another thing for securing protocols in Active Directory is LDAP. LDAP, the
Lightweight Directory Access Protocol, is the main protocol Active Directory is
queried over, so we also want to protect that traffic against MITM attacks by
requiring that LDAP sessions be signed. On the same pane, we'll find the
"Domain controller:" entries, and we'll look for "Domain controller: LDAP
server channel binding token requirements" and "Domain controller: LDAP server
signing requirements". Signing requirements should be set to "Require signing"
and channel binding to "Always". Modifying these settings may affect
compatibility with clients, as the explanation says. Here it doesn't let me
enable it, for some reason related to that explanation, but normally this needs
to be enabled. Before enforcing it in production, turn up the "16 LDAP
Interface Events" diagnostic on the DCs and watch the Directory Service log
for event ID 2889, which is logged for each client that binds without signing,
so you know which clients will break.
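To check all of the Task 3 protocol settings at once rather than clicking through Security Options, here is an added PowerShell audit script (my example, not code from the room). It reads the registry values that these Group Policy settings write, so run it on the domain controller after a `gpupdate`; the "expected" values are the hardened ones described above, not the Windows defaults. The policy names in the table are the real Security Options names; the only assumption is that you want all six enforced.

```powershell
# Added example: audit the LM hash, NTLM level, SMB signing and LDAP signing
# settings on the local machine via the registry values Group Policy writes.
# Run elevated on the DC. A missing value means "Not Defined" (OS default).

$checks = @(
    @{ Name     = 'Network security: Do not store LAN Manager hash value on next password change'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'NoLMHash';                  Expected = 1 }
    @{ Name     = 'Network security: LAN Manager authentication level (NTLMv2 only, refuse LM & NTLM)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel';      Expected = 5 }
    @{ Name     = 'Microsoft network client: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value    = 'RequireSecuritySignature';  Expected = 1 }
    @{ Name     = 'Microsoft network server: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature';  Expected = 1 }
    @{ Name     = 'Domain controller: LDAP server signing requirements (Require signing)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LDAPServerIntegrity';       Expected = 2 }
    @{ Name     = 'Domain controller: LDAP server channel binding token requirements (Always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LdapEnforceChannelBinding'; Expected = 2 }
)

function Get-AuthHardeningStatus {
    foreach ($c in $checks) {
        # -ErrorAction SilentlyContinue: a value that was never set simply returns $null.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = if ($null -eq $actual) { 'not set (default)' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'FIX' }
        }
    }
}

Get-AuthHardeningStatus | Format-Table -AutoSize -Wrap
```

Anything reported as FIX should be changed in the GPO (Default Domain Controllers Policy for the two "Domain controller:" entries, a domain-wide GPO for the rest), not with `Set-ItemProperty`: on a domain-joined machine Group Policy would simply overwrite a local registry edit at the next refresh.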
The most important part of this video is password policies. Password policies
are configured from Security Settings as well, under Account Policies. Under
Account Policies there's Password Policy, and from here we can configure the
minimum length of the password, the complexity requirement, the password
history, and the minimum and maximum age (there is no maximum length setting).
For example, as you can see here, the maximum age of the password is 42 days,
which means after 42 days your users will be prompted to change their password.
The minimum age is one day, meaning you cannot change your password again
within a day of setting it; this exists so users can't cycle through passwords
to get back to an old one. And here we have a minimum password length of seven
characters. Note that this is the Default Domain Policy, which applies to every
account in the domain; a stricter policy for privileged accounts can be applied
with a Fine-Grained Password Policy without changing the default for everyone.
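The same settings can be read and changed from PowerShell with the ActiveDirectory module, which is handy for checking a domain you've just inherited. The following is an added example (mine, not the room's): it compares the Default Domain Policy against a target and, in a dry run by default, shows what would change, including a stricter Fine-Grained Password Policy for the Tier 0 group. The target numbers and the policy name `PSO-Tier0-Admins` are my assumptions, not values the room recommends.

```powershell
# Added example: compare the domain's default password policy with a target,
# and (with -Apply) enforce it plus a stricter Fine-Grained Password Policy
# for Domain Admins. Needs RSAT's ActiveDirectory module and domain admin rights.
Import-Module ActiveDirectory

# Target for the Default Domain Policy. Assumed values, tune to your own policy.
$Target = @{
    MinPasswordLength        = 14
    ComplexityEnabled        = $true
    PasswordHistoryCount     = 24
    MinPasswordAge           = New-TimeSpan -Days 1
    MaxPasswordAge           = New-TimeSpan -Days 365
    LockoutThreshold         = 10
    LockoutDuration          = New-TimeSpan -Minutes 15
    LockoutObservationWindow = New-TimeSpan -Minutes 15
}

function Compare-DomainPasswordPolicy {
    # Get-ADDefaultDomainPasswordPolicy reads the same values shown under
    # Account Policies in the Default Domain Policy GPO.
    $current = Get-ADDefaultDomainPasswordPolicy
    foreach ($k in $Target.Keys) {
        [pscustomobject]@{
            Setting = $k
            Current = $current.$k
            Target  = $Target[$k]
            Status  = if ($current.$k -eq $Target[$k]) { 'OK' } else { 'FIX' }
        }
    }
}

function Set-HardenedPasswordPolicy {
    param([switch]$Apply)
    # Without -Apply every change runs with -WhatIf, so nothing is modified.
    $params = $Target.Clone()
    $params['Identity'] = (Get-ADDomain).DistinguishedName
    Set-ADDefaultDomainPasswordPolicy @params -WhatIf:(-not $Apply)

    # Tier 0 accounts get a stricter policy through a Fine-Grained Password
    # Policy (PSO). Lowest Precedence wins when a user is covered by several.
    $psoName = 'PSO-Tier0-Admins'   # assumed name
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
        New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
            -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
            -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) -WhatIf:(-not $Apply)
        if ($Apply) {
            Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'
        }
    }
}

Compare-DomainPasswordPolicy | Format-Table -AutoSize
Set-HardenedPasswordPolicy          # dry run; add -Apply to change the domain
```

Run it first without `-Apply` and read the `WhatIf` lines; only when the diff looks right rerun with `-Apply`. The PSO is the practical way to give domain admins a 20-character minimum while ordinary users keep a length they can actually remember.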
These are some of the settings you can see. There are some questions to
answer, so let's scroll down. "What's the default minimum password length?" It
was seven, as you can see here. Going back and showing it one more time to you
guys: seven characters. Alright, these are some policies that you can enable to
harden your Active Directory, or rather to secure authentication. Additionally,
in Task 5, there's this nice tool that I hadn't heard of before: the Microsoft
Security Compliance Toolkit (SCT). So, let's go to the relevant folder,
Scripts, and open the link to the tool. If you download this toolkit, it gives
you Microsoft's recommended security baselines as ready-made templates that you
can review and apply to Active Directory. If you don't know what to do or which
policies to configure, you can download the toolkit, pick the baseline for your
Windows version, and start from that. For example, here is the Windows Server
2019 Security Baseline downloaded from the toolkit page. As you can see in the
figures, when you download the toolkit you choose which baselines you want, and
each one comes as a zip file. On this machine the Windows Server 2022 Security
Baseline zip was downloaded. Once extracted, open the Scripts folder and you'll
see the PowerShell script (Baseline-LocalInstall.ps1) that, when run, configures
the local policy according to the baseline. So a baseline is a collection of
settings that Microsoft considers a secure configuration for a specific Windows
version, and you can use it as a starting point if you don't know what to do.

Additionally, there's Policy Analyzer. Again, guys, these are downloaded by
running the toolkit download on your machine and selecting the pieces you
want; each comes as a zip file you extract and look at this way. Policy
Analyzer compares sets of Group Policy objects, and your local policy, against
each other and against a baseline, and highlights settings that are redundant
or that conflict between GPOs. In its folder you have the analyzer itself, the
.PolicyRules files it works with, and the scripts it ships with; those scripts
manage the rule files, they don't apply Group Policy.

If you go back to the Windows Server Security Baseline and check the GPOs
folder, these GPOs are backups that can be imported directly into Group Policy
Management, split by machine and user settings and by role (domain controller,
member server). If you open the XML report of one of them, hopefully it opens...
yeah, see, guys, these are the configurations. Now, the best thing to do is to
import them into Group Policy: domain-wide through the Group Policy Management
console, or on a single machine with LGPO.exe, the Local Group Policy Object
tool that also comes with the toolkit. As you can see, LGPO is an executable
file; Baseline-LocalInstall.ps1 uses it to apply the baseline to local policy.
Alright, so on the task here, there's "Find and open Baseline Local Install
script" and "Find the flag." Let's go to the Scripts folder and see where that
script is; there's Baseline-LocalInstall. Let's open it and see what it does.
Okay, so the description says: "Applies a Windows security configuration
baseline to a local Group Policy. Execute the script with one of these required
command line switches to install the corresponding baseline." So you specify
with a switch whether you're running it on a domain controller, on a
domain-joined machine, or on a non-domain-joined one. Requirements: the
PowerShell execution policy must allow the script to run, and for the
domain-joined switches the machine must be domain-joined. And this is the flag.
So, as you can see, guys, this is a set of configurations that will be applied
to whichever computer you run it on, and it configures the local Group Policy
according to the baseline selected by that switch.
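For a domain, the baseline GPO backups are usually imported into Group Policy Management rather than applied locally with Baseline-LocalInstall.ps1. Here is an added PowerShell example (mine, not from the room or the toolkit) that enumerates the backups in an extracted baseline's GPOs folder and imports the ones you pick as new, unlinked GPOs so they can be reviewed before being linked anywhere. The extraction path and the `SCT - ` name prefix are assumptions; the `bkupInfo.xml` file and `Import-GPO -BackupId` are the standard GPO backup format and cmdlet.

```powershell
# Added example: list the GPO backups inside an extracted SCT baseline and
# import them into the domain as unlinked GPOs for review. Needs the GroupPolicy
# module (RSAT / GPMC) and rights to create GPOs.
Import-Module GroupPolicy

$BaselineRoot = 'C:\Baselines\Windows Server 2022 Security Baseline'   # assumed path
$GpoBackupDir = Join-Path $BaselineRoot 'GPOs'

function Get-BaselineGpoBackup {
    param([string]$Path)
    # Each GPO backup is a {GUID} folder; bkupInfo.xml inside it carries the display name.
    foreach ($dir in Get-ChildItem -Path $Path -Directory) {
        $info = Join-Path $dir.FullName 'bkupInfo.xml'
        if (-not (Test-Path $info)) { continue }
        [xml]$xml = Get-Content -Path $info
        # local-name() sidesteps the XML namespace the backup file declares.
        $name = $xml.SelectSingleNode('//*[local-name()="GPODisplayName"]').InnerText
        [pscustomobject]@{
            BackupId    = $dir.Name.Trim('{', '}')
            DisplayName = $name
        }
    }
}

function Import-BaselineGpo {
    param(
        [string]$Path,
        [string]$Prefix = 'SCT - ',          # assumed naming convention
        [string[]]$Match = @('*'),           # e.g. '*Domain Controller*' for DC GPOs only
        [switch]$Apply
    )
    foreach ($b in Get-BaselineGpoBackup -Path $Path) {
        $wanted = $false
        foreach ($m in $Match) { if ($b.DisplayName -like $m) { $wanted = $true } }
        if (-not $wanted) { continue }
        $targetName = $Prefix + $b.DisplayName
        # -CreateIfNeeded makes a new GPO; it is created unlinked, so nothing is
        # enforced until you link it. Without -Apply this is a -WhatIf dry run.
        Import-GPO -BackupId $b.BackupId -Path $Path -TargetName $targetName `
                   -CreateIfNeeded -WhatIf:(-not $Apply) | Out-Null
        "{0} -> '{1}'" -f $b.BackupId, $targetName
    }
}

Get-BaselineGpoBackup -Path $GpoBackupDir | Format-Table -AutoSize
Import-BaselineGpo -Path $GpoBackupDir -Match '*Domain Controller*'   # add -Apply to create
```

After importing, dump each new GPO with `Get-GPOReport -Name 'SCT - ...' -ReportType Html` and read it, then link it to a test OU with `New-GPLink` before it goes near the domain root; baselines disable things (old protocols, anonymous access) that legacy applications sometimes still rely on.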
Okay, the other question is: "Find and open the Merge Policy Rule script
imported from Policy Analyzer in the PowerShell editor." So, back to Policy
Analyzer, you can check the scripts. Let's take a look at the Merge Policy
script. What does it do? "Merge Policy Analyzer policy rule files into one
policy rule set written into the pipeline." So Policy Analyzer works with
.PolicyRules files, one per GPO set or baseline, and this script combines
several of them into a single rule set you can compare against. That is what
lets Policy Analyzer show you where GPOs overlap: redundant settings configured
in more than one GPO, and settings where two GPOs conflict. If you scroll down,
as you can see, this is the flag.
The other questions are about common attacks against Active Directory. We have
covered many rooms on Active Directory penetration testing; you can go back to
those, guys, and see how attacks are conducted against these environments. So,
"Does Kerberoasting utilize an offline attack for cracking encrypted
passwords?" We explained Kerberoasting previously; I'm just going to go through
it again. The answer is yes, it's offline: any domain user can request a
service ticket (TGS) for any account that has a Service Principal Name, that
ticket is encrypted with the service account's password hash, and you take the
ticket away and crack it offline with a wordlist or brute force. Nothing goes
back to the domain controller while you crack, so no failed logons show up in
the logs, which is why the mitigation is long, random passwords for service
accounts, or group Managed Service Accounts.

"How many users have the same password as Aaron Booth?" For those of you
asking, "Where is the report?", the report is here. If you go to the image and
click on it, you'll see it: it lists the usernames that share the same password.
As you can see, for Aaron Booth, the number of accounts with the same password
is 186.
Lastly, this is a cheat sheet from
TryHackMe. You can download it to take
a look at more details on Active
Directory hardening. So that was it, guys.
I hope you enjoyed the video, and
definitely, I’m going to see you later to complete this track.