What's going on, guys? Welcome back to this video. Today we're doing another TryHackMe video, and we're going to focus on the Security Engineer track. We have reached Active Directory hardening, which will be the subject of this video. There are some methods discussed, and I say "some" because there are many methods to harden and secure Active Directory, meaning Windows Server with Active Directory. But here there are some methods that are discussed. We're going to go over these methods, answer a couple of questions, and try to make this as simple as I can. And for my members, I released a new note file. It's under the Blue Team track, in the Blue Team notes, and it's called Windows Security. You'll find this in the Google Drive notes. Alright, let's get back to the room. So we have a machine to spawn. We're going to click on "Start the machine." So basically, Task 2 is about concepts on Active Directory.
It's not a comprehensive list; you know, it doesn't contain everything about Active Directory, but if you're going through Active Directory hardening, you must know what a domain is, what a domain controller is, and the definitions of trees and forests. We are going to talk about this, but there are two questions here. One question is, "What is the root domain in the attached AD machine?" So basically, here, let's see... the machine is still starting. Here we have TryHackMe.loc as the root domain, and ZA.TryHackMe is not a subdomain; it's called a child domain. So both of these domains exist under the same tree. We call it a tree because it contains more than one domain. Now, the subject of this video will be securing authentication methods and the other tasks. So let's first make sure that the machine is up and running, and then click on Split View. Okay, going to Task 3.
In Task 3, we have the LAN Manager hash, SMB signing, LDAP signing, password policies and rotation, along with some suggestions on password policies. These are settings that you can configure on your Active Directory to make sure that the authentication process is secure, meaning MITM attacks have little to no chance of succeeding. At the same time, you configure a strong password policy for your users. Simultaneously, in Task 4, they talk about general security concepts. For example, role-based access control, methods of access control, the principle of least privilege: these are all general security controls that you can apply to Active Directory or Windows Server Active Directory. There are two questions here: "Computers and printers must be added to Tier 0?" This is about the tiered access model. The tiered access model is not discussed in CompTIA Security+. So here, I'm preparing a note file for you guys to help you prepare for CompTIA Security+.
In CompTIA Security+, there are certain models for access control. Oh my god, there are many things about access control: access control methods, models. It's just too hard to find them... MAC, okay... As you can see, in CompTIA Security+, we discuss discretionary access control, role-based, mandatory, and rule-based access control as well. If you scroll down, you'll find it, maybe rule-based access control. All of these access controls are used depending on the scenario or the organization. A tiered access model groups your resources based on tiers. For example, Tier 0 includes top-level resources such as admin accounts, domain controllers, and groups. Tier 1 contains applications and servers, and Tier 2 consists of end-user devices. The higher the tier, the less sensitive it becomes. So, as you can see, Tier 0 is the highest; it contains the most sensitive resources, such as admin accounts, domain controllers, and groups.
So here, the question is: "Computers and printers must be added to Tier 0?" Nope, because computers and printers are endpoints, so we can add them to Tier 2. "Suppose a vendor arrives at your facility for a two-week visit task. Being a system administrator, should you create a high-privileged account for him?" Nope, because this goes back to role-based access control. In role-based access control, we assign people resources and permissions based on their job. Additionally, we apply the principle of least privilege. Least privilege means that if they don't need access to a certain resource, we don't grant them permission to access that resource; it depends on your job description and on your needs as well. Okay, so finally, the machine has started. Alright, we're going to demonstrate Task 3 now. Alright. So, we're going to allow this, and we're going to start with GPEDIT, the Group Policy Editor.
Most of the 137 00:06:25,199 --> 00:06:27,039 policies you configure in Active 138 00:06:27,039 --> 00:06:30,240 Directory, whether to harden, secure, or 139 00:06:30,240 --> 00:06:33,720 even to set certain settings, are done 140 00:06:33,720 --> 00:06:36,160 via the Group Policy Editor. 141 00:06:36,160 --> 00:06:39,319 So it’s good practice to 142 00:06:39,319 --> 00:06:43,000 go over the policies here and understand 143 00:06:43,000 --> 00:06:44,440 what every single one of them... the 144 00:06:44,440 --> 00:06:46,599 purpose of every single one of them. So 145 00:06:46,599 --> 00:06:47,800 the first thing we're going to do is the 146 00:06:47,800 --> 00:06:50,120 LAN Manager Hash. 147 00:06:50,120 --> 00:06:52,120 So here, we're going to make sure 148 00:06:52,120 --> 00:06:55,960 that Windows stores the hashes for the 149 00:06:55,960 --> 00:06:59,440 user’s password in NTLM, not 150 00:06:59,440 --> 00:07:02,120 not LM, because LM is relatively 151 00:07:02,120 --> 00:07:04,960 weaker than NTLM, right? And is 152 00:07:04,960 --> 00:07:06,759 vulnerable to brute-force attacks. So we 153 00:07:06,759 --> 00:07:08,400 make sure that the passwords or 154 00:07:08,400 --> 00:07:10,819 hashes are stored 155 00:07:10,819 --> 00:07:13,240 in NTLM. What 156 00:07:13,240 --> 00:07:14,400 we’re going to do here is go 157 00:07:14,400 --> 00:07:16,319 to Computer Configuration, as you can see 158 00:07:16,319 --> 00:07:17,840 here, and then go to 159 00:07:17,840 --> 00:07:20,840 Policies, Windows Settings. In Windows 160 00:07:20,840 --> 00:07:23,319 Settings, we expand this 161 00:07:23,319 --> 00:07:27,020 (the machine is too slow, frustrating...) 162 00:07:27,020 --> 00:07:29,039 Okay. Security Settings--we can 163 00:07:29,039 --> 00:07:32,080 highlight this and expand to Local 164 00:07:32,080 --> 00:07:34,120 Policies. 
If we expand Local 165 00:07:34,120 --> 00:07:36,919 Policies, we go to Security Options, and 166 00:07:36,919 --> 00:07:41,840 from Security Options, we have the 167 00:07:41,840 --> 00:07:43,560 security policies. So as you can see, 168 00:07:43,560 --> 00:07:47,759 there’s one here about the 169 00:07:47,759 --> 00:07:50,952 LAN Manager. Let’s see where it is. 170 00:07:54,440 --> 00:07:58,520 It starts with "Don’t store..." Let’s 171 00:07:58,520 --> 00:07:59,999 see where it is... 172 00:08:01,549 --> 00:08:04,539 Yeah, this is done. 173 00:08:04,539 --> 00:08:07,080 Properties--NetworkSecure--don’t store 174 00:08:07,080 --> 00:08:09,479 LAN Manager hash value on next password 175 00:08:09,479 --> 00:08:11,919 change. By default, this is enabled, 176 00:08:11,919 --> 00:08:13,599 which is good. Make sure on your end 177 00:08:13,599 --> 00:08:16,560 this is enabled because you don’t want 178 00:08:16,560 --> 00:08:20,400 the password to be stored as an LM hash 179 00:08:20,400 --> 00:08:23,080 because it's going to be susceptible to 180 00:08:23,080 --> 00:08:24,520 brute-force attacks. It's going to be 181 00:08:24,520 --> 00:08:26,720 easily cracked. Alright, that’s the 182 00:08:26,720 --> 00:08:30,039 first thing to securing... or that's the 183 00:08:30,039 --> 00:08:31,959 first thing you can do to secure Active 184 00:08:31,959 --> 00:08:35,240 Directory. The other thing is SMB signing. 185 00:08:35,240 --> 00:08:38,120 SMB (Server Message Block) is 186 00:08:38,120 --> 00:08:40,479 the protocol responsible for file and 187 00:08:40,479 --> 00:08:41,880 printer sharing. So, if you have file 188 00:08:41,880 --> 00:08:44,279 sharing or printer sharing enabled, this 189 00:08:44,279 --> 00:08:46,399 protocol is most probably enabled. The 190 00:08:46,399 --> 00:08:49,160 problem is that the communications happen 191 00:08:49,160 --> 00:08:51,680 in clear text, so it’s vulnerable to MITM 192 00:08:51,680 --> 00:08:56,000 attacks. 
So in order to prevent this, we're going to need to configure some security policies. Again, we go back to Windows Settings, then to Security Settings, back to Local Policies, Security Options, and we'll look for the digitally signed communication. Let's see where it is... Digitally Sign Secure Channel... Microsoft Network, this is the one: Digitally Sign Communication, Properties. It is disabled, so we'll make sure this is enabled. If we go to the "Explain" section, you can see more information about this. Digitally signed communications: this security setting determines whether packet signing is required by the SMB client component. So, you want the communications through SMB to be signed and not available to MITM attacks. Therefore, you need to enable this. Alright. Another thing for securing protocols in Active Directory is the LDAP protocol. LDAP is the main protocol that Active Directory is based on; it's the Lightweight Directory Access Protocol.
We also 220 00:10:14,399 --> 00:10:17,000 want to secure the communications 221 00:10:17,000 --> 00:10:19,839 based on that protocol to prevent MITM attacks. 222 00:10:19,839 --> 00:10:20,839 So, what we’re going to do again. 223 00:10:20,839 --> 00:10:23,440 Also, to enable the signing of these 224 00:10:23,440 --> 00:10:26,839 communications. On the same pane 225 00:10:26,839 --> 00:10:28,680 here, we’ll find the Domain 226 00:10:28,680 --> 00:10:31,640 Controller section, and then we’ll 227 00:10:31,640 --> 00:10:34,839 look for LDAP Server Channel Binding 228 00:10:34,839 --> 00:10:38,313 Tokens and LDAP Server Signing Requirements. 229 00:10:42,200 --> 00:10:44,519 Modifying the setting 230 00:10:44,519 --> 00:10:46,040 may affect compatibility with 231 00:10:46,040 --> 00:10:48,839 clients. Here, it doesn’t allow me to 232 00:10:48,839 --> 00:10:50,639 enable it for some reason related to 233 00:10:50,639 --> 00:10:54,820 this explanation, but usually, this needs to be enabled. 234 00:10:56,399 --> 00:10:59,800 The most important part 235 00:10:59,800 --> 00:11:02,399 of this video is the password 236 00:11:02,399 --> 00:11:04,720 policies. Password policies can be 237 00:11:04,720 --> 00:11:08,519 configured from... oh, we’re going to go 238 00:11:08,519 --> 00:11:10,639 back to Security Settings and we're 239 00:11:10,639 --> 00:11:12,760 going to check on Account Policies. 240 00:11:12,760 --> 00:11:14,480 So, Account Policy--there’s a 241 00:11:14,480 --> 00:11:16,399 Password Policy here, and from here, we 242 00:11:16,399 --> 00:11:19,639 can configure the minimum and maximum 243 00:11:19,639 --> 00:11:22,160 length of the password, the complexity, 244 00:11:22,160 --> 00:11:24,240 the age, and so on. 
For example, 245 00:11:24,240 --> 00:11:26,600 as you can see here, the maximum age 246 00:11:26,600 --> 00:11:29,680 of the password is 42 days, which means after 247 00:11:29,680 --> 00:11:32,560 42 days, your users will be prompted to 248 00:11:32,560 --> 00:11:34,530 change their password. 249 00:11:35,160 --> 00:11:37,279 That’s the maximum age, and 250 00:11:37,279 --> 00:11:39,040 that's the minimum age is 251 00:11:39,040 --> 00:11:41,120 one, meaning you cannot change your 252 00:11:41,120 --> 00:11:44,120 password during the first day of the 253 00:11:44,120 --> 00:11:46,399 assignment. Here we have a minimum password 254 00:11:46,399 --> 00:11:48,223 length of seven characters. 255 00:11:49,560 --> 00:11:53,079 These are some 256 00:11:53,079 --> 00:11:54,959 settings you can see. There 257 00:11:54,959 --> 00:11:57,279 are some questions to answer, so let’s 258 00:11:57,279 --> 00:12:00,079 scroll down. Yeah, change the... "What’s 259 00:12:00,079 --> 00:12:02,240 the default minimum password length?" It 260 00:12:02,240 --> 00:12:04,639 was seven, as you can see here. 261 00:12:04,639 --> 00:12:08,800 Going back and showing it one more time 262 00:12:08,800 --> 00:12:11,920 to you guys: seven characters. Alright, 263 00:12:11,920 --> 00:12:14,160 these are some 264 00:12:14,160 --> 00:12:16,240 policies that you can enable to harden 265 00:12:16,240 --> 00:12:19,800 your Active Directory or to secure 266 00:12:19,800 --> 00:12:22,240 the authentication. Additionally, 267 00:12:22,240 --> 00:12:25,720 in Task 5, there’s this nice new tool 268 00:12:25,720 --> 00:12:27,560 that I hadn’t heard of before: the 269 00:12:27,560 --> 00:12:31,240 Microsoft Security Compliance Toolkit. 270 00:12:31,240 --> 00:12:33,360 So, this tool... 271 00:12:33,790 --> 00:12:38,000 Let’s go to the relative folder. Scripts, 272 00:12:38,279 --> 00:12:42,360 open that... Okay, 273 00:12:43,240 --> 00:12:46,000 opening the link of the tool. 
If you download this tool, it will give you recommendations and ready-made templates that you can download and use to configure Active Directory. If you don't know what to do and what policies to configure, you can download this tool and retrieve ready-made templates to configure. For example, on Group Policy, there are already-made configurations. For example, here's the Windows Server 2019 Security Baseline downloaded from the tool itself. To illustrate further, in the figures here, as you can see, when you run this tool, it gives you the templates. Now here, Windows Server 2022 Security Baseline zip: this is a zip file, and it was downloaded to this machine. Once downloaded, you can see the relative folder. If you open it and go to Local Scripts, you can see the PowerShell script that, if you run it, will configure the settings based on this baseline. So, the baseline is actually a collection and combination of configurations that ensure your Windows Server is secure based on a specific baseline, right?
And you can use this as a start if you don't know what to do. Additionally, there's the Policy Analyzer. Again, guys, these can be downloaded by running the tool on your machine and then selecting the configuration you want. It will be downloaded in a zip file, and you can extract and see it this way. The Policy Analyzer analyzes the Group Policy settings in your environment, okay, and as you can see here, you have the demonstrations. So, if you go back here to Policy Analyzer, you can see these are the scripts that, if you run them, will configure your Group Policy based on the settings. Let's go over one of them. So, if you go back to the Windows Server Security Baseline and check the GPOs, as you can see, these GPOs can be directly imported into your Group Policy Editor based on the machine and the user. If you open this in XML format... hopefully, it's going to open... yeah, see, guys, these are the configurations. Now, the best thing to do is to import them into your security or Group Policy Editor (LGPO).
As you can see, this is an executable file. Alright, so on the task here, there's "Find and open Baseline Local Install script" and "Find the flag." Let's go here and see where that script is: Local Script, and there's Baseline Local Install. Let's open this and see what it does. Okay, so the description says: "Applies a Windows Security Configuration baseline to a local Group Policy. Execute the script with one of these required command line switches to install the corresponding baseline." So here you specify whether you execute this on a domain controller or on a domain-joined machine. Requirements: PowerShell execution policy, domain-joined machine. And this is the flag. So, as you can see, guys, these are a set of configurations that will be applied to any domain or any computer you apply it to, and it will configure the Group Policy based on the configurations mentioned here.
Okay, the other question is: "Find and open the Merge Policy Rule script imported from Policy Analyzer in PowerShell Editor." So, back to Policy Analyzer, you can check the scripts. Merge Policy: let's take a look at the script here. What does it do? So, "Merge Policy Analyzer policy rule files into one policy rule set written into the pipeline." So, one of the things that Policy Analyzer does is that it gets rid of redundant policies configured in GPO. If you scroll down, as you can see, this is the flag. Other questions we have to answer: these are the common attacks against Active Directory. We have discussed many rooms on Active Directory penetration testing; you can go back to them, guys, and see how attacks are conducted against these kinds of environments. So, "Does Kerberoasting utilize an offline attack for cracking encrypted passwords?" We explained previously, guys, about Kerberoasting.
I'm just going to go through this again, and the answer is yes, it's offline because, at the end, you take the ticket and crack it offline. "As per the generated report, how many users have the same password as Aaron Booth?" For you guys who are asking, "Where is the report?" The report is here. If you go to the image here, you click on it and see; this is the report. These are the usernames that have the same password. As you can see, Aaron Booth's... The number of accounts with the same password is 186. Lastly, this is a cheat sheet from TryHackMe. You can download it to take a look at more details on Active Directory hardening. So that was it, guys. I hope you enjoyed the video, and definitely, I'm going to see you later to complete this track.
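As an added example (not code from the video, the TryHackMe room, or the Security Compliance Toolkit), here is a read-only PowerShell audit that checks, on a domain controller, the registry values behind the Security Options policies covered in the video (LM hash storage, SMB signing, LDAP signing and channel binding) plus the domain password policy from Account Policies. The registry paths and the ActiveDirectory cmdlet are standard Windows ones; the minimum-length and history thresholds are this example's own assumptions, not values from the room.

```powershell
# Added audit example: reads the registry values that the Group Policy settings
# above write, and the domain password policy, and reports what still needs
# hardening. Assumes an elevated session on a domain controller with the
# ActiveDirectory module. It changes nothing.

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # A missing value means "not configured"; return $null so it gets flagged.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Each check: the policy name as shown in Security Options, the registry value
# it maps to, and the value the hardened setting writes.
$checks = @(
    @{ Policy   = 'Network security: Do not store LAN Manager hash value on next password change'
       Path     = $lsa;  Name = 'NoLMHash';                  Expected = 1 },
    @{ Policy   = 'Microsoft network client: Digitally sign communications (always)'
       Path     = $wks;  Name = 'RequireSecuritySignature';  Expected = 1 },
    @{ Policy   = 'Microsoft network server: Digitally sign communications (always)'
       Path     = $srv;  Name = 'RequireSecuritySignature';  Expected = 1 },
    @{ Policy   = 'Domain controller: LDAP server signing requirements (Require signing)'
       Path     = $ntds; Name = 'LDAPServerIntegrity';       Expected = 2 },
    @{ Policy   = 'Domain controller: LDAP server channel binding token requirements (Always)'
       Path     = $ntds; Name = 'LdapEnforceChannelBinding'; Expected = 2 }
)

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Policy   = $c.Policy
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        Expected = $c.Expected
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'HARDEN' }
    }
})

# Password policy: the same values the video reads under Account Policies.
# The 14-character and 24-history thresholds are this example's assumptions.
Import-Module ActiveDirectory -ErrorAction Stop
$pp = Get-ADDefaultDomainPasswordPolicy
$results += [pscustomobject]@{
    Policy = 'Minimum password length'; Actual = $pp.MinPasswordLength; Expected = '>= 14'
    Status = if ($pp.MinPasswordLength -ge 14) { 'OK' } else { 'HARDEN' } }
$results += [pscustomobject]@{
    Policy = 'Password must meet complexity requirements'; Actual = $pp.ComplexityEnabled; Expected = $true
    Status = if ($pp.ComplexityEnabled) { 'OK' } else { 'HARDEN' } }
$results += [pscustomobject]@{
    Policy = 'Store passwords using reversible encryption'; Actual = $pp.ReversibleEncryptionEnabled; Expected = $false
    Status = if (-not $pp.ReversibleEncryptionEnabled) { 'OK' } else { 'HARDEN' } }
$results += [pscustomobject]@{
    Policy = 'Enforce password history'; Actual = $pp.PasswordHistoryCount; Expected = '>= 24'
    Status = if ($pp.PasswordHistoryCount -ge 24) { 'OK' } else { 'HARDEN' } }
$results += [pscustomobject]@{
    Policy = 'Maximum password age (days)'; Actual = $pp.MaxPasswordAge.Days; Expected = '1..365'
    Status = if ($pp.MaxPasswordAge.Days -ge 1 -and $pp.MaxPasswordAge.Days -le 365) { 'OK' } else { 'HARDEN' } }

$results | Format-Table -AutoSize -Wrap
```

Registry values reflect the setting currently applied on that host, so run it after a `gpupdate /force` if you have just changed a GPO; a "not configured" result means the policy has never been set by any GPO or local policy.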