What's going on, guys? Welcome back to this video. Today, we're doing another TryHackMe video, and we're going to focus on the Security Engineer track. We have reached Active Directory hardening, which will be the subject of this video. The room discusses some methods, and I say "some" because there are many methods to harden and secure Active Directory, meaning Windows Server with Active Directory Domain Services. We're going to go over these methods, answer a couple of questions, and try to make this as simple as I can. And for my members, I released a new note file. It's under the Blue Team track, in the Blue Team notes, and it's called Windows Security. You'll find it in the Google Drive notes.

Alright, let's get back to the room. We have a machine to spawn, so we're going to click on "Start the machine." Task 2 is about Active Directory concepts. It's not a comprehensive list and doesn't contain everything about Active Directory, but if you're going through Active Directory hardening, you must know what a domain is, what a domain controller is, and the definitions of trees and forests. There are two questions here. One is, "What is the root domain in the attached AD machine?" The machine is still starting, but here we have it: tryhackme.loc is the root domain, and za.tryhackme.loc is not a subdomain in the DNS sense; in Active Directory terms it's called a child domain. Both domains share a contiguous namespace, which is why they form one tree, and a forest is one or more trees that share a schema and a common root. Now, the main subject of this video will be securing authentication methods and the other tasks. So let's first make sure the machine is up and running, then click on Split View.

Okay, going to Task 3. In Task 3, we have the LAN Manager hash, SMB signing, LDAP signing, password policies and rotation, along with some suggestions on password policies.
These are settings you configure in Active Directory to make sure the authentication process is secure, meaning MITM attacks have little to no chance of succeeding, and at the same time you configure a strong password policy for your users.

Similarly, in Task 4, they talk about general security concepts: role-based access control, methods of access control, the principle of least privilege. These are general security controls that you can apply to Active Directory. There are two questions here. The first: "Computers and printers must be added to Tier 0?" This is about the tiered access model. The tiered access model is not discussed in CompTIA Security+. So here, I'm preparing a note file for you guys to help you prepare for CompTIA Security+. In CompTIA Security+, there are certain models for access control. Oh my god, there are many things about access control: methods, models. It's just too hard to find them... MAC, okay. As you can see, in CompTIA Security+, we discuss discretionary access control, role-based, mandatory, and rule-based access control as well. If you scroll down, you'll find it, maybe rule-based access control. All of these access controls are used depending on the scenario or the organization.

A tiered access model groups your resources into tiers. Tier 0 includes the top-level resources: admin accounts, domain controllers, and the groups that control them. Tier 1 contains applications and servers, and Tier 2 consists of end-user devices. The higher the tier number, the less sensitive the resources in it. So Tier 0 is the most sensitive, containing admin accounts, domain controllers, and privileged groups. The rule that gives the model its value is that Tier 0 credentials are never used to log on to lower-tier systems, so a compromised workstation cannot harvest them. The question is, "Computers and printers must be added to Tier 0?" Nope, because computers and printers are endpoints, so they belong in Tier 2. Suppose a vendor arrives at your facility for a two-week visit task.
Being a system administrator, should you create a high-privileged account for him? Nope, because this comes down to role-based access control: we assign people resources and permissions based on their job. Additionally, we apply the principle of least privilege, meaning that if they don't need access to a certain resource, we don't grant them permission to it; access depends on the job description and actual needs. For a two-week visit, that also means an account that expires when the visit ends.

Okay, so finally, the machine has started. Alright, we're going to demonstrate Task 3 now. We're going to allow this, and we're going to start with gpedit, the Group Policy Editor. Most of the policies you configure in Active Directory, whether to harden, secure, or even just to set certain settings, are done via Group Policy. So it's good practice to go over the policies here and understand the purpose of every single one of them.

The first thing we're going to do is the LAN Manager hash. We're going to make sure that Windows stores the user's password hash as the NT hash (what the room calls the NTLM hash), not LM, because LM is much weaker: it uppercases the password, splits it into two 7-character halves and DES-encrypts each half with no salt, so it can be brute-forced in a very short time. What we're going to do is go to Computer Configuration, then Policies, then Windows Settings. In Windows Settings, we expand this (the machine is too slow, frustrating...) Okay. Security Settings, expand to Local Policies. Under Local Policies, we go to Security Options, and there we have the security policies. There's one about the LAN Manager; it starts with "Do not store..." Yeah, this is the one: "Network security: Do not store LAN Manager hash value on next password change." Open Properties.
By default, this is enabled, which is good. Make sure on your end it is enabled, because you don't want the password to be stored as an LM hash; it's easily cracked. Alright, that's the first thing you can do to secure Active Directory.

The other thing is SMB signing. SMB (Server Message Block) is the protocol responsible for file and printer sharing, so if you have file or printer sharing enabled, this protocol is most probably enabled. The problem is that, without signing, nothing proves a packet came from the peer: an attacker in the path can tamper with the session or relay a captured NTLM authentication to another host (NTLM relay). So to prevent this, we need to configure some security policies. Again, we go to Windows Settings, Security Settings, Local Policies, Security Options, and we look for the digitally signed communication. Let's see where it is... "Digitally sign secure channel" is the domain-member one; the one we want is under "Microsoft network client": "Microsoft network client: Digitally sign communications (always)." Open Properties. It is disabled, so we'll make sure it's enabled. If we go to the "Explain" tab, you can see more information: this security setting determines whether packet signing is required by the SMB client component. So you want communications over SMB to be signed and not open to MITM attacks, and therefore you enable this. Note that this policy covers the client side; the server side is "Microsoft network server: Digitally sign communications (always)," and relay only fails everywhere if both are required on every machine, not just on the domain controllers.

Another thing for securing protocols in Active Directory is the LDAP protocol. LDAP, the Lightweight Directory Access Protocol, is the main protocol Active Directory is based on, and we want to secure communications over it to prevent MITM attacks too. Again, this means enabling signing of those communications. In the same pane, we find the Domain controller section and look for "Domain controller: LDAP server channel binding token requirements" and "Domain controller: LDAP server signing requirements."
Modifying the setting may affect compatibility with clients. Here, it doesn't allow me to enable it for some reason related to this explanation, but usually this needs to be enabled. The compatibility warning is real: clients that still do unsigned or simple binds will fail once signing is required, so check the Directory Service event log on your domain controllers for event 2887, which summarises such binds, and fix those clients before enforcing it in production.

The most important part of this video is the password policies. Password policies are configured from Security Settings, under Account Policies. In Account Policies there's Password Policy, and from here we can configure the minimum length of the password, the complexity, the minimum and maximum age, and so on. For example, as you can see here, the maximum password age is 42 days, which means after 42 days your users will be prompted to change their password. The minimum age is one day, meaning a user cannot change the password again within one day of setting it, which stops someone cycling through passwords to get back to an old one. Here we have a minimum password length of seven characters. There are some questions to answer, so let's scroll down. "What's the default minimum password length?" It was seven, as you can see here. Going back and showing it one more time to you guys: seven characters. Alright, these are some policies you can enable to harden your Active Directory, or rather to secure authentication.

Additionally, in Task 5, there's this nice new tool that I hadn't heard of before: the Microsoft Security Compliance Toolkit. Let's go to the relevant folder. Scripts, open that... Okay, opening the link of the tool. If you download this tool, it gives you recommendations and ready-made templates (security baselines) that you can download and apply to Active Directory. If you don't know what to do and what policies to configure, you can download this tool and retrieve ready templates. For Group Policy, there are already-made configurations. For example, here's the Windows Server 2019 Security Baseline downloaded from the tool itself.
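Before moving on to the toolkit, here is a small audit script for the Task 3 settings above. It is an added example for this write-up, not code from the TryHackMe room. It reads the registry values that back the Group Policy settings we just walked through (LM hash storage, LAN Manager authentication level, SMB client and server signing, LDAP signing and channel binding), reads the effective domain password policy with the ActiveDirectory module, and flags anything weaker than the target. The Expected values are hardened targets I am assuming here, not values the room prescribes; the paths and value names are the documented registry backing for those policies.

```powershell
# Audit-AuthHardening.ps1
# Added example for this write-up, not code from the TryHackMe room.
# Reads the registry values that back the Task 3 Group Policy settings plus the
# effective domain password policy and flags anything weaker than the target.
# Run from an elevated PowerShell on a domain controller with the ActiveDirectory
# RSAT module. The Expected values are hardened targets assumed here (the room
# itself does not prescribe them); relax them only if your clients need it.

$Checks = @(
    @{ Policy   = 'Network security: Do not store LAN Manager hash value on next password change'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'NoLMHash';                 Expected = 1 }
    @{ Policy   = 'Network security: LAN Manager authentication level (5 = NTLMv2 only, refuse LM/NTLM)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'LmCompatibilityLevel';     Expected = 5 }
    @{ Policy   = 'Microsoft network client: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name     = 'RequireSecuritySignature'; Expected = 1 }
    @{ Policy   = 'Microsoft network server: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'RequireSecuritySignature'; Expected = 1 }
    @{ Policy   = 'Domain controller: LDAP server signing requirements (2 = Require signing)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name     = 'LDAPServerIntegrity';      Expected = 2 }
    @{ Policy   = 'Domain controller: LDAP server channel binding token requirements (2 = Always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name     = 'LdapEnforceChannelBinding'; Expected = 2 }
)

$results = foreach ($c in $Checks) {
    # A missing value means the setting is not pinned by policy; report it as WEAK
    # so it gets configured explicitly rather than left to OS defaults.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Policy   = $c.Policy
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Expected = $c.Expected
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'WEAK' }
    }
}

# Effective default domain password policy (what the Password Policy node in the
# Default Domain Policy resolves to). Targets below are assumptions for this example.
Import-Module ActiveDirectory -ErrorAction Stop
$pp = Get-ADDefaultDomainPasswordPolicy
$pwChecks = @(
    @{ Policy = 'Password policy: minimum password length';           Actual = $pp.MinPasswordLength;          Expected = '>= 14';  Ok = ($pp.MinPasswordLength -ge 14) }
    @{ Policy = 'Password policy: complexity requirements';            Actual = $pp.ComplexityEnabled;          Expected = 'True';   Ok = [bool]$pp.ComplexityEnabled }
    @{ Policy = 'Password policy: enforce password history';           Actual = $pp.PasswordHistoryCount;       Expected = '>= 24';  Ok = ($pp.PasswordHistoryCount -ge 24) }
    @{ Policy = 'Password policy: store passwords using reversible encryption'; Actual = $pp.ReversibleEncryptionEnabled; Expected = 'False'; Ok = (-not $pp.ReversibleEncryptionEnabled) }
    @{ Policy = 'Account lockout: lockout threshold';                  Actual = $pp.LockoutThreshold;           Expected = '> 0';    Ok = ($pp.LockoutThreshold -gt 0) }
    @{ Policy = 'Password policy: maximum password age (room default 42 days)'; Actual = $pp.MaxPasswordAge; Expected = 'review'; Ok = $true }
)
$results += foreach ($p in $pwChecks) {
    [pscustomobject]@{ Policy = $p.Policy; Actual = $p.Actual; Expected = $p.Expected; Status = if ($p.Ok) { 'OK' } else { 'WEAK' } }
}

# Only move LDAP signing to Require once the DCs stop logging event 2887, which
# summarises clients still doing unsigned SASL binds or simple binds in clear text.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev) {
    Write-Warning "Event 2887 logged $($ev.TimeCreated): some clients still bind to LDAP unsigned; fix them before requiring signing."
}

$results | Format-Table -AutoSize
```

Run it on each domain controller, not just one: the LDAP and SMB server values are per machine, and a single DC left at the defaults is enough for a relay or an unsigned bind to succeed. For the password policy, fine-grained password policies (PSOs) can override the domain default for specific groups, so check Get-ADFineGrainedPasswordPolicy too if your domain uses them.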
To illustrate further, in the figures here, as you can see, when you run this tool, it gives you the templates. Here is the Windows Server 2022 Security Baseline zip; it's a zip file, and it was downloaded to this machine. Once extracted, you can see the folder. If you open it and go to the scripts folder, you'll find the PowerShell script that, if you run it, configures the settings based on this baseline. So the baseline is a collection of configurations that bring your Windows Server up to a specific standard, and you can use it as a start if you don't know what to do. Additionally, there's the Policy Analyzer. Again, guys, these can be downloaded by running the tool on your machine and selecting the configuration you want. It will be downloaded as a zip file, and you can extract it and see it this way. The Policy Analyzer compares sets of GPOs, including the Group Policy settings in your own environment, and highlights where they differ or repeat each other, and as you can see here, you have the demonstrations. If you go back to Policy Analyzer, you can see the scripts that, if you run them, work on those policy sets. Let's go over one of them. If you go back to the Windows Server Security Baseline and check the GPOs folder, these GPO backups can be directly imported into your Group Policy Management, split by machine and user settings. If you open one in XML format, hopefully it's going to open... yeah, see, guys, these are the configurations. Now, the best thing to do is to import them into Group Policy. For the local-policy case the tool is LGPO.exe; as you can see, this is an executable file, and it's what the local-install script uses to apply the backups to the local Group Policy. Alright, so on the task here, there's "Find and open Baseline Local Install script" and "Find the flag." Let's go here and see where that script is: Scripts, and there's Baseline-LocalInstall. Let's open this and see what it does. Okay, so the description says: "Applies a Windows Security Configuration baseline to a local Group Policy.
Execute the script with one of these required command line switches to install the corresponding baseline." So here you specify whether you execute this on a domain controller or on a domain-joined member server. Requirements: PowerShell execution policy, domain-joined machine. And this is the flag. So, as you can see, guys, these are a set of configurations that will be applied to any computer you run it on, and it will configure the local Group Policy based on the configurations mentioned here. Okay, the other question is: "Find and open the Merge Policy Rule script imported from Policy Analyzer in PowerShell Editor." So, back to Policy Analyzer, you can check the scripts. Merge Policy Rules, let's take a look at the script. What does it do? "Merge Policy Analyzer policy rule files into one policy rule set written into the pipeline." So one of the things Policy Analyzer does is get rid of redundant policies configured in GPO. If you scroll down, as you can see, this is the flag.

Other questions we have to answer are about the common attacks against Active Directory. We have discussed many rooms on Active Directory penetration testing; you can go back to them, guys, and see how attacks are conducted against these kinds of environments. So, does Kerberoasting utilize an offline attack for cracking encrypted passwords? We explained Kerberoasting previously, guys. I'm just going to go through this again: the answer is yes, it's offline, because at the end you request a service ticket for an account with an SPN and crack it offline. No guess is sent to the domain controller while you crack, so there is no lockout to trigger, which is why those service accounts need long passwords or a group managed service account. How many users have the same password as Aaron Booth? For you guys who are asking, "Where is the report?" The report is here. If you go to the image here, click on it and see this is the report: these are the usernames who have the same password. As you can see, for Aaron Booth, the number of accounts with the same password is 186.
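The local-install script above applies a baseline to one machine's local policy. To use the same GPO backups domain-wide, you import them into the domain as GPOs and link them to an OU. Here is an added example of that import, not code from the Security Compliance Toolkit or the TryHackMe room. It assumes the baseline zip was extracted to the path in $BaselineRoot (a made-up location), that its GPOs folder holds one {GUID} folder per backup, and that each folder's Backup.xml carries the GPO display name; it uses the Import-GPO cmdlet from the GroupPolicy RSAT module and creates the copies unlinked, under a prefix, so nothing in production changes until you link them yourself.

```powershell
# Import-BaselineGpos.ps1
# Added example for this write-up; not part of the Security Compliance Toolkit
# or the TryHackMe room. Imports the GPO backups shipped in a baseline zip into
# the domain as unlinked GPOs so you can review them in GPMC and link them to a
# test OU first. Assumptions: the zip is extracted to $BaselineRoot, its GPOs
# folder holds one {GUID} folder per backup, and each folder's Backup.xml holds
# the GPO display name. Needs the GroupPolicy RSAT module and rights to create
# GPOs in the domain.
param(
    [string]$BaselineRoot = 'C:\Baselines\Windows Server 2022 Security Baseline',  # assumed path
    [string]$NameFilter   = '*',         # e.g. '*Domain Controller*' to import only those backups
    [string]$TargetPrefix = 'TEST - ',   # imported copies get a new name so nothing live is overwritten
    [switch]$Commit                      # without -Commit the script only lists what it would import
)

Import-Module GroupPolicy -ErrorAction Stop

$gpoDir = Join-Path $BaselineRoot 'GPOs'
if (-not (Test-Path $gpoDir)) { throw "No GPOs folder under $BaselineRoot" }

# Resolve each {GUID} backup folder to the display name stored in its Backup.xml.
# GetElementsByTagName sidesteps the file's default XML namespace; the name is
# a CDATA section, so InnerText is used to read it.
$backups = foreach ($dir in Get-ChildItem -Path $gpoDir -Directory) {
    $xmlPath = Join-Path $dir.FullName 'Backup.xml'
    if (-not (Test-Path $xmlPath)) { continue }
    $xml  = [xml](Get-Content -Path $xmlPath -Raw)
    $node = $xml.GetElementsByTagName('GPODisplayName').Item(0)
    if ($node) {
        [pscustomobject]@{ Guid = $dir.Name; Name = $node.InnerText }
    }
}

foreach ($b in ($backups | Where-Object { $_.Name -like $NameFilter })) {
    $target = "$TargetPrefix$($b.Name)"
    if (-not $Commit) {
        Write-Output "Would import '$($b.Name)' ($($b.Guid)) as '$target'"
        continue
    }
    # -CreateIfNeeded creates the target GPO; the backup's settings replace
    # whatever it held. The GPO is not linked anywhere, so no computer changes yet.
    Import-GPO -BackupGpoName $b.Name -Path $gpoDir -TargetName $target -CreateIfNeeded | Out-Null
    Write-Output "Imported '$($b.Name)' as '$target' (unlinked; link it to a test OU and run gpupdate there first)"
}
```

Run it once without -Commit to see which baseline GPOs it found, then with -Commit and a -NameFilter such as '*Domain Controller*' to import only the ones that apply to the machines you are hardening. Link the TEST copies to an OU containing a couple of test servers before touching the Domain Controllers OU: a baseline that requires LDAP signing and SMB signing will break the same legacy clients the earlier warning mentions, and it is far easier to find that out on two servers than on every DC at once.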
Lastly, this is a cheat sheet from TryHackMe. You can download it to take a look at more details on Active Directory hardening. So that was it, guys. I hope you enjoyed the video, and I'll definitely see you later to complete this track.