WEBVTT 00:00:00.799 --> 00:00:02.600 What's going on, guys? Welcome back to 00:00:02.600 --> 00:00:05.669 this video. Today, we're doing another TryHackMe video, 00:00:05.669 --> 00:00:07.000 and we're going to focus 00:00:07.000 --> 00:00:09.400 on the Security Engineer track. We 00:00:09.400 --> 00:00:11.000 have reached Active Directory 00:00:11.000 --> 00:00:12.759 hardening, which will be the 00:00:12.759 --> 00:00:15.519 subject of this video. There are some methods 00:00:15.519 --> 00:00:16.840 discussed, 00:00:16.840 --> 00:00:19.039 and I say "some" because there are 00:00:19.039 --> 00:00:22.199 many methods to harden and secure Active 00:00:22.199 --> 00:00:25.359 Directory, meaning Windows Server 00:00:25.359 --> 00:00:27.800 with Active Directory. But here there are 00:00:27.800 --> 00:00:29.160 some methods that are discussed. We're 00:00:29.160 --> 00:00:30.400 going to go over these methods and we're 00:00:30.400 --> 00:00:32.200 going to answer a couple questions and 00:00:32.200 --> 00:00:34.719 try to make this as simple as I 00:00:34.719 --> 00:00:39.000 can. And for my members, I released a new 00:00:39.000 --> 00:00:42.280 note file. It’s under the Blue Team 00:00:42.280 --> 00:00:45.640 track, in the Blue Team notes, and it’s 00:00:45.640 --> 00:00:47.760 called Windows Security. You’ll find 00:00:47.760 --> 00:00:50.879 this in the Google Drive notes. Alright, 00:00:50.879 --> 00:00:53.104 let’s get back to the room. 00:00:53.104 --> 00:00:57.520 So we have a machine to spawn. We're going to 00:00:57.520 --> 00:01:00.469 click on "Start the machine," 00:01:01.359 --> 00:01:04.319 so basically, Task 2 is about 00:01:04.319 --> 00:01:08.400 concepts on Active Directory. 
It’s not 00:01:08.400 --> 00:01:11.640 a comprehensive list; 00:01:11.640 --> 00:01:14.360 you know, it doesn't contain 00:01:14.360 --> 00:01:16.560 everything about Active Directory, but 00:01:16.560 --> 00:01:17.720 if you're going through Active 00:01:17.720 --> 00:01:19.200 Directory hardening, you must know what a 00:01:19.200 --> 00:01:22.040 domain is, what a domain controller is, and the 00:01:22.040 --> 00:01:23.680 definitions of trees and forests. We are 00:01:23.680 --> 00:01:25.840 going to talk about this, but 00:01:25.840 --> 00:01:27.400 there are two questions here. One 00:01:27.400 --> 00:01:29.640 question is, "What is the root domain in 00:01:29.640 --> 00:01:33.680 the attached AD machine?" So, basically, here 00:01:33.680 --> 00:01:34.540 let’s see... 00:01:35.850 --> 00:01:39.669 the machine is still starting. 00:01:39.669 --> 00:01:43.209 Here we have TryHackMe.IOC, 00:01:43.209 --> 00:01:46.139 which is the root domain, and ZA.TryHackMe 00:01:46.139 --> 00:01:50.010 is not a subdomain; it’s called a child domain. 00:01:50.010 --> 00:01:50.880 So, both 00:01:50.880 --> 00:01:56.490 these domains exist under the same tree. 00:01:56.490 --> 00:01:58.880 We call it a tree because 00:01:58.880 --> 00:02:01.439 it contains more than one domain. 00:02:01.759 --> 00:02:03.920 Now, the subject of this video will be 00:02:03.920 --> 00:02:07.019 securing authentication methods 00:02:07.019 --> 00:02:10.038 and the other tasks. So, let’s 00:02:10.038 --> 00:02:11.720 first make sure that the machine is up 00:02:11.720 --> 00:02:14.301 and running, and then click on Split View. 00:02:20.890 --> 00:02:24.400 Okay, going to Task 3.
In 00:02:24.400 --> 00:02:30.470 Task 3, we have the LAN Manager hash, SMB 00:02:30.470 --> 00:02:31.160 signing, 00:02:31.160 --> 00:02:33.560 LDAP signing, 00:02:33.560 --> 00:02:36.600 password policies, and rotation, 00:02:36.600 --> 00:02:38.640 along with some suggestions on 00:02:38.640 --> 00:02:41.920 password policies. These are settings 00:02:41.920 --> 00:02:44.080 that you can configure on your Active 00:02:44.080 --> 00:02:46.000 Directory to make sure that the 00:02:46.000 --> 00:02:49.000 authentication process is secure, meaning 00:02:49.000 --> 00:02:50.870 MITM attacks 00:02:50.870 --> 00:02:54.000 have little to no chance of succeeding. 00:02:54.000 --> 00:02:55.840 At the same time, you configure a strong 00:02:55.840 --> 00:02:59.570 password policy for your users. 00:03:00.400 --> 00:03:02.440 Simultaneously, in Task 4, they 00:03:02.440 --> 00:03:05.990 talk about general security 00:03:05.990 --> 00:03:09.200 concepts. For example, 00:03:09.200 --> 00:03:11.700 role-based access control, 00:03:12.599 --> 00:03:14.480 methods of access control, the principle 00:03:14.480 --> 00:03:16.760 of least privilege--these are all 00:03:16.760 --> 00:03:19.560 general security controls that you can 00:03:19.560 --> 00:03:21.599 apply to Active Directory or 00:03:21.599 --> 00:03:24.000 Windows Server Active Directory. 00:03:24.000 --> 00:03:25.470 There are two questions here: 00:03:25.470 --> 00:03:27.959 "Computers and printers must 00:03:27.959 --> 00:03:30.159 be added to Tier 0?" This is about the 00:03:30.159 --> 00:03:33.120 tiered access model. The tiered 00:03:33.120 --> 00:03:35.000 access model is not discussed in 00:03:35.000 --> 00:03:38.439 CompTIA Security+. So here, 00:03:38.439 --> 00:03:41.200 I’m preparing a note file for you guys to help you 00:03:41.200 --> 00:03:44.519 prepare for CompTIA Security+. 
00:03:44.519 --> 00:03:48.969 In CompTIA Security+, 00:03:48.969 --> 00:03:50.799 there are certain 00:03:50.799 --> 00:03:53.599 models for access control. Oh my 00:03:53.599 --> 00:03:56.959 god, there are many things about access control: access 00:03:56.959 --> 00:04:01.400 control methods, models. It’s 00:04:01.400 --> 00:04:05.400 just too hard to find them... MAC, 00:04:12.439 --> 00:04:16.650 okay... As you can see, in CompTIA Security+, 00:04:16.650 --> 00:04:18.238 we discuss discretionary 00:04:18.238 --> 00:04:20.320 access control, role-based, 00:04:20.320 --> 00:04:22.639 mandatory, and rule-based 00:04:22.639 --> 00:04:24.639 access control as well. If you scroll 00:04:24.639 --> 00:04:27.479 down, you’ll find it-- 00:04:27.479 --> 00:04:30.759 maybe rule-based access control. All of 00:04:30.759 --> 00:04:32.440 these access controls 00:04:32.440 --> 00:04:36.720 are used depending on the 00:04:36.720 --> 00:04:39.360 scenario or the organization. A 00:04:39.360 --> 00:04:42.759 tiered access model groups your 00:04:42.759 --> 00:04:44.840 resources based on tiers. For example, 00:04:44.840 --> 00:04:47.960 Tier 0 includes top-level 00:04:47.960 --> 00:04:50.759 resources such as admin 00:04:50.759 --> 00:04:53.000 accounts, domain controllers, and 00:04:53.000 --> 00:04:57.320 groups. Tier 1 contains applications and 00:04:57.320 --> 00:05:01.560 servers, and Tier 2 consists of end-user devices. The 00:05:01.560 --> 00:05:04.320 higher the tier, the less sensitive it 00:05:04.320 --> 00:05:07.639 becomes. So, as you can see, Tier 0 is 00:05:07.639 --> 00:05:10.320 the highest and contains the most 00:05:10.320 --> 00:05:12.240 sensitive resources such as admin 00:05:12.240 --> 00:05:14.160 accounts, domain controllers, and groups. So 00:05:14.160 --> 00:05:16.160 here, the question is: "Computers and 00:05:16.160 --> 00:05:19.880 printers must be added to Tier 0?"
Nope, 00:05:19.880 --> 00:05:22.320 because computers and printers are endpoints, 00:05:22.320 --> 00:05:24.240 so we can add them to Tier 2. 00:05:24.240 --> 00:05:25.919 Suppose a vendor arrives at your 00:05:25.919 --> 00:05:29.680 facility for a two-week visit task. 00:05:29.680 --> 00:05:31.639 Being a system administrator, should you 00:05:31.639 --> 00:05:34.800 create a high-privileged account for him? 00:05:34.800 --> 00:05:38.710 Nope, because this comes down to role-based 00:05:38.710 --> 00:05:40.960 access control. In role-based access 00:05:40.960 --> 00:05:43.800 control, we assign people 00:05:43.800 --> 00:05:47.319 resources and permissions based on their 00:05:47.319 --> 00:05:50.600 job. Additionally, we apply the 00:05:50.600 --> 00:05:53.669 principle of least privilege. 00:05:53.669 --> 00:05:55.319 Least privilege 00:05:55.319 --> 00:05:58.520 means that if they don't need access to 00:05:58.520 --> 00:06:00.840 a certain resource, we don’t grant them 00:06:00.840 --> 00:06:03.160 permission to access that 00:06:03.160 --> 00:06:05.360 resource, depending on your job 00:06:05.360 --> 00:06:07.880 description and on your needs as well. 00:06:07.880 --> 00:06:11.023 Okay, so finally, the machine has started. 00:06:12.039 --> 00:06:13.720 Alright, we’re going to 00:06:13.720 --> 00:06:16.560 demonstrate Task 3 now. Alright. So, 00:06:16.560 --> 00:06:18.080 we’re going to allow this, and we’re 00:06:18.080 --> 00:06:22.560 going to start with GPEDIT, 00:06:22.560 --> 00:06:25.199 the Group Policy Editor. Most of the 00:06:25.199 --> 00:06:27.039 policies you configure in Active 00:06:27.039 --> 00:06:30.240 Directory, whether to harden, secure, or 00:06:30.240 --> 00:06:33.720 even to set certain settings, are done 00:06:33.720 --> 00:06:36.160 via the Group Policy Editor.
00:06:36.160 --> 00:06:39.319 So it’s good practice to 00:06:39.319 --> 00:06:43.000 go over the policies here and understand 00:06:43.000 --> 00:06:44.440 the 00:06:44.440 --> 00:06:46.599 purpose of every single one of them. So 00:06:46.599 --> 00:06:47.800 the first thing we're going to do is the 00:06:47.800 --> 00:06:50.120 LAN Manager Hash. 00:06:50.120 --> 00:06:52.120 So here, we're going to make sure 00:06:52.120 --> 00:06:55.960 that Windows stores the hashes for the 00:06:55.960 --> 00:06:59.440 user’s password in NTLM, not 00:06:59.440 --> 00:07:02.120 LM, because LM is relatively 00:07:02.120 --> 00:07:04.960 weaker than NTLM, right? And it is 00:07:04.960 --> 00:07:06.759 vulnerable to brute-force attacks. So we 00:07:06.759 --> 00:07:08.400 make sure that the passwords or 00:07:08.400 --> 00:07:10.819 hashes are stored 00:07:10.819 --> 00:07:13.240 in NTLM. What 00:07:13.240 --> 00:07:14.400 we’re going to do here is go 00:07:14.400 --> 00:07:16.319 to Computer Configuration, as you can see 00:07:16.319 --> 00:07:17.840 here, and then go to 00:07:17.840 --> 00:07:20.840 Policies, Windows Settings. In Windows 00:07:20.840 --> 00:07:23.319 Settings, we expand this 00:07:23.319 --> 00:07:27.020 (the machine is too slow, frustrating...) 00:07:27.020 --> 00:07:29.039 Okay. Security Settings--we can 00:07:29.039 --> 00:07:32.080 highlight this and expand to Local 00:07:32.080 --> 00:07:34.120 Policies. If we expand Local 00:07:34.120 --> 00:07:36.919 Policies, we go to Security Options, and 00:07:36.919 --> 00:07:41.840 from Security Options, we have the 00:07:41.840 --> 00:07:43.560 security policies. So as you can see, 00:07:43.560 --> 00:07:47.759 there’s one here about the 00:07:47.759 --> 00:07:50.952 LAN Manager. Let’s see where it is. 00:07:54.440 --> 00:07:58.520 It starts with "Don’t store..." Let’s 00:07:58.520 --> 00:07:59.999 see where it is... 00:08:01.549 --> 00:08:04.539 Yeah, this is done.
00:08:04.539 --> 00:08:07.080 Properties: Network security: Do not store 00:08:07.080 --> 00:08:09.479 LAN Manager hash value on next password 00:08:09.479 --> 00:08:11.919 change. By default, this is enabled, 00:08:11.919 --> 00:08:13.599 which is good. Make sure on your end 00:08:13.599 --> 00:08:16.560 this is enabled because you don’t want 00:08:16.560 --> 00:08:20.400 the password to be stored as an LM hash 00:08:20.400 --> 00:08:23.080 because it's going to be susceptible to 00:08:23.080 --> 00:08:24.520 brute-force attacks. It's going to be 00:08:24.520 --> 00:08:26.720 easily cracked. Alright, that’s the 00:08:26.720 --> 00:08:30.039 first thing you can do 00:08:30.039 --> 00:08:31.959 to secure Active 00:08:31.959 --> 00:08:35.240 Directory. The other thing is SMB signing. 00:08:35.240 --> 00:08:38.120 SMB (Server Message Block) is 00:08:38.120 --> 00:08:40.479 the protocol responsible for file and 00:08:40.479 --> 00:08:41.880 printer sharing. So, if you have file 00:08:41.880 --> 00:08:44.279 sharing or printer sharing enabled, this 00:08:44.279 --> 00:08:46.399 protocol is most probably enabled. The 00:08:46.399 --> 00:08:49.160 problem is that the communications happen 00:08:49.160 --> 00:08:51.680 in clear text, so it’s vulnerable to MITM 00:08:51.680 --> 00:08:56.000 attacks. So in order to prevent this, we're 00:08:56.000 --> 00:08:57.920 going to need to configure some security 00:08:57.920 --> 00:08:59.440 policies. Again, we go back to 00:08:59.440 --> 00:09:02.320 Windows Settings, then to Security 00:09:02.320 --> 00:09:07.880 Settings, back to Local Policies, Security Options, 00:09:08.560 --> 00:09:12.519 and we’ll look for the 00:09:12.519 --> 00:09:14.320 digitally signed 00:09:14.320 --> 00:09:16.760 communication. Let’s see where it is-- 00:09:16.760 --> 00:09:19.241 Digitally Sign Secure Channel. 00:09:20.720 --> 00:09:24.320 Microsoft Network, 00:09:24.360 --> 00:09:27.240 this is the one.
Digitally Sign 00:09:27.240 --> 00:09:30.240 Communication, properties. It is disabled, 00:09:30.240 --> 00:09:32.320 so we’ll make sure this is 00:09:32.320 --> 00:09:35.680 enabled. If we go to the "Explain" section, you 00:09:35.680 --> 00:09:37.959 can see more information about this. 00:09:37.959 --> 00:09:40.600 Digitally signed communications. The 00:09:40.600 --> 00:09:42.440 security setting determines whether 00:09:42.440 --> 00:09:46.170 packet signing is required by the SMB client component. 00:09:46.170 --> 00:09:48.920 So, you want the 00:09:48.920 --> 00:09:50.880 communications through SMB to be signed 00:09:50.880 --> 00:09:53.160 and not available to MITM attacks. 00:09:53.160 --> 00:09:56.452 Therefore, you need to enable this. 00:09:57.600 --> 00:09:59.640 Alright. 00:09:59.640 --> 00:10:02.839 Another thing for securing protocols 00:10:02.839 --> 00:10:05.760 in Active Directory is the LDAP protocol. 00:10:05.760 --> 00:10:08.160 LDAP is the main protocol that Active Directory is 00:10:08.160 --> 00:10:10.640 based on; it’s the Lightweight 00:10:10.640 --> 00:10:14.399 Directory Access Protocol. We also 00:10:14.399 --> 00:10:17.000 want to secure the communications 00:10:17.000 --> 00:10:19.839 based on that protocol to prevent MITM attacks. 00:10:19.839 --> 00:10:20.839 So, what we’re going to do again 00:10:20.839 --> 00:10:23.440 is enable the signing of these 00:10:23.440 --> 00:10:26.839 communications. On the same pane 00:10:26.839 --> 00:10:28.680 here, we’ll find the Domain 00:10:28.680 --> 00:10:31.640 Controller section, and then we’ll 00:10:31.640 --> 00:10:34.839 look for LDAP Server Channel Binding 00:10:34.839 --> 00:10:38.313 Tokens and LDAP Server Signing Requirements. 00:10:42.200 --> 00:10:44.519 Modifying the setting 00:10:44.519 --> 00:10:46.040 may affect compatibility with 00:10:46.040 --> 00:10:48.839 clients.
Here, it doesn’t allow me to 00:10:48.839 --> 00:10:50.639 enable it for some reason related to 00:10:50.639 --> 00:10:54.820 this explanation, but usually, this needs to be enabled. 00:10:56.399 --> 00:10:59.800 The most important part 00:10:59.800 --> 00:11:02.399 of this video is the password 00:11:02.399 --> 00:11:04.720 policies. Password policies can be 00:11:04.720 --> 00:11:08.519 configured from... oh, we’re going to go 00:11:08.519 --> 00:11:10.639 back to Security Settings and we're 00:11:10.639 --> 00:11:12.760 going to check on Account Policies. 00:11:12.760 --> 00:11:14.480 So, Account Policy--there’s a 00:11:14.480 --> 00:11:16.399 Password Policy here, and from here, we 00:11:16.399 --> 00:11:19.639 can configure the minimum and maximum 00:11:19.639 --> 00:11:22.160 length of the password, the complexity, 00:11:22.160 --> 00:11:24.240 the age, and so on. For example, 00:11:24.240 --> 00:11:26.600 as you can see here, the maximum age 00:11:26.600 --> 00:11:29.680 of the password is 42 days, which means after 00:11:29.680 --> 00:11:32.560 42 days, your users will be prompted to 00:11:32.560 --> 00:11:34.530 change their password. 00:11:35.160 --> 00:11:37.279 That’s the maximum age, and 00:11:37.279 --> 00:11:39.040 the minimum age is 00:11:39.040 --> 00:11:41.120 one, meaning you cannot change your 00:11:41.120 --> 00:11:44.120 password during the first day of the 00:11:44.120 --> 00:11:46.399 assignment. Here we have a minimum password 00:11:46.399 --> 00:11:48.223 length of seven characters. 00:11:49.560 --> 00:11:53.079 These are some 00:11:53.079 --> 00:11:54.959 settings you can see. There 00:11:54.959 --> 00:11:57.279 are some questions to answer, so let’s 00:11:57.279 --> 00:12:00.079 scroll down. Yeah, change the... "What’s 00:12:00.079 --> 00:12:02.240 the default minimum password length?" It 00:12:02.240 --> 00:12:04.639 was seven, as you can see here.
00:12:04.639 --> 00:12:08.800 Going back and showing it one more time 00:12:08.800 --> 00:12:11.920 to you guys: seven characters. Alright, 00:12:11.920 --> 00:12:14.160 these are some 00:12:14.160 --> 00:12:16.240 policies that you can enable to harden 00:12:16.240 --> 00:12:19.800 your Active Directory or to secure 00:12:19.800 --> 00:12:22.240 the authentication. Additionally, 00:12:22.240 --> 00:12:25.720 in Task 5, there’s this nice new tool 00:12:25.720 --> 00:12:27.560 that I hadn’t heard of before: the 00:12:27.560 --> 00:12:31.240 Microsoft Security Compliance Toolkit. 00:12:31.240 --> 00:12:33.360 So, this tool... 00:12:33.790 --> 00:12:38.000 Let’s go to the relative folder. Scripts, 00:12:38.279 --> 00:12:42.360 open that... Okay, 00:12:43.240 --> 00:12:46.000 opening the link of the tool. If 00:12:46.000 --> 00:12:48.399 you download this tool, it will give you 00:12:48.399 --> 00:12:50.720 recommendations and ready 00:12:50.720 --> 00:12:53.240 templates that you can download and 00:12:53.240 --> 00:12:54.720 use to configure Active Directory. If you don’t 00:12:54.720 --> 00:12:56.800 know what to do and what 00:12:56.800 --> 00:12:59.279 policies to configure, you can 00:12:59.279 --> 00:13:02.760 download this tool and retrieve ready 00:13:02.760 --> 00:13:05.480 templates to configure. For example, on 00:13:05.480 --> 00:13:08.480 Group Policy, there are already-made 00:13:08.480 --> 00:13:12.240 configurations. For example, here’s the 00:13:12.240 --> 00:13:15.720 Windows Server 2019 Security Baseline 00:13:15.720 --> 00:13:18.560 downloaded from the tool itself. 00:13:18.560 --> 00:13:22.279 To illustrate further, in the figures 00:13:22.279 --> 00:13:23.560 here, as you can see, when you run this 00:13:23.560 --> 00:13:26.320 tool, it gives you the templates.
00:13:26.320 --> 00:13:29.399 Now here, Windows Server 2022 00:13:29.399 --> 00:13:32.920 Security Baseline zip--this is a zip file, and 00:13:32.920 --> 00:13:35.399 it was downloaded to this machine. 00:13:35.399 --> 00:13:38.210 Once downloaded, you can see the relative folder. 00:13:38.210 --> 00:13:39.880 If you open it and go to Local 00:13:39.880 --> 00:13:42.360 Scripts, you can see the PowerShell script 00:13:42.360 --> 00:13:46.959 that, if you run it, will configure 00:13:46.959 --> 00:13:50.120 the settings based on this baseline. 00:13:50.120 --> 00:13:52.519 So, the baseline is actually a 00:13:52.519 --> 00:13:54.800 collection and combination of 00:13:54.800 --> 00:13:56.839 configurations that ensure your 00:13:56.839 --> 00:14:00.920 Windows Server is secure based on a specific 00:14:00.920 --> 00:14:03.880 baseline, right? And you can use this as a 00:14:03.880 --> 00:14:05.959 start if you don’t know what to do. 00:14:05.959 --> 00:14:09.959 Additionally, there’s the Policy 00:14:09.959 --> 00:14:14.120 Analyzer. Again, guys, these can be 00:14:14.120 --> 00:14:16.160 downloaded by running the tool on your 00:14:16.160 --> 00:14:18.040 machine and then selecting the 00:14:18.040 --> 00:14:20.040 configuration you want. It will be 00:14:20.040 --> 00:14:21.440 downloaded in a zip file, and you can 00:14:21.440 --> 00:14:23.800 extract and see it this way. The Policy 00:14:23.800 --> 00:14:25.720 Analyzer analyzes the Group Policy 00:14:25.720 --> 00:14:30.680 settings in your environment, okay, 00:14:31.279 --> 00:14:35.320 and as you can see here, you have the demonstrations. 00:14:37.040 --> 00:14:39.079 So, if you go back here to 00:14:39.079 --> 00:14:41.639 Policy Analyzer, you can see these are 00:14:41.639 --> 00:14:44.720 the scripts that, if you run them, will 00:14:44.720 --> 00:14:47.600 configure your Group Policy based on the 00:14:47.600 --> 00:14:49.800 settings. Let’s go over one of them. 
So, if 00:14:49.800 --> 00:14:52.720 you go back to the Windows Server Security 00:14:52.720 --> 00:14:56.680 Baseline and check the GPOs, 00:14:57.680 --> 00:15:01.320 as you can see, these GPOs can be 00:15:01.320 --> 00:15:03.839 directly imported to your Group Policy 00:15:03.839 --> 00:15:06.957 Editor based on the machine and the user. 00:15:09.600 --> 00:15:13.920 If you open this in XML format, 00:15:20.279 --> 00:15:23.049 hopefully, it’s going to open... 00:15:29.920 --> 00:15:35.289 yeah, see, guys, these are the configurations. 00:15:37.079 --> 00:15:39.360 Now, the best thing to do 00:15:39.360 --> 00:15:42.040 is to import them into your security or 00:15:42.040 --> 00:15:46.880 Group Policy Editor (LGPO). 00:15:46.880 --> 00:15:50.139 As you can see, this is an executable file. 00:15:50.139 --> 00:15:52.480 Alright, so on the task here, 00:15:52.480 --> 00:15:55.120 there’s “Find and open Baseline Local 00:15:55.120 --> 00:15:58.199 Install script” and “Find the flag.” Let’s 00:15:58.199 --> 00:15:59.720 go here and see where that script is-- 00:15:59.720 --> 00:16:02.079 Local Script--and there’s Baseline Local 00:16:02.079 --> 00:16:05.440 Install. Let’s open this and see what it does. 00:16:17.959 --> 00:16:21.199 Okay, so the description says: 00:16:21.199 --> 00:16:23.040 “Applies a Windows Security Configuration 00:16:23.040 --> 00:16:25.959 baseline to a local Group Policy. 00:16:25.959 --> 00:16:28.360 Execute the script with one of 00:16:28.360 --> 00:16:30.600 these required command line switches to 00:16:30.600 --> 00:16:33.279 install the corresponding baseline.” 00:16:33.279 --> 00:16:37.120 So here you specify whether you execute 00:16:37.120 --> 00:16:39.880 this on a domain controller or on 00:16:39.880 --> 00:16:42.600 a domain-joined machine. Requirements: 00:16:42.600 --> 00:16:44.759 PowerShell execution policy, 00:16:44.759 --> 00:16:47.880 domain-joined machine. And this is the flag.
00:16:47.880 --> 00:16:49.800 So, as you can see, guys, these 00:16:49.800 --> 00:16:51.600 are a set of configurations that will be 00:16:51.600 --> 00:16:54.040 applied on any domain or any computer 00:16:54.040 --> 00:16:55.279 you apply it to, 00:16:55.279 --> 00:16:58.143 and it will configure the Group Policy 00:16:58.143 --> 00:17:01.679 based on the mentioned configurations here. 00:17:12.439 --> 00:17:16.160 Okay, the other question is: “Find and open the 00:17:16.160 --> 00:17:18.679 Merge Policy Rule script 00:17:18.679 --> 00:17:21.400 imported from Policy Analyzer 00:17:21.400 --> 00:17:23.080 in PowerShell Editor.” 00:17:26.880 --> 00:17:31.280 So, back to Policy Analyzer, 00:17:31.280 --> 00:17:33.880 you can check the scripts. Merge 00:17:33.880 --> 00:17:35.960 Policy--let’s take a look at the 00:17:35.960 --> 00:17:40.360 script here. What does it do? So, Merge Policy Analyzer 00:17:40.400 --> 00:17:44.080 policy files... What? Merge policy 00:17:44.080 --> 00:17:46.440 analyzer policy rule files into one 00:17:46.440 --> 00:17:49.120 policy rule set written into the pipeline. 00:17:49.120 --> 00:17:51.799 So, one of the things that 00:17:51.799 --> 00:17:54.200 Policy Analyzer does is that 00:17:54.200 --> 00:17:57.919 it gets rid of redundant policies 00:17:57.919 --> 00:18:00.000 configured in GPO. 00:18:00.000 --> 00:18:03.710 If you scroll down, as you can see, this is the flag. 00:18:06.080 --> 00:18:08.799 Other questions we have to answer: 00:18:08.799 --> 00:18:11.080 These are the common attacks against 00:18:11.080 --> 00:18:12.520 Active Directory. We have discussed many 00:18:12.520 --> 00:18:14.120 rooms on Active Directory penetration 00:18:14.120 --> 00:18:15.799 testing; you can go back to them, guys, and 00:18:15.799 --> 00:18:19.320 see how attacks are conducted against 00:18:19.320 --> 00:18:21.760 these kinds of environments.
So, does Kerberoasting 00:18:21.760 --> 00:18:23.480 utilize an offline attack, 00:18:23.480 --> 00:18:25.520 scanning for cracking encrypted passwords? We 00:18:25.520 --> 00:18:26.880 explained previously, guys, about 00:18:26.880 --> 00:18:30.440 Kerberoasting. I'm just going to go through this again, and 00:18:30.440 --> 00:18:32.120 the answer is yes, it's offline because, 00:18:32.120 --> 00:18:34.440 at the end, you take the 00:18:34.440 --> 00:18:38.269 ticket and crack it offline as per the generated report. 00:18:38.269 --> 00:18:39.120 How many users have 00:18:39.120 --> 00:18:41.840 the same password as Aaron Booth? For 00:18:41.840 --> 00:18:43.600 you guys who are asking, "Where is the 00:18:43.600 --> 00:18:47.440 report?" The report is here. If you go 00:18:47.440 --> 00:18:50.919 to the image here, you click on it and 00:18:50.919 --> 00:18:52.559 see--this is the report. 00:18:52.559 --> 00:18:59.600 These are the usernames who have the same password. 00:18:59.600 --> 00:19:02.760 As you can see, Aaron Booth’s... 00:19:02.760 --> 00:19:04.960 The number of accounts with the 00:19:04.960 --> 00:19:07.229 same password is 186. 00:19:08.159 --> 00:19:11.720 Lastly, this is a cheat sheet from 00:19:11.720 --> 00:19:16.159 TryHackMe. You can download it to take 00:19:16.159 --> 00:19:17.480 a look at more details on Active 00:19:17.480 --> 00:19:21.480 Directory hardening. So that was it, guys. 00:19:21.480 --> 00:19:23.880 I hope you enjoyed the video, and 00:19:23.880 --> 00:19:26.661 definitely, I’m going to see you later to complete this track.