Windows Active Directory Hardening and Security | TryHackMe

Edit subtitles

0:01 - 0:03

What's going on, guys? Welcome back to
0:03 - 0:06

this video. Today, we're doing another TryHackMe video,
0:06 - 0:07

and we're going to focus
0:07 - 0:09

on the Security Engineer track. We
0:09 - 0:11

have reached Active Directory
0:11 - 0:13

hardening, which will be the
0:13 - 0:16

subject of this video. There are some methods
0:16 - 0:17

discussed,
0:17 - 0:19

and I say "some" because there are
0:19 - 0:22

many methods to harden and secure Active
0:22 - 0:25

Directory, meaning Windows Server
0:25 - 0:28

with Active Directory. But here there are
0:28 - 0:29

some methods that are discussed. We're
0:29 - 0:30

going to go over these methods and we're
0:30 - 0:32

going to answer a couple questions and
0:32 - 0:35

try to make this as simple as I
0:35 - 0:39

can. And for my members, I released a new
0:39 - 0:42

note file. It’s under the Blue Team
0:42 - 0:46

track, in the Blue Team notes, and it’s
0:46 - 0:48

called Windows Security. You’ll find
0:48 - 0:51

this in the Google Drive notes. Alright,
0:51 - 0:53

let’s get back to the room.
0:53 - 0:58

So we have a machine to spawn. We're going to
0:58 - 1:00

click on "Start the machine,"
1:01 - 1:04

so basically, Task 2 is about
1:04 - 1:08

concepts on Active Directory. It’s not
1:08 - 1:12

a comprehensive list or comprehensive,
1:12 - 1:14

you know, it doesn't contain
1:14 - 1:17

everything about Active Directory, but
1:17 - 1:18

if you're going through Active
1:18 - 1:19

Directory hardening, you must know what a
1:19 - 1:22

domain is, what a domain controller is, and the
1:22 - 1:24

definitions of trees and forests. We are
1:24 - 1:26

going to talk about this, but
1:26 - 1:27

there are two questions here. One
1:27 - 1:30

question is, "What is the root domain in
1:30 - 1:34

the attached AD machine?" So, basically, here
1:34 - 1:35

let’s see...
1:36 - 1:40

the machine is still starting.
1:40 - 1:43

Here we have TryHackMe.IOC
1:43 - 1:46

is the root domain, and ZA.TryHackMe
1:46 - 1:50

is not a subdomain; it’s called a child domain.
1:50 - 1:51

So, both
1:51 - 1:56

these domains exist under the same tree.
1:56 - 1:59

We call it a tree because
1:59 - 2:01

it contains more than one domain.
2:02 - 2:04

Now, the subject of this video will be
2:04 - 2:07

securing authentication methods
2:07 - 2:10

and the other tasks. So, let’s
2:10 - 2:12

first make sure that the machine is up
2:12 - 2:14

and running, and then click on Split View.
2:21 - 2:24

Okay, going to Task 3. In
2:24 - 2:30

Task 3, we have the LAN Manager hash, SMB
2:30 - 2:31

signing,
2:31 - 2:34

LDAP signing,
2:34 - 2:37

password policies, and rotation,
2:37 - 2:39

along with some suggestions on
2:39 - 2:42

password policies. These are settings
2:42 - 2:44

that you can configure on your Active
2:44 - 2:46

Directory to make sure that the
2:46 - 2:49

authentication process is secure, meaning
2:49 - 2:51

MITM attacks
2:51 - 2:54

have little to no chance of succeeding.
2:54 - 2:56

At the same time, you configure a strong
2:56 - 3:00

password policy for your users.
3:00 - 3:02

Simultaneously, in Task 4, they
3:02 - 3:06

talk about general security
3:06 - 3:09

concepts. For example,
3:09 - 3:12

role-based access control,
3:13 - 3:14

methods of access control, the principle
3:14 - 3:17

of least privilege--these are all
3:17 - 3:20

general security controls that you can
3:20 - 3:22

apply to Active Directory or
3:22 - 3:24

Windows Server Active Directory.
3:24 - 3:25

There are two questions here:
3:25 - 3:28

"Computers and printers must
3:28 - 3:30

be added to Tier 0?" This is about the
3:30 - 3:33

tiered access model. The tiered
3:33 - 3:35

access model is not discussed in
3:35 - 3:38

CompTIA Security+. So here,
3:38 - 3:41

I’m preparing a note file for you guys to help you
3:41 - 3:45

prepare for CompTIA Security+.
3:45 - 3:49

In CompTIA Security+,
3:49 - 3:51

there are certain
3:51 - 3:54

models for access control. Oh my
3:54 - 3:57

god, there are many things about access control: access
3:57 - 4:01

control methods, models. It’s
4:01 - 4:05

just too hard to find them... MAC,
4:12 - 4:17

okay... As you can see, in CompTIA Security+,
4:17 - 4:18

we discuss discretionary
4:18 - 4:20

access control, role-based,
4:20 - 4:23

mandatory, and rule-based
4:23 - 4:25

access control as well. If you scroll
4:25 - 4:27

down, you’ll find it--
4:27 - 4:31

maybe rule--based access control. All of
4:31 - 4:32

these access controls
4:32 - 4:37

are used depending on the
4:37 - 4:39

scenario or the organization. A
4:39 - 4:43

tiered access model groups your
4:43 - 4:45

resources based on tiers. For example,
4:45 - 4:48

Tier 0 includes top-level
4:48 - 4:51

resources such as admin
4:51 - 4:53

accounts, domain controllers, and
4:53 - 4:57

groups. Tier 1 contains applications and
4:57 - 5:02

servers, and Tier 2 consists of end-user devices. The
5:02 - 5:04

higher the tier, the less sensitive it
5:04 - 5:08

becomes. So, as you can see, Tier 0, it's
5:08 - 5:10

the highest, contains the highest
5:10 - 5:12

sensitive resources such as admin
5:12 - 5:14

accounts, domain controllers, and groups. So
5:14 - 5:16

here, the question is: "Computers and
5:16 - 5:20

printers must be added to Tier 0?" Nope,
5:20 - 5:22

because computers and printers are endpoints,
5:22 - 5:24

so we can add them to Tier 2.
5:24 - 5:26

Suppose a vendor arrives at your
5:26 - 5:30

facility for a two-week visit task.
5:30 - 5:32

Being a system administrator, should you
5:32 - 5:35

create a high-privileged account for him?
5:35 - 5:39

Nope, because this goes to role-based
5:39 - 5:41

access control. In role-based access
5:41 - 5:44

control, we assign people
5:44 - 5:47

resources and permissions based on their
5:47 - 5:51

job. Additionally, we apply the
5:51 - 5:54

principle of least privilege.
5:54 - 5:55

Least privilege, meaning... Least privilege
5:55 - 5:59

means that if they don't need access to
5:59 - 6:01

a certain resource, we don’t grant them
6:01 - 6:03

permission to access that
6:03 - 6:05

resource depending on your job
6:05 - 6:08

description and on your needs as well.
6:08 - 6:11

Okay, so finally, the machine has started.
6:12 - 6:14

Alright, we’re going to
6:14 - 6:17

demonstrate Task 3 now. Alright. So,
6:17 - 6:18

we’re going to allow this, and we’re
6:18 - 6:23

going to start with GPEDIT,
6:23 - 6:25

the Group Policy Editor. Most of the
6:25 - 6:27

policies you configure in Active
6:27 - 6:30

Directory, whether to harden, secure, or
6:30 - 6:34

even to set certain settings, are done
6:34 - 6:36

via the Group Policy Editor.
6:36 - 6:39

So it’s good practice to
6:39 - 6:43

go over the policies here and understand
6:43 - 6:44

what every single one of them... the
6:44 - 6:47

purpose of every single one of them. So
6:47 - 6:48

the first thing we're going to do is the
6:48 - 6:50

LAN Manager Hash.
6:50 - 6:52

So here, we're going to make sure
6:52 - 6:56

that Windows stores the hashes for the
6:56 - 6:59

user’s password in NTLM, not
6:59 - 7:02

not LM, because LM is relatively
7:02 - 7:05

weaker than NTLM, right? And is
7:05 - 7:07

vulnerable to brute-force attacks. So we
7:07 - 7:08

make sure that the passwords or
7:08 - 7:11

hashes are stored
7:11 - 7:13

in NTLM. What
7:13 - 7:14

we’re going to do here is go
7:14 - 7:16

to Computer Configuration, as you can see
7:16 - 7:18

here, and then go to
7:18 - 7:21

Policies, Windows Settings. In Windows
7:21 - 7:23

Settings, we expand this
7:23 - 7:27

(the machine is too slow, frustrating...)
7:27 - 7:29

Okay. Security Settings--we can
7:29 - 7:32

highlight this and expand to Local
7:32 - 7:34

Policies. If we expand Local
7:34 - 7:37

Policies, we go to Security Options, and
7:37 - 7:42

from Security Options, we have the
7:42 - 7:44

security policies. So as you can see,
7:44 - 7:48

there’s one here about the
7:48 - 7:51

LAN Manager. Let’s see where it is.
7:54 - 7:59

It starts with "Don’t store..." Let’s
7:59 - 8:00

see where it is...
8:02 - 8:05

Yeah, this is done.
8:05 - 8:07

Properties--NetworkSecure--don’t store
8:07 - 8:09

LAN Manager hash value on next password
8:09 - 8:12

change. By default, this is enabled,
8:12 - 8:14

which is good. Make sure on your end
8:14 - 8:17

this is enabled because you don’t want
8:17 - 8:20

the password to be stored as an LM hash
8:20 - 8:23

because it's going to be susceptible to
8:23 - 8:25

brute-force attacks. It's going to be
8:25 - 8:27

easily cracked. Alright, that’s the
8:27 - 8:30

first thing to securing... or that's the
8:30 - 8:32

first thing you can do to secure Active
8:32 - 8:35

Directory. The other thing is SMB signing.
8:35 - 8:38

SMB (Server Message Block) is
8:38 - 8:40

the protocol responsible for file and
8:40 - 8:42

printer sharing. So, if you have file
8:42 - 8:44

sharing or printer sharing enabled, this
8:44 - 8:46

protocol is most probably enabled. The
8:46 - 8:49

problem is that the communications happen
8:49 - 8:52

in clear text, so it’s vulnerable to MITM
8:52 - 8:56

attacks. So in order to prevent this, we're
8:56 - 8:58

going to need to configure some security
8:58 - 8:59

policies Again, we go back to
8:59 - 9:02

Windows Settings, then to Security
9:02 - 9:08

Settings, back to Local Policies, Security Options,
9:09 - 9:13

and we’ll look for the
9:13 - 9:14

digitally signed
9:14 - 9:17

communication. Let’s see where it is--
9:17 - 9:19

Digitally Sign Secure Channel.
9:21 - 9:24

Microsoft Network,
9:24 - 9:27

this is the one. Digitally Sign
9:27 - 9:30

Communication, properties. It is disabled,
9:30 - 9:32

so we’ll make sure this is
9:32 - 9:36

enabled. If we go to the "Explain" section, you
9:36 - 9:38

can see more information about this.
9:38 - 9:41

Digitally signed communications. The
9:41 - 9:42

security setting determines whether
9:42 - 9:46

packet signing is required by the SMB client component.
9:46 - 9:49

So, you want the
9:49 - 9:51

communications through SMB to be signed
9:51 - 9:53

and not available to MITM attacks. So you need
9:53 - 9:56

to... Or, therefore, you need to enable this.
9:58 - 10:00

Alright.
10:00 - 10:03

Another thing for securing protocols
10:03 - 10:06

in Active Directory is the LDAP protocol.
10:06 - 10:08

LDAP is the main protocol that Active Directory is
10:08 - 10:11

based on; it’s a Lightweight
10:11 - 10:14

Directory Access Protocol. We also
10:14 - 10:17

want to secure the communications
10:17 - 10:20

based on that protocol to prevent MITM attacks.
10:20 - 10:21

So, what we’re going to do again.
10:21 - 10:23

Also, to enable the signing of these
10:23 - 10:27

communications. On the same pane
10:27 - 10:29

here, we’ll find the Domain
10:29 - 10:32

Controller section, and then we’ll
10:32 - 10:35

look for LDAP Server Channel Binding
10:35 - 10:38

Tokens and LDAP Server Signing Requirements.
10:42 - 10:45

Modifying the setting
10:45 - 10:46

may affect compatibility with
10:46 - 10:49

clients. Here, it doesn’t allow me to
10:49 - 10:51

enable it for some reason related to
10:51 - 10:55

this explanation, but usually, this needs to be enabled.
10:56 - 11:00

The most important part
11:00 - 11:02

of this video is the password
11:02 - 11:05

policies. Password policies can be
11:05 - 11:09

configured from... oh, we’re going to go
11:09 - 11:11

back to Security Settings and we're
11:11 - 11:13

going to check on Account Policies.
11:13 - 11:14

So, Account Policy--there’s a
11:14 - 11:16

Password Policy here, and from here, we
11:16 - 11:20

can configure the minimum and maximum
11:20 - 11:22

length of the password, the complexity,
11:22 - 11:24

the age, and so on. For example,
11:24 - 11:27

as you can see here, the maximum age
11:27 - 11:30

of the password is 42 days, which means after
11:30 - 11:33

42 days, your users will be prompted to
11:33 - 11:35

change their password.
11:35 - 11:37

That’s the maximum age, and
11:37 - 11:39

that's the minimum age is
11:39 - 11:41

one, meaning you cannot change your
11:41 - 11:44

password during the first day of the
11:44 - 11:46

assignment. Here we have a minimum password
11:46 - 11:48

length of seven characters.
11:50 - 11:53

These are some
11:53 - 11:55

settings you can see. There
11:55 - 11:57

are some questions to answer, so let’s
11:57 - 12:00

scroll down. Yeah, change the... "What’s
12:00 - 12:02

the default minimum password length?" It
12:02 - 12:05

was seven, as you can see here.
12:05 - 12:09

Going back and showing it one more time
12:09 - 12:12

to you guys: seven characters. Alright,
12:12 - 12:14

these are some
12:14 - 12:16

policies that you can enable to harden
12:16 - 12:20

your Active Directory or to secure
12:20 - 12:22

the authentication. Additionally,
12:22 - 12:26

in Task 5, there’s this nice new tool
12:26 - 12:28

that I hadn’t heard of before: the
12:28 - 12:31

Microsoft Security Compliance Toolkit.
12:31 - 12:33

So, this tool...
12:34 - 12:38

Let’s go to the relative folder. Scripts,
12:38 - 12:42

open that... Okay,
12:43 - 12:46

opening the link of the tool. If
12:46 - 12:48

you download this tool, it will give you
12:48 - 12:51

recommendations and ready
12:51 - 12:53

templates that you can download and
12:53 - 12:55

configure Active Directory. If you don’t
12:55 - 12:57

know what to do and what
12:57 - 12:59

policies to configure, you can
12:59 - 13:03

download this tool and retrieve ready
13:03 - 13:05

templates to configure. For example, on
13:05 - 13:08

Group Policy, there are already-made
13:08 - 13:12

configurations. For example, here’s the
13:12 - 13:16

Windows Server 2019 Security Baseline
13:16 - 13:19

downloaded from the tool itself.
13:19 - 13:22

To illustrate further, in the figures
13:22 - 13:24

here, as you can see, when you run this
13:24 - 13:26

tool, it gives you the templates.
13:26 - 13:29

Now here, Windows Server 2022
13:29 - 13:33

Security Baseline zip--this is a zip file, and
13:33 - 13:35

it was downloaded to this machine.
13:35 - 13:38

Once downloaded, you can see the relative folder.
13:38 - 13:40

If you open it and go to Local
13:40 - 13:42

Scripts, you can see the PowerShell script
13:42 - 13:47

that, if you run it, will configure
13:47 - 13:50

the settings based on this baseline.
13:50 - 13:53

So, the baseline is actually a
13:53 - 13:55

collection and combination of
13:55 - 13:57

configurations that ensure your
13:57 - 14:01

Windows Server is secure based on a specific
14:01 - 14:04

baseline, right? And you can use this as a
14:04 - 14:06

start if you don’t know what to do.
14:06 - 14:10

Additionally, there’s the Policy
14:10 - 14:14

Analyzer. Again, guys, these can be
14:14 - 14:16

downloaded by running the tool on your
14:16 - 14:18

machine and then selecting the
14:18 - 14:20

configuration you want. It will be
14:20 - 14:21

downloaded in a zip file, and you can
14:21 - 14:24

extract and see it this way. The Policy
14:24 - 14:26

Analyzer analyzes the Group Policy
14:26 - 14:31

settings in your environment, okay,
14:31 - 14:35

and as you can see here, you have the demonstrations.
14:37 - 14:39

So, if you go back here to
14:39 - 14:42

Policy Analyzer, you can see these are
14:42 - 14:45

the scripts that, if you run them, will
14:45 - 14:48

configure your Group Policy based on the
14:48 - 14:50

settings. Let’s go over one of them. So, if
14:50 - 14:53

you go back to the Windows Server Security
14:53 - 14:57

Baseline and check the GPOs,
14:58 - 15:01

as you can see, these GPOs can be
15:01 - 15:04

directly imported to your Group Policy
15:04 - 15:07

Editor based on the machine and the user.
15:10 - 15:14

If you open this in XML format,
15:20 - 15:23

hopefully, it’s going to open...
15:30 - 15:35

yeah, see, guys, these are the configurations.
15:37 - 15:39

Now, the best thing to do
15:39 - 15:42

is to import them into your security or
15:42 - 15:47

Group Policy Editor (LGPO).
15:47 - 15:50

As you can see, this is an executable file.
15:50 - 15:52

Alright, so on the task here,
15:52 - 15:55

there’s “Find and open Baseline Local
15:55 - 15:58

Install script” and “Find the flag.” Let’s
15:58 - 16:00

go here and see where that script is--
16:00 - 16:02

Local Script--and there’s Baseline Local
16:02 - 16:05

Install. Let’s open this and see what it does.
16:18 - 16:21

Okay, so the description says:
16:21 - 16:23

“Applies a Windows Security Configuration
16:23 - 16:26

baseline to a local Group Policy.
16:26 - 16:28

Execute the script with one of
16:28 - 16:31

these required command line switches to
16:31 - 16:33

install the corresponding baseline.”
16:33 - 16:37

So here you specify you execute
16:37 - 16:40

this either on a domain controller or on
16:40 - 16:43

a domain-joined machine. Requirements:
16:43 - 16:45

PowerShell execution policy,
16:45 - 16:48

domain-joined machine. And this is the flag.
16:48 - 16:50

So, as you can see, guys, these
16:50 - 16:52

are a set of configurations that will be
16:52 - 16:54

applied on any domain or any computer
16:54 - 16:55

you apply it to,
16:55 - 16:58

and it will configure the Group Policy
16:58 - 17:02

based on the mentioned configurations here.
17:12 - 17:16

Okay, the other question is: “Find and open the
17:16 - 17:19

Merge Policy Rule script
17:19 - 17:21

imported from Policy Analyzer
17:21 - 17:23

in PowerShell Editor.”
17:27 - 17:31

So, back to Policy Analyzer,
17:31 - 17:34

you can check the scripts. Merge
17:34 - 17:36

Policy--let’s take a look at the
17:36 - 17:40

script here. What does it do? So, Merge Policy Analyzer
17:40 - 17:44

policy files... What? Merge policy
17:44 - 17:46

analyzer policy rule files into one
17:46 - 17:49

policy rule set written into the pipeline.
17:49 - 17:52

So, one of the things that
17:52 - 17:54

Policy Analyzer does is that
17:54 - 17:58

it gets rid of redundant policies
17:58 - 18:00

configured in GPO.
18:00 - 18:04

If you scroll down, as you can see, this is the flag.
18:06 - 18:09

Other questions we have to ask:
18:09 - 18:11

These are the common attacks against
18:11 - 18:13

Active Directory. We have discussed many
18:13 - 18:14

rooms on Active Directory penetration
18:14 - 18:16

testing; you can get back with them, guys, and
18:16 - 18:19

see how attacks are conducted against
18:19 - 18:22

these kinds of environments. So, does Kerberos
18:22 - 18:23

Tasting utilize an offline attack,
18:23 - 18:26

scanning for cracking encrypted passwords? We
18:26 - 18:27

explained previously, guys, about Kerberos
18:27 - 18:30

Tasting. I'm just going to go through this again, and
18:30 - 18:32

the answer is yes, it's offline because,
18:32 - 18:34

at the end, you take the
18:34 - 18:38

ticket and crack it offline as per the generated report.
18:38 - 18:39

How many users have
18:39 - 18:42

the same password as Aaron Booth? For
18:42 - 18:44

you guys who are asking, "Where is the
18:44 - 18:47

report?" The report is here. If you go
18:47 - 18:51

to the image here, you click on it and
18:51 - 18:53

see--this is the report.
18:53 - 19:00

These are the usernames who have the same password.
19:00 - 19:03

As you can see, Aaron Booth’s...
19:03 - 19:05

The number of accounts with the
19:05 - 19:07

same password is 186.
19:08 - 19:12

Lastly, this is a cheat sheet from
19:12 - 19:16

TryHackMe. You can download it to take
19:16 - 19:17

a look at more details on Active
19:17 - 19:21

Directory hardening. So that was it, guys.
19:21 - 19:24

I hope you enjoyed the video, and
19:24 - 19:27

definitely, I’m going to see you later to complete this track.

Title:: Windows Active Directory Hardening and Security | TryHackMe
Description:: more » « less
Video Language:: English
Duration:: 19:27

	OEVIDEOS edited English subtitles for Windows Active Directory Hardening and Security \| TryHackMe
	OEVIDEOS edited English subtitles for Windows Active Directory Hardening and Security \| TryHackMe

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

Windows Active Directory Hardening and Security | TryHackMe

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)