Windows Active Directory Hardening and Security | TryHackMe

Rollback to version 1

0:01 - 0:03

what's going on guys welcome back to
0:03 - 0:05

this video today we're doing again a try
0:05 - 0:07

hack me video and we're going to focus
0:07 - 0:09

on SEC the security engineer track so we
0:09 - 0:11

have reached the active directory
0:11 - 0:13

hardening and it's going to be the
0:13 - 0:16

subject of this video so there are some
0:16 - 0:17

discussed
0:17 - 0:19

methods and I say some because there are
0:19 - 0:22

many methods to harden and secure active
0:22 - 0:25

uh directory meaning uh Windows server
0:25 - 0:28

with active directory but here there are
0:28 - 0:29

some methods that are discussed we're
0:29 - 0:30

going to go over these methods and we're
0:30 - 0:32

going to answer a couple questions going
0:32 - 0:35

try to make this as simple as I
0:35 - 0:39

can and for my members I released a new
0:39 - 0:42

uh Note file it is under the blue team
0:42 - 0:46

track The Blue Team notes and the name
0:46 - 0:48

is Windows security we'll be finding
0:48 - 0:50

this in the uh Google Drive notes all
0:50 - 0:55

right let let get back to the room
0:55 - 0:58

so we have a machine to spawn we going
0:58 - 1:01

to click on start the machine
1:01 - 1:04

so basically the task two is about
1:04 - 1:08

Concepts on active directory so it's not
1:08 - 1:12

a comprehensive uh list or comprehensive
1:12 - 1:14

uh you know uh it doesn't contain all
1:14 - 1:17

everything about directory but you know
1:17 - 1:18

if you are going through active
1:18 - 1:19

directory hardening you must know what
1:19 - 1:22

is domain domain controller and the
1:22 - 1:24

definition of trees and Forest we're
1:24 - 1:26

going to talk about this but there is
1:26 - 1:27

there are two questions here one
1:27 - 1:30

question what is the root domain in the
1:30 - 1:34

tab ad machine so basically here uh
1:34 - 1:35

let's
1:35 - 1:37

see yeah the machine is
1:37 - 1:42

still uh starting so here we have triac
1:42 - 1:45

me. ioc is the root domain and Z a.
1:45 - 1:49

triac me is not the subdomain uh we it's
1:49 - 1:51

it's called the child domain so both
1:51 - 1:56

these domains um exists under uh the
1:56 - 1:59

same tree so we call this a tree because
1:59 - 2:02

it contains more more than one domain
2:02 - 2:04

now the subject of this video will be on
2:04 - 2:07

the securing authentication
2:07 - 2:10

methods and the other tasks so let's
2:10 - 2:12

first make sure that the machine is up
2:12 - 2:15

and running going click on split
2:20 - 2:24

view okay so going to task three so in
2:24 - 2:29

task three we have the land manager
2:29 - 2:31

hash SMB
2:31 - 2:34

signing ldb
2:34 - 2:36

signing password policies and
2:36 - 2:39

rotation and some suggestions on
2:39 - 2:42

password policies so these are settings
2:42 - 2:44

that you can configure on your active
2:44 - 2:46

directory to make sure that the
2:46 - 2:49

authentication process is secure meaning
2:49 - 2:50

uh MIT
2:50 - 2:54

Maxs have little to no chance to succeed
2:54 - 2:56

at the same time you configure strong
2:56 - 3:00

password policy for uh your users
3:00 - 3:02

simultaneously in task four here they
3:02 - 3:05

talk about the General
3:05 - 3:09

Security um Concepts here so for example
3:09 - 3:13

the role based access control the uh
3:13 - 3:14

methods of Access Control the principle
3:14 - 3:17

of leas privilege all of these are
3:17 - 3:20

General Security controls that you can
3:20 - 3:22

um apply to the active directory or
3:22 - 3:24

Windows Server active directory and here
3:24 - 3:25

there are two
3:25 - 3:28

questions so computers and printers must
3:28 - 3:30

be added to tier zero so here's about
3:30 - 3:33

tiered access model now the tiered
3:33 - 3:35

access model is not discussed in
3:35 - 3:38

computer in comp Security Plus so here
3:38 - 3:41

I'm preparing for you guys a note file
3:41 - 3:45

to prepare for comp Security Plus
3:45 - 3:48

so here in comp Security
3:48 - 3:51

Plus there are
3:51 - 3:54

certain models for Access Control oh my
3:54 - 3:57

God many things about as control as
3:57 - 4:01

control uh methods model
4:01 - 4:05

just too hard to find them
4:12 - 4:16

Mac okay as you can see guys in comp
4:16 - 4:18

Security Plus we discuss discretionary
4:18 - 4:20

Access Control role pce
4:20 - 4:23

mandatory and there is the rule based
4:23 - 4:25

access control as well if you scroll
4:25 - 4:27

down you're going to find it
4:27 - 4:31

maybe rule pay access control so all of
4:31 - 4:32

these access
4:32 - 4:37

controls are used depending on the
4:37 - 4:39

scenario or depending on organization so
4:39 - 4:43

tiered access model groups your
4:43 - 4:45

resources based on tiers for example as
4:45 - 4:48

you can see tier zero includes top
4:48 - 4:51

level uh resources such as admin
4:51 - 4:53

accounts domain controller and
4:53 - 4:57

groups so tier one applications and
4:57 - 5:02

servers tier two and user devices so the
5:02 - 5:04

higher it goes the less sensitive it
5:04 - 5:08

becomes so as you can see tier zero it's
5:08 - 5:10

the highest contains the highest
5:10 - 5:12

sensitive resources such as admin
5:12 - 5:14

accounts domain controller and groups so
5:14 - 5:16

here the question is computers and
5:16 - 5:20

printers must be added to tier zero nope
5:20 - 5:22

because computers and printers are end
5:22 - 5:24

points so we can add them to tier two
5:24 - 5:26

suppose a vendor arrived at your
5:26 - 5:30

facility for a twoe duration visit task
5:30 - 5:32

being a system administrator you should
5:32 - 5:35

create a high privileged account for him
5:35 - 5:38

nope because this goes to uh the role
5:38 - 5:41

ped access control so in role ped Access
5:41 - 5:44

Control we assign people
5:44 - 5:47

resources and permissions pays on their
5:47 - 5:51

uh job and additionally we apply the
5:51 - 5:53

principle of lease
5:53 - 5:55

privilege meaning the least privileged
5:55 - 5:59

means that if they don't need access to
5:59 - 6:01

a certain resource we don't grant them
6:01 - 6:03

that uh permission to access that
6:03 - 6:05

resource depending on your job
6:05 - 6:08

description on your need as
6:08 - 6:12

well okay so finally the machine
6:12 - 6:14

started all right so we're going to
6:14 - 6:17

demonstrate task three now all right so
6:17 - 6:18

we're going to allow this and we're
6:18 - 6:23

going to start with the GP
6:23 - 6:25

edit the group policy editor most of the
6:25 - 6:27

policies you configure in active
6:27 - 6:30

directory whether to harden sec cure or
6:30 - 6:34

even to set certain settings are done
6:34 - 6:36

via the group policy
6:36 - 6:39

editor so it's good practice if you uh
6:39 - 6:43

go over the policies here and understand
6:43 - 6:44

what every single one of them the
6:44 - 6:47

purpose of every single one of them so
6:47 - 6:48

the first thing we're going to do is the
6:48 - 6:50

Lan hash
6:50 - 6:52

manager so here we're going to make sure
6:52 - 6:56

that Windows stores the hashes for the
6:56 - 6:59

user's password in the ntlm not the L
6:59 - 7:02

the LM because the LM is relatively
7:02 - 7:05

weaker than the NT right and it's
7:05 - 7:07

vulnerable to Brute Force attacks so we
7:07 - 7:08

make sure that the passwords or the
7:08 - 7:10

hashes are
7:10 - 7:13

stored uh in entty so we're going what
7:13 - 7:14

we're going to do here we're going to go
7:14 - 7:16

to computer configuration as you can see
7:16 - 7:18

here and then we're going to go to
7:18 - 7:21

policies Windows settings so in Windows
7:21 - 7:23

settings going to expand
7:23 - 7:26

this the machine is too slow frustration
7:26 - 7:29

frustrating okay security settings can
7:29 - 7:32

highlight this and expand to local
7:32 - 7:34

policies and if we expand the local
7:34 - 7:37

policies we go to Security Options and
7:37 - 7:42

from Security Options here we have the
7:42 - 7:44

security policies so as you can see
7:44 - 7:48

there is one here that's about the uh
7:48 - 7:52

land manager let's see what it
7:54 - 7:59

is so it starts with don't store let's
7:59 - 8:01

see what it is
8:02 - 8:05

yeah this is done
8:05 - 8:07

properties so now secure don't store
8:07 - 8:09

Land manager hash value on next password
8:09 - 8:12

change so by default this is enabled
8:12 - 8:14

which is good so make sure on your end
8:14 - 8:17

this is enabled because you don't want
8:17 - 8:20

um the password to be stored as LM hash
8:20 - 8:23

because it's going to be susceptible to
8:23 - 8:25

Brute Force attacks it's going to be
8:25 - 8:27

easily cracked all right that's the
8:27 - 8:30

first thing to securing uh or that's the
8:30 - 8:32

first thing you can do to secure active
8:32 - 8:35

directory other thing is SMB signing so
8:35 - 8:38

SMB as you know server message block is
8:38 - 8:40

the protocol responsible for file and
8:40 - 8:42

printer sharing so if you have file
8:42 - 8:44

sharing printer sharing enabled this
8:44 - 8:46

protocol most probably is enabled so the
8:46 - 8:49

problem is the the communications happen
8:49 - 8:52

in clear text so it's vable to mitm
8:52 - 8:56

attack so in order to prevent this we're
8:56 - 8:58

going to need to configure some security
8:58 - 8:59

policies again we go to back back to
8:59 - 9:02

window settings and then to security
9:02 - 9:08

settings back to local policies Security
9:09 - 9:13

Options and we're going to look for the
9:13 - 9:14

digital sign digitally signed
9:14 - 9:17

communication let's see what it is
9:17 - 9:20

digitally sign secure
9:21 - 9:24

Channel Microsoft
9:24 - 9:27

network this is the one digitally sign
9:27 - 9:30

communication properties and is disabled
9:30 - 9:32

so we're going to make sure this is
9:32 - 9:36

enabled explain go to explain going you
9:36 - 9:38

can see more information about this
9:38 - 9:41

digitally sign Communications the
9:41 - 9:42

security setting determines whether
9:42 - 9:45

packet signing is required by the SB
9:45 - 9:47

client
9:47 - 9:49

component so you want to you want the
9:49 - 9:51

communications through theb to be signed
9:51 - 9:53

and not vulnerable to mitm so you need
9:53 - 9:57

to or therefore you need to enable
9:58 - 10:00

this all right
10:00 - 10:03

another thing to securing uh protocols
10:03 - 10:06

in active directory is the lb protocol
10:06 - 10:08

so lb is the main protocol directory is
10:08 - 10:11

based on it's the light lightweight
10:11 - 10:14

directory access protocol so also we
10:14 - 10:17

want to PR secure the communications
10:17 - 10:20

based on that protocol for mitm attacks
10:20 - 10:21

so what we're going to do we're going
10:21 - 10:23

need also to enable the signing of these
10:23 - 10:27

communications so on the same uh pain
10:27 - 10:29

here we're going to need to find domain
10:29 - 10:32

control rer section and then we're going
10:32 - 10:35

to look for elab Server Channel binding
10:35 - 10:39

tokens yeah elab server signing
10:42 - 10:45

requirements so modifying the setting
10:45 - 10:46

may affect compatibility with the
10:46 - 10:49

clients so here it doesn't allow me to
10:49 - 10:51

enable it for some reason related to
10:51 - 10:53

this explanation but usually this needs
10:53 - 10:56

to be
10:56 - 11:00

enabled and to the most important part
11:00 - 11:02

is of this video is the password
11:02 - 11:05

policies so password policies can be
11:05 - 11:09

configured from the oh we're going to go
11:09 - 11:11

back to security headings and we're
11:11 - 11:13

going to check on account policies so
11:13 - 11:14

account Poli there is account there is
11:14 - 11:16

password policy here and from here you
11:16 - 11:20

can configure the minimum uh and maximum
11:20 - 11:22

length of the password the complexity
11:22 - 11:24

the age so on and so forth for example
11:24 - 11:27

as you can see here the Min maximum age
11:27 - 11:30

of the pass is 42 days which means after
11:30 - 11:33

42 days your users will be prompted to
11:33 - 11:35

change their
11:35 - 11:37

password that's the maximum age and
11:37 - 11:39

that's the minimum age minimum age is
11:39 - 11:41

one meaning you cannot change your
11:41 - 11:44

password uh during the first day of the
11:44 - 11:46

assignment and you have minimum password
11:46 - 11:49

link is seven
11:50 - 11:53

characters so these are the uh some
11:53 - 11:55

settings you can see and you askk there
11:55 - 11:57

are some questions to answer so we
11:57 - 12:00

scroll down change CH the yeah what is
12:00 - 12:02

the default minimum password length it
12:02 - 12:05

was seven as you can see
12:05 - 12:09

here going back showing it one more time
12:09 - 12:12

to you guys so seven characters all
12:12 - 12:14

right so these are these are some
12:14 - 12:16

policies that you can enable to harden
12:16 - 12:20

your active directory or to maybe secure
12:20 - 12:22

the authentication so additionally there
12:22 - 12:26

is in Task 5 there is this nice new tool
12:26 - 12:28

that I haven't heard before it is a
12:28 - 12:31

Microsoft security compliance tool kit
12:31 - 12:33

so this
12:33 - 12:38

tool let's go to the relative folder
12:38 - 12:42

scripts open that
12:43 - 12:46

okay opening the link of the tool so if
12:46 - 12:48

you download this tool it will give you
12:48 - 12:51

recommendations and give you ready
12:51 - 12:53

templates so that you download them and
12:53 - 12:55

configure active directory if you don't
12:55 - 12:57

know what to what to do and what
12:57 - 12:59

policies to configure you can uh
12:59 - 13:03

download this tool and retrieve ready
13:03 - 13:05

templates to configure for example on
13:05 - 13:08

Group Policy there are already readymade
13:08 - 13:12

um uh configurations for example here
13:12 - 13:16

Windows Server 2019 security Baseline
13:16 - 13:19

downloaded from the tool itself
13:19 - 13:22

so to illustrate further in the figures
13:22 - 13:24

here as you can see when you run this
13:24 - 13:26

tool it gives you the
13:26 - 13:29

templates now here Windows server 22
13:29 - 13:33

security peline zip this is zip file and
13:33 - 13:35

it was downloaded to this machine and
13:35 - 13:37

once downloaded you can see the relative
13:37 - 13:40

folder if you open it and go to local
13:40 - 13:42

scripts you can see the partial script
13:42 - 13:47

that if you um run it will configure uh
13:47 - 13:50

the uh configurations set on this Bas
13:50 - 13:53

line so the P line it's actually
13:53 - 13:55

collection and combination of
13:55 - 13:57

configurations that makes sure your
13:57 - 14:01

Windows server is secure Bas on specific
14:01 - 14:04

Baseline right and you can use this as a
14:04 - 14:06

start if you don't know what to do
14:06 - 14:10

additionally there is the policy
14:10 - 14:14

analyzer again Guys these are uh can be
14:14 - 14:16

downloaded by running the tool on your
14:16 - 14:18

machine and then selecting the
14:18 - 14:20

configuration you want to download it be
14:20 - 14:21

downloaded in zip file and you can
14:21 - 14:24

extract and see it this way so policy
14:24 - 14:26

analyzer analyzes the group policy
14:26 - 14:31

settings in your environment okay
14:31 - 14:35

and as you can see here there are the
14:37 - 14:39

demonstrations so if you go back here to
14:39 - 14:42

policy analyzer you can see these are
14:42 - 14:45

the uh scripts that if you run we
14:45 - 14:48

configure your group policy based on the
14:48 - 14:50

settings let's go over one of them so if
14:50 - 14:53

you go back to Windows Server security
14:53 - 14:57

Baseline and check the
14:58 - 15:01

gpos so as you can see these gpos can be
15:01 - 15:04

directly imported to your group policy
15:04 - 15:08

editor based on the machine and the
15:10 - 15:14

user if you open this in XML
15:20 - 15:24

format hopefully it's going to
15:28 - 15:30

open
15:30 - 15:34

yeah see guys these are
15:34 - 15:37

the
15:37 - 15:39

configurations now the best thing to do
15:39 - 15:42

is to import them to your security or to
15:42 - 15:47

to the the uh Group Policy editor
15:47 - 15:50

lgpo as you can see is an executable
15:50 - 15:52

file all right so on the task here there
15:52 - 15:55

is find an open Baseline local and
15:55 - 15:58

install script and find the flag let's
15:58 - 16:00

go here and see where is that script
16:00 - 16:02

local script and there is Baseline local
16:02 - 16:05

and install let's open this and see what
16:05 - 16:07

it
16:18 - 16:21

does okay so the description says
16:21 - 16:23

applies a Windows security configuration
16:23 - 16:26

peline to a local Group
16:26 - 16:28

Policy execute the script with one of
16:28 - 16:31

the required command line switches to
16:31 - 16:33

install the corresponding pay
16:33 - 16:37

line so here you specify you execute
16:37 - 16:40

this either on a domain controller or in
16:40 - 16:43

a domain joined machine requirements
16:43 - 16:45

partial execution
16:45 - 16:47

policy domain join machine and this is
16:47 - 16:50

the flag so as you can see guys these
16:50 - 16:52

are set of configurations that will be
16:52 - 16:54

applied on any domain or any computer
16:54 - 16:55

you apply it
16:55 - 16:58

to and it will configure the group
16:58 - 17:00

policy pays on the mentioned
17:00 - 17:03

configurations
17:10 - 17:12

here
17:12 - 17:16

okay the other question find an open
17:16 - 17:18

merge policy rule
17:18 - 17:21

script imported from policy analyzer
17:21 - 17:24

impartial
17:27 - 17:31

editor so back back to policy
17:31 - 17:34

analyzer can check the scripts merge
17:34 - 17:36

policy let's take a look at the uh
17:36 - 17:40

script here what it does so merge policy
17:40 - 17:44

analyzer policy files what merge policy
17:44 - 17:46

analyzer policy rules files into one
17:46 - 17:49

policy rules set written into the
17:49 - 17:52

pipeline so one of the things that
17:52 - 17:54

policy analyzer does is that
17:54 - 17:58

it gets rid of redundant uh policies
17:58 - 18:00

configured in
18:00 - 18:02

GP and if you scroll down as you can see
18:02 - 18:05

this is the
18:06 - 18:09

flag uh other questions we have to ask
18:09 - 18:11

so these are the common attacks against
18:11 - 18:13

active director we have discussed many
18:13 - 18:14

rooms on active director penetration
18:14 - 18:16

testing we can get back to them guys and
18:16 - 18:19

see how uh attacks are conducted against
18:19 - 18:22

these kind of environments so does Cur
18:22 - 18:23

roasting utilize an offline attack
18:23 - 18:26

scheme for cracking gted passwords we
18:26 - 18:27

explained previously guys about C
18:27 - 18:30

roasting just go through this again and
18:30 - 18:32

the answer is yes it's offline because
18:32 - 18:34

at the end you you you will you take the
18:34 - 18:37

ticket and you crack it offline as per
18:37 - 18:39

the generated report how many users have
18:39 - 18:42

the same password as Aon Booth so for
18:42 - 18:44

you guys who are asking where is the
18:44 - 18:47

report the report is here if you go
18:47 - 18:51

to the image here you click on it and
18:51 - 18:53

see this is the
18:53 - 18:56

report these are the
18:56 - 19:00

usernames who who have the same password
19:00 - 19:03

as you can see Iron
19:03 - 19:05

Booth the number of accounts with the
19:05 - 19:08

same password is
19:08 - 19:12

186 and lastly this is cheat sheet from
19:12 - 19:16

tryck me you can download it to uh take
19:16 - 19:17

a look at more details on active
19:17 - 19:21

directory hardening so that was it guys
19:21 - 19:24

I hope you enjoyed the video and
19:24 - 19:26

definitely I'm going to see you later to
19:26 - 19:29

complete this track

Title:: Windows Active Directory Hardening and Security | TryHackMe
Description:: more » « less
Video Language:: English
Duration:: 19:27

	OEVIDEOS edited English subtitles for Windows Active Directory Hardening and Security \| TryHackMe
	OEVIDEOS edited English subtitles for Windows Active Directory Hardening and Security \| TryHackMe

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

Windows Active Directory Hardening and Security | TryHackMe

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)