Active Directory (AD)

What is Active Directory?

Active Directory (AD) is a system that allows to manage a set of computers and users connected in the same network from a central server.

       ____                         __ 
  o   |    |                       |==|
 /|\  |____| <--------.    .-----> |  |
 / \  /::::/          |    |       |__|
                      v    v
                       .---.
                      /   /|
                     .---. |
                     |   | '
                     |   |/ 
                     '---'  
       ____          ^    ^        ____ 
  o   |    |         |    |       |    |  \o/
 /|\  |____| <-------'    '-----> |____|   | 
 / \  /::::/                      /::::/  / \

The above diagram is known as a domain. A domain is a set of connected computers that shares an Active Directory database, which is managed by the central servers of a domain, that are called domain controllers.

Physical AD Components

Domain Controller

A domain controller is a server with the AD DS (Active Directory data store) server role installed that has specifically been promoted to a domain controller. It can:

  • host a copy of the AD DS

  • provide authentication and authorization services (Kerberos)

  • replicate updates to other domain controllers in the domain and forest

  • allow administrative access to manage user accounts and network resources

AD DS

The AD DS contains the database files and processes that store and manage directory information for users, services, and applications. It:

  • consists of the Ntds.dit file

  • is stored by default in the %SystemRoot%\NTDS folder on all domain controllers

  • is accessible only through the domain controller processes and protocols

Logical AD Components

AD Schema

The AD DS schema:

  • defines every type of object that can be stored in the directory

  • enforces rules regarding object creation and configuration.

For example:

Objects TypesFunctionExamples

Class Object

What objects can be created in the directory

User, Computer

Attribute Object

Information that can be attached to an object

Display name

Domains

Domains are used to group and manage objects in an organization. It is:

  • an administrative boundary for applying policies to groups of objects

  • A replication boundary for replicating data between domain controllers

  • An authentication and authorization boundary that provides a way to limit the scope of access to resources

Trees

A tree is a hierarchy of domains in AD DS. All domains in the tree:

  • share a contiguous namespace with the parent domain

  • can have additional child domains

  • by default create a two-way transitive trust with other domains

Forests

A forest is a collection of one or more domain trees. Forests:

  • share a common schema

  • share a common configuration partition

  • share a common global catalog to enable searching

  • enable trusts between all domains in the forest

  • share the Enterprise Admins and Schema Admins groups

Organizational Units (OUs)

OUs are AD containers that can contain users, groups, computers, and other OUs. OUs are used to:

  • represent your organization hierarchically and logically

  • manage a collection of objects in a consistent way

  • delegate permissions to administer groups of objects

  • apply policies

Trusts

Trusts provide a mechanism for users to gain access to resources in another domain. Types of trusts:

  • All domains in a forest trust all other domains in the forest

  • Trusts can extend outside the forest

Objects

NTLM Authentication

NTLM (NT LAN Manager) authentication is used when a client authenticates to a server by IP address (instead of by hostname), or if the user attempts to authenticate to a hostname that is not registered on the AD integrated DNS server. Likewise, third-party applications may choose to use NTLM authentication instead of Kerberos authentication.

The NTLM authentication is composed by 3 messages/phases: NEGOTIATE, CHALLENGE and AUTHENTICATE:

                         Client               Server
                           |                    |
 AcquireCredentialsHandle  |                    |
           |               |                    |
           v               |                    |
 InitializeSecurityContext |                    |
           |               |     NEGOTIATE      |
           '-------------> | -----------------> | ----------.
                           |     - flags        |           |
                           |                    |           v
                           |                    | AcceptSecurityContext
                           |                    |           |
                           |                    |       challenge
                           |     CHALLENGE      |           |
           .-------------- | <----------------- | <---------'
           |               |   - flags          |
       challenge           |   - challenge      |
           |               |   - server info    |
           v               |                    |
 InitializeSecurityContext |                    |
       |       |           |                    |
    session  response      |                    |
      key      |           |    AUTHENTICATE    |
       '-------'---------> | -----------------> | ------.--------.
                           |   - response       |       |        |
                           |   - session key    |       |        |
                           |     (encrypted)    |   response  session
                           |   - attributes     |       |       key
                           |     + client info  |       |        |
                           |     + flags        |       v        v
                           |   - MIC            | AcceptSecurityContext
                           |                    |           |
                           |                    |           v
                           |                    |           OK
                           |                    |

Kerberos Authentication

While NTLM authentication works through a principle of challenge-response, Windows-based Kerberos authentication uses a ticket system. Kerberos focuses on the use of tokens called "tickets" that allows an user to be authenticated against a principal. At a high level, Kerberos client authentication to a service in AD involves the user of a domain controller in the role of a key distribution center (KDC).

Reference

Attacking Active Directory: 0 to 0.9 - zer1t0

Last updated