What is Active Directory?


My name is Martin, I'm a Cybersecurity student at University, and an aspiring professional in the infosec field.

Active Directory (AD) is an identity management service created by Microsoft and one of the most widely used. AD manages Windows domain networks, storing information about objects such as computers, users and printers. You can think of an AD environment as a place where you store data, organize it and manage it across the different groups in a network: for example, one group for the HR team, one for the Marketing team, another for the IT team, and so on, each with the specific level of privilege, permissions and access it needs to do its assigned tasks.

Note: Non-Windows devices, such as Linux machines, can also authenticate to Active Directory via RADIUS (Remote Authentication Dial-In User Service) or LDAP (Lightweight Directory Access Protocol).

Active Directory Services

  • Domain Services (AD DS): AD DS manages and organizes directory information about network objects such as users, groups and devices. Its job is to distribute that information across the network while enforcing the policies set by network administrators. For example, if an administrator creates a network share for the HR team, AD DS ensures that only users in the HR group can access that share by applying specific permissions and access controls. AD DS also manages user privileges, authentication and authorization, so that security policies are consistently enforced across the network.

  • Certificate Services (AD CS): AD CS manages digital certificates for users, devices and services within the network. These certificates can be used for authentication, encryption and digital signatures. AD CS is also in charge of building the Public Key Infrastructure (PKI), which supports the use of public and private keys for secure communications. Think of it as a digital ID card system: each time a user tries to communicate with another user or service, AD CS checks their digital ID card to verify that they are who they claim to be.

  • Federation Services (AD FS): AD FS helps users to access multiple applications using a single account, and it supports single sign-on (SSO). AD FS is used in resource sharing situations, for example, if I want to access a specific service from a partner company, AD FS helps to securely share a digital identity in order to access that service without using multiple credentials.

  • Lightweight Directory Services (AD LDS): AD LDS provides a lighter and more flexible alternative to the full AD DS environment. It is designed to support directory-enabled applications without the overhead of a full AD domain. It allows organizations to store and manage directory data in a way that is similar to AD DS, but without deploying domain controllers, managing AD domains or joining systems to a domain.

  • Rights Management Services (AD RMS): Manages and protects sensitive information through encryption, rights management and policy enforcement using Information Rights Management (IRM). It helps organizations safeguard their property and confidential data by restricting the access and actions users have with protected data.

Active Directory is composed of both physical and logical components.

Physical:

  • Data Store (NTDS.DIT): The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications.

    • Serves as the principal database file within AD DS, it stores and organizes all information related to objects in the domain, including users, groups, computers, account details, password hashes, and more.
  • Domain Controllers: The most important component. A DC provides administrative access and the ability to set up group policies, change user passwords, etc. Think of the DC as the main base of a domain: it is where you control and manage everything under its tree.

  • Global Catalog Server: Stores a catalog of every object in the directory. Serves to look up directory information regardless of the object’s location.

  • Read-Only Domain Controller (RODC): Type of domain controller that holds a read-only copy of the AD database. Unlike a regular DC, which can both read and write to the database, an RODC only allows read operations. This means that it cannot make changes to the database, such as adding or modifying user accounts, groups, or other objects.

Logical:

  • Schema: The Schema defines every type of object that can be stored in the directory. Think of it as a rule book or a blueprint that enforces rules regarding object creation and configuration.

    | Object Type      | Function                                                   | Examples       |
    |------------------|------------------------------------------------------------|----------------|
    | Class Object     | Defines what objects can be created in the directory.      | User, Computer |
    | Attribute Object | Defines the information that can be attached to an object. | Display name   |

  • Domains: Used to group and manage objects in an organization. It serves as an administrative boundary for applying policies to groups of objects, allowing administrators to manage users, systems, and other resources together. It is also a replication boundary, ensuring that directory data is replicated between domain controllers within the domain.

  • Domain Trees: A hierarchy or chain of domains in AD DS. When there are multiple domains, they are controlled in a hierarchy, just like a tree. A child domain shares a contiguous namespace with the parent domain (e.g., domain.com) and can itself have additional child domains (e.g., dev.domain.com and hr.domain.com).

  • Forests: A collection of one or more domain trees. Think of a forest as a group made of other groups of domains: if domain trees represent groups of domains in a parent/child hierarchy, the forest is the overall family that includes those groups. All domains in a forest share a common schema, configuration and global catalog. A forest enables trusts between all of its domains and shares the Enterprise Admins and Schema Admins groups.

  • Sites: They define the physical layout of the network. Each site includes one or more subnets and is linked to other sites via site links, which represent the network connections between them.

  • Organizational Units (OUs): Active Directory containers that can hold users, groups, computers and other OUs. They represent the organization hierarchically and logically, manage a collection of objects in a consistent way, apply policies and delegate permissions to administer groups of objects.

Things to know

Trust relationships: Trusts provide a mechanism for users to gain access to resources in another domain.

  • Directional → The trust direction flows from the trusting domain to the trusted domain.

  • Transitive → The trust relationship is extended beyond a two-domain trust to include other trusted domains.

Objects: An object is an element, such as a user, group, application, device, etc.

| Type of Object | Description                                                                                    |
|----------------|------------------------------------------------------------------------------------------------|
| User           | Enables network resource access for a user.                                                    |
| InetOrgPerson  | Similar to a user account; used for compatibility with other directory services.               |
| Contacts       | Used primarily to assign e-mail addresses to external users; does not enable network access.   |
| Groups         | Used to simplify the administration of access control.                                         |
| Computers      | Enables authentication and auditing of computer access to resources.                           |
| Printers       | Used to simplify the process of locating and connecting to printers.                           |
| Shared folders | Enables users to search for shared folders based on properties.                                |

Understanding Kerberos

Kerberos: The network authentication protocol used in Active Directory (AD) that verifies user and service identities without transmitting passwords over the network. It utilizes tickets for authentication and relies on the Key Distribution Center (KDC) to manage secret keys and tickets used by clients and services.

  • Authentication Service (AS): When a user attempts to log in, the AS verifies the user’s credentials and issues a Ticket Granting Ticket (TGT). This ticket allows the user to request access to other services without needing to re-enter their password.

  • Ticket-Granting Service (TGS): Service used by Kerberos to grant a ticket to a user in order to access a certain service or server.

Overview of Kerberos:

  1. When a user logs on to the Active Directory environment, the user authenticates to the Domain Controller using the user's password, a secret the Domain Controller also holds.

  2. The Domain Controller sends the user a Ticket Granting Ticket (TGT) Kerberos Ticket. The TGT is presented to any Domain Controller to prove authentication for Kerberos service tickets.

  3. The user opens the application they are trying to access, which causes the user's workstation to look up the Service Principal Name (SPN) of the user's Exchange server.

  4. Once the SPN is identified, the computer communicates with the Domain Controller again and presents the user's TGT as well as the SPN of the resource the user needs to reach.

  5. The Domain Controller replies with the Ticket Granting Service (TGS) Kerberos service ticket.

    • The TGS is encrypted with the server’s account hash.
  6. The user's workstation presents the TGS to the Exchange server for access.

    • The server decrypts the TGS with its own key, checks whether the user actually has the authority to access the server, and proceeds to authenticate.
  7. If the user is authorized, the application connects successfully.
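The seven steps above as a toy Python model, added here and not part of the original post. The domain (krbtgt, alice, svc_exchange), the passwords, the SPN and the seal/unseal cipher are constructed stand-ins: real Kerberos uses its own encryption types, but the key relationships are the same, so the example shows why only a DC can read a TGT and only the service's own key can open a service ticket.

```python
import hashlib, hmac, json, os, time
def derive_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # stand-in for AD's password-derived key
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]
def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (not a real Kerberos etype): XOR keystream + HMAC tag."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key: bytes, blob: bytes) -> dict:
    """Returns the plaintext dict, or raises if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed domain: the KDC on the DC holds every account key; the krbtgt key protects TGTs.
KEYS = {"krbtgt": derive_key("krbtgt-secret"), "alice": derive_key("Alice-Pw!"),
        "svc_exchange": derive_key("Exch-Svc-Pw!")}
SPNS = {"HTTP/mail.corp.local": "svc_exchange"}  # SPN -> service account that owns the key

def kdc_as(user: str, preauth: bytes):
    """Steps 1-2: check the password-encrypted timestamp, then issue a TGT plus session key."""
    unseal(KEYS[user], preauth)                     # wrong password -> ValueError, no TGT
    sk = os.urandom(16).hex()
    tgt = seal(KEYS["krbtgt"], {"user": user, "sk": sk})   # readable only by a DC
    return tgt, seal(KEYS[user], {"sk": sk})
def kdc_tgs(tgt: bytes, spn: str, authenticator: bytes):
    """Steps 4-5: validate the TGT, then issue a service ticket sealed with the service's key."""
    t = unseal(KEYS["krbtgt"], tgt)
    unseal(bytes.fromhex(t["sk"]), authenticator)   # client must hold the TGT session key
    sk2 = os.urandom(16).hex()
    ticket = seal(KEYS[SPNS[spn]], {"user": t["user"], "sk": sk2, "spn": spn})
    return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2})
def service_ap(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """Steps 6-7: the server decrypts the ticket with its own key and learns who the user is."""
    t = unseal(service_key, ticket)
    unseal(bytes.fromhex(t["sk"]), authenticator)
    return t["user"]

def login_and_access(user: str, password: str, spn: str) -> str:
    """Client side of the flow (step 3 is the SPN lookup); the password never leaves the host."""
    uk = derive_key(password)
    tgt, rep = kdc_as(user, seal(uk, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(uk, rep)["sk"])
    ticket, rep2 = kdc_tgs(tgt, spn, seal(sk, {"ts": time.time()}))
    sk2 = bytes.fromhex(unseal(sk, rep2)["sk"])
    return service_ap(KEYS[SPNS[spn]], ticket, seal(sk2, {"ts": time.time()}))
```

Calling login_and_access("alice", "Alice-Pw!", "HTTP/mail.corp.local") returns "alice"; a wrong password fails at the AS step and the client never receives a TGT.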