I’ve been learning about Active Directory and while learning I couldn’t find a compiled resource which could take me from zero to a level to understand the security posture of AD. So I thought, why not to club my learning from all the sources into one series of blogs to help others who might be interested to learn it too and so, here we are. I’ll be writing in parts, every blog taking a level up with all the references and links at the last.
What is AD?
The simplest representation of Active Directory can be done by a phone-book. Just like a phone-book has a hierarchical structure, an AD also has a hierarchical structure. An Active Directory Domain Service (AD DS) provides ways to store data and make it accessible on a network for other users and administrators.
A domain can be considered as an invisible boundary structure that restricts the rules and regulations set up by the administrator. It is used to group and manage objects in an organization and serve as a boundary for different policies, meant for different groups of objects.
Taking the example of a phone-book, every contact has various details with it such as: home address, office contact, home contact, city etc. and in a similar manner, objects in AD are these different details. Some of the objects can be as follows:
→ User: Enables network resource access for a user.
→ Groups: Used to simplify the administration of access control.
→ Shared Folders: Enables users to search for shared folders based on properties.
Objects are what comprise and make an organizational unit.
- Organizational Unit (OU): An organizational unit can be considered as a manner of classification. It can contain users, groups, computers and other OUs. You can also think of an OU as an imaginary way to club different objects into one, for the purpose of defining specific permissions and trusts for them. They help to manage a collection of object and apply policies in a consistent manner.
Building Up On Basics:
- Domain Controller:
A Domain Controller is nothing but a Windows Server, with the AD DS (Domain Services) role installed on it and has been specifically promoted to that role to host that directory storage. It also provides authentication and authorization services and administrator access to manage other user accounts and network resources.
- AD Data Store:
The AD DS contains the database files and processes that store and manage directory information for users, services and other applications. It contains the NDTS.dit file which not only stores information about user objects, groups and group memberships but it also stores the password hashes for all the users present in that particular domain.
- AS DS Schema:
As the name states, this contains the structural definition or the blueprint of any object which can be stored in the directory and enforces the rules regarding object creation and configuration.
A tree in an AD can be defined as a hierarchy of domains. It is made up of several domains, sharing a common schema and configuration to form a contiguous namespace. It can have additional child domains and also create two way transitive trust with other domains. The following figure represents a tree in the namespace view of a domain (We’ll talk about the different views in the next post):
When multiple trees come together, they form a forest. Forests share a common schema, share common configuration partition, enable trusts between all domains in the forest ad share enterprise admins and schema admin groups.
Security is offered in a forest on the basis of trust. A trust can be described as a mechanism for users to gain access to a resource in other domain. Before authenticating, Windows check if the domain being requested has a trust relationship with the domain of the requesting account.