Windows Domains
- windows domain: a group of users and computers under the administration of a given business
- centralises administration of the common components of windows computers into a single repository
- that repository is Active Directory (AD); the server that runs AD Domain Services is the Domain Controller (DC)
Active Directory
- users
- one of the objects known as security principals: can be authenticated by the domain and be assigned privileges over resources
- can represent people (a person in the organisation) or services (e.g. the account IIS or MSSQL runs under)
- machines
- for every computer that joins the domain, a machine object is created
- gets an account like a regular user, but with limited rights on the domain
- the machine account is a local administrator on its own computer
- passwords are rotated automatically (every 30 days by default) and are 120 random characters, so they are not practical to guess
- machine account name follows the scheme <computer name>$, e.g. DC01$ for a computer called DC01
- security groups
- group access rights and permissions so they are assigned once; users in the group inherit them
- can include other groups (nesting), so membership and rights are inherited transitively
Preexisting groups
| name | description |
|---|---|
| Domain Admins | Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs. |
| Server Operators | Users in this group can administer Domain Controllers. They cannot change any administrative group memberships. |
| Backup Operators | Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers. |
| Account Operators | Users in this group can create or modify other accounts in the domain. |
| Domain Users | Includes all existing user accounts in the domain. |
| Domain Computers | Includes all existing computers in the domain. |
| Domain Controllers | Includes all existing DCs on the domain. |
Managing Users
- to delete an Organizational Unit (OU): in Active Directory Users and Computers, first enable View > Advanced Features
- right-click the OU, Properties, Object tab, un-tick "Protect object from accidental deletion", then delete it
- delegate control over an OU to a user or group (e.g. let a support group reset passwords for users in that OU)
- right-click the OU, Delegate Control
- next, Add, enter the user or group names, Check Names to autocomplete
- next, select the tasks to delegate from the list (e.g. reset user passwords and force password change at next logon)
Managing Computers
- devices are generally grouped into 3 categories, so each can get its own OU and policies
- workstations: machines users log in to for day-to-day work
- servers: provide services to users or other servers
- domain controllers: run AD, the most sensitive devices on the domain
Authentication Methods
- authentication protocols
- kerberos: default protocol in recent versions of windows
- NetNTLM: legacy authentication protocol kept for compatibility
Kerberos
- a user who logs in is assigned a ticket
- ticket = proof of previous authentication; presented to services instead of the password
- authentication process
- user sends username and a timestamp encrypted with a key derived from their password to the Key Distribution Center (KDC), a service usually installed on the Domain Controller
- KDC sends back a Ticket Granting Ticket (TGT), which lets the user request tickets for specific services without sending credentials again, and a Session Key
- the TGT is encrypted with the krbtgt account's password hash, so the user can hold it but cannot read or alter it; only the KDC can
- to access a service with the TGT
- user sends username and a timestamp encrypted with the Session Key, plus the TGT and the Service Principal Name (SPN) of the service, and asks the KDC for a Ticket Granting Service (TGS) ticket for it
- KDC sends back the TGS, encrypted with the password hash of the service owner (the user or machine account the service runs under), and a Service Session Key
- user presents the TGS to the service, which decrypts it with its own hash and uses the Service Session Key to validate the user
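The two exchanges above as a runnable toy, written for these notes (not code from the original page or from Microsoft). It keeps the roles the notes describe (user, KDC, krbtgt, service owner) but stands in a stdlib-only toy cipher (HMAC-SHA256 keystream plus HMAC tag) for Kerberos' real encryption types, JSON dicts for its ASN.1 messages, and constructed names and passwords; the message field names are assumptions made for illustration. The point it shows: the client never reads the TGT or the service ticket, and the service never talks to the KDC, it just opens the ticket with its own key.

```python
"""Toy model of the Kerberos AS and TGS exchanges (added example, not from the notes).
Toy cipher and JSON messages replace real Kerberos etypes and ASN.1; names are constructed."""
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # seconds; Kerberos rejects timestamps outside the allowed clock skew

def derive_key(password):
    """Long-term key from a password (toy; AD derives RC4/AES keys from the password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key, obj):
    """Toy authenticated encryption of a dict: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Fails closed: with the wrong key the tag does not verify and nothing is returned."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key for this ticket/authenticator")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

def _fresh(ts):
    return abs(time.time() - ts) <= MAX_SKEW

class KDC:
    """Holds every principal's long-term key: users, krbtgt and service owners."""
    def __init__(self, passwords):
        self.keys = {name: derive_key(pw) for name, pw in passwords.items()}

    def as_exchange(self, username, preauth):
        # AS-REQ: a timestamp encrypted with the user's key proves knowledge of the password.
        if not _fresh(decrypt(self.keys[username], preauth)["timestamp"]):
            raise ValueError("pre-authentication timestamp outside clock skew")
        session_key = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"user": username, "session_key": session_key})
        # AS-REP: the TGT (opaque to the user) plus the session key wrapped in the user's key.
        return tgt, encrypt(self.keys[username], {"session_key": session_key})

    def tgs_exchange(self, tgt, authenticator, service):
        # TGS-REQ: only the KDC can open the TGT, and so recover the session key it issued.
        inner = decrypt(self.keys["krbtgt"], tgt)
        session_key = bytes.fromhex(inner["session_key"])
        auth = decrypt(session_key, authenticator)
        if auth["user"] != inner["user"] or not _fresh(auth["timestamp"]):
            raise ValueError("authenticator does not match TGT")
        svc_key = os.urandom(32).hex()
        # TGS-REP: service ticket under the service owner's key, plus the service session key.
        ticket = encrypt(self.keys[service], {"user": inner["user"], "service_session_key": svc_key})
        return ticket, encrypt(session_key, {"service_session_key": svc_key})

def client_login(kdc, username, password, service):
    """Client side of both exchanges; returns the service ticket and an authenticator for the service."""
    user_key = derive_key(password)
    tgt, as_rep = kdc.as_exchange(username, encrypt(user_key, {"timestamp": time.time()}))
    session_key = bytes.fromhex(decrypt(user_key, as_rep)["session_key"])
    authenticator = encrypt(session_key, {"user": username, "timestamp": time.time()})
    ticket, tgs_rep = kdc.tgs_exchange(tgt, authenticator, service)
    svc_key = bytes.fromhex(decrypt(session_key, tgs_rep)["service_session_key"])
    return ticket, encrypt(svc_key, {"user": username, "timestamp": time.time()})

def service_accepts(service_key, ticket, authenticator):
    """Service side: open the ticket with its own key, then check the authenticator. Returns user or None."""
    inner = decrypt(service_key, ticket)
    auth = decrypt(bytes.fromhex(inner["service_session_key"]), authenticator)
    return auth["user"] if auth["user"] == inner["user"] and _fresh(auth["timestamp"]) else None

def demo():
    # Constructed principals: the krbtgt account, one user, and the account MSSQL runs under.
    kdc = KDC({"krbtgt": "kRbTgT-very-long-random", "alice": "Winter2024!", "svc_sql": "S3rvice-0wner"})
    ticket, auth = client_login(kdc, "alice", "Winter2024!", "svc_sql")
    user = service_accepts(derive_key("S3rvice-0wner"), ticket, auth)
    try:  # the user holds the ticket but cannot read it: it is encrypted with the service owner's key
        decrypt(derive_key("Winter2024!"), ticket)
        ticket_opaque_to_user = False
    except ValueError:
        ticket_opaque_to_user = True
    return user, ticket_opaque_to_user

if __name__ == "__main__":
    print(demo())  # ('alice', True)
```

A wrong password fails at the very first step: the KDC cannot open the pre-authentication timestamp, so no TGT is ever issued. The timestamps in every authenticator are what limit replay in the real protocol as well.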
NetNTLM
- challenge-response mechanism: the password hash itself is never sent over the network
- client sends an authentication request to the server it wants to access
- server generates a random number and sends it to the client as the challenge
- client combines its NTLM password hash with the challenge to generate a response and sends it to the server for verification
- server forwards the challenge and response to the domain controller for verification
- domain controller uses the challenge and its stored hash to recalculate the response and compares; if they match the client is authenticated, and the result is sent to the server
- server forwards the authentication result to the client