# Active Directory Pentest

## Active Directory

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It provides a centralized and hierarchical database that stores information about network resources such as users, computers, groups, and services. AD is a critical component in many organizations as it simplifies the management of users and resources by providing a single sign-on (SSO) experience and implementing security policies across the network.

### **Key Features of Active Directory:**

* **Domain Services**: AD is organized into one or more domains, each representing a logical group of objects within a network. Domains can have hierarchical relationships to form a tree-like structure called a forest.
* **Domain Controller (DC)**: A domain controller is a server that authenticates users, stores AD databases, and enforces security policies within a domain.
* **LDAP Protocol**: AD uses the Lightweight Directory Access Protocol (LDAP) to manage and query directory data.
* **Kerberos Authentication**: AD employs the Kerberos protocol for secure authentication.
* **Global Catalog (GC)**: The Global Catalog is a distributed data repository that contains a partial replica of all objects in the forest, facilitating searches across domains. It is hosted on domain controllers that are designated as Global Catalog servers.
  * Note: When a domain has two or more DCs, AD **replication** is what keeps each GC's partial replica up to date.
* **Schema**: The AD schema defines the object classes and attributes that can be stored in the directory.

## **AD Terminology**

Before diving deeper into Active Directory, let's familiarize ourselves with some essential terms used in this context:

* **Domain**: A domain is a logical grouping of computers and users in an AD network. It is identified by a DNS name, such as "example.com."
* **Forest**: A forest is a collection of one or more domains that share a common schema and trust relationship. It represents the highest level of organization in AD.
  * The forest, not the domain, is the security boundary. Once one domain in the forest is compromised, the trust paths between domains give an attacker a route to the other domains in that forest.
* **Domain Controller (DC)**: A domain controller is a Windows server responsible for authenticating users and managing AD databases for a domain.
* **Organizational Unit (OU)**: An OU is a container within a domain used to organize objects (users, computers, groups) for easier management and delegation of administrative tasks.
* **Group Policy**: Group Policy allows administrators to apply specific configurations to users and computers in an organized manner.
* **Trust Relationship**: Trust relationships define how domains and forests trust each other for authentication and resource access.

## **AD Deployment Scenarios**

Active Directory can be deployed in various configurations based on an organization's needs and scale:

* **Single-Domain Model**: Suitable for small to medium-sized organizations where a single domain is sufficient to manage all users and resources.
* **Multi-Domain Model**: Designed for larger organizations with multiple departments or locations, each having its own domain. Trust relationships connect these domains.
* **Forest Model**: In complex enterprise environments, multiple domains are organized into a forest. A forest represents the highest level of security and administrative boundaries.

## **AD Roles and Permissions**

AD objects, such as users, groups, and computers, have specific roles and permissions within the directory. Some crucial roles include:

* **Domain Administrator**: Full control over the entire domain and all objects within it.
* **Enterprise Administrator**: Full control over the entire forest and all objects within all domains.
* **Domain User**: Standard user account with limited privileges.
* **Domain Controller**: Holds the AD database and performs authentication for users and computers.

## **AD Security Best Practices**

Securing Active Directory is of paramount importance to prevent unauthorized access and potential breaches. Some best practices include:

* **Regular Patching**: Keep all domain controllers and systems up to date with security patches to mitigate known vulnerabilities.
* **Privilege Minimization**: Assign permissions and roles only when necessary to limit potential attack surfaces.
* **Strong Password Policies**: Enforce strong password policies, multi-factor authentication (MFA), and account lockout policies.
* **Monitoring and Logging**: Implement robust monitoring and logging solutions to detect and respond to suspicious activities.
* **Backup and Recovery**: Regularly back up AD data to ensure recoverability in case of data loss or ransomware attacks.
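As an added example (not from the original page), the following read-only PowerShell audit checks the **Strong Password Policies** and **Privilege Minimization** practices above on a domain-joined host with the RSAT `ActiveDirectory` module installed; the thresholds (`$MinLength`, `$MaxLockout`, `$MaxPrivilegedMembers`) are assumed values to adjust to your own policy.

```powershell
# Added example: read-only audit of the domain password policy and of the
# effective membership of the built-in administrative groups.
Import-Module ActiveDirectory

# Assumed thresholds; tune them to your organization's standard.
$MinLength            = 14   # minimum password length
$MaxLockout           = 5    # failed attempts allowed before lockout (0 = lockout disabled)
$MaxPrivilegedMembers = 5    # effective members tolerated per admin group

$findings = @()

# --- Strong Password Policies -------------------------------------------
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt $MinLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength), expected >= $MinLength"
}
if (-not $policy.ComplexityEnabled) {
    $findings += "Password complexity is disabled"
}
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $MaxLockout) {
    $findings += "LockoutThreshold is $($policy.LockoutThreshold), expected 1..$MaxLockout"
}

# --- Privilege Minimization ---------------------------------------------
# -Recursive resolves nested groups, so the count is the *effective* membership.
# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so the lookup is wrapped in try/catch for child domains.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    try {
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
    } catch {
        continue
    }
    if ($members.Count -gt $MaxPrivilegedMembers) {
        $findings += "$group has $($members.Count) effective members, expected <= $MaxPrivilegedMembers"
    }
    # Privileged user accounts whose password never expires weaken the policy above.
    foreach ($m in $members | Where-Object { $_.objectClass -eq 'user' }) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordNeverExpires
        if ($u.PasswordNeverExpires) {
            $findings += "$group member $($u.SamAccountName) has PasswordNeverExpires set"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it from an account that can read the directory; it changes nothing and only prints the deviations it found.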
