HomeNotesWrite-Up'sBookshelfArticles

Introduction to Active Directory

What is Active Directory?

  • Active Directory (AD) is an authentication, authorization and centralized management service that runs on Windows Servers and is used to organize and control users, computers, and rules within a network.

  • The main components of AD include:

    • Domains – The core unit that groups users, computers, and resources under a common security boundary.

    • Organizational Units (OUs)Sub-divisions within a domain used to organize users, computers, and apply policies more efficiently.

    • Group Policies (GPOs)Rules and settings applied to users and computers to enforce security and management policies.

AD is based on LDAP and X.500 protocols.

Key Functions:

  • Manages permissions and access to network resources.

  • Provides single sign-on (SSO) for users.

  • Stores critical data in NTDS.DIT (AD database file).

Why is AD Important?

  • Most widely used Identity & Access Management (IAM) solution.

  • A compromised AD means full access to all systems and data (violating CIA—Confidentiality, Integrity, Availability).

  • Frequent vulnerabilities (over 3000 in the last 3 years) require proper patch management.

AD Structure – Key Terms

  • Domain – Group of objects sharing the same AD database.

  • Tree – Collection of related domains (e.g., test.local, dev.test.local).

  • Forest – Top-level structure containing multiple trees.

  • Organizational Unit (OU) – Container for users, groups, and computers.

  • Domain Controller (DC) – Server managing AD authentication and policies.

Authentication in AD

  • Username/Password (stored as NTLM/LM hashes).

Kerberos Tickets (TGT for identity proof, TGS for service access).

  • Key Distribution Center (KDC)**: a Kerberos service installed on a DC that creates tickets. Components of the KDC are the authentication server (AS) and the ticket-granting server (TGS).

  • Kerberos Tickets are tokens that serve as proof of identity (created by the KDC):

  • TGT is proof that the client submitted valid user information to the KDC.

  • TGS is created for each service the client (with a valid TGT) wants to access.

  • LDAP (a protocol that systems in the network environment use to communicate with Active Directory.).

Security Risks & Best Practices

  • Default groups (like Domain Admins, Enterprise Admins) are highly privileged – misuse leads to major breaches.

  • Account Operators group can be abused for privilege escalation.

  • Logon types leave credential traces (except Network Logon, Type 3).

Key Network Ports

  • 53 (DNS)

  • 88 (Kerberos),

  • 389/636 (LDAP)

  • 445 (SMB)

  • 3389 (RDP)

  • 5985/5986 (WinRM).

AD Weaknesses & Attack Vectors

  1. Complexity – Nested group memberships can lead to unintended admin access.

  2. Design Flaws – SMB protocol allows remote code execution on DCs.

  3. Legacy IssuesNetBIOS/LLMNR broadcast credentials, making them easy to steal.

Real-World Considerations

  • Classify critical systems (ERP, backups, etc.) to prioritize security.

  • Services like DNS, PKI, or SCCM can be exploited for AD takeover.

Next Steps:

  • Study AD Enumeration & Attacks for common exploitation techniques.

  • Ensure patch management and least privilege principles are enforced.

PreviousModule 6 - Active DirectoryNextOverview

Last updated