Understanding Active Directory Authentication and Security

By Tamer Hellah

1. Active Directory (AD) Authentication

Active Directory (AD) Authentication is a Windows-based system that manages both network access (authentication) and user permissions (authorization).

  • Centralized Management: AD offers centralized control over user and device settings, streamlining user and rights management with Group Policy.
  • Single Sign-On (SSO): Users can log in once and access all authorized resources within the network without additional logins.

2. Authentication Protocols

  • Kerberos Protocol:
    • Secure Logins: Users receive a “ticket” upon logging in, avoiding password transmission over the network.
    • Key Distribution Center (KDC): Comprises an Authentication Server (AS) that verifies users and issues a Ticket Granting Ticket (TGT), and a Ticket Granting Server (TGS) that exchanges the TGT for service tickets to specific resources.
    • Session Keys: Temporary keys used during sessions to ensure secure communication.
  • Lightweight Directory Access Protocol (LDAP):
    • Open Standard Protocol: A vendor-neutral protocol that AD uses for directory lookups and authentication.
    • Simple Bind: Authenticates with a plain username and password, so it relies on the transport (LDAPS) to keep them confidential.
    • SASL (Simple Authentication and Security Layer): Enhances security by employing methods like Kerberos.

3. Older and Less Secure Protocols

  • LAN Manager (LM) Hash:
    • Weak Security: Splits passwords into two 7-character chunks and hashes them separately, making them easier to crack.
    • Outdated: Not used by modern systems but might still be found in older ones.
  • NT LAN Manager (NTLM) Hash:
    • Improved Security: Supports longer, case-sensitive passwords.
    • Pass-the-Hash Attack: Attackers can use the hash to impersonate a user without knowing the password.
  • NTLMv1 and NTLMv2:
    • Challenge-Response Mechanism: The server sends a random challenge, and the client returns it encrypted with a key derived from the user’s password hash, so the password itself is never sent.
    • NTLMv2: More secure with additional client challenge and server timestamp, but still less secure than Kerberos.

4. AD Domain Users and the KRBTGT Account

  • Domain Users:
    • Access Resources: Can access shared resources like file servers and printers.
    • Log in Anywhere: Can log in to any computer within the domain.
  • KRBTGT Account:
    • Special Account: Essential for the Kerberos authentication process.
    • Target for Attackers: If compromised, it can create “Golden Tickets” granting attackers unlimited access.

5. Golden Ticket Attack

  • Step-by-Step Attack:
    • Initial Compromise: Attackers infiltrate the network, often via phishing.
    • Privilege Escalation: Gain higher access by targeting admin accounts.
    • Extract KRBTGT Hash: Use tools to extract the hash from the AD database.
    • Create Golden Tickets: Use the KRBTGT hash to forge tickets granting unrestricted domain access.
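Because a forged TGT is never issued by the KDC, one defensive check is to correlate service-ticket requests (event 4769) against TGT requests (event 4768) in the domain controller security log. The following is an added example, not part of the original article, that runs this correlation over a constructed, simplified log format and also flags tickets issued with RC4 where AES is expected:

```python
import re

# Constructed sample of domain-controller Security events (not real logs).
# 4768 = TGT requested (AS exchange), 4769 = service ticket requested (TGS exchange).
# Fields: timestamp, EventID, account, client IP, encryption type of the issued ticket.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 4768 alice 10.0.0.5 0x12
2024-05-01T08:00:03 4769 alice 10.0.0.5 0x12
2024-05-01T08:05:10 4769 admin 10.0.0.77 0x17
2024-05-01T08:05:12 4769 admin 10.0.0.77 0x17
2024-05-01T09:00:00 4768 bob 10.0.0.9 0x12
2024-05-01T09:00:01 4769 bob 10.0.0.9 0x12
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+)$")
RC4_HMAC = 0x17  # Kerberos etype for RC4-HMAC; tickets forged from an NT hash commonly use it

def parse_events(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, event_id, account, client, etype = m.groups()
            events.append({"ts": ts, "id": int(event_id), "account": account,
                           "client": client, "etype": int(etype, 16)})
    return events

def find_suspicious_tgs(events, aes_expected=True):
    """Flag 4769 events with no earlier 4768 for the same account/client pair
    (a forged TGT leaves no AS exchange behind) and, optionally, RC4 tickets."""
    seen_tgt = set()
    findings = []
    for ev in events:
        key = (ev["account"], ev["client"])
        if ev["id"] == 4768:
            seen_tgt.add(key)
        elif ev["id"] == 4769:
            reasons = []
            if key not in seen_tgt:
                reasons.append("tgs_without_tgt")
            if aes_expected and ev["etype"] == RC4_HMAC:
                reasons.append("rc4_ticket")
            if reasons:
                findings.append((ev["ts"], ev["account"], ev["client"], reasons))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_tgs(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

In a real environment the 4768 may have been logged by a different domain controller or before the collection window, so the correlation must span all DCs and a long enough time range to avoid false positives.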

6. Local Accounts

  • Types of Local Accounts:
    • Administrator: Full control over the system.
    • Guest: Disabled by default, provides temporary access.
    • SYSTEM: Used by the OS for internal functions.
    • Network Service: For services requiring network resource access.
    • Local Service: For services needing minimal privileges.

Summary

  • Authentication: Verifies user identity.
  • Authorization: Determines user permissions.
  • Access Control: Manages user permissions.
  • Users: Individuals with network access.
  • KRBTGT: Key account in Kerberos authentication.
  • Golden Ticket Attack: Major security threat exploiting the KRBTGT account to gain full domain access.

Understanding these elements helps you grasp how Active Directory secures a Windows-based network and the importance of protecting against threats like the Golden Ticket attack.
