Wednesday, July 22, 2020

Day-6 - An Overview of the Active Directory Security Lab Domain


Hello. I hope this finds you doing well. This post is Day-6 of Active Directory Security for Cyber Security Experts.

Today, I'll share an overview of the contents of the Active Directory Security Lab VM setup, i.e. the contents of the lab domain that we will be using to learn more about Active Directory security, so we are all sufficiently familiar with it.


The lab Active Directory Security virtual machine contains a Windows Server 2019 based single domain forest.

The following is an overview of this lab domain, corp.local -
  1. There are 3002 objects in this domain, located in and across 277 organizational units and 141 containers
  2. There are 277 OUs in a well-defined hierarchy, based on administrative delegation and GP inheritance needs
  3. There are 1000 domain user accounts, including privileged, employee, contractor and executive accounts
  4. There are 1191 domain computer accounts, including accounts for laptops, workstations and servers in data-centers
  5. There are 284 domain security groups, including 50 privileged access groups and various departmental groups
  6. There are 14 GPOs linked to various OUs, as well as 4 service connection points, 10 contacts and 3 printers
  7. There are 5 managed service accounts (MSAs), 5 MSA groups, and 7 legacy service accounts in the domain
  8. There are 100 IT personnel that are members of 33 IT security groups representing various IT/security roles
  9. There are 182,866 ACEs in 3002 ACLs that specify various security permissions for various security principals
  10. There are 17 default administrative (privileged access) groups that contain a total of 23 domain user accounts

OU Structure

The realistic OU structure for the corp.local domain of this fictional organization is designed based on the organization's geographical locations, administrative delegation requirements and group policy inheritance needs.

The following is how the OU structure is laid out -
  1. The top-most level OU is the Global OU, ou=global,dc=corp,dc=local
  2. Within the Global OU are the OUs for each continent/region in which the company has operations
  3. Within each continent/region OU are OUs for all countries in that region where the company has a presence
  4. Within each country, there are OUs for each city where the company has an office
  5. Within each city, there is a Users OU and a Computers OU, the only exception being the San Francisco OU
  6. This company is headquartered in San Francisco so its OU contains departmental OUs for various departments including Research, Development, Sales, Marketing, Finance, Legal, Human Resources, Executives, Security & IT
  7. All IT user accounts, workstations and security groups are located in the IT OU within the San Francisco OU

There are several administrative delegations done in the ACLs of various OUs, including a common set of delegations on the top-level Global OU, continent/region specific delegations at those OU levels, and finally delegations on departmental OUs.

The IT OU is noteworthy, for in it reside all the IT admin accounts, IT workstations, IT groups as well as all legacy service accounts. There are several delegations made in this OU to provide additional protection for IT accounts, computers and security groups. IT accounts that are members of the various default admin groups are protected by AdminSDHolder.

IT/Privileged Access Groups

There are 33 IT groups that are used to delegate administrative (privileged) access across this Active Directory domain, and they reside in the IT Security Groups OU, which resides in the IT OU within the San Francisco OU.

These 33 IT security groups span the following IT management categories and have been duly delegated/provisioned privileged access (i.e. security permissions) in Active Directory to facilitate their respective role responsibilities -
  1. IT Management and Internal Audit - IT Managers, IT Service Management Team, IT Auditors, IT Contractors
  2. Directory Services Management - IT Critical Infrastructure Admins, IT Directory Services Management Team
  3. Privileged Access Management - IT Access Control Team, IT Admin Support Backup Team, IT Admin Support Team
  4. Identity & Access Management - IT Identity Management Team, IT Access Management Team, IT Help Desk Team
  5. Host Management - IT Host Management Team, IT Americas Admins, IT EMEA Admins, IT APAC Admins
  6. Messaging & Collaboration - IT Exchange Admins, IT Exchange Support Team
  7. Application & Database Management - IT Database Admins, IT Application Development Team
  8. Security Incident and Response - IT Security Incident Response Team, IT Contingency Support Team
  9. Cyber & Network Security - IT Cyber Security Team, IT Network Operations Team, IT Data Security Team, IT Group Policy Management Team, IT Executive Support Team, IT Network Security Team, IT Local Admin Teams
  10. Special Operations - IT Special Ops, IT Cloud Computing Team, IT Security Analysts, IT Data Center Team

Thus, as seen above, there are numerous IT groups that have been granted various levels of access in this domain.

Administrative Delegations

As noted above, numerous administrative delegations have been done across this Active Directory domain to facilitate the access that the above mentioned groups need in order to carry out their responsibilities.

For instance, here are some high-level delegations that have been done to provision sufficient access -
  1. Identity Management Team - Privileged access to be able to create, manage and delete domain user accounts
  2. Access Management Team - Privileged access to be able to create, manage and delete domain security groups 
  3. IT Help Desk Team - Privileged access to be able to perform password resets and unlock accounts
  4. IT Admin Support Team - Privileged access to be able to manage IT/privileged access accounts
  5. IT Local Admin Teams - Privileged access to be able to manage local computer accounts 
  6. IT Group Policy Management Teams - Privileged access to be able to manage GPOs and link them to OUs
  7. IT Access Control Team - Privileged access to be able to modify permissions in Active Directory 
  8. IT Executive Support Team - Privileged access to be able to manage high-value executive accounts
  9. IT Cloud Computing Team - Privileged access to be able to integrate AD with cloud services
  10. IT Special Ops - Special privileged access to be able to perform certain sensitive operations

In this manner, every domain security group listed above has been granted various security permissions in this domain.

Default Administrative Group Memberships

To make this lab VM as realistic as possible, just like in the real world, several default administrative groups are in use, and custom IT security groups have been made members of these groups to facilitate unrestricted privileged access.

For instance, the following are the direct group memberships of some of the default administrative groups -
  1. Administrators - Administrator account, Enterprise Admins, Domain Admins
  2. Enterprise Admins - Administrator account, IT Critical Infrastructure Admins
  3. Domain Admins - Administrator account, IT Directory Services Management Team, Privileged Service Accounts
  4. Schema Admins - Administrator account
  5. Backup Operators - IT Directory Services Management Team
  6. Server Operators - IT Directory Services Management Team, IT Host Management Team
  7. Account Operators - <empty>
  8. Print Operators - <empty>
  9. Domain Controllers - <empty>
  10. Read-only Domain Controllers - <empty>
  11. Replicator - <empty>
  12. Key Admins - <empty>
  13. Enterprise Key Admins - <empty>

Thus, as seen above, most default administrative groups have been used as they would be in a real-world deployment.
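
Because Administrators itself contains Enterprise Admins and Domain Admins, the custom IT groups reach more default administrative groups than their direct memberships show. The following is an added example, not code from the original post: it expands the direct memberships listed above into effective (nested) memberships. The function names are hypothetical, and the data is transcribed from the list with the empty groups left out.

```python
# Direct memberships as listed in the post; names are taken as written there.
DIRECT_MEMBERS = {
    "Administrators": ["Administrator", "Enterprise Admins", "Domain Admins"],
    "Enterprise Admins": ["Administrator", "IT Critical Infrastructure Admins"],
    "Domain Admins": ["Administrator", "IT Directory Services Management Team",
                      "Privileged Service Accounts"],
    "Schema Admins": ["Administrator"],
    "Backup Operators": ["IT Directory Services Management Team"],
    "Server Operators": ["IT Directory Services Management Team",
                         "IT Host Management Team"],
}


def effective_members(group, members=DIRECT_MEMBERS, _seen=None):
    """Return every principal that is a direct or nested member of `group`."""
    seen = {group} if _seen is None else _seen
    result = set()
    for member in members.get(group, []):
        if member in seen:  # already expanded; also guards circular nesting
            continue
        seen.add(member)
        result.add(member)
        # A member that is itself a listed group contributes its own members.
        result |= effective_members(member, members, seen)
    return result


def admin_reach(members=DIRECT_MEMBERS):
    """Map each non-default principal to the default admin groups it reaches."""
    reach = {}
    for group in members:
        for principal in effective_members(group, members):
            if principal not in members:  # skip the default groups themselves
                reach.setdefault(principal, set()).add(group)
    return reach


if __name__ == "__main__":
    for principal, groups in sorted(admin_reach().items()):
        print(f"{principal}: {', '.join(sorted(groups))}")
```

The output shows, for example, that IT Directory Services Management Team is effectively a member of Administrators, Domain Admins, Backup Operators and Server Operators, although it is listed directly in only three of them.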


As you know, the ACL protecting the AdminSDHolder object in the System container is stamped on all default administrative accounts and groups and serves to provide them additional protection.

To facilitate privileged access management of these default administrative accounts and groups, as well as to explicitly prevent certain groups from having any access on them, the AdminSDHolder ACL has been accordingly modified, and includes several Deny and Allow permissions for various non-default administrative/IT groups.

Further, there are a total of 13 default administrative groups and 4 non-default administrative groups protected by AdminSDHolder, and they contain a total of 23 domain user accounts, including the default Administrator account.

Domain Root ACL

The ACL protecting the domain root object has also been modified, as is usually the case in most Active Directory deployments, and several administrative delegations have been made in this ACL.

Thus, there are many additional security permissions in this ACL, some controlling access on the domain root object itself, and other inherited permissions controlling and impacting access domain-wide.


In today's lesson, we took a closer look at the contents of our lab VM Active Directory domain so that we could become familiar with its contents. We now have a better understanding of its OU structure, its contents, administrative delegations and the existence of various custom permissions across the domain, including notably on the domain root, the Global OU, the Executives OU, the IT OU and on the AdminSDHolder object.

Further, and more importantly, as it pertains to privileged access, we also know that there are a total of 21 domain user accounts (which includes 7 legacy service accounts) that are considered to be privileged in nature, as they are all directly or indirectly members of all default and other administrative groups that are being protected by AdminSDHolder.

However, is the real number of individuals who possess privileged access in this domain 21, or is it greater?!

Tomorrow onwards, we'll start deep-diving into various aspects of privileged access, and during these exercises, we will learn how to correctly identify and lock down privileged access in Active Directory, and how to bullet-proof Active Directory.

That's all for now.

Best wishes,


© 2006 - 2024 Paramount Defenses.
All Rights Reserved.
