
Wednesday, July 22, 2020

Day-6 - An Overview of the Active Directory Security Lab Domain


Folks,

Hello. I hope this finds you doing well. This post is Day-6 of Active Directory Security for Cyber Security Experts.


Today, I'll share an overview of the contents of the Active Directory Security Lab VM setup, i.e. the contents of the lab domain that we will be using to learn more about Active Directory security, so we are all sufficiently familiar with it.



Overview

The lab Active Directory Security virtual machine contains a Windows Server 2019 based single domain forest.


The following is an overview of this lab domain, corp.local -
  1. There are 3002 objects in this domain, located in and across 277 organizational units and 141 containers
  2. There are 277 OUs in a well-defined hierarchy, based on administrative delegation and GP inheritance needs
  3. There are 1000 domain user accounts, including privileged, employee, contractor and executive accounts
  4. There are 1191 domain computer accounts, including for laptops, workstations and servers in data-centers
  5. There are 284 domain security groups, including 50 privileged access groups and various departmental groups
  6. There are 14 GPOs linked to various OUs, as well as 4 service connection points, 10 contacts and 3 printers
  7. There are 5 managed service accounts (MSAs), 5 MSA groups, and 7 legacy service accounts in the domain
  8. There are 100 IT personnel that are members of 33 IT security groups representing various IT/security roles
  9. There are 182,866 ACEs in 3002 ACLs that specify various security permissions for various security principals
  10. There are 17 default administrative (privileged access) groups that contain a total of 23 domain user accounts



OU Structure

The realistic OU structure for the corp.local domain of this fictional organization is designed based on the organization's geographical locations, administrative delegation requirements and group policy inheritance needs.


The following is how the OU structure is laid out -
  1. The top-most level OU is the Global OU,  ou=global,dc=corp,dc=local
  2. Within the Global OU are the OUs for each continent/region in which the company has operations
  3. Within each continent/region OU are OUs for all countries in that region where the company has a presence
  4. Within each country, there are OUs for each city where the company has an office
  5. Within each city, there is a Users OU and a Computers OU, the only exception being the San Francisco OU
  6. This company is headquartered in San Francisco, so its OU contains departmental OUs for various departments including Research, Development, Sales, Marketing, Finance, Legal, Human Resources, Executives, Security & IT
  7. All IT user accounts, workstations and security groups are located in the IT OU within the San Francisco OU

There are several administrative delegations done in the ACLs of various OUs, including a common set of delegations on the top-level Global OU, continent/region specific delegations at those OU levels, and finally delegations on departmental OUs.

The IT OU is noteworthy, for in it reside all the IT admin accounts, IT workstations, IT groups as well as all legacy service accounts. There are several delegations made in this OU to provide additional protection for IT accounts, computers and security groups. IT accounts that are members of the various default admin groups are protected by AdminSDHolder.




IT/Privileged Access Groups

There are 33 IT groups that are used to delegate administrative (privileged) access across this Active Directory domain, and they reside in the IT Security Groups OU, which resides in the IT OU within the San Francisco OU.


These 33 IT security groups span the following IT management categories and have been duly delegated/provisioned privileged access (i.e. security permissions) in Active Directory to facilitate their respective role responsibilities -
  1. IT Management and Internal Audit - IT Managers, IT Service Management Team, IT Auditors, IT Contractors
  2. Directory Services Management - IT Critical Infrastructure Admins, IT Directory Services Management Team
  3. Privileged Access Management - IT Access Control Team, IT Admin Support Backup Team, IT Admin Support Team
  4. Identity & Access Management - IT Identity Management Team, IT Access Management Team, IT Help Desk Team
  5. Host Management - IT Host Management Team, IT Americas Admins, IT EMEA Admins, IT APAC Admins
  6. Messaging & Collaboration - IT Exchange Admins, IT Exchange Support Team
  7. Application & Database Management - IT Database Admins, IT Application Development Team
  8. Security Incident and Response - IT Security Incident Response Team, IT Contingency Support Team
  9. Cyber & Network Security - IT Cyber Security Team, IT Network Operations Team, IT Data Security Team, IT Group Policy Management Team, IT Executive Support Team, IT Network Security Team, IT Local Admin Teams
  10. Special Operations - IT Special Ops, IT Cloud Computing Team, IT Security Analysts, IT Data Center Team

Thus, as seen above, there are numerous IT groups that have been granted various levels of access in this domain.




Administrative Delegations

As noted above, numerous administrative delegations have been done across this Active Directory domain to facilitate the access that the above-mentioned groups need in order to carry out their responsibilities.


For instance, here are some high-level delegations that have been done to provision sufficient access -
  1. Identity Management Team - Privileged access to be able to create, manage and delete domain user accounts
  2. Access Management Team - Privileged access to be able to create, manage and delete domain security groups
  3. IT Help Desk Team - Privileged access to be able to perform password resets and unlock accounts
  4. IT Admin Support Team - Privileged access to be able to manage IT/privileged access accounts
  5. IT Local Admin Teams - Privileged access to be able to manage local computer accounts
  6. IT Group Policy Management Team - Privileged access to be able to manage GPOs and link them to OUs
  7. IT Access Control Team - Privileged access to be able to modify permissions in Active Directory
  8. IT Executive Support Team - Privileged access to be able to manage high-value executive accounts
  9. IT Cloud Computing Team - Privileged access to be able to integrate AD with cloud services
  10. IT Special Ops - Special privileged access to be able to perform certain sensitive operations

In this manner, every domain security group listed above has been granted various security permissions in this domain.
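The OU-level delegations described above (on the Global OU, the regional OUs and the departmental OUs) can be read back from the OU ACLs. The following is an added example, not code from the original post or the lab VM; it assumes the RSAT ActiveDirectory module and a session that can read corp.local, and resolves the GUIDs that scope each ACE into schema names so a delegation reads as words rather than GUIDs.

```powershell
# Added example, not part of the original post: list the delegations set directly on each OU
# under the Global OU, resolving the GUIDs that scope an ACE to a property, extended right or
# object class into their schema names, so "reset password on user objects" reads as words.
# Assumes the RSAT ActiveDirectory module and a session that can read corp.local.
Import-Module ActiveDirectory

# GUID -> name lookup built from the schema partition and the Extended-Rights container.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

function Get-OuDelegations {
    param([Parameter(Mandatory)][string]$OuDn)
    # The AD: PSDrive comes with the ActiveDirectory module; Get-Acl returns the security
    # descriptor with one entry per ACE.
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        # Inherited ACEs were delegated higher up; report only what was set on this OU.
        if ($ace.IsInherited) { continue }
        [pscustomobject]@{
            OU          = $OuDn
            Principal   = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType                   # Allow / Deny
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = Resolve-AceGuid $ace.ObjectType          # property, right or class
            InheritedBy = Resolve-AceGuid $ace.InheritedObjectType # child class the ACE is scoped to
            Inheritance = $ace.InheritanceType
        }
    }
}

# Walk the Global OU and everything beneath it; skip the well-known principals every OU carries
# so the custom IT-group delegations stand out.
Get-ADOrganizationalUnit -SearchBase 'OU=Global,DC=corp,DC=local' -Filter * |
    ForEach-Object { Get-OuDelegations -OuDn $_.DistinguishedName } |
    Where-Object { $_.Principal -notmatch '^(NT AUTHORITY|BUILTIN|Everyone|CREATOR OWNER)' } |
    Sort-Object OU, Principal |
    Format-Table -AutoSize
```

Only non-inherited ACEs are shown per OU, so a delegation made on the Global OU appears once, at the Global OU, rather than on every OU beneath it.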




Default Administrative Group Memberships

To make this lab VM as realistic as possible, just like in the real world, several default administrative groups are in use, and custom IT security groups have been made members of these groups to facilitate unrestricted privileged access.


For instance, the following are the direct group memberships of some of the default administrative groups -
  1. Administrators - Administrator account, Enterprise Admins, Domain Admins
  2. Enterprise Admins - Administrator account, IT Critical Infrastructure Admins
  3. Domain Admins - Administrator account, IT Directory Services Management Team, Privileged Service Accounts
  4. Schema Admins - Administrator account
  5. Backup Operators - IT Directory Services Management Team
  6. Server Operators - IT Directory Services Management Team, IT Host Management Team
  7. Account Operators - <empty>
  8. Print Operators - <empty>
  9. Domain Controllers - <empty>
  10. Read-only Domain Controllers - <empty>
  11. Replicator - <empty>
  12. Key Admins - <empty>
  13. Enterprise Key Admins - <empty>

Thus, as seen above, most default administrative groups have been used as they would be in a real-world deployment.




AdminSDHolder

As you know, the ACL protecting the AdminSDHolder object in the System container is stamped on all default administrative accounts and groups and serves to provide them additional protection.


To facilitate privileged access management of these default administrative accounts and groups, as well as to explicitly prevent certain groups from having any access on them, the AdminSDHolder ACL has been accordingly modified, and includes several Deny and Allow permissions for various non-default administrative/IT groups.

Further, there are a total of 13 default administrative groups and 4 non-default administrative groups protected by AdminSDHolder, and they contain a total of 23 domain user accounts, including the default Administrator account.
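The membership figures above can be cross-checked from two directions: by flattening the default administrative groups (directly and via nesting) and by reading the adminCount attribute that the AdminSDHolder stamping process sets. The following is an added example, not code from the original post or the lab VM; it assumes the RSAT ActiveDirectory module and read access to corp.local.

```powershell
# Added example, not part of the original post: flatten the membership of the 13 default
# administrative groups that AdminSDHolder protects and compare it with the accounts the
# SDProp process has stamped (adminCount=1). The two views should agree; a difference is
# worth a look, since adminCount is not cleared when an account leaves a protected group.
# Assumes the RSAT ActiveDirectory module and read access to corp.local.
Import-Module ActiveDirectory

# Address the groups by SID so they are found even if renamed. Built-in local groups have
# fixed S-1-5-32 SIDs; domain groups are the domain SID plus a well-known RID.
$domainSid = (Get-ADDomain).DomainSID.Value
$groupSids = @(
    'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',   # Administrators, Account Ops, Server Ops
    'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552',   # Print Ops, Backup Ops, Replicator
    "${domainSid}-512", "${domainSid}-516",           # Domain Admins, Domain Controllers
    "${domainSid}-518", "${domainSid}-519",           # Schema Admins, Enterprise Admins
    "${domainSid}-521",                               # Read-only Domain Controllers
    "${domainSid}-526", "${domainSid}-527"            # Key Admins, Enterprise Key Admins
)

function Get-EffectivePrivilegedUsers {
    param([string[]]$Sids)
    $result = @{}   # user DN -> list of default admin groups it reaches
    foreach ($sid in $Sids) {
        $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive flattens nested groups and returns only leaf principals.
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            if ($m.objectClass -ne 'user') { continue }
            if (-not $result.ContainsKey($m.DistinguishedName)) { $result[$m.DistinguishedName] = @() }
            $result[$m.DistinguishedName] += $group.Name
        }
    }
    return $result
}

$viaGroups = Get-EffectivePrivilegedUsers -Sids $groupSids
$stamped   = @(Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName)

"Users reachable through default admin groups : $($viaGroups.Count)"
"Users stamped by AdminSDHolder (adminCount=1): $($stamped.Count)"

# Stamped but in no default admin group: orphaned protection, or membership in one of the
# non-default groups the post says are also protected here.
$stamped | Where-Object { -not $viaGroups.ContainsKey($_) } | ForEach-Object { "stamped only: $_" }

# In a default admin group but not yet stamped: SDProp has not run since the change (it runs
# hourly by default), so the account is privileged without AdminSDHolder's protection yet.
$viaGroups.Keys | Where-Object { $stamped -notcontains $_ } |
    ForEach-Object { "group only  : $_ (via $($viaGroups[$_] -join ', '))" }
```

Neither view accounts for access granted through delegated ACEs rather than group membership, which is why the group-based count is a lower bound on who is privileged.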




Domain Root ACL

The ACL protecting the domain root object has also been modified, as is usually the case in most Active Directory deployments, and several administrative delegations have been made in this ACL.


Thus, there are many additional security permissions in this ACL, some controlling access on the domain root object itself, and other inherited permissions controlling and impacting access domain-wide.




Summary

In today's lesson, we took a closer look at the contents of our lab VM Active Directory domain so that we could become familiar with its contents. We now have a better understanding of its OU structure, its contents, administrative delegations and the existence of various custom permissions across the domain, including notably on the domain root, the Global OU, the Executives OU, the IT OU and on the AdminSDHolder object.

Further, and more importantly, as it pertains to privileged access, we also know that there are a total of 21 domain user accounts (which includes 7 legacy service accounts) that are considered to be privileged in nature, as they are all directly or indirectly members of the default and other administrative groups that are being protected by AdminSDHolder.

However, is the real number of individuals who possess privileged access in this domain 21, or is it greater?!

Tomorrow onwards, we'll start deep-diving into various aspects of privileged access, and during these exercises, we will learn how to correctly identify and lock down privileged access in Active Directory, and how to bullet-proof Active Directory.

That's all for now.

Best wishes,
Sanjay

Thursday, June 25, 2020

Day 3 - Active Directory Security (Privileged Access) Lab Virtual Machine


Folks,

Hello. I hope this finds you doing well. This post is Day-3 of Active Directory Security for Cyber Security Experts.


Today, I'm making available a special Active Directory Security lab virtual machine that everyone can download for free that we built to help organizations and experts worldwide learn advanced Active Directory Security and Privileged Access.



An Active Directory Security Lab VM

Over the next thirty to sixty days, I'll be teaching the world how to correctly audit privileged access in Active Directory (AD), and to help everyone learn, follow and try it out for themselves, I had a special AD Security VM custom-built for everyone.


This is a free, instantly downloadable, custom-built VM running Windows Server 2019, complete with -
  1. Over 1000 security principals, including domain user accounts, computer accounts and security groups
  2. Over 3000 objects including GPOs, service connection points, print queues and managed service accounts
  3. Over 30 custom real-world administrative delegations provisioned across over 200 organizational units (OUs)
  4. Over 150,000 Active Directory security permissions spanning over 3000 Active Directory access control lists (ACLs)
  5. Custom permissions in the AdminSDHolder ACL as well as on the domain root object, governing Mimikatz DCSync



Active Directory Security Scenarios

Today organizations worldwide need to know how to adequately secure and defend their foundational Active Directory deployments from compromise, especially how to deal with specific advanced Active Directory Security scenarios.


This custom-built Active Directory Security lab VM contains specifically implemented examples of many such advanced Active Directory Security scenarios -
  1. How to correctly audit privileged access (the "Keys to the Kingdom") in Active Directory
  2. How to correctly assess, verify and lock down privileged access in Active Directory
  3. How to attain and maintain Least Privileged Access (LPA) in Active Directory
  4. How to perform Privileged Account Discovery (PAD) in Active Directory
  5. How to correctly assess various Active Directory Security solutions

  6. How to uncover stealthy admins in Active Directory
  7. How to identify sneaky persistence in Active Directory
  8. How to prevent the spread of ransomware via Active Directory
  9. How to identify (1000s of) privilege escalation Paths in Active Directory
  10. How to eliminate serious risks posed by Bloodhound, Mimikatz DC Sync etc.

Over the next few days, I will walk through crystal-clear examples of each of these scenarios in this lab VM and show how to identify them, helping everyone learn how to address these scenarios in real-world ADs.




Fulfilling Active Directory Focused Privileged Access Management (PAM) Audit Needs

Organizations worldwide also need to correctly fulfill Privileged Access Management (PAM) focused privileged access audit requirements involving Active Directory, so I'll also show you how to easily and correctly fulfill such requirements.


Specifically, for the benefit of IT, cyber security and compliance audit professionals, I'll share -
  1. How to correctly audit who has what privileged access in and across the entire Active Directory (i.e. domain-wide)
  2. How to correctly audit who has what privileged access on a specific Active Directory object (e.g. the CEO's/CFO's domain user account, the Domain Admins security group, the domain root, a specific OU, AdminSDHolder etc.) 

Today, unfortunately, most organizations and auditors do not know how to correctly do so, so this should be equally helpful.




Real-World Active Directory Contents

This AD Security lab VM contains a Windows Server 2019 powered Active Directory forest, corp.local, for a fictional multi-national corporation headquartered in the USA with worldwide operations across the Americas, Europe, the Middle East and Asia.


It has an elaborate, real-world like organizational unit (OU) hierarchy that includes well over 200 OUs, across which realistic, custom administrative delegations have been provisioned for various IT security groups such as Help Desk.





Real-World Privileged Access / Administrative Delegations

This AD Security lab VM has also been custom-configured with over two dozen real-world administrative delegations that have been granted to over two dozen domain security groups across this fictional domain, just like in the real world.


In particular, privileged/administrative access has been carefully delegated/provisioned in this Active Directory for domain user account (identity) management, security group (access) management, computer (host) management, group policy management etc., just like it is done at most organizations in the real world, both directly and via group nesting.

Administrative tasks that have been delegated include account creations (provisioning), object deletions, password resets, account expirations, group membership changes, access control (ACL) modifications, group policy (GPO) linking, and so on.





Download Point

This custom-built Active Directory Security lab VM is free for everyone to use, and it can be instantly downloaded from HERE.




Its file size is 7,729,720,905 bytes (7.21 GB) and its MD5 hash is 390c9597a2568cd0f5f64b48b9c81f20.


Step-by-step directions on how to download and get started with this VM in less than five minutes are provided below.





Getting Started

It takes less than five (5) minutes to get started, and here are step-by-step instructions on how to do so -

  1. Download this free Active Directory Security Virtual Machine from here.
  2. Download and install the free version of VMWare Workstation Player from here.
  3. Unzip the VM to extract the "AD Security" folder
  4. Create a "Virtual Machines" folder in "My Documents"
  5. Move the unzipped "AD Security" folder into the "Virtual Machines" folder

  6. Launch VM Workstation Player and select "Open a Virtual Machine"
  7. Point it to the "AD Security.vmx" file in the "My Documents\Virtual Machines\AD Security" folder
  8. Then select the "AD Security VM" and click the play button to start it.
  9. At the logon screen, login as "CORP\Administrator" (The password is provided below.)
  10. Open a command-prompt, and enter "slmgr /rearm" to rearm the Windows license, then restart the VM.

That's it. Login as Administrator, then launch the "Start here" text file located on the desktop (in the VM) to become acquainted with the contents of this VM, subsequent to which you can launch ADUC to begin exploring AD contents.


  • Note: In step 8 above, you may (or may not) need to change the working directory for the VM. Should you need to do so, click on "Edit Virtual Machine Settings," then select the "Options" tab, and under "General" settings, locate the "Working Directory" text-box on the right-hand side, and modify it.


  • Please do NOT change any contents of this VM yet, especially any security permissions or domain security group memberships as I will be walking you through numerous specific examples, and if the permissions or group memberships have been changed, your results will not be the same.





Password

You will need the password for the Administrator account to login to this virtual machine.


The case-sensitive password for the Administrator account is: ParamountDefenses!


If you're having problems logging in, feel free to send me a message on LinkedIn.




Summary

Today, Active Directory is the foundation of IT, cyber security and privileged access at 85% of organizations worldwide.


Those who know how to correctly analyze privileged access inside Active Directory possess substantial power because almost everything in Active Directory Security ultimately boils down to privileged access on Active Directory objects.


Over the next month, I'll be helping millions of IT and Cyber Security professionals worldwide gain this valuable skill, and the remaining lessons over the next 30 to 60 days will all refer to examples in this custom-built AD Security lab VM.

This AD Security Lab VM was custom built to illustrate and demonstrate the scenarios mentioned above and should be very helpful for anyone who may have a desire to gain advanced Active Directory Security and Privileged Access skills.

Best wishes,
Sanjay.


PS: July 22, 2020 Update - A detailed overview of the contents of this domain can be found here.

PS2: March 08, 2021 Update - A new version of the VM has now been made available. The download link above and the file size and MD5 hash details above are for the new version. For reference, the file size of the original (2020) version was 7,747,920,663 bytes (7.21 GB) and its MD5 hash was 80be4b771485303f069a63f8eb7b4c9e.


© 2006 - 2025 Paramount Defenses. All Rights Reserved.
