Active Directory and Kerberos

Question 1

Windows Domain

Answer 1

Group of users and computers under the administration of a given business

Question 2

Active Directory

Answer 2

Single repository to centralize the administration of common components of a network
Provides centralized identity management
Allows you to configure and apply security policies to users and computers as needed

Question 3

Domain Controller (DC)

Answer 3

Server that runs AD services

Question 4

AD DS

Answer 4

Active Directory Domain Service
Acts as a catalog that holds the info of all the “objects” that exist on your network

Question 5

Security Principal

Answer 5

Objects (mostly users) that can be authenticated by the domain and assigned privileges over resources or act upon those resources

Question 6

OU

Answer 6

Organizational Unit
Container objects that allow you to classify users and machines
Mainly used to define sets of users with similar policing requirements

Question 7

GPO

Answer 7

Group Policy Object
Collection of settings that can be applied to OUs
Can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities

Question 8

GPOs are distributed to the network via a network share called ____

Answer 8

SYSVOL

Question 9

Tree

Answer 9

Partitioned structure with a root domain and branching subdomains that can be managed independently
Gives us better control over who can access what in the domain
Policies can be configured independently for each domain in the tree

Question 10

Forest

Answer 10

The union of several trees with different namespaces into the same network

Question 11

Domains arranged in trees and forests are joined together by ___

Answer 11

Trust relationships
These allow you to authorize a user from Domain A to access resources from Domain B
Can have one way or two way trust relationships

Question 12

Kerberos

Answer 12

The default authentication service for Microsoft Windows domains. It is intended to be more “secure” than NTLM by using third party ticket authorization as well as stronger encryption.

Question 13

Ticket Granting Ticket (TGT)

Answer 13

Authentication ticket used to request service tickets from the Ticket Granting Service for specific resources from the domain.

Question 14

Key Distribution Center (KDC)

Answer 14

Service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service.

Question 15

Kerberoasting- what is it, how to mitigate

Answer 15

Allows a user to request a service ticket for any service with a registered SPN then use that ticket to crack the service password.
Enforce strong passwords for service accounts, and don’t allow them domain admin

Question 16

AS-REP Roasting- what is it, how to mitigate

Answer 16

AS-REP Roasting dumps the krbasrep5 hashes of user accounts that have Kerberos pre-authentication disabled.
Enforce strong passwords for user accounts, and enforce Pre-Authentication

Question 17

What is the best mitigation to protect a Domain Admin account from a Pass the Ticket attack?

Answer 17

Don’t allow Domain Admin accounts onto any system except Domain Controller. Then their ticket can’t be found.

Question 18

KRBTGT

Answer 18

A KRBTGT is the service account for the KDC this is the Key Distribution Center that issues all of the tickets to the clients.
If you impersonate this account and create a golden ticket from the KRBTGT you give yourself the ability to create a service ticket for anything you want.

Question 19

mimikatz

Answer 19

Both an exploit on Microsoft Windows that extracts passwords stored in memory and software that performs that exploit. Used in pass the hash attacks