Skip to content

Windows Domains

A Windows domain is a group of users and computers under the administration of a given business. The main idea behind a domain is to centralize the administration of common components of a Windows computer network in a single repository called Active Directory (AD).

The server that runs the Active Directory services is known as a Domain Controller (DC).

Active Directory

The core of any Windows Domain is the Active Directory Domain Service (AD DS). This service acts as a catalogue that holds the information of all of the "objects" that exist on your network. Amongst the many objects supported by AD, we have users, groups, machines, printers, shares and many others.

Users

Users can be used to represent two types of entities: - People: Users can be used to represent two types of entities: - Services: Used by services like IIS or MSSQL. Every single service requires a user to run, but service users are different from regular users as they will only have the privileges needed to run their specific service.

Machines

The machine account name is the computer's name followed by a dollar sign. For example, a machine named DC01 will have a machine account called DC01$.

Security Groups

Groups can have both users and machines as members. If needed, groups can include other groups as well.

Some of the most important groups in a domain are:

Security Group Description
Domain Admins Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs.
Server Operators Users in this group can administer Domain Controllers. They cannot change any administrative group memberships.
Backup Operators Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers.
Account Operators Users in this group can create or modify other accounts in the domain.
Domain Users Includes all existing user accounts in the domain.
Domain Computers Includes all existing computers in the domain.
Domain Controllers Includes all existing DCs on the domain.

Security Groups vs Organizational Units

  • OUs are handy for applying policies to users and computers, which include specific configurations that pertain to sets of users depending on their particular role in the enterprise. Remember, a user can only be a member of a single OU at a time, as it wouldn't make sense to try to apply two different sets of policies to a single user.
  • Security Groups are used to grant permissions over resources. For example, you will use groups if you want to allow some users to access a shared folder or network printer. A user can be a part of many groups, which is needed to grant access to multiple resources.

Managing Computers in AD

In general, you'd expect to see devices divided into at least the three following categories: - Workstations: Each user in the domain will likely be logging into a workstation. This is the device they will use to do their work or normal browsing activities. These devices should never have a privileged user signed into them. - Servers: Servers are the second most common device within an Active Directory domain. Servers are generally used to provide services to users or other servers. - Domain Controllers: Domain Controllers allow you to manage the Active Directory Domain. These devices are often deemed the most sensitive devices within the network as they contain hashed passwords for all user accounts within the environment.

Authentication Methods

When using Windows domains, all credentials are stored in the Domain Controllers. Whenever a user tries to authenticate to a service using domain credentials, the service will need to ask the Domain Controller to verify if they are correct.

Two protocols can be used for network authentication in windows domains: - Kerberos: Used by any recent version of Windows. This is the default protocol in any recent domain. - NetNTLM: Legacy authentication protocol kept for compatibility purposes.

Kerberos Authentication

Kerberos authentication is the default authentication protocol for any recent version of Windows. Users who log into a service using

Kerberos will be assigned tickets. Think of tickets as proof of a previous authentication. Users with tickets can present them to a service to demonstrate they have already authenticated into the network before and are therefore enabled to use it.

When Kerberos is used for authentication, the following process happens:

  1. The user sends their username and a timestamp encrypted using a key derived from their password to the Key Distribution Center (KDC), a service usually installed on the Domain Controller in charge of creating Kerberos tickets on the network.

The KDC will create and send back a Ticket Granting Ticket (TGT), which will allow the user to request additional tickets to access specific services. Along with the TGT, a Session Key is given to the user, which they will need to generate the following requests.

  1. When a user wants to connect to a service on the network like a share, website or database, they will use their TGT to ask the KDC for a Ticket Granting Service (TGS). TGS are tickets that allow connection only to the specific service they were created for. The user will send their username and a timestamp encrypted using the Session Key, along with the TGT and a Service Principal Name (SPN), which indicates the service and server name we intend to access.

The KDC will send us a TGS along with a Service Session Key, which we will need to authenticate to the service we want to access. The TGS is encrypted using a key derived from the Service Owner Hash. The Service Owner is the user or machine account that the service runs under. The TGS contains a copy of the Service Session Key on its encrypted contents so that the Service Owner can access it by decrypting the TGS.

  1. The TGS can then be sent to the desired service to authenticate and establish a connection. The service will use its configured account's password hash to decrypt the TGS and validate the Service Session Key.

NetNTLM Authentication

  1. The client sends an authentication request to the server they want to access.
  2. The server generates a random number and sends it as a challenge to the client.
  3. The client combines their NTLM password hash with the challenge (and other known data) to generate a response to the challenge and sends it back to the server for verification.
  4. The server forwards the challenge and the response to the Domain Controller for verification.
  5. The domain controller uses the challenge to recalculate the response and compares it to the original response sent by the client. If they both match, the client is authenticated; otherwise, access is denied. The authentication result is sent back to the server.
  6. The server forwards the authentication result to the client.

Trees, Forests and Trusts

Trees

Active Directory supports integrating multiple domains so that you can partition your network into units that can be managed independently. If you have two domains that share the same namespace, those domains can be joined into a Tree.

Additionally, a new security group needs to be introduced when talking about trees and forests. The Enterprise Admins group will grant a user administrative privileges over all of an enterprise's domains. Each domain would still have its Domain Admins with administrator privileges over their single domains and the Enterprise Admins who can control everything in the enterprise.

Forests

The domains you manage can also be configured in different namespaces. Suppose your company continues growing and eventually acquires another company called. When both companies merge, you will probably have different domain trees for each company, each managed by its own IT department. The union of several trees with different namespaces into the same network is known as a forest.

Trusts Relationships

Domains arranged in trees and forests are joined together by trust relationships.

The simplest trust relationship that can be established is a one-way trust relationship. In a one-way trust, if Domain AAA trusts Domain BBB, this means that a user on BBB can be authorized to access resources on AAA.

Two-way trust relationships can also be made to allow both domains to mutually authorize users from the other. By default, joining several domains under a tree or a forest will form a two-way trust relationship.