Lab 10 | Using Account Management Tools

--------------------------------------------------------------------------------------------------------------------------
We began the lab with Process Explorer, which is in practice a more advanced version of Task Manager: it offers more information about, and more control over, the processes currently running on the machine. We enabled the 'User' column, which shows which user account each process is running under. The interface also gives a more accurate CPU reading than the default Task Manager, which sometimes fails to do so.

It is important to understand what is business as usual and what is an unneeded or possibly malicious process. Malware will often attempt to appear as inconspicuous as possible to avoid detection by the user.
------------------------------------------------------------------------------------------------------------------------- 


--------------------------------------------------------------------------------------------------------------------------
AD provides built-in user groups that cover many of the generic group responsibilities found in a corporate environment. Although the company I work at does not actually use any of these default groups, they may be applicable in a larger corporate setting.
--------------------------------------------------------------------------------------------------------------------------


--------------------------------------------------------------------------------------------------------------------------
Our goal in this lab is to implement some of Microsoft's recommended best practices for administrative accounts and to learn the weaknesses of not applying such measures to your own system.

Below we are viewing the SID of the Administrator account on WIN2016-DC; from this information we can discern what type of account it is. Regardless, it is still advised to obscure the admin account in other ways. This does not make it impossible to discern the account type, but it acts as another layer that makes the system harder to compromise.
--------------------------------------------------------------------------------------------------------------------------



--------------------------------------------------------------------------------------------------------------------------
The Administrator account is a member of the following groups:
  • Administrators
  • Domain Admins
  • Domain Users
  • Enterprise Admins
  • Group Policy Creator Owners
  • Schema Admins
This offers various admin permissions. It indicates to me that administrators may have their own levels of permissions, allowing domain admins to create admins who can only execute admin actions within the areas they are assigned to through user groups.

We next renamed the administrator account to something less obvious and removed the default administrator description; this acts as a layer of obscurity between malicious actors and the discovery of the admin account.

Following this we used Organizational Units to segment our users. This lets us assign permissions to particular groups of users, so we can set further security constraints on what users are able to do and, importantly, what they are able to access within Active Directory.

The lab also recommends creating a decoy admin account, which acts as yet another layer of obscurity. A malicious actor could spend time compromising this account only to discover, once they have gained access, that it does not have the permissions they wanted in the first place.

SIDs can still be used to identify the administrator account, but this may be an option the malicious actor is not aware of, or it may at least slow them down, which raises the chance of the attack being discovered before data is compromised.

Using more of AD's capabilities, we are able to delegate control of subsections of AD to particular users or user groups.
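The rename, description removal and decoy account described above can be verified rather than assumed. The following is an added example (not part of the lab material) that locates the real built-in Administrator by its well-known RID 500, the same SID-based identification the text mentions, and checks that the decoy carries no privileged group membership. It assumes the ActiveDirectory RSAT module, a privileged domain session, and that the decoy was named 'Administrator' (the lab does not state the decoy's name).

```powershell
# Added example: verify the admin-account hardening from the lab.
# Assumes RSAT ActiveDirectory module and a privileged domain-joined session.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
# The built-in Administrator always has RID 500, whatever it has been renamed to.
$builtinSid = "$($domain.DomainSID.Value)-500"
$builtin    = Get-ADUser -Identity $builtinSid -Properties Description, MemberOf

$findings = @()
if ($builtin.SamAccountName -eq 'Administrator') {
    $findings += 'RID-500 account still uses the default name "Administrator".'
}
if ($builtin.Description -like '*Built-in account for administering*') {
    $findings += 'RID-500 account still carries the default description.'
}

# Decoy check: an account named 'Administrator' that is NOT the RID-500 object.
# The decoy's name is an assumption; adjust $decoyName to match your lab.
$decoyName = 'Administrator'
$decoy = Get-ADUser -Filter "SamAccountName -eq '$decoyName'" -Properties MemberOf
if (-not $decoy) {
    $findings += "No decoy account named '$decoyName' exists."
} elseif ($decoy.SID.Value -ne $builtinSid) {
    $privileged = @('Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Schema Admins', 'Group Policy Creator Owners')
    $groups = $decoy.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    $bad    = $groups | Where-Object { $privileged -contains $_ }
    if ($bad) {
        $findings += "Decoy is a member of privileged group(s): $($bad -join ', ')"
    }
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
else           { 'Admin account hardening verified: renamed, description cleared, decoy unprivileged.' }
```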

--------------------------------------------------------------------------------------------------------------------------


--------------------------------------------------------------------------------------------------------------------------
Audit policies are a tool that lets us define account limits for a given set of users across one or more resources. Audit policies can be used to monitor:

  • Logon events
  • Account management
  • Service access
  • Object access
  • Policy change
  • Privilege use
  • Process tracking
  • System events

Another feature of Group Policy showcased in this lab was Group Policy Modeling, which lets us check that our group policies have been applied in the manner we intended.
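As an added example of the "Account management" category in the list above (this is not the lab's own material), the script below enables that audit category with auditpol on the domain controller and then reads the resulting Security log events to show who created, changed or deleted accounts and who added members to groups. It assumes an elevated session on WIN2016-DC; the event ID descriptions are the standard Windows ones.

```powershell
# Added example: turn on Account Management auditing and review the records it produces.
# Assumes an elevated PowerShell session on the domain controller (WIN2016-DC).
auditpol /set /category:"Account Management" /success:enable /failure:enable | Out-Null

# Standard Windows Security event IDs for account-management actions.
$ids = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($ids.Keys)
    StartTime = (Get-Date).AddDays(-1)     # last 24 hours; adjust as needed
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named fields out of the event XML so the actor and target are explicit.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Action = $ids[[int]$_.Id]
        Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        # For group-membership events TargetUserName is the group and MemberName the member.
        Target = if ($data['MemberName']) { "$($data['MemberName']) -> $($data['TargetUserName'])" }
                 else { $data['TargetUserName'] }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

This is the record the "Critical Thinking & Analysis" section refers to: each row names the account that performed the change, which is what makes accountability possible when several people administer AD.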

--------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------------------------------------------
Setting a policy on user passwords is an integral part of a secure network. This includes a minimum length, the minimum number of days before the password must be changed, a maximum number of attempts (which protects against brute force) and additional complexity requirements.

This creates a strong layer that is often exploited if left unaddressed. In my own experience users will use weak passwords if they are given the ability to, simply for their own convenience and because they think there is a low chance that they will be targeted. Depending on the sensitivity of the data behind specific user accounts there may be increasing requirements for the complexity of user passwords; I myself would consider banning a list of basic dictionary words that people commonly use.
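The idea above that more sensitive accounts warrant stricter rules maps directly onto AD's fine-grained password policies. The following added example (not from the lab) first compares the default domain password policy against a minimum baseline, then creates a stricter policy and applies it to one group. The baseline numbers, the policy name 'PSO-Sensitive-Accounts' and the group 'Finance Users' are assumptions chosen for illustration.

```powershell
# Added example: check the default domain password policy and layer a stricter
# fine-grained policy (PSO) onto a sensitive group. Thresholds and names are assumed.
Import-Module ActiveDirectory

$baseline = @{ MinPasswordLength = 12; LockoutThreshold = 10
               ComplexityEnabled = $true; PasswordHistoryCount = 24 }
$policy   = Get-ADDefaultDomainPasswordPolicy

$problems = foreach ($k in $baseline.Keys) {
    $actual = $policy.$k
    $weak = switch ($k) {
        'LockoutThreshold'  { $actual -eq 0 -or $actual -gt $baseline[$k] }  # 0 = no lockout at all
        'ComplexityEnabled' { -not $actual }
        default             { $actual -lt $baseline[$k] }
    }
    if ($weak) { "$k is $actual (baseline: $($baseline[$k]))" }
}
if ($problems) { $problems | ForEach-Object { "WEAK: $_" } }
else           { 'Default domain password policy meets the baseline.' }

# Stricter rules for accounts guarding more sensitive data. Lower precedence wins
# when a user is covered by several PSOs.
$psoName = 'PSO-Sensitive-Accounts'   # assumed name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 16 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
}
# 'Finance Users' is an assumed group; substitute the group holding your sensitive accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Finance Users'
```

Note that a PSO cannot ban dictionary words on its own; a banned-word list needs a password filter or an external check, which this example does not implement.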
--------------------------------------------------------------------------------------------------------------------------



Lab Questions

Ex 5 | 7

In the "Administrators Properties" dialog, click the Apply button - does it work?

It does not work because of the level of delegation we set for sam, which does not allow him to place himself into an administrator group; that would give him more permission over the current PC than the original configuration allows.



Ex 5 | 11

Can you access any of the snap-ins?

I found that I only had the ability to access the 'Performance' tab; all other tabs were blocked due to the permission level that sam was granted, which does not allow him to access another computer in this manner.

Critical Thinking & Analysis


This showed us some of the functionality and features of using AD users and groups to your network's advantage, including some of Microsoft's recommended settings that aid in network security. These settings help obfuscate the network environment, which further increases the work required for a malicious entity to compromise the system.

Audit policy was also brought to light. It keeps a record of defined actions within your AD system, which is useful for keeping track of who makes which changes in AD and allows for accurate accountability if more than one person works within your AD. It also provides evidence in the event of a security breach (e.g. a hacker gaining access to an admin account).

Password policy enforcement is an effective measure to ensure that your users operate with a secure password; this greatly reduces the effectiveness of attacks on account passwords.

With Active Directory's extensive ability to apply security constraints to users and files we can implement the principle of least privilege, so that users only have effective access to what they require for their job within the network. When our network is configured this way we reduce the attack vectors into the network, as fewer accounts are capable of accessing large amounts of sensitive data.

