Windows and Active Directory
The Windows security model, Active Directory, and the credential attacks that dominate enterprise compromise.
~4 min read
Why Windows matters
Most corporate desktops and a great many servers run Windows, managed centrally through Active Directory. Enterprise attacks therefore overwhelmingly involve AD, and a cluster of credential-theft techniques specific to it. You don't need deep Windows admin knowledge, but you must recognise these concepts and attacks.
The Windows security model
Windows controls access using security principals (users, groups, computers), each identified by a SID (Security Identifier). When you log in, you receive an access token carrying your SID and group memberships; objects (files, registry keys) carry an ACL (Access Control List) of entries (ACEs) granting or denying specific SIDs specific rights. An access check is the token evaluated against the object's ACL in canonical order, with explicit Deny entries considered before Allow entries, so a Deny on a group you belong to beats an Allow on your own account. It is the same authenticate-then-authorise pattern, Windows-flavoured.
UAC (User Account Control) is the prompt that asks before an action runs with administrative rights, so admins operate with standard privileges until they explicitly elevate: least privilege for interactive use. Note that Microsoft does not treat UAC as a security boundary; it limits accidental use of admin rights rather than stopping a determined local attacker. Privileged accounts to know: the local Administrator, and in a domain, Domain Admins (control of the whole domain) and Enterprise Admins (control across the forest).
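The token-versus-ACL check described above, as an added PowerShell example that is not part of the original page: a small model of how Windows walks an ACL for a caller's token. The Right enum, the SIDs, the principals and the ACL are all constructed for the demo; real Windows additionally orders inherited entries after explicit ones and honours ownership and privileges such as SeBackupPrivilege, which this model leaves out.

```powershell
# Added example (not the page's own code): a simplified model of the Windows
# access check. A token is the caller's SID plus group SIDs; an ACL is an ordered
# list of ACEs. Windows evaluates ACEs in canonical order (explicit Deny before
# explicit Allow, then inherited entries); this model puts Deny first and ignores
# inheritance, object ownership and privilege overrides. All SIDs are invented.

[Flags()] enum Right {
    Read    = 1
    Write   = 2
    Execute = 4
}

function Test-Access {
    param(
        [string[]]$TokenSids,   # caller SID + group SIDs resolved at logon
        [object[]]$Acl,         # ACEs: objects with Type ('Allow'/'Deny'), Sid, Rights
        [Right]$Requested       # rights the caller is asking for
    )
    # Canonical order: every Deny ACE is considered before any Allow ACE.
    $ordered = @($Acl | Where-Object { $_.Type -eq 'Deny' }) +
               @($Acl | Where-Object { $_.Type -eq 'Allow' })
    [int]$granted = 0
    [int]$wanted  = [int]$Requested
    foreach ($ace in $ordered) {
        if ($TokenSids -notcontains $ace.Sid) { continue }   # ACE is not about this token
        $overlap = [int]$ace.Rights -band $wanted
        if ($overlap -eq 0) { continue }                      # ACE covers other rights only
        if ($ace.Type -eq 'Deny') { return $false }           # a matching Deny ends the check
        $granted = $granted -bor $overlap
        if (($granted -band $wanted) -eq $wanted) { return $true }  # all wanted rights granted
    }
    return $false   # never fully granted: implicit deny
}

# Constructed principals (domain SIDs have the shape S-1-5-21-<domain>-<rid>).
$Alice       = 'S-1-5-21-1000-2000-3000-1105'
$Finance     = 'S-1-5-21-1000-2000-3000-1201'
$Contractors = 'S-1-5-21-1000-2000-3000-1202'
$Everyone    = 'S-1-1-0'

# Alice's token: her own SID plus the groups resolved when she logged on.
$aliceToken = @($Alice, $Finance, $Contractors, $Everyone)

# Payroll file ACL as an admin might write it: Finance reads and writes, Alice is
# explicitly allowed Execute, Contractors are denied Write.
$payrollAcl = @(
    [pscustomobject]@{ Type = 'Allow'; Sid = $Finance;     Rights = [Right]'Read, Write' }
    [pscustomobject]@{ Type = 'Allow'; Sid = $Alice;       Rights = [Right]::Execute }
    [pscustomobject]@{ Type = 'Deny';  Sid = $Contractors; Rights = [Right]::Write }
)

Test-Access -TokenSids $aliceToken -Acl $payrollAcl -Requested Read
Test-Access -TokenSids $aliceToken -Acl $payrollAcl -Requested Write
Test-Access -TokenSids $aliceToken -Acl $payrollAcl -Requested 'Read, Execute'
```

The three calls return True, False and True. Write is refused even though Finance is allowed it, because Alice is also a Contractor and the Deny is evaluated first; this is the practical reason "just add the user to another group" is a common way to accidentally lose access rather than gain it.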
Active Directory
Active Directory (AD) is Microsoft's directory service for centrally managing users, computers and policy across an organisation. Core concepts:
- Domain: an administrative boundary of users and computers sharing a database.
- Domain Controller (DC): a server running AD that authenticates logins and holds the directory. Compromise a DC and you effectively own the domain.
- Forest / tree: domains grouped with trust relationships; the forest is the top-level security boundary.
- Group Policy (GPO): centrally pushed configuration and security settings to machines and users.
- Kerberos: the primary authentication protocol in AD (the older, weaker NTLM lingers for compatibility and is itself a source of attacks).
The defensive theme is tiering: keep Domain Admin credentials off ordinary workstations, because most of the credential attacks below start by harvesting whatever is cached on a machine the attacker can already reach, and they only escalate if something privileged was cached there.
Kerberos in brief
Kerberos uses a ticket model so passwords aren't sent repeatedly. Simplified: you authenticate once to the DC (acting as the Key Distribution Center, KDC) with a key derived from your password and receive a TGT (Ticket Granting Ticket), which is encrypted with the key of the domain's krbtgt account; to use a service, you present the TGT and get a service ticket for it, encrypted with the key of the account that runs the service. The detail you need is why this gets attacked: tickets sit in memory and can be stolen and replayed, and because each ticket is encrypted with some account's key, whoever holds that key (or can crack the password behind it) can read or forge tickets.
Credential attacks (the heart of AD compromise)
These names come up constantly; know what each is:
- Pass-the-Hash: Windows can authenticate with the NTLM hash of a password (the NT hash, an unsalted MD4 of the password), so an attacker who steals a hash from memory can authenticate as that user without ever cracking it. A stolen hash is as dangerous as the plaintext password in a Windows environment.
- Pass-the-Ticket: stealing and reusing a Kerberos ticket to impersonate a user.
- Kerberoasting: any domain user can request a service ticket for any account that has an SPN (Service Principal Name) registered; part of that ticket is encrypted with the service account's password hash, so the attacker takes the tickets offline and cracks them to recover those service-account passwords (which are often weak, rarely rotated and highly privileged).
- Golden Ticket: with the hash of the domain's krbtgt account (the key that encrypts every TGT), an attacker can forge arbitrary TGTs to impersonate anyone, including Domain Admins, with any validity period they choose: near-total, persistent domain control. Forged tickets keep working until the krbtgt password has been reset twice, because the DC still honours the previous key as well as the current one.
- DCSync: abusing directory replication rights (DS-Replication-Get-Changes and Get-Changes-All) to ask a DC for password hashes as if you were another DC, extracting the krbtgt hash and every other credential without ever touching LSASS on the DC.
The tool most associated with these is Mimikatz, which extracts plaintext passwords, hashes and tickets from memory. LSASS (the process holding credentials in memory) is the target; protecting it (Credential Guard, LSASS protection) is a key modern defence.
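What two of these attacks look like in the Security log, as an added PowerShell example that is not part of the original page. The detection logic runs over constructed records whose field names follow the 4769 (Kerberos service ticket request) and 4662 (operation on an AD object) event XML; the account names, timestamps, the CORP.LOCAL realm and the DC names are invented for the demo. The replication-right GUIDs are the documented well-known values.

```powershell
# Added example (not the page's own code): detection logic for Kerberoasting and
# DCSync, run over constructed Security-log records. Field names follow the
# Windows 4769 / 4662 event XML (TargetUserName, ServiceName,
# TicketEncryptionType, SubjectUserName, Properties); the records, account names
# and timestamps are made up. In production the same objects would come from
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769, 4662 }.

# Extended rights that replication needs; DCSync asks for exactly these (well-known GUIDs).
$ReplGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcf2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcf2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-Kerberoasting {
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    # The tell: RC4 (0x17) service tickets for user accounts with SPNs, many of
    # them in a short burst. Computer accounts (name ends in $) have long random
    # passwords and are not worth cracking; krbtgt is excluded because every
    # TGT request touches it.
    $suspect = $Events | Where-Object {
        $_.Id -eq 4769 -and
        $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notlike '*$' -and
        $_.ServiceName -ne 'krbtgt'
    }
    $suspect | Group-Object TargetUserName | ForEach-Object {
        $times    = @($_.Group | ForEach-Object TimeCreated | Sort-Object)
        $services = @($_.Group | ForEach-Object ServiceName | Sort-Object -Unique)
        $span     = ($times[-1] - $times[0]).TotalMinutes
        if ($services.Count -ge $Threshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{ Requester = $_.Name; DistinctSpns = $services.Count; Minutes = [math]::Round($span, 1) }
        }
    }
}

function Find-DCSync {
    param([object[]]$Events, [string[]]$DomainControllers)
    # A 4662 on the domain object that carries a replication GUID is normal only
    # for domain controllers (and AD sync services such as Entra Connect, which
    # belong on the same allow-list). Anything else is a DCSync attempt.
    foreach ($e in $Events) {
        if ($e.Id -ne 4662 -or $e.SubjectUserName -in $DomainControllers) { continue }
        $hits = @($ReplGuids | Where-Object { $e.Properties -match $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Subject = $e.SubjectUserName; ReplicationRights = ($hits -join ', ') }
        }
    }
}

# Constructed records. $t0, the realm and every account name are invented.
$t0 = Get-Date '2024-05-01T09:00:00'
function New-Record([int]$Id, [int]$Offset, [hashtable]$Fields) {
    [pscustomobject](@{ Id = $Id; TimeCreated = $t0.AddSeconds($Offset) } + $Fields)
}
$events = @(
    # Normal: AES (0x12) ticket for a computer account, and one AES ticket for a service.
    New-Record 4769 0  @{ TargetUserName = 'bob@CORP.LOCAL';    ServiceName = 'WS01$';        TicketEncryptionType = '0x12' }
    New-Record 4769 5  @{ TargetUserName = 'bob@CORP.LOCAL';    ServiceName = 'svc_sql';      TicketEncryptionType = '0x12' }
    # Kerberoasting: one user pulls RC4 tickets for six service accounts within seconds.
    New-Record 4769 60 @{ TargetUserName = 'jsmith@CORP.LOCAL'; ServiceName = 'svc_sql';      TicketEncryptionType = '0x17' }
    New-Record 4769 61 @{ TargetUserName = 'jsmith@CORP.LOCAL'; ServiceName = 'svc_web';      TicketEncryptionType = '0x17' }
    New-Record 4769 62 @{ TargetUserName = 'jsmith@CORP.LOCAL'; ServiceName = 'svc_backup';   TicketEncryptionType = '0x17' }
    New-Record 4769 63 @{ TargetUserName = 'jsmith@CORP.LOCAL'; ServiceName = 'svc_sp';       TicketEncryptionType = '0x17' }
    New-Record 4769 64 @{ TargetUserName = 'jsmith@CORP.LOCAL'; ServiceName = 'svc_mssql2';   TicketEncryptionType = '0x17' }
    New-Record 4769 65 @{ TargetUserName = 'jsmith@CORP.LOCAL'; ServiceName = 'svc_exchange'; TicketEncryptionType = '0x17' }
    # Normal replication between DCs, then DCSync from a user account (object type GUID is domainDNS).
    New-Record 4662 90 @{ SubjectUserName = 'DC02$';  Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}' }
    New-Record 4662 95 @{ SubjectUserName = 'jsmith'; Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}' }
)

Find-Kerberoasting -Events $events | Format-Table
Find-DCSync -Events $events -DomainControllers 'DC01$', 'DC02$' | Format-Table
```

On these records Find-Kerberoasting reports jsmith with six distinct SPNs inside a fraction of a minute, and Find-DCSync reports jsmith asking for both Get-Changes rights while DC02$ is passed over as legitimate replication. In a real estate the RC4 filter needs tuning: old clients and accounts with AES disabled produce benign 0x17 tickets, so the burst threshold and an allow-list of known sync services are what keep the false-positive rate down. Seeing 4662 at all requires "Audit Directory Service Access" to be enabled and a SACL on the domain object.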
Lateral movement and the kill chain in AD
A typical enterprise intrusion: phish a user → run as that user → dump local credentials from memory → use Pass-the-Hash/ticket to move to the next machine → repeat until a Domain Admin credential is found → DCSync or Golden Ticket → full control → deploy ransomware domain-wide. Every step after the foothold is lateral movement or escalation powered by harvested credentials. This is exactly why segmentation, least privilege, credential tiering and MFA matter so much: each removes a link from this chain.
Windows hardening essentials
- Patch (Windows Update / WSUS): many of the worst incidents exploited flaws for which a patch was already available (EternalBlue, MS17-010 in SMBv1 → WannaCry).
- Least privilege and tiering: users aren't local admins; Domain Admin credentials never touch workstations.
- Disable legacy protocols: SMBv1, NTLM where possible.
- Protect credentials in memory: Credential Guard, LSASS protection (running LSASS as a protected process). Limit what a stolen credential is worth: LAPS (unique, rotated local admin passwords per machine, so one harvested local admin hash does not open every workstation).
- MFA on remote access and privileged accounts.
- Monitor AD: log and alert on Kerberoasting (bursts of event 4769 with RC4-encrypted tickets for user accounts), DCSync (event 4662 requesting replication rights from a non-DC account) and anomalous ticket activity: the logging/alerting principle that is OWASP A09's enterprise equivalent.
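A read-only audit of the credential-protection settings in this list on the local machine, as an added PowerShell example that is not part of the original page. The registry locations, value names and meanings are the documented ones; the control labels are the author's. Run it in an elevated session (Get-SmbServerConfiguration needs it). LAPS is deliberately not checked here, because its policy location differs between legacy LAPS and Windows LAPS.

```powershell
# Added example (not the page's own code): audit the local credential-hardening
# posture. Reads only; nothing is changed. Registry paths and values are the
# documented Windows ones. Run elevated.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Missing key or value is reported as $null so the check below fails closed.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-CredentialHardeningStatus {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $vbs = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

    # Runtime view of virtualization-based security: SecurityServicesRunning
    # contains 1 when Credential Guard is actually up (2 is HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $smb1 = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol

    $ppl  = Get-RegValue $lsa 'RunAsPPL'                   # 1 = PPL, 2 = PPL with UEFI lock
    $cg   = Get-RegValue $lsa 'LsaCfgFlags'                # 1 = enabled with UEFI lock, 2 = enabled
    $vbsE = Get-RegValue $vbs 'EnableVirtualizationBasedSecurity'
    $lm   = Get-RegValue $lsa 'LmCompatibilityLevel'       # 5 = send NTLMv2 only, refuse LM and NTLM
    $ntlm = Get-RegValue $msv 'RestrictSendingNTLMTraffic' # 2 = deny all outgoing NTLM (1 = audit only)

    @(
        [pscustomobject]@{ Control = 'LSASS runs as PPL (RunAsPPL)';        Value = $ppl;  Pass = ($ppl -in 1, 2) }
        [pscustomobject]@{ Control = 'VBS enabled';                          Value = $vbsE; Pass = ($vbsE -eq 1) }
        [pscustomobject]@{ Control = 'Credential Guard configured';          Value = $cg;   Pass = ($cg -in 1, 2) }
        [pscustomobject]@{ Control = 'Credential Guard running';             Value = ($dg.SecurityServicesRunning -join ','); Pass = ([bool]$dg -and $dg.SecurityServicesRunning -contains 1) }
        [pscustomobject]@{ Control = 'SMBv1 server disabled';                Value = $smb1; Pass = ($smb1 -eq $false) }
        [pscustomobject]@{ Control = 'NTLMv2 only (LmCompatibilityLevel=5)'; Value = $lm;   Pass = ($lm -eq 5) }
        [pscustomobject]@{ Control = 'Outgoing NTLM blocked';                Value = $ntlm; Pass = ($ntlm -eq 2) }
    )
}

Get-CredentialHardeningStatus | Format-Table -AutoSize
```

Treat a failed "Credential Guard running" row with a passing "configured" row as the interesting case: the policy is set but the hardware prerequisites (UEFI, Secure Boot, virtualisation extensions) are not satisfied on that machine, so LSA secrets are still reachable from a privileged process. "Outgoing NTLM blocked" will fail in most estates; set RestrictSendingNTLMTraffic to 1 first and work through the audit events before moving to 2.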
Quick recall
- Windows authorises via tokens (your SID + groups) against object ACLs; UAC enforces elevate-on-demand.
- Active Directory centralises identity; Domain Controllers authenticate; compromise a DC ≈ own the domain. Kerberos is the main auth protocol; NTLM is the weaker legacy one.
- Credential attacks: Pass-the-Hash (auth with a stolen hash, no cracking), Pass-the-Ticket, Kerberoasting (offline-crack service accounts), Golden Ticket (forge any TGT via krbtgt), DCSync (replicate out all hashes). Mimikatz + LSASS are the common thread.
- Enterprise compromise = phish → dump creds → lateral movement → Domain Admin → ransomware. Break it with tiering, least privilege, segmentation, MFA.