Abstract | Microsoft Active Directory is a software solution for managing resources in organizational environments. The basic elements of an AD system are its users, its computers and servers, and the main server called the Domain Controller. Within Active Directory, administrators can organize individual objects hierarchically and can granularly manage and apply policies to those objects using Group Policy Objects (GPOs). The main structural parts of an AD system are organizational units, domains, and trees and forests, which together form an organized whole. Authentication within an AD environment uses two protocols: the older NTLM and the more modern Kerberos. Authorization does not rely on these network protocols but on the built-in access control list mechanisms. Because of their implementation flaws and the local nature of on-premises Active Directory, attacks on these protocols such as Pass-the-Ticket and Pass-the-Hash cannot be fully mitigated, and attackers with relatively little knowledge can entrench themselves deep inside the network. The rest of the thesis describes further steps for protecting against these kinds of attacks. |
Abstract (english) | Microsoft Active Directory is a software solution used to manage resources in an organizational environment. The foundational elements of an AD system are its users, its computers and servers, and the main server called the Domain Controller. Within Active Directory, administrators are able to organize their objects hierarchically, as well as to granularly control and enforce policies on the objects' behaviour using group policies (Group Policy Objects, GPOs). The main structural components of an AD environment are the organizational units, domains, trees and forests, which together form an organized whole. Alongside the on-premises version of Active Directory, there exists a modern, cloud-based version called Azure Active Directory. Authentication in AD is handled by two protocols: the older NTLM and the more modern Kerberos. Authorization within an AD environment is not handled by these network protocols; instead, a model of access control lists is used. Due to their implementation flaws and the nature of the on-premises AD solution, attacks on these protocols cannot be fully mitigated, and an attacker with little knowledge can persist deep within the network. One of the best-known toolkits for performing AD attacks, and specifically for attacking its authentication protocols, is Mimikatz, a tool used to extract hashes and tickets from memory and replay them later. The main principle for defending against these types of attacks is the Principle of Least Privilege, since the defenders' goal is to make the attacker's path to sensitive information and highly privileged accounts as difficult as possible. Alongside this, it is necessary to have an up-to-date asset inventory, to use firewalls and intrusion prevention systems, and to deploy per-computer Endpoint Detection and Response (EDR) agents. By combining the aforementioned methodologies and toolsets it is possible to significantly reduce the attack surface; it cannot, however, be eliminated completely. |