Ops 301 Class 03

Bill Kachersky edited this page Oct 4, 2021 · 1 revision

What is Active Directory?

Active Directory is an identity and directory management service offered by Microsoft for Windows domain networks. First introduced in Windows 2000, it is typically included in Windows Server operating systems; it is used by various Microsoft products, including SharePoint and Exchange, and is also frequently leveraged by third-party services.

A number of services are found within Active Directory itself, including:

  • Active Directory Domain Services (AD DS) – the core Active Directory service used to manage users and resources.
  • Active Directory Lightweight Directory Services (AD LDS) – a low-overhead version of AD DS for directory-enabled applications.
  • Active Directory Certificate Services (AD CS) – issues and manages digital security certificates.
  • Active Directory Federation Services (AD FS) – for sharing identity and access management information across organizations and enterprises.
  • Active Directory Rights Management Services (AD RMS) – for information rights management (controlling access permissions to documents, workbooks, presentations, etc.)

Fundamental Active Directory features and capabilities include:

  • A schema that defines the classes of objects and attributes contained in the directory.
  • A global catalog that contains detailed information about every object in the directory.
  • A query and index mechanism that allows users, administrators, and applications to efficiently find directory information.
  • A replication service that disseminates directory data across the network.
  • The Active Directory schema supports various types of objects like User, Group, Contact, Computer, Shared Folder, Printer, and Organizational Unit, along with a set of descriptive attributes for each object. For example, User Object attributes include information like the user’s name, address, and telephone number.

Active Directory makes use of other security and networking protocols including LDAP (Lightweight Directory Access Protocol), DNS (Domain Name System), and Microsoft’s version of the Kerberos authentication protocol.

Active Directory Domain Services Overview

Active Directory Domain Services is the primary Active Directory service. It is used to authenticate users and to control access to network resources. A server running AD DS is called a domain controller. Most Windows domain networks have two or more domain controllers: a primary domain controller and one or more backup domain controllers for resiliency. During login, users authenticate to a domain controller and are granted access to particular resources based on administratively defined policies.

Active Directory Data Structures

Active Directory stores information about network users (names, phone numbers, passwords, etc.) and resources (servers, storage volumes, printers, etc.) in a hierarchical structure consisting of domains, trees, and forests.

  • A domain is a collection of objects (e.g. users, devices) that share the same Active Directory database. A domain is identified by a DNS name like company.com.
  • A tree is a collection of one or more domains with a contiguous namespace (they have a common DNS root name like marketing.company.com, engineering.company.com, and sales.company.com).
  • A forest is a collection of one or more trees that share a common schema, global catalog, and directory configuration—but aren’t part of a contiguous namespace. The forest typically serves as the security boundary for an enterprise network.
  • Objects within a domain can be grouped into organizational units (OUs) to simplify administration and policy management. Administrators can create arbitrary organizational units to mirror functional, geographical, or business structures, and then apply group policies to OUs to simplify administration. OUs also make it easier to delegate control over resources to various administrators.

Cited from CyberArk
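As an added example (not part of the CyberArk text or these class notes), the Python below turns the naming rules above into code: it converts a domain's DNS name into the LDAP base DN used to scope queries against it, pulls the domain and OU path out of an object's distinguished name, and groups a constructed list of domains into trees by contiguous namespace (separate roots mean separate trees within a forest). All domain and object names are made up for illustration.

```python
# Constructed example: AD naming rules as code (DNS name <-> base DN,
# domain/OU of an object from its DN, domains grouped into trees).
def dns_to_base_dn(dns_name: str) -> str:
    """'sales.company.com' -> 'DC=sales,DC=company,DC=com' (LDAP search base)."""
    labels = [lab for lab in dns_name.lower().strip(".").split(".") if lab]
    return ",".join(f"DC={lab}" for lab in labels)

def split_dn(dn: str) -> list[tuple[str, str]]:
    """(attribute, value) pairs of a DN; backslash escapes the next char (RFC 4514 subset)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char, e.g. 'Smith\, Bob'
            cur, i = cur + dn[i + 1], i + 2
            continue
        if dn[i] == ",":                        # unescaped comma ends an RDN
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    return [(a.strip().upper(), v.strip()) for a, _, v in (r.partition("=") for r in rdns)]

def domain_of_dn(dn: str) -> str:
    """DNS name of the domain holding the object, built from its DC= components."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC").lower()

def ou_path(dn: str) -> list[str]:
    """OU hierarchy containing the object, outermost OU first."""
    return [v for a, v in reversed(split_dn(dn)) if a == "OU"]

def group_into_trees(domains) -> dict[str, list[str]]:
    """Map each tree root to its child domains. A root is a domain that is not a DNS
    child of any other domain in the set; a child joins the tree of its longest
    matching parent, so non-contiguous namespaces end up as separate trees."""
    names = sorted({d.lower().strip(".") for d in domains}, key=lambda d: d.count("."))
    root_of, trees = {}, {}
    for name in names:                          # parents are processed before children
        parents = [p for p in root_of if name.endswith("." + p)]
        if parents:
            root = root_of[max(parents, key=len)]
            root_of[name] = root
            trees[root].append(name)
        else:
            root_of[name] = name
            trees[name] = []
    return {root: sorted(kids) for root, kids in trees.items()}
```

Feeding the output of `Get-ADForest` (its Domains property) into `group_into_trees` gives a quick picture of how many trees a forest really contains before an audit starts.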


This is relevant to what we are learning about this week because our ability to be effective as security analysts in corporate environments has so much to do with our ability to understand how Active Directory works, its strengths and vulnerabilities, and how to go about auditing it methodically.