
Module 5

This module is about protecting domain controllers against attacks.

At the end of these exercises you will be able to identify and deploy important security settings
on your domain controllers.

DISCLAIMER
These labs contain third-party tools. Please be aware of the following guidelines:

• These tools are for research purposes only. Microsoft does not own these tools nor
can it guarantee their behavior.
• These tools should only be run in a test lab environment.
• They are tools that are used by both hackers and penetration testers, and need to
be treated with caution and with clear policies and permissions.
• The trainer is authorized to describe in detail how the tools work and to show
recorded videos of the tools to the attendees.
• The trainer is giving guidance to the attendees on how to better defend Active
Directory against those tools. This includes demonstration of the tools in the
workshop’s labs.
• The lab machines used in the offering have those tools pre-installed. Those
machines are not connected to any network other than the lab network. Those
machines are not connected to the Internet.
• The attendees cannot keep a copy of the lab machines. Through your agreement to
attend the training, Microsoft disclaims any liability for the misuse of these tools,
either accidentally or intentionally. Use of these tools in this environment is for
training purposes only.

Now, if you agree, you can click Next.

Last update - 2019-03-08

A. Remotely stealing all secrets (but with good intentions)


Scenario
As the domain administrator of Contoso, you have full control over EVERYTHING in AD. Yet,
you cannot read the accounts' secrets. The infamous identity and security team asked you to
make sure users are not using weak passwords. Well, you know they cannot set a new weak one
thanks to your Azure AD Password Protection deployment. But there is no API to access the
secrets directly to check what is currently used and what was set before that deployment. Or is
there? You will use the DSRRPC API to remotely read all users' secrets and do some analysis…
You have installed the DSInternals toolset for this.

1. Log on to CONTOSO - SRV01.

Use the following credentials:

Username CONTOSO\Administrator
Password Pa$$w0rd

2. Right-click on the start button and click Run. In the Run window, type powershell and
click OK.
3. In the PowerShell console, run the following commands:

PowerShell
Import-Module DSInternals
Get-ADReplAccount -All -Server DC01 -NamingContext "DC=contoso,DC=com" |
    Test-PasswordQuality -WeakPasswords "p" -IncludeDisabledAccounts

This looks for users whose password is "p", for other common weaknesses such as several users
sharing the same hash (and therefore the same password), and for other security-oriented
account settings.
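An added example, not part of the lab: the same DSInternals pipeline run against a whole list of candidate passwords instead of the single password "p", with the result object turned into a short report. It assumes the DSInternals module is installed, a Domain Admin session on SRV01, and a constructed file C:\Tools\weak-passwords.txt with one password per line. The property names read from the result object are those of DSInternals' PasswordQualityTestResult as recalled by the author of this example, so treat them as an assumption and confirm them with Get-Member.

```powershell
# Added example, not the lab's own code. Assumes DSInternals is installed and that
# C:\Tools\weak-passwords.txt (constructed) holds one candidate password per line.
Import-Module DSInternals

$weakListPath = 'C:\Tools\weak-passwords.txt'

# Same replication-based read as the lab, but tested against the whole list.
# Keep the result object instead of letting the default formatter print it.
$result = Get-ADReplAccount -All -Server DC01 -NamingContext 'DC=contoso,DC=com' |
    Test-PasswordQuality -WeakPasswordsFile $weakListPath -IncludeDisabledAccounts

# Assumption: these are the PasswordQualityTestResult property names
# (verify with: $result | Get-Member -MemberType Property).
$findings = [ordered]@{
    'Password found in the weak list' = $result.WeakPassword
    'Empty password'                  = $result.EmptyPassword
    'Password never expires'          = $result.PasswordNeverExpires
    'Password not required'           = $result.PasswordNotRequired
    'Kerberos pre-auth not required'  = $result.PreAuthNotRequired
    'Admins allowed for delegation'   = $result.DelegatableAdmins
}

foreach ($name in $findings.Keys) {
    # Where-Object drops a $null property so an empty finding counts as 0, not 1.
    $accounts = @($findings[$name] | Where-Object { $_ })
    '{0}: {1} account(s)' -f $name, $accounts.Count
    $accounts | ForEach-Object { "    $_" }
}

# Accounts with identical NT hashes share a password (the "same hash" check the
# lab text mentions); the result object groups them.
$i = 0
foreach ($group in $result.DuplicatePasswordGroups) {
    $i++
    'Duplicate password group {0}: {1}' -f $i, ($group -join ', ')
}
```

The weak list is the part worth investing in: a handful of company-specific words (company name, seasons plus the current year, the old default password) catches far more than a generic dictionary, and Test-PasswordQuality also accepts pre-computed NT hashes through -WeakPasswordHashesFile when the clear-text list is too large to hash on the fly.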

4. Review the discovered passwords:

5. Discuss the results with your instructor.

If you are about to take a break make sure you save your labs before!

B. Limit remote management of domain controllers


Scenario
You are the domain administrator of Contoso. The identity and security team wants to make sure
only members of Domain Admins connected to administrative servers can use the RDP
protocol to access domain controllers. In other words, unless you are connected to a set of
specific machines, you cannot use RDP to connect to domain controllers. You will use IPSec to
implement this restriction.

1. Log on to CONTOSO - DC01.

Use the following credentials:

Username CONTOSO\Administrator
Password Pa$$w0rd

2. Right-click on the start button and click Run. In the Run window, type dsac.exe and
click OK.

3. Enable the tree view by clicking on the following icon:

Expand contoso (local), right-click on _Admins, click New, and then click Group.
4. In the Create Group window, enter the name RDP DC Exception, then scroll down and
in the Members section click Add…. Then click on the Object Types button, check
Computers and click OK. Then type SRV01 and click the Check Names button. Click
OK twice.
5. Right-click on the start button and click Run. In the Run window, type gpmc.msc and
click OK.
6. Expand Forest: contoso.com/Domains/contoso.com. Right-click on the Domain
Controllers OU and click Create a GPO in this domain, and Link it here…. In the
New GPO window, type the name RDP Firewall Restriction then click OK. Then
click OK and OK again to close the Group properties window.
7. Expand the Forest: contoso.com/Domains/contoso.com/Group Policy Objects
container. Right-click on RDP Firewall Restriction and click Edit.
8. Expand Computer Configuration/Policies/Windows Settings/Security
Settings/Windows Firewall with Advanced Security/Windows Firewall with
Advanced Security.
9. Right-click on Inbound Rules and click New Rule…. In the Rule Type window, select
the option Port and click Next. Leave the TCP option and in the Specific local ports
field, type 3389 and then click Next. Select Block the connection and click Next. Leave
all profiles checked and click Next. In the Name field, type Block RDP for everyone and
click Finish.
10. Right-click on Inbound Rules and click New Rule…. In the Rule Type window, select
the option Port and click Next. Leave the TCP option and in the Specific local ports
field, type 3389 and then click Next. Select Allow the connection if it is secure and
click Customize. In the Customize Allow if Secure Settings window, select the option
Allow the connection to use null encapsulation, check Override block rules and click
OK. Back in the Action window, click Next. In the Authorized users section, check Only
allow connections from these users and click Add. Type Domain Admins, click Check
Names and OK. Back in the Users window, click Next. In the Authorized computers
section, click Add. Type RDP DC Exception, click Check Names and OK. Back in the
Action window, click Next. Leave all profiles checked and click Next. In the Name field,
type Exception of specific servers and domain admins and click Finish.
11. Right-click on Connection Security Rules and click New Rule…. In the Rule Type
window, select the option Custom and click Next. In the Endpoints window, leave the
default settings and click Next. In the Requirements window, select the second option
Require authentication for inbound and request authentication for outbound
connections and click Next. In the Authentication Method window, select the second
option Computer and user (Kerberos V5) and click Next. In the Protocol and Ports
window, in the Protocol type list, pick TCP, in the Endpoint 1 port, pick Specific ports
and enter the port 3389 then click Next. Leave all profiles checked and click Next. In the
Name field, type Secure RDP and click Finish. Close the Group Policy Management
Editor console.
12. Right-click on the start button and click Run. In the Run window, type cmd /k gpupdate
/force and click OK.
13. Log on to CONTOSO - SRV01.

Use the following credentials:

Username CONTOSO\Administrator
Password Pa$$w0rd

14. Right-click on the start button and click Run. In the Run window, type mstsc and click
OK.
15. In the Remote Desktop Connection window, type DC01 and click Connect. This attempts
to initiate the connection, but it fails now that RDP to the DC is restricted.
Click OK and close the Remote Desktop Connection window.
16. Right-click on the start button and click Run. In the Run window, type wf.msc and click
OK.
17. In the Windows Firewall with Advanced Security console, right-click on Connection
Security Rules and click New Rule…. In the Rule Type window, select the option Custom
and click Next. In the Endpoints window, leave the default settings and click Next. In the
Requirements window, leave the first option Request authentication for inbound and
outbound connections and click Next. In the Authentication Method window, select the
second option Computer and user (Kerberos V5) and click Next. In the Protocol and
Ports window, in the Protocol type list, pick TCP, leave the Endpoint 1 port empty and
in the Endpoint 2 port, pick Specific ports and enter the port 3389 (this is different from
the rule we created for the DC: here we use Endpoint 2, because 3389 is the remote port
from SRV01's point of view) then click Next. Leave all profiles checked and click Next. In
the Name field, type Secure RDP to DCs and click Finish. Close the Windows Firewall
with Advanced Security console.
18. Right-click on the start button and click Run. In the Run window, type mstsc and click
OK.

19. In the Remote Desktop Connection window, type DC01 and click Connect. And this…

…does not work either. Click OK and close the Remote Desktop Connection window.
You added SRV01 to the exception group, but you have not restarted it, so its new group
membership is not yet in its computer token! So, let's do that.

20. Restart SRV01.

21. Log on to CONTOSO - SRV01.

Use the following credentials:

Username CONTOSO\Administrator
Password Pa$$w0rd

22. Right-click on the start button and click Run. In the Run window, type mstsc and click
OK.
23. In the Remote Desktop Connection window, type DC01 and click Connect. You will be
prompted for credentials, which means it works! (No need to actually enter the credentials.)
You've just deployed an IPSec isolation policy for RDP. Pretty cool, eh? And simple!

If you want to do that in production for some of your critical servers, be very careful! For
example, if you RDP to a DC to configure the RDP restriction, you might just cut your own
access! So scope the policy in such a way that you can disable it if you made a mistake.

24. OPTIONAL: Right-click on the start button and click Run. In the Run window, type
wf.msc and click OK. In the Windows Firewall with Advanced Security console, browse
Monitoring/Security Associations and click on Main Mode. You can see the IPSec
security associations currently active on your machine. Double-click on an entry to see
its details.
25. Close all windows and sign out of SRV01.
26. Switch back to CONTOSO - DC01. Close all windows and sign out of DC01.
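The same RDP isolation, expressed with the NetSecurity cmdlets instead of the GUI, as an added example that is not part of the lab. It assumes the GPO RDP Firewall Restriction already exists and is linked to the Domain Controllers OU, that the group RDP DC Exception exists with SRV01 as a member, and that the DC part runs on DC01 as a Domain Admin while the client part runs on SRV01; the hostname check at the bottom picks the right part. The SDDL strings are the form the GUI generates for "Authorized users" and "Authorized computers".

```powershell
# Added example, not the lab's own code: steps 4-17 of the exercise with the
# NetSecurity cmdlets. Assumes the GPO and the exception group already exist.

function Set-DcRdpIsolationPolicy {
    # Run on DC01 as a Domain Admin. Writes into the GPO store, not the local policy.
    param([string]$PolicyStore = 'contoso.com\RDP Firewall Restriction')
    Import-Module ActiveDirectory
    Import-Module NetSecurity

    # "Authorized users/computers" in the GUI are SDDL strings keyed on group SIDs.
    $adminsSid    = (Get-ADGroup -Identity 'Domain Admins').SID.Value
    $exceptionSid = (Get-ADGroup -Identity 'RDP DC Exception').SID.Value
    $userSddl     = "O:LSD:(A;;CC;;;$adminsSid)"
    $machineSddl  = "O:LSD:(A;;CC;;;$exceptionSid)"

    # Step 9: block TCP/3389 for everyone.
    New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName 'Block RDP for everyone' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block -Profile Any

    # Step 10: allow if secure (NoEncap = authentication only, no ESP, as the lab picks),
    # override the block rule, only for Domain Admins coming from the exception group.
    New-NetFirewallRule -PolicyStore $PolicyStore `
        -DisplayName 'Exception of specific servers and domain admins' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow -Profile Any `
        -Authentication NoEncap -OverrideBlockRules $true `
        -RemoteUser $userSddl -RemoteMachine $machineSddl

    # Step 11: require authentication inbound, request it outbound, on TCP/3389,
    # computer Kerberos in phase 1 and user Kerberos in phase 2.
    $p1 = New-NetIPsecPhase1AuthSet -PolicyStore $PolicyStore -DisplayName 'Computer Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
    $p2 = New-NetIPsecPhase2AuthSet -PolicyStore $PolicyStore -DisplayName 'User Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos)
    New-NetIPsecRule -PolicyStore $PolicyStore -DisplayName 'Secure RDP' `
        -InboundSecurity Require -OutboundSecurity Request `
        -Protocol TCP -LocalPort 3389 -Profile Any `
        -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name
}

function Set-ClientRdpIpsecRule {
    # Run on SRV01 (local policy, step 17): request authentication both ways, matched on
    # the REMOTE port this time, so RDP to any DC is offered as an authenticated connection.
    Import-Module NetSecurity
    $p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
    $p2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos)
    New-NetIPsecRule -DisplayName 'Secure RDP to DCs' `
        -InboundSecurity Request -OutboundSecurity Request `
        -Protocol TCP -RemotePort 3389 -Profile Any `
        -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name
}

switch ($env:COMPUTERNAME) {
    'DC01'  { Set-DcRdpIsolationPolicy; gpupdate /force }
    'SRV01' {
        Set-ClientRdpIpsecRule
        # Reboot afterwards so the computer's new group membership is in its token.
        # Once an RDP session to DC01 succeeds, the main-mode SA is visible here (step 24):
        Get-NetIPsecMainModeSA
    }
}
```

The warning at the end of the exercise applies here too: build and test this from a console session on the DC (or from a host that is already in the exception group), and keep a way back. Set-GPLink -Name 'RDP Firewall Restriction' -Target 'OU=Domain Controllers,DC=contoso,DC=com' -LinkEnabled No from the GroupPolicy module, run from a console session, is enough to switch the whole restriction off if you lock yourself out.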

If you are about to take a break, make sure you save your labs before!

C. List all AD users anonymously


Scenario
You are Peter, the infamous administrator of the CONTOSOMONEY2000 application. You do
not have a domain account but you would like to list all enabled users in the domain. This can
come in handy once you've gotten fired and want to perform some slick social engineering. So
let's see what we can do…

1. Log on to CONTOSO - SRV01.

Use the following credentials:

Username SRV01\Peter
Password Money2000!

2. Open File Explorer and browse to C:\Tools\Scans. Right-click on SuperScan4.1.exe and
click Run as administrator. In the User Account Control pop-up, click Yes.
3. Click the Windows Enumeration tab and uncheck all types but: NULL Session and
Users. In the Hostname/IP/URL field, type 10.0.0.10 and click Enumerate. You
should see the list of users and groups from their default containers.

Note that you do not see all users here because of a limitation of the SuperScan tool, which
targets the Users container only. Other tools don't have this limitation.

You are the domain administrator of Contoso. You heard Peter bragging about his scanning tools
and you want to make sure anonymous enumerations of groups and users are not possible in
Contoso.

4. Log on to CONTOSO - DC01.

Use the following credentials:

Username CONTOSO\Administrator
Password Pa$$w0rd

5. Right-click on the start button and click Run. In the Run window, type dsa.msc.
6. In the Active Directory Users and Computers console, click the View menu and make
sure Advanced Features is enabled. Then expand
contoso.com/ForeignSecurityPrincipals and double-click on S-1-5-7.
7. In the S-1-5-7 Properties window, click the Member Of tab and remove all current
membership and click OK.

Peter was able to remotely list users anonymously because the ANONYMOUS LOGON security
principal was in the Pre-Windows 2000 Compatible Access group.

Now let's see what Peter can do…

8. If necessary, log back on to CONTOSO - SRV01 using Peter's credentials (the session
should still be on).
9. On the SuperScan 4.1 window, click Enumerate. You should see that it returns
nothing…
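The check and the fix from steps 5-7, as an added example that is not part of the lab: it reads the raw member attribute of Pre-Windows 2000 Compatible Access, flags the well-known SIDs that widen who can read user and group objects, and removes ANONYMOUS LOGON (S-1-5-7) the same way step 7 does. It assumes the ActiveDirectory module on DC01 and a Domain Admin session; the group name and the SID meanings are as the lab describes them.

```powershell
# Added example, not the lab's own code. Run on DC01 as a Domain Admin.
Import-Module ActiveDirectory

$groupName = 'Pre-Windows 2000 Compatible Access'

# Well-known SIDs whose membership widens who may read user and group objects.
$wellKnown = @{
    'S-1-5-7'  = 'ANONYMOUS LOGON: anonymous enumeration possible (what Peter used)'
    'S-1-1-0'  = 'Everyone: includes anonymous only if the "Let Everyone permissions apply to anonymous users" policy is enabled'
    'S-1-5-11' = 'Authenticated Users: any domain account, the modern default member'
}

function Get-PreWin2kExposure {
    # Read the raw member attribute: foreign security principals resolve unreliably
    # through Get-ADGroupMember, but their DN is CN=<SID>,CN=ForeignSecurityPrincipals,...
    $members = (Get-ADGroup -Identity $groupName -Properties member).member
    foreach ($dn in $members) {
        $cn = ($dn -split ',')[0] -replace '^CN=', ''
        [pscustomobject]@{
            Sid      = $cn
            Meaning  = $(if ($wellKnown.ContainsKey($cn)) { $wellKnown[$cn] } else { 'Domain object' })
            MemberDN = $dn
        }
    }
}

function Remove-AnonymousFromPreWin2k {
    # Step 7 of the lab: drop S-1-5-7 from the group. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $domainDn = (Get-ADDomain).DistinguishedName
    $anonDn   = "CN=S-1-5-7,CN=ForeignSecurityPrincipals,$domainDn"
    if ($PSCmdlet.ShouldProcess($groupName, "remove $anonDn from member")) {
        # LDAP-level modify of the member attribute; works for foreign security principals.
        Set-ADGroup -Identity $groupName -Remove @{ member = $anonDn }
    }
}

Get-PreWin2kExposure | Format-Table Sid, Meaning -AutoSize
Remove-AnonymousFromPreWin2k -WhatIf   # drop -WhatIf to apply
```

Run the report again after the change: once S-1-5-7 is gone, Peter's NULL-session enumeration returns nothing, exactly as step 9 shows, while Authenticated Users keeps read access for legitimate domain accounts.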

If you are about to take a break, make sure you save your labs before!
D. Clear-text passwords
Scenario
You are Norma, the newest addition to the identity and security team of Contoso. A recent audit
revealed that some applications are sending clear-text passwords to authenticate over LDAP.
They all use a load balancer for which a DNS record was created back in the day:
ldap.contoso.com. It's not good. But you told your AD team and they don't seem to be too
concerned about it because they trust the network. The application servers are in a trusted and
secured physical location. It is hard to intercept these clear-text credentials unless you are able to
physically access the switches and capture the network there. It's time to gear up and show the
risks!

1. Log on to CONTOSO - WIN10.

Use the following credentials:

Username CONTOSO\NormaLuser
Password Pa$$w0rd

2. Right-click on the start button and click Windows PowerShell.


3. You have the permission to retrieve your local administrator password, so let's retrieve it
now as we will need it later. In the PowerShell console, type
Get-ADComputer -Identity WIN10 -Properties ms-Mcs-AdmPwd.

Enter the value of ms-Mcs-AdmPwd here:

Make sure you typed the value of the ms-Mcs-AdmPwd before continuing.

4. Right-click on the start button and click Windows PowerShell (Admin) (the admin one).
When prompted, enter the following credentials:

Username WIN10\LocalAdmin
Password <LAPS>

5. In the PowerShell console running as admin, run D:\NM34_x64.exe. Then in the
Microsoft Network Monitor window, click Yes. When the wizard starts, click Next.
Select I accept the terms in the License Agreement and click Next. Click Complete
and then click Install. When the installation is over, click Finish and another installation
will start (the parser installation); it will end silently.
6. Still in the PowerShell console running as Admin, run the two commands below. The first
creates the redirection, the second lets the traffic in through the local firewall:

netsh int portproxy add v4tov4 listenport=389 connectaddress=10.0.0.10 connectport=389
netsh advfirewall firewall add rule name="Open 389 redirection" dir=in action=allow protocol=TCP localport=389

netsh int portproxy opens a local port (here TCP 389) on your machine and forwards the
traffic it receives somewhere else (here back to the domain controller: 10.0.0.10).

7. In the PowerShell console not running as Admin, run nslookup ldap.contoso.com. This
returns the IP address of the domain controller.
8. In the same console, type and run C:\Tools\DNS\Steal-LDAPRecord.ps1. The output will
just be a bunch of numbers. Then run nslookup ldap.contoso.com. This returns the IP
address of WIN10.

This DNS record takeover is possible only because the zone is enabled for both secure and
nonsecure dynamic updates. Big mistake here…

10. In the PowerShell console running as Admin, run
& 'C:\Program Files\Microsoft Network Monitor 3\netmon.exe'. This launches Netmon. In the
Microsoft Update Opt-In window, click No. Then click New capture. Click Capture Settings. In
the Current capture filter field, type tcp.port==389, then click on Apply and then Close.
Then click Start.
Here is a summary of the clicks:
11. Let it run for 5 minutes. In the meantime, you can talk about DNS security with your
instructor. As soon as you see this:

You can click Stop on the top to stop the capture.

12. In the Frame summary section, select the LDAP Message:Bind Request, MessageID: 1.
Then in the Frame details section, browse LDAP Message:Bind Request, MessageID:
1/Bindrequest: Version 3,… you will see the password in the clear.
And because we are redirecting the traffic back to the DC, the application is not broken and did
not figure out we got the password. Sneaky…

13. Back in the PowerShell console running as Admin, run
C:\Tools\DNS\Giveback-LDAPRecord.ps1. Then run netsh int portproxy delete v4tov4 listenport=389.
14. Close all windows and sign out of WIN10.
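The two defender-side checks behind this exercise, as an added example that is not part of the lab's scripts: which AD-integrated zones still accept nonsecure dynamic updates (the setting the takeover in step 8 depends on), and which clients still perform simple binds in clear text, read from event 2889 in the Directory Service log. It assumes it runs on DC01 with the DnsServer module, and that the "16 LDAP Interface Events" diagnostics value has been raised to 2 so the per-client events are logged; the positions of the three event inserts (client, identity, binding type) are an assumption about the 2889 message layout.

```powershell
# Added example, not the lab's own scripts. Run on DC01 as a Domain Admin.
Import-Module DnsServer

# 1. The record takeover only works because the zone accepts nonsecure dynamic
#    updates. Report AD-integrated zones in that state; -Fix switches them to Secure.
function Get-NonsecureUpdateZone {
    param([switch]$Fix)
    $zones = Get-DnsServerZone | Where-Object {
        $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'NonsecureAndSecure'
    }
    foreach ($zone in $zones) {
        if ($Fix) {
            Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
        }
        [pscustomobject]@{
            Zone          = $zone.ZoneName
            DynamicUpdate = $zone.DynamicUpdate
            Fixed         = [bool]$Fix
        }
    }
}

# 2. Raising "16 LDAP Interface Events" to 2 makes the DC log event 2889 for every
#    unsigned SASL bind or clear-text simple bind (2887 is the 24-hour summary).
function Enable-LdapBindAuditing {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-InsecureLdapBind {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the event's inserts are client address, identity and binding type
        # (1 = simple bind over clear text, 0 = SASL bind without signing).
        $bindType = $_.Properties[2].Value -as [int]
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $_.Properties[0].Value
            Identity = $_.Properties[1].Value
            BindType = $(if ($bindType -eq 1) { 'SimpleBind-ClearText' } else { 'SASL-Unsigned' })
        }
    }
}

Get-NonsecureUpdateZone            # report only; add -Fix to remediate
Enable-LdapBindAuditing
Get-InsecureLdapBind -Hours 24 |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The grouped list is the inventory you need before tightening the DC: every application in it has to move to LDAPS or a signed SASL bind first. The server-side switch that then refuses unsigned binds is the LDAPServerIntegrity setting compared against the baseline in exercise E.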
If you are about to take a break, make sure you save your labs before!

E. Using security baselines


Scenario
As the domain administrator of Contoso, you want to make sure your domain controllers' security
settings are the best to protect you against attacks. You need to identify where the current
domain controllers' policy can be improved.

1. Log on to CONTOSO - DC01.

Use the following credentials:

Username CONTOSO\Administrator
Password Pa$$w0rd

2. Right-click on the start button and click Run. In the Run window, type gpmc.msc and
click OK.

3. In the Group Policy Management console, browse Forest:
contoso.com/Domains/contoso.com/Group Policy Objects. Right-click on the Default
Domain Controllers Policy and click Back Up… (make sure you selected the Default
Domain Controllers Policy and not the Default Domain Policy). Click Browse… and
select the C:\Tools folder. Then click Make New Folder and name it GPO. Make sure
the Folder field shows GPO and click OK.

Then click Back up and once the backup is over, click OK.
4. Open File Explorer and browse to D:\. Double-click on the executable PolicyAnalyzer.
5. Check the Local policy box and click Add…. In the Policy File Importer click File then
Add files from GPO(s). Browse to C:\Tools\GPO and click Select Folder. Then click
Import. Save the policy rule file under C:\Tools\GPO, call it Default DC Policy and
click Save.
6. Back in the Policy Analyzer window, click on the Policy Rule sets in path
C:\Users\Administrator.CONTOSO\Documents\PolicyAnalyzer (there is no button,
just click on the grey field where the path is written). Change the path to C:\Tools\GPO
and click Select Folder.
7. Click Add…. In the Policy File Importer click File then Add files from GPO(s). Browse
to D:\Baselines2016\GPOs\{37BBB33A-A159-427D-AD58-67B1BE126AD6} and click
Select Folder. Then click Import. Save the policy rule file under C:\Tools\GPO, call it
Baseline and click Save.
8. Back in the Policy Analyzer window, click the Default DC Policy on the list (both must
be checked now) and click View/Compare.
9. In the Policy Viewer window, click View then Show only Differences.
10. In the list, look for the Policy Setting called LDAPServerIntegrity. Look at the different
settings and discuss them with your instructor.

11. Close all windows and sign out of DC01.
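A scripted version of the "Show only Differences" view for the security-template part of the comparison, as an added example that is not the lab's or Policy Analyzer's own code: it parses the [Registry Values] section of the GptTmpl.inf inside the GPO backup from step 3 and inside the 2016 baseline GPO folder from step 7, and lists the settings where they differ. It assumes both paths from the lab exist on DC01 and that each folder contains a single GptTmpl.inf; Policy Analyzer also compares registry.pol and audit settings, which this example does not cover.

```powershell
# Added example, not the lab's or Policy Analyzer's own code. Run on DC01.
$currentRoot  = 'C:\Tools\GPO'
$baselineRoot = 'D:\Baselines2016\GPOs\{37BBB33A-A159-427D-AD58-67B1BE126AD6}'

function Get-GptRegistryValues {
    # Returns a hashtable of registry path -> "type,data" from the template's
    # [Registry Values] section, e.g. MACHINE\...\NTDS\Parameters\LDAPServerIntegrity -> 4,2
    param([Parameter(Mandatory)][string]$Root)
    $inf = Get-ChildItem -Path $Root -Recurse -Filter GptTmpl.inf | Select-Object -First 1
    if (-not $inf) { throw "No GptTmpl.inf found under $Root" }
    $values  = @{}
    $section = ''
    foreach ($line in Get-Content -Path $inf.FullName) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Registry Values' -and $line -match '^([^=]+)=(.*)$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    return $values
}

function Compare-GptRegistryValues {
    # One row per baseline setting that the current policy lacks or sets differently.
    param([hashtable]$Current, [hashtable]$Baseline)
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $b = $Baseline[$key]
        $c = $Current[$key]
        if ($c -ne $b) {
            [pscustomobject]@{
                Setting  = ($key -split '\\')[-1]
                Baseline = $b
                Current  = $(if ($null -eq $c) { '<not configured>' } else { $c })
                Path     = $key
            }
        }
    }
}

$diff = Compare-GptRegistryValues -Current  (Get-GptRegistryValues -Root $currentRoot) `
                                  -Baseline (Get-GptRegistryValues -Root $baselineRoot)
$diff | Format-Table Setting, Baseline, Current -AutoSize

# The setting step 10 asks about. In template syntax "4,2" is REG_DWORD = 2,
# i.e. "Require signing"; "4,1" is None.
$diff | Where-Object Setting -eq 'LDAPServerIntegrity'
```

Settings show up as "not configured" in the current column when the Default Domain Controllers Policy simply does not set them, which is the usual case for a domain that has never had a baseline applied; those are the rows to review with the instructor, starting with LDAPServerIntegrity.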

This was the last exercise for this module.

Thank you for securing your domain controllers!


See you in the next module!
