
Security Risks of Enumerating Active Directory - Term Paper Example

Summary
This term paper "Security Risks of Enumerating Active Directory" discusses what tools are used for improving and destroying security. Sometimes hackers can access the Windows directory and all the information available to the admin, which was created by a central administration using LDAP (Melber, 2012)…

Extract of sample "Security Risks of Enumerating Active Directory"

Security Risks of Enumerating Active Directory

Date: December 25, 2014

Table of Contents

Introduction
Active directory and enumeration of the active directory in Windows Server
AD enumeration tool used by network security admin
Tools used by unauthorized personnel
Examples of known software tools and attack methods
Comparison of Windows Server 2012 and Windows Server 2003 according to security issues
References

Introduction

Microsoft Windows Server Active Directory is a network directory service used in Windows domain networks, and it is included as a set of processes in popular Windows Server versions such as Windows 2003 and Windows 2012. It is used for security in domain networks: when a user logs in to the system with a username and password, Active Directory checks whether the user is authenticated. Active Directory performs this management automatically, such as determining whether the logged-in member is an admin or a simple user, what privileges the user has on the account, and which tasks can be performed with it. It allows users to use specific resources according to their account privileges. It provides a specific point for handling errors and redundancy (Rouse, 2008; Stallings & Brown, 2012). Alongside these security features, this paper discusses what tools are used for improving and destroying security. For example, hackers can sometimes access the Windows directory and all the information available to the admin, which was created by a central administration using LDAP (Melber, 2012).

Active directory and enumeration of the active directory in Windows Server

Active Directory is a directory service by Microsoft in Windows Server, which stores information about network resources and data from directory-enabled applications.
In this service, all users, devices, and applications are described in a hierarchical structure, at the top of which is a forest. This hierarchical structure has some advantages: the forest behaves like the border of the organization for security purposes, and it also defines the privileges that are provided to the different administrators. An administrator can add more users to a group or remove anyone from the group. Active Directory provides authentication and authorization services.

In Active Directory, a forest is the boundary of an admin in a specific group. For example, if one admin handles a group named "group1" and another admin handles another group named "group2", then group1 is the forest for the first admin, and group2 is the forest for the second admin. Neither admin can access the other admin's group until both allow access to each other. In addition, neither admin can access the other group's data, whether the groups reside in the same local area network or in separate networks. If there are several departments in a single organization and in a single building, and the central admin wants to create different admins who do not have access to the information of other units or groups, then the central admin needs to create forests for better security; this greatly decreases the fear of mixing data.

Active Directory also has a domain service, where the domain is the management boundary, just as the forest is the security boundary. The forest contains the domains, or management boundaries. Some organizations create several forests, and they may also have a single domain in a forest; the first domain in the forest is known as the forest root domain. The forest root domain defines the namespace for the forest, and this namespace is the default.
Anyone who wants to create a child domain of their domain can do so, but the child domain will also contain the name of its forest root domain or the name of the parent domain (MDMarra, 2012).

In Active Directory, the admin can enumerate users and groups by different techniques. For this purpose, the admin has to find the Lightweight Directory Service (LDS) in Active Directory (AD), along with a filter to limit the type of object selected, and then use specific techniques for enumerating the users and groups in Active Directory. There are different methods and techniques that can be used for enumerating users and groups in the forest or in the domain (Microsoft5, 2014). Moreover, the admin can also enumerate the domain, the properties of the users, and the group members. Everything that can be enumerated in Active Directory is either a user, user properties, members, or groups, and the users are known as objects of Active Directory on Windows Server.

AD enumeration tool used by network security admin

There are several tools used by the network security admin for managing the server; some of these tools and how they work are described below. During enumeration, the admin checks whether a connected device is free from vulnerabilities, and can also check whether the device is working on a specific host. Given below are some of the major tools that can be used for enumeration of Active Directory on the server.

Nmap Tool

This tool can be used for enumeration of Active Directory on the server. Nmap can scan ports, detect version numbers, and list services. For complete authentication and verification of the ports, Nmap can be used to trace a problem back to its root and find a solution. It can also be used on Windows Server, but in reality it was developed for organizations working in a UNIX environment.
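
The filter-based enumeration of users and groups described above leaves a recognisable pattern in directory query logs, which a defender can check for. The following Python example is an addition and not part of the original paper: it parses LDAP search filters and flags clients whose whole-domain searches select objects only by type. The record layout, addresses, domain name and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (client, search base, scope, filter); not real logs.
ROOT = "DC=example,DC=test"
SAMPLE_QUERIES = [
    ("10.0.0.15", ROOT, "subtree", "(&(objectCategory=person)(sAMAccountName=jsmith))"),
    ("10.0.0.77", ROOT, "subtree", "(&(objectCategory=person)(objectClass=user))"),
    ("10.0.0.77", ROOT, "subtree", "(objectClass=group)"),
    ("10.0.0.77", ROOT, "subtree", "(objectClass=computer)"),
    ("10.0.0.15", ROOT, "subtree", "(|(cn=print*)(cn=scan*))"),
    ("10.0.0.15", "CN=Users," + ROOT, "onelevel", "(objectClass=user)"),
]

CLASS_ATTRS = {"objectclass", "objectcategory"}  # attributes that select by type

def parse_filter(text):
    """Parse a subset of LDAP filter syntax (RFC 4515) into nested tuples."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children:
            raise ValueError("malformed composite filter")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    end = s.find(")", i)  # literal parentheses in values are escaped as \28 \29
    attr, sep, value = s[i:end].partition("=")
    attr = attr.split(":")[0].rstrip("<>~").strip().lower()
    if end == -1 or not sep or not attr:
        raise ValueError("malformed filter item")
    return ("item", attr, value), end + 1

def is_broad(node):
    """True when the filter selects by object type or mere presence only."""
    kind = node[0]
    if kind == "item":
        _, attr, value = node
        return attr in CLASS_ATTRS or value.strip("*") == ""
    if kind == "&":
        return all(is_broad(c) for c in node[1])  # one narrow term narrows an AND
    if kind == "|":
        return any(is_broad(c) for c in node[1])  # one broad term widens an OR
    return True  # "!" excludes objects but never pins the search to one

def classes_in(node):
    """Collect the object classes/categories a filter names."""
    if node[0] == "item":
        return {node[2].lower()} if node[1] in CLASS_ATTRS else set()
    return set().union(*(classes_in(c) for c in node[1]))

def find_enumerators(queries, min_classes=3):
    """Return {client: classes} for clients enumerating several object types."""
    seen = defaultdict(set)
    for client, base, scope, flt in queries:
        # Assumption: a subtree search rooted at a DC= base covers the whole domain.
        if scope != "subtree" or not base.upper().startswith("DC="):
            continue
        try:
            tree = parse_filter(flt)
        except ValueError:
            continue  # malformed filters are skipped in this example
        if is_broad(tree):
            seen[client] |= classes_in(tree)
    return {c: sorted(k) for c, k in seen.items() if len(k) >= min_classes}
```

On the constructed sample, only the client that walks users, groups and computers across the whole domain is reported; the targeted lookups from the other client are not.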
Domain Controller Diagnostics Tool

Domain Controller Diagnostics is a command-line tool used for analyzing the status of a single domain or of a number of domains, which may be in a single forest or in different local area networks. If any problem is found with this tool, it is reported to the administrator so that it can be solved as soon as possible. The domains are put through a number of tests in order to check their health, and all these tests can be performed with the help of the Domain Controller Diagnostics tool.

Before using the Domain Controller Diagnostics tool, the admin must fulfil its requirements. The first requirement is that it only runs on Microsoft Windows XP and on Windows Server 2003. The test in this tool validates the DNS health of Windows Server 2000 and of those versions introduced after Service Pack 3, or the Windows Server 2003 family, when it is executed from the Windows XP console, Windows Server 2003 servers, or a Windows Server 2003 controller. All the features of Domain Controller Diagnostics can be applied by users of the domain controllers, by domain controller administrators, or by Domain Name System administrators. When any of these users, whether an admin or a user of the domain controller, runs a test with the tool, it shows a detailed description of the test (Microsoft1, 2010).

Active Directory Preparation Tool

The Active Directory preparation tool is a command-line tool that prepares Active Directory. It prepares a Microsoft Windows 2000 forest for the installation of Windows Server 2003.
The users or stakeholders authorized to apply the features of the Active Directory preparation tool are system integrators, application developers, help desk professionals, and IT professionals who support Active Directory, for example Active Directory administrators, Domain Name System (DNS) administrators, Active Directory schema administrators, and domain controller administrators. Several conflicts can exist in the Exchange Server schema objects; the tool detects these conflicts and reports them to the users responsible for handling the tool, so that the difficulties and conflicts can be removed as soon as possible. There is also functionality for detecting conflicts in other schema objects (Microsoft2, 2014).

Tools used by unauthorized personnel

Hackers use several tools for hacking Windows Server, along with different methods for accessing information from a forest, which can contain one or more domains. Some tools and methods are described in the following section, with details of how attackers can attack the Windows directory to access information.

GFI LANguard

GFI LANguard is a free tool available on the internet. It is a network scanner used to find numerous shares on a Windows server, and most of these grant full privileges or control over the group's shares. By clicking on the shares, attackers can easily learn the privileges of the specific account they have hacked, and the type of information they can access through it. After getting into the information, they check which information is most important and useful; instead of reading long texts, they can use other tools that search text, such as File Locator Pro.
By installing this text search tool, attackers can mount something like a brute force attack, where they try specific words such as username, password, email, or other information or keywords that can help them reach the most valuable information on the server. In this way, hackers can access different types of document files of any user, which can be informative for further attacks on other users' systems (Beaver, 2009).

Pentest

The Pentest tool is used for hacking Microsoft Windows Server. This tool can access the information of the administrator and, along with that information, it also takes information about the privileges and access areas of the administrator. The test passes through a few steps: scanning, exploitation, and maintaining access. In the scanning step, some basic information about the computer is collected, such as which computers are connected to it, what the computer has for its security, which types and levels of software are there for security, what the vulnerabilities of the computer or of its installed software are, and whether all the computers are located in a similar subnet. For scanning, the hackers can run a command from the Nmap tool to scan the network. In the next step, exploitation, the hackers can use Metasploit to exploit the Windows server. After exploiting all the vulnerabilities of the Windows server, the next important step for hackers is to access the information about the administrators. In this way, hackers or other unauthorized persons can collect information about the network domains, forest, members, and members' properties (ldap389, 2013).

Examples of known software tools and attack methods

Given below are some examples of known tools and attack methods.

Netcat

Netcat is a hacking tool that can be used for hacking Windows Server. Like other hacking tools, such as Nmap, Netcat is also a network analysis tool.
Netcat can be used for opening TCP and UDP connections between two machines, regardless of the port on which the two machines reside. Netcat can also be used as a port scanning tool, and for port forwarding, proxying, and as a web server, and it also provides open backdoors for hackers (Occupytheweb, 2013).

To start accessing information from a Windows server, Netcat is opened first. Then, to create a connection to another machine, Netcat is given the IP address, so that it knows which machine the hacker wants to attack. To create a connection between two machines that are physically far apart and not on the same network, a connection has to be created between remote systems. For connecting with a remote system, the hackers must use port 80. To get security information about the operating system, Netcat is used for fingerprinting, connecting to obtain a banner. In this step, after building the connection between the two machines, whether they are connected locally or remotely, the hackers can get information from the computer's operating system (Occupytheweb, 2013).

To attack the system, the hacker must know the details of the software that the user has installed on his or her computer, such as what level of security it uses, so that the attacker can choose methods and techniques according to that specific security level. Netcat is then used for listening for a connection; for this, Netcat must be opened on port 6996. In the next step, the hacker creates a backdoor for easily escaping from the system. Netcat can also be used for copying files from the system on which Windows Server is installed (Occupytheweb, 2013).

Comparison of Windows Server 2012 and Windows Server 2003 according to security issues

Nowadays, support for Windows Server 2003 has ended, and users who still run Windows Server 2003 are completely vulnerable from the hackers' point of view.
It is now time for users to migrate from Windows Server 2003 to Windows Server 2012. Several enhancements introduced in Windows Server 2012 have better functionality than Windows Server 2003. The result of the refinements introduced in Windows Server 2012 is that its users are less vulnerable than users who are still running Windows Server 2003. The following are some important things that were introduced in Windows Server 2012 and have several advantages over Windows Server 2003.

IIS 8

The features included in IIS 8 in Windows Server 2012 are precompilation, granular process throttling, as well as SNI support and centralized certificate management.

DirectAccess

With the new and powerful DirectAccess feature in Windows Server 2012, the use of DirectAccess has also become easy. In DirectAccess on Windows Server 2012, Secure Sockets Layer (SSL) is the default configuration, and IPsec is also given as an option.

Deduplication

Storage requirements are increasing day by day when users compare them with hard drive density. In view of these requirements, Microsoft has introduced deduplication of NTFS volumes in Windows Server 2012. The advantage of this feature, which is not available in Windows Server 2003, is that it saves bandwidth (Pott, 2013).

Hyper-V Replica

Hyper-V Replica is another feature of Windows Server 2012 that is not available in Windows Server 2003. It is a storage technology that replicates all changes made by different hosted Windows Server 2012 machines. It also helps in making better decisions and provides different steps for creating the virtualized environment for the replica. Between two connected host servers, it provides the Hyper-V virtual machine.
The configuration needed for Hyper-V Replica to work is very simple, and there is no need for special types of hardware or software (Microsoft3, 2013).

SMB in Windows Server

In Windows Server 2012, there are some new features included in SMB (Server Message Block). These new features include the automatic rebalancing of scale-out file server clients and Hyper-V live migration over SMB. Bandwidth management of SMB is also included in Windows Server 2012; the benefit is that the admin can manage the bandwidth according to different loads. The bandwidth for which the SMB bandwidth functionality was added has three types of traffic: default traffic, live migration, and virtual machine. These are the features that are new in Windows Server 2012. There are also some other features that exist in the previous versions, Server 2003 and 2008, and are now updated in Windows Server 2012. For example, SMB 1.0 is an optional feature, SMB event messages are improved, and the performance of SMB Direct is improved (Microsoft4, 2014).

References

Beaver, K., 2009. How Windows servers get hacked. [Online] Available at: http://searchwindowsserver.techtarget.com/tip/How-Windows-servers-get-hacked [Accessed 30 12 2014].

ldap389, 2013. Pentesting an Active Directory infrastructure. [Online] Available at: http://www.ldap389.info/en/2012/12/10/pentesting-active-directory-hacking/ [Accessed 30 12 2014].

MDMarra, 2012. What is Active Directory Domain Services and how does it work?. [Online] Available at: http://serverfault.com/questions/402580/what-is-active-directory-domain-services-and-how-does-it-work [Accessed 30 December 2014].

Melber, D., 2012. Accessing Active Directory Information with LDP. [Online] Available at: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Accessing-Active-Directory-Information-LDP.html [Accessed 25 12 2014].

Microsoft1, 2010. Domain Controller Diagnostics Tool (dcdiag.exe). [Online] Available at: http://technet.microsoft.com/en-us/library/cc776854(v=ws.10).aspx [Accessed 30 12 2014].

Microsoft2, 2014. Active Directory Preparation Tool (adprep.exe). [Online] Available at: http://technet.microsoft.com/en-us/library/cc782481(v=ws.10).aspx [Accessed 30 12 2014].

Microsoft3, 2013. Hyper-V Replica Overview. [Online] Available at: http://technet.microsoft.com/en-us/library/jj134172.aspx [Accessed 31 12 2014].

Microsoft4, 2014. What's New in SMB in Windows Server. [Online] Available at: http://technet.microsoft.com/en-us/library/hh831474.aspx [Accessed 31 12 2014].

Microsoft5, 2014. Enumerating Users and Groups. [Online] Available at: http://msdn.microsoft.com/en-us/library/aa772126(v=vs.85).aspx [Accessed 30 12 2014].

Occupytheweb, 2013. Hack Like a Pro: How to Use Netcat, the Swiss Army Knife of Hacking Tools. [Online] Available at: http://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/ [Accessed 31 12 2014].

Pott, T., 2013. The 10 best … Windows Server 2012 features. [Online] Available at: http://www.theregister.co.uk/2013/01/10/10_best_server12/ [Accessed 31 12 2014].

Rouse, M., 2008. Active Directory. [Online] Available at: http://searchwindowsserver.techtarget.com/definition/Active-Directory [Accessed 25 12 2014].

Stallings, W. & Brown, L., 2012. Computer Security: Principles and Practice. 2nd ed. New Jersey: Prentice Hall.