Setting Up Users, Groups, and Policies

This is a summary of the tasks in this post:

  • Tidy up Active Directory Users and Computers
  • Add a Domain Administrator Account
  • Create A Service Account That Is Also A Domain Administrator
  • Create Two Low Level Domain Users
  • Create a Fileshare (to be abused later)
  • Set up the Service Principal Name (SPN) [SQLService] (Kerberoasting)
  • Add a Group Policy Object to Disable Protections on Client Machines

NOTE: Additional Users and Network settings will take place AFTER the client machines have been added to the Domain. These steps will be summarized in the next Section (07H).

Tidy up Active Directory Users and Computers

Shutdown the Windows 10 client machines and boot up the Domain Controller

  • Server Manager will start
  • Go to: Tools > Active Directory Users and Computers

If you expand MARVEL.local you will see a number of containers and Organizational Units (OUs). Click on Users; the only real user account is the Administrator account we set up. The rest of the entries are groups, including interesting ones such as Domain Admins and Enterprise Admins. Membership of these groups is what we will want to gain: any account added to them controls the domain.

This looks very messy - so let’s create a new OU, called Groups, and move EVERYTHING except Administrator and Guest to Groups.

  • Right-Click MARVEL.local > New > Organizational Unit

Shift-Select the accounts and move to Groups.

  • You will see a warning
  • Enable “Don’t show this warning” and click Yes.

Now this is much tidier.

  • By the way, the small down-arrow icon on Guest means the account is disabled.

Add a Domain Administrator Account

By the way, double-click the Administrator account and you can see the attributes associated with it, including the “Member Of” tab that lists its group memberships.

Right-Click Administrator > Copy

Copying an account carries its group memberships over to the new one, so the copy is a domain administrator as well. Set a password and enable “Password never expires”, a big no-no outside a lab. For this lab, we used Password12345!

Create A Service Account That Is Also A Domain Administrator

Let’s create another account - another big no no - which is a service account that is a domain administrator.

  • This will be used for our SQL server.
  • Right-Click Administrator > Copy

For this account, use: MYpassword123#

  • Why this password? It meets the requirements of most password policies: 14 characters, upper and lower case letters, numbers and a special character. It is nevertheless a very weak password, because it is built from a dictionary word plus a predictable suffix, and a cracker will recover it quickly once the hash is obtained. DO NOT use dictionary words.
  • For this account, double-click it and in the Description field type: The password is MYpassword123#
  • This is a BAD idea. Many administrators do this without realizing that the Description attribute is readable by every authenticated domain user, not just administrators.

Create Two Low Level Domain Users

Let’s create two additional low-level users. New accounts are members of Domain Users by default, and that is the only group they need.

  • Right-Click (white space) > New > User

  • Password: Password1

  • Be sure to disable “User must change password at next logon”, and enable “Password never expires”. This sounds terrible; however, it is a common practice amongst domain administrators.

  • NOTE: User “fcastle” is a domain account, whereas “frankcastle” is a local account on a client machine, not in the domain.

Right-Click Frank Castle > Copy

Use Password: Password2

This is the desired state: an OU called Groups holding the built-in groups, and the Users container holding Administrator, Guest, the new domain admin, SQLService and the two low-level users.
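The same tidy-up and account creation, done with the ActiveDirectory PowerShell module on the DC instead of clicking through ADUC. This is an added example, not part of the original post. It assumes the domain is MARVEL.local; because the post does not name the new domain admin or the second low-level user, the account names tstark and pparker below are placeholders.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the domain controller. Assumes the domain is MARVEL.local.
Import-Module ActiveDirectory

$domainDN = 'DC=MARVEL,DC=local'
$usersCN  = "CN=Users,$domainDN"
$groupsOU = "OU=Groups,$domainDN"

# 1. Tidy up: create the Groups OU and move everything in CN=Users except
#    the built-in Administrator and Guest accounts into it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Groups'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name 'Groups' -Path $domainDN
}
Get-ADObject -SearchBase $usersCN -SearchScope OneLevel -Filter * |
    Where-Object { $_.Name -notin @('Administrator', 'Guest') } |
    Move-ADObject -TargetPath $groupsOU

# Helper: plain-text lab passwords, "password never expires" and no forced
# change at first logon, exactly as the post sets them in the GUI.
function New-LabUser {
    param([string]$Name, [string]$Sam, [string]$Password, [string]$Description = '')
    New-ADUser -Name $Name -SamAccountName $Sam `
        -UserPrincipalName "$Sam@MARVEL.local" `
        -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
        -Description $Description `
        -Enabled $true `
        -PasswordNeverExpires $true `
        -ChangePasswordAtLogon $false
}

# 2. Domain admin account (the post's "Right-Click Administrator > Copy"):
#    give it the same group memberships as the built-in Administrator.
#    'tstark' is a placeholder; the post does not name this account.
New-LabUser -Name 'Tony Stark' -Sam 'tstark' -Password 'Password12345!'
(Get-ADUser Administrator -Properties MemberOf).MemberOf |
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members 'tstark' }

# 3. Service account that is also a domain admin, with the password leaked
#    in the Description attribute (readable by every authenticated user).
New-LabUser -Name 'SQL Service' -Sam 'SQLService' -Password 'MYpassword123#' `
    -Description 'The password is MYpassword123#'
(Get-ADUser Administrator -Properties MemberOf).MemberOf |
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members 'SQLService' }

# 4. Two low-level domain users (Domain Users is the default primary group).
#    'pparker' is a placeholder; the post only names fcastle.
New-LabUser -Name 'Frank Castle' -Sam 'fcastle' -Password 'Password1'
New-LabUser -Name 'Peter Parker' -Sam 'pparker' -Password 'Password2'

# Check: what any low-privileged domain user can read about these accounts.
Get-ADUser -Filter * -Properties Description, PasswordNeverExpires, MemberOf |
    Where-Object { $_.SamAccountName -in 'tstark', 'SQLService', 'fcastle', 'pparker' } |
    Select-Object SamAccountName, Description, PasswordNeverExpires,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
```

The final query is the point of the exercise: run it as fcastle from any domain-joined machine and the SQLService password is sitting in the Description column, next to the Domain Admins membership that makes it worth having.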

Create a Fileshare (to be abused later)

Sharing a folder adds another SMB target on the Domain Controller, which increases the attack surface. Every Domain Controller already exposes the SYSVOL and NETLOGON shares over SMB (TCP 445), and most have additional file shares on top of that, so this mirrors what you will find in the field.

  • Launch Server Manager, and click File and Storage Services

  • Click Shares

  • This will open another pane; click TASKS > New Share…

  • Choose SMB Share - Quick

  • Next > Next > Share name: hackme

  • Notice it also shows the remote path to the share (the UNC path clients will use).

  • Next (Allow share caching) > Next (Permissions) > Create

Set up the Service Principal Name (SPN) [SQLService]

Registering an SPN on the SQLService user account makes it a target for Kerberoasting: any authenticated domain user can request a service ticket for that SPN, and the ticket is encrypted with the service account’s password hash, which can then be cracked offline. Because SQLService is a domain admin with a weak password, this gives us a route to the SQL service and to the domain.

  • Search “cmd” > Run as Administrator
  • Run this command:

setspn -a HYDRA-DC/SQLService.MARVEL.local:60111 MARVEL\SQLService

We should see “Updated object”. We can also query the SPNs registered in the domain:

setspn -T MARVEL.local -Q */*
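The share and the SPN from the two sections above, created from PowerShell, followed by the check an attacker would run first: which user accounts have an SPN, and whether any of them is privileged or leaks its password. This is an added example, not code from the original post. It assumes C:\Shares\hackme as the share path (the default the New Share wizard proposes) and Everyone read as the share permission.

```powershell
# Added example (not from the original post). Elevated PowerShell on the DC.
Import-Module ActiveDirectory

# 1. The 'hackme' share. Path and 'Everyone' read permission are assumptions
#    matching the wizard defaults used in the post.
New-Item -ItemType Directory -Path 'C:\Shares\hackme' -Force | Out-Null
New-SmbShare -Name 'hackme' -Path 'C:\Shares\hackme' -ReadAccess 'Everyone'

# 2. The SPN from the post, set via Set-ADUser instead of setspn.exe.
Set-ADUser -Identity 'SQLService' `
    -ServicePrincipalNames @{ Add = 'HYDRA-DC/SQLService.MARVEL.local:60111' }

# 3. Check: every user account with an SPN is Kerberoastable. Flag the ones
#    that are domain admins, leak a password in Description, or never rotate.
#    krbtgt is excluded; it has an SPN but its ticket is not crackable this way.
function Get-KerberoastableUser {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, MemberOf, Description, PasswordNeverExpires |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $groups = $_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
        [pscustomobject]@{
            Sam          = $_.SamAccountName
            SPNs         = $_.ServicePrincipalName -join ' '
            DomainAdmin  = $groups -contains 'Domain Admins'
            PwdInDesc    = $_.Description -match 'password'
            NeverExpires = $_.PasswordNeverExpires
        }
    }
}
Get-KerberoastableUser | Format-Table -AutoSize

# 4. Shares as seen from the network. SYSVOL and NETLOGON are always present
#    on a DC; 'hackme' is the one we just added.
Get-SmbShare | Select-Object Name, Path, Description
```

Get-KerberoastableUser only needs the rights every domain user has, which is the caveat to take away: the SPN format does not have to make sense for the account to be roastable, and the DC will hand a service ticket to fcastle for it just as readily as to an administrator.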

Add a Group Policy Object to Disable Protections on Client Machines

This policy will apply to the ENTIRE domain.

  • Open the Start Menu and search for Group Policy Management

Expand your forest until you see your domain.

  • Right-Click your domain, and choose “Create a GPO in this domain, and Link it here…”.
  • Although we could link a GPO to a particular OU, we want to apply this to the entire domain.

Call it: Disable Windows Defender.

  • If you click on it, hit “OK” for the pop-up warning that changes made here affect every location the GPO is linked to.

Right-Click on your new Group Policy Object and click Edit

  • Expand down into Computer Configuration > Policies > Administrative Templates > Windows Components

Scroll down to find Microsoft Defender Antivirus.

  • In older versions of Windows Server, this node was named Windows Defender Antivirus.
  • Double-Click “Turn off Microsoft Defender Antivirus”

Set it to Enabled > Apply > OK

Right-Click Disable Windows Defender > Enforced

Enforced means the link cannot be blocked by inheritance settings further down the tree. You can see the GPO is now marked as enforced on the domain link.
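The same GPO created, linked and enforced from PowerShell with the GroupPolicy module, plus the checks that tell you whether it actually took effect on a client. This is an added example, not part of the original post; it assumes the domain is MARVEL.local. The registry value it sets is the one the “Turn off Microsoft Defender Antivirus” template writes.

```powershell
# Added example (not from the original post). Elevated PowerShell on the DC.
Import-Module GroupPolicy

$gpoName  = 'Disable Windows Defender'
$domainDN = 'DC=MARVEL,DC=local'

# 1. Create the GPO. "Turn off Microsoft Defender Antivirus" is the ADMX
#    setting that writes HKLM\...\Windows Defender\DisableAntiSpyware = 1.
New-GPO -Name $gpoName | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' `
    -ValueName 'DisableAntiSpyware' -Type DWord -Value 1 | Out-Null

# 2. Link it at the domain root and enforce it (same as the right-click).
New-GPLink -Name $gpoName -Target $domainDN -Enforced Yes | Out-Null

# 3. Check the link state on the DC: Enforced should read True.
Get-GPInheritance -Target $domainDN |
    Select-Object -ExpandProperty GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 4. On a domain-joined client (not the DC), after the next policy refresh,
#    confirm the value arrived and that Defender honoured it. Caveat: on
#    Windows 10 builds with Tamper Protection on, Defender ignores
#    DisableAntiSpyware and AntivirusEnabled stays True; turn Tamper
#    Protection off in the Windows Security app first.
# gpupdate /force
# Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware
# Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
```

The client-side check matters more than the DC-side one: a GPO can be linked and enforced and still not do what you expect, and with Tamper Protection enabled the lab payloads later on will be caught even though the policy looks applied.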

Do not shut down the Domain Controller. The next step is to join the machines to the Domain.