Room link for this write-up: https://tryhackme.com/r/room/winadbasics
Introduction
Microsoft’s Active Directory is the backbone of the corporate world. It simplifies the management of devices and users within a corporate environment. In this room, we’ll take a deep dive into the essential components of Active Directory.
Room Objectives
In this room, we will learn about Active Directory and will become familiar with the following topics:
- What Active Directory is
- What an Active Directory Domain is
- What components go into an Active Directory Domain
- Forests and Domain Trust
- And much more!
Room Prerequisites
General familiarity with Windows. Check the Windows Fundamentals module for more information on this.
Windows Domains
Picture yourself administering a small business network with only five computers and five employees. In such a tiny network, you will probably be able to configure each computer separately without a problem. You will manually log into each computer, create users for whoever will use them, and make specific configurations for each employee’s accounts. If a user’s computer stops working, you will probably go to their place and fix the computer on-site.
While this sounds like a very relaxed lifestyle, let’s suppose your business suddenly grows and now has 157 computers and 320 different users located across four different offices. Would you still be able to manage each computer as a separate entity, manually configure policies for each of the users across the network and provide on-site support for everyone? The answer is most likely no.
To overcome these limitations, we can use a Windows domain. Simply put, a Windows domain is a group of users and computers under the administration of a given business. The main idea behind a domain is to centralise the administration of common components of a Windows computer network in a single repository called Active Directory (AD). The server that runs the Active Directory services is known as a Domain Controller (DC).
The main advantages of having a configured Windows domain are:
- Centralised identity management: All users across the network can be configured from Active Directory with minimum effort.
- Managing security policies: You can configure security policies directly from Active Directory and apply them to users and computers across the network as needed.
A Real-World Example
If this sounds a bit confusing, chances are that you have already interacted with a Windows domain at some point in your school, university or work.
In school/university networks, you will often be provided with a username and password that you can use on any of the computers available on campus. Your credentials are valid for all machines because whenever you input them on a machine, it will forward the authentication process back to the Active Directory, where your credentials will be checked. Thanks to Active Directory, your credentials don’t need to exist in each machine and are available throughout the network.
Active Directory is also the component that allows your school/university to restrict you from accessing the control panel on your school/university machines. Policies will usually be deployed throughout the network so that you don’t have administrative privileges over those computers.
Welcome to THM Inc.
During this task, we’ll assume the role of the new IT admin at THM Inc. As our first task, we have been asked to review the current domain “THM.local” and do some additional configurations. You will have administrative credentials over a pre-configured Domain Controller (DC) to do the tasks.
Be sure to click the Start Machine button below now, as you’ll use the same machine for all tasks. This should open a machine in your browser.
Should you prefer to connect to it via RDP, you can use the following credentials:
Note: When connecting via RDP, use THM\Administrator as the username to specify you want to log in using the user Administrator on the THM domain.
Since we will be connecting to the target machine via RDP, this is also a good time to start the AttackBox (unless you are using your own machine).
Question
Just search for it directly.
Active Directory
The core of any Windows Domain is the Active Directory Domain Service (AD DS). This service acts as a catalogue that holds the information of all of the “objects” that exist on your network. Amongst the many objects supported by AD, we have users, groups, machines, printers, shares and many others. Let’s look at some of them:
Users
Users are one of the most common object types in Active Directory. Users are one of the objects known as security principals, meaning that they can be authenticated by the domain and can be assigned privileges over resources like files or printers. You could say that a security principal is an object that can act upon resources in the network.
Users can be used to represent two types of entities:
- People: users will generally represent persons in your organisation that need to access the network, like employees.
- Services: you can also define users to be used by services like IIS or MSSQL. Every single service requires a user to run, but service users are different from regular users as they will only have the privileges needed to run their specific service.
Machines
Machines are another type of object within Active Directory; for every computer that joins the Active Directory domain, a machine object will be created. Machines are also considered “security principals” and are assigned an account just as any regular user. This account has somewhat limited rights within the domain itself.
The machine accounts themselves are local administrators on the assigned computer. They are generally not supposed to be accessed by anyone except the computer itself, but as with any other account, if you have the password, you can use it to log in.
Note: Machine Account passwords are automatically rotated out and are generally comprised of 120 random characters.
Identifying machine accounts is relatively easy. They follow a specific naming scheme. The machine account name is the computer’s name followed by a dollar sign. For example, a machine named DC01 will have a machine account called DC01$.
Security Groups
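As an added example that is not part of the room, the PowerShell below (assuming the ActiveDirectory module available on the DC and the thm.local domain used here) lists the machine accounts with their trailing `$` names and flags any whose password has not rotated within the expected window, which is the check a defender runs to confirm the automatic rotation is actually happening.

```powershell
# Added example, not from the room. Assumes the ActiveDirectory module
# (present on any DC) and the thm.local domain from this room.
Import-Module ActiveDirectory

function Get-MachineAccountStatus {
    param(
        [string]$SearchBase = 'DC=thm,DC=local',  # domain from the room
        [int]$MaxPasswordAgeDays = 30             # default machine password change interval
    )
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties PasswordLastSet, OperatingSystem |
        ForEach-Object {
            # SamAccountName is the computer name followed by '$', e.g. DC01$
            $lastSet = $_.PasswordLastSet
            [pscustomobject]@{
                Account         = $_.SamAccountName
                Computer        = $_.Name
                OperatingSystem = $_.OperatingSystem
                Enabled         = $_.Enabled
                PasswordLastSet = $lastSet
                # No recorded PasswordLastSet is treated as stale and worth a look
                Stale           = ($null -eq $lastSet) -or ($lastSet -lt $cutoff)
            }
        }
}

# Accounts that need attention are listed first
Get-MachineAccountStatus | Sort-Object Stale -Descending | Format-Table -AutoSize
```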
If you are familiar with Windows, you probably know that you can define user groups to assign access rights to files or other resources to entire groups instead of single users. This allows for better manageability as you can add users to an existing group, and they will automatically inherit all of the group’s privileges. Security groups are also considered security principals and, therefore, can have privileges over resources on the network.
Groups can have both users and machines as members. If needed, groups can include other groups as well.
Several groups are created by default in a domain that can be used to grant specific privileges to users. As an example, here are some of the most important groups in a domain:
Security Group | Description |
---|---|
Domain Admins | Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs. |
Server Operators | Users in this group can administer Domain Controllers. They cannot change any administrative group memberships. |
Backup Operators | Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers. |
Account Operators | Users in this group can create or modify other accounts in the domain. |
Domain Users | Includes all existing user accounts in the domain. |
Domain Computers | Includes all existing computers in the domain. |
Domain Controllers | Includes all existing DCs in the domain. |
You can obtain the complete list of default security groups from the Microsoft documentation.
Active Directory Users and Computers
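Because membership of the groups in the table above is what an attacker is after and what an admin most often gets wrong, here is an added PowerShell example (not from the room; it assumes the ActiveDirectory module on the DC and the default group names) that enumerates each privileged group, expanding nested groups so indirect members are not missed.

```powershell
# Added example, not from the room. Assumes the ActiveDirectory module
# (present on the DC) and that the default group names are unchanged.
Import-Module ActiveDirectory

# The high-privilege default groups from the table above
$PrivilegedGroups = 'Domain Admins', 'Server Operators', 'Backup Operators', 'Account Operators'

function Get-PrivilegedGroupReport {
    param([string[]]$Groups = $PrivilegedGroups)

    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so a user added through another
        # group still shows up; only leaf objects (users, computers) are returned
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            $member = $_
            $detail = switch ($member.objectClass) {
                'user'     { Get-ADUser     -Identity $member.DistinguishedName -Properties PasswordLastSet }
                'computer' { Get-ADComputer -Identity $member.DistinguishedName -Properties PasswordLastSet }
                default    { $null }
            }
            [pscustomobject]@{
                Group           = $group
                Member          = $member.SamAccountName
                Class           = $member.objectClass
                Enabled         = $detail.Enabled
                PasswordLastSet = $detail.PasswordLastSet
                Container       = ($member.DistinguishedName -split ',', 2)[1]   # where the object lives
            }
        }
    }
}

# Baseline check: every row should be expected. Disabled accounts or accounts
# with a long-unchanged password in these groups are the first things to question.
Get-PrivilegedGroupReport | Sort-Object Group, Member | Format-Table -AutoSize
```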
To configure users, groups or machines in Active Directory, we need to log in to the Domain Controller and run “Active Directory Users and Computers” from the start menu:
This will open up a window where you can see the hierarchy of users, computers and groups that exist in the domain. These objects are organised in Organizational Units (OUs) which are container objects that allow you to classify users and machines. OUs are mainly used to define sets of users with similar policing requirements. The people in the Sales department of your organisation are likely to have a different set of policies applied than the people in IT, for example. Keep in mind that a user can only be a part of a single OU at a time.
Checking our machine, we can see that there is already an OU called THM with four child OUs for the IT, Management, Marketing and Sales departments. It is very typical to see the OUs mimic the business’ structure, as it allows for efficiently deploying baseline policies that apply to entire departments. Remember that while this would be the expected model most of the time, you can define OUs arbitrarily. Feel free to right-click the THM OU and create a new OU under it called Students just for the fun of it.
If you open any OUs, you can see the users they contain and perform simple tasks like creating, deleting or modifying them as needed. You can also reset passwords if needed (pretty useful for the helpdesk):
You probably noticed already that there are other default containers apart from the THM OU. These containers are created by Windows automatically and contain the following:
- Builtin: Contains default groups available to any Windows host.
- Computers: Any machine joining the network will be put here by default. You can move them if needed.
- Domain Controllers: Default OU that contains the DCs in your network.
- Users: Default users and groups that apply to a domain-wide context.
- Managed Service Accounts: Holds accounts used by services in your Windows domain.
Security Groups vs OUs
You are probably wondering why we have both groups and OUs. While both are used to classify users and computers, their purposes are entirely different:
- OUs are handy for applying policies to users and computers, which include specific configurations that pertain to sets of users depending on their particular role in the enterprise. Remember, a user can only be a member of a single OU at a time, as it wouldn’t make sense to try to apply two different sets of policies to a single user.
- Security Groups, on the other hand, are used to grant permissions over resources. For example, you will use groups if you want to allow some users to access a shared folder or network printer. A user can be a part of many groups, which is needed to grant access to multiple resources.
Question
Managing Users in AD
Your first task as the new domain administrator is to check the existing AD OUs and users, as some recent changes have happened to the business. You have been given the following organisational chart and are expected to make changes to the AD to match it:
Deleting extra OUs and users
The first thing you should notice is that there is an additional department OU in your current AD configuration that doesn’t appear in the chart. We’ve been told it was closed due to budget cuts and should be removed from the domain. If you try to right-click and delete the OU, you will get the following error:
By default, OUs are protected against accidental deletion. To delete the OU, we need to enable the Advanced Features in the View menu:
This will show you some additional containers and enable you to disable the accidental deletion protection. To do so, right-click the OU and go to Properties. You will find a checkbox in the Object tab to disable the protection:
Be sure to uncheck the box and try deleting the OU again. You will be prompted to confirm that you want to delete the OU, and as a result, any users, groups or OUs under it will also be deleted.
After deleting the extra OU, you should notice that for some of the departments, the users in the AD don’t match the ones in our organisational chart. Create and delete users as needed to match them.
Delegation
One of the nice things you can do in AD is to give specific users some control over some OUs. This process is known as delegation and allows you to grant users specific privileges to perform advanced tasks on OUs without needing a Domain Administrator to step in.
One of the most common use cases for this is granting IT support the privileges to reset other low-privilege users’ passwords. According to our organisational chart, Phillip is in charge of IT support, so we’d probably want to delegate the control of resetting passwords over the Sales, Marketing and Management OUs to him.
For this example, we will delegate control over the Sales OU to Phillip. To delegate control over an OU, you can right-click it and select Delegate Control:
This should open a new window where you will first be asked for the users to whom you want to delegate control:
Note: To avoid mistyping the user’s name, write “phillip” and click the Check Names button. Windows will autocomplete the user for you.
Click OK, and on the next step, select the following option:
Click next a couple of times, and now Phillip should be able to reset passwords for any user in the sales department. While you’d probably want to repeat these steps to delegate the password resets of the Marketing and Management departments, we’ll leave it here for this task. You are free to continue to configure the rest of the OUs if you so desire.
Now let’s use Phillip’s account to try and reset Sophie’s password. Here are Phillip’s credentials for you to log in via RDP:
Note: When connecting via RDP, use THM\phillip as the username to specify you want to log in using the user phillip on the THM domain.
While you may be tempted to go to Active Directory Users and Computers to try and test Phillip’s new powers, he doesn’t really have the privileges to open it, so you’ll have to use other methods to do password resets. In this case, we will be using PowerShell to do so:
```powershell
PS C:\Users\phillip> Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
New Password: *********
VERBOSE: Performing the operation "Set-ADAccountPassword" on target "CN=Sophie,OU=Sales,OU=THM,DC=thm,DC=local".
```
Since we wouldn’t want Sophie to keep on using a password we know, we can also force a password reset at the next logon with the following command:
```powershell
PS C:\Users\phillip> Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose
VERBOSE: Performing the operation "Set" on target "CN=Sophie,OU=Sales,OU=THM,DC=thm,DC=local".
```
Note: When connecting via RDP, use THM\sophie as the username to specify you want to log in using the user sophie on the THM domain.
Question
Answer
After following the steps described above:
First connect using the built-in RDP client.
Once logged in as phillip, enter the given commands to change the password and force a reset at next logon.
Then you can get the flag by logging in as the user sophie.
Managing Computers in AD
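Two things a practitioner wants around the delegation above are a way to see exactly who holds the "Reset Password" right on an OU, and a helpdesk reset that never leaves a known password in place. The PowerShell below is an added example, not the room's own code; it assumes the ActiveDirectory module on the DC, the Sales OU and the users phillip and sophie from this room, and it relies on the well-known GUID of the User-Force-Change-Password extended right.

```powershell
# Added example, not from the room. Assumes the ActiveDirectory module and the
# OU and user names used in this room (Sales OU, users phillip and sophie).
Import-Module ActiveDirectory

# Well-known rightsGUID of the "Reset Password" (User-Force-Change-Password) extended right
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Run as a domain admin on the DC: who has been delegated password resets on an OU?
function Get-ResetPasswordDelegation {
    param([string]$OuDn = 'OU=Sales,OU=THM,DC=thm,DC=local')

    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object {
            # An empty ObjectType means ALL extended rights, which is broader than intended
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            $scope = if ($_.ObjectType -eq [guid]::Empty) { 'ALL extended rights' } else { 'Reset Password' }
            [pscustomobject]@{
                OU        = $OuDn
                Principal = $_.IdentityReference
                Right     = $scope
                Inherited = $_.IsInherited
                AppliesTo = $_.InheritanceType
            }
        }
}

# Run as the delegated helpdesk user (phillip): the room's two commands combined,
# with a random one-time password and a read-back to confirm the change applied.
function Reset-DelegatedUserPassword {
    param([Parameter(Mandatory)][string]$User)

    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $oneTime = [Convert]::ToBase64String($bytes)    # 24 chars of mixed case, digits and symbols

    Set-ADAccountPassword -Identity $User -Reset -NewPassword (ConvertTo-SecureString $oneTime -AsPlainText -Force)
    Set-ADUser -Identity $User -ChangePasswordAtLogon $true

    # Forcing a change at logon clears pwdLastSet, so PasswordLastSet reads empty
    # and PasswordExpired is True; anything else means the change did not apply.
    $after = Get-ADUser -Identity $User -Properties PasswordLastSet, PasswordExpired
    [pscustomobject]@{
        User            = $after.SamAccountName
        OneTimePassword = $oneTime             # hand to the user out of band
        MustChange      = $after.PasswordExpired
        PasswordLastSet = $after.PasswordLastSet
    }
}

Get-ResetPasswordDelegation | Format-Table -AutoSize
# Reset-DelegatedUserPassword -User sophie
```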
By default, all the machines that join a domain (except for the DCs) will be put in the container called “Computers”. If we check our DC, we will see that some devices are already there:
We can see some servers, some laptops and some PCs corresponding to the users in our network. Having all of our devices there is not the best idea since it’s very likely that you want different policies for your servers and the machines that regular users use on a daily basis.
While there is no golden rule on how to organise your machines, an excellent starting point is segregating devices according to their use. In general, you’d expect to see devices divided into at least the three following categories:
1. Workstations
Workstations are one of the most common devices within an Active Directory domain. Each user in the domain will likely be logging into a workstation. This is the device they will use to do their work or normal browsing activities. These devices should never have a privileged user signed into them.
2. Servers
Servers are the second most common device within an Active Directory domain. Servers are generally used to provide services to users or other servers.
3. Domain Controllers
Domain Controllers are the third most common device within an Active Directory domain. Domain Controllers allow you to manage the Active Directory Domain. These devices are often deemed the most sensitive devices within the network as they contain hashed passwords for all user accounts within the environment.
Since we are tidying up our AD, let’s create two separate OUs for Workstations and Servers (Domain Controllers are already in an OU created by Windows). We will be creating them directly under the thm.local domain container. In the end, you should have the following OU structure:
Now, move the personal computers and laptops to the Workstations OU and the servers to the Servers OU from the Computers container. Doing so will allow us to configure policies for each OU later.
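The move described above is done by hand in the room; as an added example (not the room's own code, assuming the ActiveDirectory module, the thm.local domain and the Workstations and Servers OUs created in this task), the PowerShell below does the same sorting by operating system, previews with -WhatIf first, and refuses to guess for machines with no recorded OS.

```powershell
# Added example, not from the room. Assumes the ActiveDirectory module, the
# thm.local domain and the Workstations/Servers OUs created in this task.
Import-Module ActiveDirectory

function Move-ComputersByRole {
    param(
        [string]$Domain = 'DC=thm,DC=local',
        [switch]$WhatIf                          # preview only; nothing is moved
    )
    $source  = "CN=Computers,$Domain"            # default container for joined machines
    $targets = @{
        Servers      = "OU=Servers,$Domain"
        Workstations = "OU=Workstations,$Domain"
    }

    # DCs live in the Domain Controllers OU, so searching only the Computers
    # container (one level deep) never touches them.
    Get-ADComputer -Filter * -SearchBase $source -SearchScope OneLevel -Properties OperatingSystem |
        ForEach-Object {
            $os = $_.OperatingSystem
            if (-not $os) {
                # No OS recorded: the account may never have joined; do not guess its role.
                [pscustomobject]@{ Computer = $_.Name; OS = '<unknown>'; Target = 'review manually' }
                return
            }
            $role = if ($os -like '*Server*') { 'Servers' } else { 'Workstations' }
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $targets[$role] -WhatIf:$WhatIf
            [pscustomobject]@{ Computer = $_.Name; OS = $os; Target = $targets[$role] }
        }
}

# Dry run first; run again without -WhatIf once the plan looks right
Move-ComputersByRole -WhatIf | Format-Table -AutoSize
```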