# Windows Security & Active Directory Basics
Enterprises run on Windows and Active Directory (AD) — and attackers know it. AD is the most common target for lateral movement and privilege escalation.
## Windows Accounts & Privileges
- Local accounts vs domain accounts.
- Administrators group = full control of the machine. Keep its membership to a minimum.
- UAC (User Account Control) prompts for elevation — don't disable it.
- Run daily work as a standard user, elevate only when needed.
## Active Directory Essentials
AD is a centralized directory for authentication and authorization across a Windows domain.
| Term | Meaning |
|---|---|
| Domain Controller (DC) | Server hosting AD; authenticates users |
| Domain | Administrative boundary |
| OU (Organizational Unit) | Container for grouping objects |
| GPO (Group Policy Object) | Centrally enforce settings/security |
| Kerberos | Default authentication protocol |
## Group Policy — Security at Scale
GPOs let you enforce, across thousands of machines:
- Password and lockout policies
- Disabling legacy protocols (SMBv1, NTLMv1)
- Application allow-listing (AppLocker / WDAC)
- Audit logging configuration
## Common AD Attack Concepts (Defensive Awareness)
Understanding these helps you detect and prevent them:
- Pass-the-Hash — reusing a stolen NTLM hash without the password. Mitigate with Credential Guard, LAPS, and limiting admin logons.
- Kerberoasting — requesting service tickets to crack service-account passwords offline. Mitigate with long, random service-account passwords and gMSAs.
- Golden Ticket — forging Kerberos tickets after compromising the krbtgt account. Mitigate by protecting DCs and rotating krbtgt.
- Lateral movement via admin shares and RDP. Mitigate with network segmentation and tiered admin models.
## Tiered Administration Model
A best practice: separate admin accounts into tiers so a compromised workstation admin can't reach domain controllers:
- Tier 0 — Domain Controllers, identity systems (most protected)
- Tier 1 — Servers, applications
- Tier 2 — Workstations
Admins never use Tier 0 credentials on Tier 2 machines, breaking the lateral-movement path.
## Endpoint Logging
Key Windows logs for defenders:
- Security log — logons (Event ID 4624/4625), privilege use.
- Sysmon — rich process/network/registry telemetry (install it everywhere).
- Forward logs to a SIEM (Chapter 8) for correlation.
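The two sections above (the tiered model and the Security-log event IDs) can be turned into concrete detections. The following is an added example, not code from the original page: it runs two checks over a handful of constructed Security-log records. The first flags a Tier 0 account logging on (Event ID 4624) to a Tier 2 host, the exact path the tiering model is meant to close; the second flags bursts of failed logons (Event ID 4625) for one account, the pattern a lockout policy is aimed at. The `TIER_OF_HOST` and `TIER_OF_ACCOUNT` maps, the field names on the records and the sample events themselves are assumptions for the demo; in a real deployment the events would come from the SIEM.

```python
"""Two defender checks over Windows Security-log events.

Added example; the events below are constructed, not real telemetry, and the
record fields (EventID, TargetUserName, Computer, LogonType, TimeCreated) are
an assumed, already-parsed shape rather than raw EVTX/XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tiering inventory (hypothetical hosts and accounts).
TIER_OF_HOST = {"DC01": 0, "DC02": 0, "APP01": 1, "WS-042": 2, "WS-017": 2}
TIER_OF_ACCOUNT = {"t0-admin": 0, "t1-svcadmin": 1, "t2-helpdesk": 2, "jsmith": 2}

# Constructed sample events. 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "t0-admin", "Computer": "DC01",
     "LogonType": 2, "TimeCreated": "2024-05-01T08:00:00"},
    # A Tier 0 credential used interactively (RDP, type 10) on a workstation.
    {"EventID": 4624, "TargetUserName": "t0-admin", "Computer": "WS-042",
     "LogonType": 10, "TimeCreated": "2024-05-01T08:05:00"},
    {"EventID": 4624, "TargetUserName": "t2-helpdesk", "Computer": "WS-042",
     "LogonType": 2, "TimeCreated": "2024-05-01T08:10:00"},
    {"EventID": 4624, "TargetUserName": "t1-svcadmin", "Computer": "APP01",
     "LogonType": 3, "TimeCreated": "2024-05-01T08:15:00"},
    # Six failed logons for one account within 100 seconds.
    *[{"EventID": 4625, "TargetUserName": "jsmith", "Computer": "WS-017",
       "LogonType": 2, "TimeCreated": f"2024-05-01T09:0{m}:{s:02d}"}
      for m, s in [(0, 0), (0, 20), (0, 40), (1, 0), (1, 20), (1, 40)]],
    # One isolated failure: below any sensible threshold.
    {"EventID": 4625, "TargetUserName": "t2-helpdesk", "Computer": "WS-042",
     "LogonType": 2, "TimeCreated": "2024-05-01T10:00:00"},
]


def tier_violations(events):
    """Return (account, host, account_tier, host_tier) for every successful
    logon where a higher-tier account (smaller number) touched a lower-tier
    host, e.g. Tier 0 on a Tier 2 workstation. Unknown hosts/accounts are
    skipped here; in practice they belong in a separate 'unclassified' report.
    """
    hits = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        acct_tier = TIER_OF_ACCOUNT.get(e["TargetUserName"])
        host_tier = TIER_OF_HOST.get(e["Computer"])
        if acct_tier is None or host_tier is None:
            continue
        if acct_tier < host_tier:
            hits.append((e["TargetUserName"], e["Computer"], acct_tier, host_tier))
    return hits


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {account: max_failures_in_window} for accounts that reach
    `threshold` failed logons (4625) inside any sliding `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_account[e["TargetUserName"]].append(
                datetime.fromisoformat(e["TimeCreated"]))
    hits = {}
    for account, times in by_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[account] = max(hits.get(account, 0), count)
    return hits


def summarize(events):
    """Convenience wrapper returning both findings in one dict."""
    return {"tier_violations": tier_violations(events),
            "failed_logon_bursts": failed_logon_bursts(events)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The tier check deliberately compares the account's tier with the tier of the machine where the logon landed, so a Tier 0 admin on a domain controller is normal while the same account on a workstation is the finding; the burst check uses a sliding window rather than fixed minute buckets so a cluster of failures straddling a minute boundary is not missed.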