We have covered a plethora of topics on Active Directory (AD) in parts one to nine of this series on Active Directory Domain Services.
In this final and 10th part, we will look at one other crucial aspect of AD—Group Policies and Group Policy Objects (GPOs). We will discuss what Group Policies are and what role GPOs play in the effective setup of any AD environment.
What are Group Policies and GPOs?
Group Policies are the centralized means by which AD administrators manage and control the configurations and settings that are applied to user and computer accounts in an AD infrastructure. Group Policies are also the designated means of enforcing and improving the security of AD data.
GPOs are AD container objects that represent a collection of Group Policy settings. Every group of related settings is designated as one GPO in an AD setup. This approach makes the management of Group Policies easier.
The Group Policy Management Console (GPMC) is a tool available through the Server Manager dashboard. The GPMC helps in the creation, management, and deletion of GPOs, which is similar to the functionalities offered by other tools such as Active Directory Administrative Center (ADAC) that help in the life cycle management of user and computer accounts.
As a best practice, GPOs are applied separately to computer accounts and user accounts. On closer examination of how Group Policies are applied, you will find that policies and preferences are the two categories under which GPO settings are configured for both users and computers. Together, these two subcategories of settings make up any GPO.
Figure 1 below is a screenshot of the GPMC. It shows the various settings categorized under the Policies and Preferences tabs.
Figure 1. This screenshot shows the GPMC console with the various settings under Policies and Preferences. These are applicable for both user and computer configurations.
Policies relate to Windows settings and other software delivery settings that administrators use to control software installations. They also use policies to monitor local policies and event logs.
➤ These settings are centrally controlled; individual users usually have no flexibility to change these settings.
➤ Examples include password policies, account lockout policies, and advanced audit policy configurations.
Preferences are administrative configurations like file and folder management, network sharing settings, and so on that can be changed by individual domain-connected users.
➤ Generally speaking, these settings are more flexible in nature.
➤ Examples of preferences include control panel configuration, access to an overview of various running applications, and shared storage drive mapping.
Policies and preferences for both user and computer objects have to be examined individually by the AD administrator. Through the GPMC, they have to be enabled or disabled, and linked to any newly created or preexisting GPO. Only then can these GPOs be linked to AD domains, organizational units, or specific AD sites. This linking defines the design of the AD architectural topology. Figure 2 below shows the steps involved in the setup of GPOs.
Figure 2. GPO linkage to AD domains, organizational units, or AD sites.
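The setup steps in Figure 2, as an added example that is not part of the original post: create a GPO, put one computer-side security policy into it, link it to an OU, and read the OU's link list back to confirm the link took effect. The GroupPolicy cmdlets are real; the GPO name, the OU distinguished name, and the registry value chosen (NoLMHash, a Local Security Authority setting) are placeholders you would replace with your own.

```powershell
# Added example (not from the original post). Requires the GroupPolicy RSAT module
# and a domain account that is allowed to create GPOs and link them to the target OU.
Import-Module GroupPolicy

# Placeholders: adjust to your own naming convention and OU.
$GpoName  = 'SEC-Workstations-LsaHardening'
$TargetOu = 'OU=Workstations,DC=example,DC=com'

# Step 1: create the GPO container object (or reuse it if it already exists).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Computer policy: LSA hardening (added example)'
}

# Step 2: configure a policy setting. Set-GPRegistryValue writes to the GPO's registry.pol,
# i.e. a Computer Configuration *policy* (centrally enforced), not a preference.
# NoLMHash = 1 stops the domain member from storing LAN Manager password hashes.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null

# Step 3: link the GPO to the OU. A link may be created disabled for staged rollout;
# here it is enabled immediately and not enforced, so child OUs could still block it.
if (-not (Get-GPInheritance -Target $TargetOu).GpoLinks.Where({ $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced No | Out-Null
}

# Step 4: verify. Get-GPInheritance shows every GPO linked at the OU in processing order,
# so you can see where the new GPO sits relative to any preexisting links.
function Get-OuGpoLinks {
    param([string]$Ou)
    (Get-GPInheritance -Target $Ou).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced
}

Get-OuGpoLinks -Ou $TargetOu | Format-Table -AutoSize
```

Run `gpupdate /force` on a member of the OU and check `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash` to confirm the policy reached the endpoint.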
AD security and its dependencies on Group Policies
Starting from part 7 of this blog series, we have taken a look at various cybersecurity-related topics. Now, let us gain a better understanding of how AD security is interlinked with Group Policies. We will first look into how GPOs are exploited by cyberattackers to take control of the AD environment.
While GPOs undoubtedly enable effective administration of the AD environment, their detailed categorization and individual descriptions of all the available GPO settings in the GPMC make them a lucrative target for even the most novice of AD attackers.
Once malicious actors successfully make the initial unlawful entry into AD, lateral movement and subsequent privilege escalation follow. Most privilege escalation and lateral movement techniques involve accessing and gaining control of the security settings enforced by the GPOs.
There are reconnaissance tools such as BloodHound and other open-source scripting tools such as Mimikatz that attackers can use to get a list of the GPOs in any AD network. These tools reveal the shortest path the attackers can take to achieve their desired outcomes, including that of privilege escalation. This enables them to access almost all restricted, highly sensitive groups, including the highly coveted Domain Administrators group. This is how they get ahold of the keys to the kingdom!
When exploited, GPOs can enable attackers to carry out numerous other activities from within the compromised AD network. Attackers can:
➤ Access AD data and use it offline to plan secondary, custom-made attacks.
➤ Tamper with various password policies, account lockout settings, and other account settings to launch Denial-of-Service attacks.
➤ Compromise file access control lists (ACLs) to get access to highly sensitive data.
➤ Exploit security ACLs to meddle with the AD environment's group memberships.
➤ Deploy ransomware once the security GPO settings are compromised. Encryption of files begins shortly after this, which is the essence of the planned ransomware attack.
We now know that GPOs provide a means by which attackers gain access to domain controllers, shared network devices, and all AD-connected endpoints. The data stored in AD is like a gold mine for attackers, and GPOs are attractive starting points in their journey to compromise the AD setup. Because of this, GPOs cannot be an area of negligence.
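The defender's counterpart to the abuse described above, as an added example that is not part of the original post: walk every GPO in the domain, record where it is linked, and flag any principal outside an expected set that holds edit rights on it, since a GPO that a non-administrator can modify is exactly the foothold the section describes. `Get-GPO`, `Get-GPPermission` and `Get-GPOReport` are real GroupPolicy cmdlets; the `$ExpectedEditors` list and the `Get-GpoAuditFindings` function name are assumptions to tailor to your own delegation model.

```powershell
# Added example (not from the original post): audit who can change each GPO and where it applies.
# Requires the GroupPolicy RSAT module on a domain-joined host with read access to all GPOs.
Import-Module GroupPolicy

# Assumption: these are the only principals expected to hold edit rights on GPOs.
# Extend it with any group your organization deliberately delegates GPO editing to.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')

# Permission levels that allow changing a GPO's contents (GpoRead/GpoApply are excluded).
$EditRights = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-GpoAuditFindings {
    param([string[]]$AllowedEditors = $ExpectedEditors)

    foreach ($gpo in Get-GPO -All) {
        # Scope: the domains, OUs and sites this GPO is linked to, taken from its XML report.
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $links  = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

        # Trustees that can modify this GPO, filtered to those outside the allowed set.
        $editors = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $EditRights -contains $_.Permission.ToString() }

        foreach ($p in $editors) {
            $name = $p.Trustee.Name
            if ($AllowedEditors -notcontains $name) {
                [pscustomobject]@{
                    GpoName    = $gpo.DisplayName
                    GpoId      = $gpo.Id
                    Trustee    = $name
                    Permission = $p.Permission
                    LinkedTo   = ($links -join '; ')   # empty string means the GPO is unlinked
                    Modified   = $gpo.ModificationTime # recent edits on a flagged GPO deserve a closer look
                }
            }
        }
    }
}

# Report: every non-standard principal that can edit a GPO, with the scope that GPO applies to.
# An unexpected trustee on a GPO linked at the domain root or at a server OU is the highest-priority finding.
Get-GpoAuditFindings | Sort-Object GpoName, Trustee | Format-Table -AutoSize
```

Schedule this alongside a check of the GPO objects' Owner attribute, which Get-GPPermission does not list but which also grants modify rights.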
This concludes the 10-part series on Active Directory Domain Services. AD has a deep-rooted bearing not only on keeping an organization secured against cyberthreats but also on keeping it operationally healthy. Through this blog series, I hope you have become well-equipped and have secured a strong foothold on various AD concepts. I hope that you can now work with AD in the most efficient ways possible.
Truth be told, there is no limit to learning when it comes to AD. While this might be the end of this blog series, for you on your AD journey, this should just be the beginning.