Active Directory Security - Intro to GPO

Prerequisites

  1. VirtualBox or VMware Workstation Pro Installed.
  2. Virtual Machine [project-x-win-client] is turned on and configured.
  3. Virtual Machine [project-x-dc] is turned on and configured.
  4. Virtual Machine [project-x-corp-fw] is turned on.
  5. Optional for Testing - Virtual Machine [project-x-attacker] is turned on.

Network Topology

[Figure: Base Layout]

Overview

In this guide, we are going to be performing a lot of changes to [project-x-dc] and our general Active Directory environment.

Changes include:

  • Change IP and network information for [project-x-dc] since we have deployed a new network topology.
  • Add an Organizational Unit (OU) to logically combine our workstations and users for centralized management.
  • Change the DNS settings for [project-x-win-client].
  • Create five custom GPOs.
  • Apply GPOs to our OU.

A Word on DNS: We have lots of DNS now. In E101, we configured DNS management through our Domain Controller, and workstations joined to Active Directory sent their queries to the DC first. We have changed this. At this point in NA101, our [project-x-fw] VM, pfSense, is effectively serving as a router, and it is configured to hand out DNS information to any host residing within our CORP-LAN network segment. Active Directory uses DNS to locate and communicate with its computers, so we are going to point the workstation clients at [project-x-dc] for DNS. Our DNS capabilities will still be managed by our pfSense router; however, our workstation clients will first communicate with the Domain Controller. And remember, we also have our dns container... This is our internal DNS server. Don't worry about that one.

Active Directory Group Policy Objects (GPO) Overview

Group Policy Objects, or GPOs, are collections of settings that control what can occur on a Windows machine. GPOs are deployed on enterprise networks to give network administrators control over the users' and computers' working environment in Active Directory.

A GPO's settings apply to whatever it targets, such as a group of users or computers.

We could restrict access to Windows applications such as PowerShell, block access to certain directories, such as the %TEMP% directory, or enforce password security requirements for new, onboarding employees.

Types of GPO

There are a few types of GPO.

Local Group Policy Objects: These settings will only be applied to the local computer and all user accounts that can log into this local computer. Policy settings will be enforced on this local computer only.

Non-local Group Policy Objects: These GPOs are applied to multiple Active Directory objects, which could be a group of computers, a group of users, or both. Policy settings are enforced when the GPO is linked to a site, domain, or organizational unit (OU) containing those objects.

Starter Group Policy Objects: These are non-local GPOs that serve as templates for administrators creating custom GPOs. They let admins build a pre-configured group of settings, which promotes consistency between custom GPOs: each new custom GPO created from a starter inherits the template's defaults.

Organizational Units (OUs)

Organizational Units (OUs) are logical containers used to organize and manage objects in Active Directory. During Enterprise 101, we created a few objects: the computer objects [project-x-windows-client] and [project-x-linux-client], and the user accounts John Doe and Jane Doe.

OUs allow us to group these object types (computers, users, groups) into one logical unit, where we can apply policies (GPOs) and manage them centrally in one place.

We will create an OU, ProjectX Workstations, which will allow us to apply GPO policies to our workstation hosts.

GPO Profiles

We are going to set five Group Policy Objects, each of which accomplishes a different purpose to help lock down and minimize the capabilities within our environment.

Account Lockout Policy

Lock account after 3–5 failed login attempts.

Reset lockout counter after 15 minutes.

Duration of lockout: 15–30 minutes.

The user should know their password. Sometimes a typo here or there may occur, so giving three to five attempts adds a buffer for when this happens.

Remember when we cracked the hash for [email protected]? The password was smile.

Let's say the attacker didn't crack the hash. Instead of hashes, they had a large list of common passwords. If they gained access (physical, or more likely remote) to [project-x-win-client], they would have to try each password as a guess. Locking the account for 15-30 minutes after a few failed attempts slows the attacker down.

We can enable logging on our workstations and ingest the Windows logon-attempt logs, which would allow our SOC analysts to see that something is going on and take the necessary actions to lock down and isolate the machine in time.

UAC (User Account Control)

Elevation prompts for standard users.

Secure desktop prompt enabled.

Our employees should not need general Administrator access for their everyday activities. We can use User Account Control (UAC) to prompt users for a local or domain Administrator account when an activity does require administrator access.

This helps limit what a normal user account can do. Never give users full administrative rights; they most likely aren't needed.

PowerShell Logging

Module logging.

Script block logging.

Transcription logging.

Remember our C2 exercise, where we dropped our victim.py file onto our victim machine? We used our terminal to accomplish this. PowerShell and the command line are used very often to execute malicious payloads, achieve persistence, and exfiltrate data.

PowerShell logging can help us gain visibility into how our employees are using PowerShell while monitoring for malicious payloads, scripts, and executables. PowerShell should always have logging enabled.

Limit RDP

Allow RDP only from specific IPs/subnets.

Enable NLA (Network Level Authentication).

Disable clipboard and drive redirection in RDP.

During Enterprise 101, we used the Remote Desktop Protocol (RDP) to log into [project-x-win-client], where we eventually moved laterally into additional machines.

Instead of allowing RDP access from every machine, we can limit which hosts can log in over RDP by subnet.

Let's say John has RDP enabled on his corporate machine because he wants to log in while at home, even though he has a desktop in his office. Once he is authorized to do this, we can take John's home IP address and allow only that machine to RDP into his corporate machine.

Software Restriction Policies (SRP) or AppLocker

Block EXEs from %AppData%, %TEMP%, USB drives.

A common technique used by malware is to drop staging files or payloads into temporary directories, which helps the attacker evade defenses.

Legitimate applications may also use these directories when downloading updates or installers. In this GPO, we could supply an allow list of applications that are permitted to drop their executables into these locations and block everything else.

Change Network IP Information

Since we have changed our network topology, introducing pfSense as our main interface for routing and firewalling, we need to move our [project-x-dc] VM into the CORP-LAN segment with a routable IP. We also need to turn off the DHCP role, a feature we enabled during Enterprise 101: DHCP leases for the client workstations are now issued and managed by pfSense.

We are going to set a static IP address, similar to what we did for our [project-x-sec-box] machine. Servers typically have static IP addresses set, so let's set one for our Domain Controller.

Power on [project-x-dc].

From the search bar, open "Control Panel".

Go to "Network and Internet".

"Network and Sharing Center".

"Change adapter settings".

Right-click Ethernet ➔ "Properties".

Choose "Internet Protocol Version 4" ➔ "Properties".

Change the following:

  • IP Address: 192.168.15.25

  • Default Gateway: 192.168.15.2

Click "OK".

Navigate to VirtualBox Menu "Machine" ➔ "Settings" ➔ "Network".

Change the attachment to "Host-only Adapter" and select the Ethernet Adapter ## that sits on the 192.168.15.0/24 network.

Open a new command prompt and ping the gateway:

ping 192.168.15.2

You should be able to reach the LAN's default gateway.

Remove DHCP Service

Navigate to "Manage" ➔ "Remove Roles and Features".

Select "Next" until reaching "Server Roles".

Choose "DHCP Server" ➔ "Remove".

A box will appear, select "Remove Features".

You will now no longer see DHCP as a service after you refresh Server Manager.

Create Workstations OU

Navigate to "Tools" ➔ "Active Directory Users and Computers".

Right-click corp.project-x-dc.com ➔ "New" ➔ "Organizational Unit".

Name the OU "Project X Workstations" ➔ "OK".

Navigate to the "Computers" folder, select "LINUX-CLIENT" and "PROJECT-X-WIN-C", then right-click ➔ "Move" ➔ select "Project X Workstations".

Navigate to the "Users" folder, select "Jane Doe" and "John Doe", then right-click ➔ "Move" ➔ select "Project X Workstations".

Now you should have all four objects inside the Project X Workstations OU.

[project-x-win-client] Settings Change

DNS

Let's set [project-x-win-client]'s DNS to our Active Directory Domain Controller's new IP address.

Power on the VM.

From the search bar, open "Control Panel".

Go to "Network and Internet".

"Network and Sharing Center".

"Change adapter settings".

Right-click Ethernet ➔ "Properties".

Choose "Internet Protocol Version 4" ➔ "Properties".

We will leave the dynamic IP address setting checked.

Add the following IP address under the DNS server settings:

  • 192.168.15.25
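
To confirm the client is really locating the domain through the DC's new address, here is an added verification script (not part of the original guide); it assumes the DC address 192.168.15.25 and the domain corp.project-x-dc.com used in this lab, and is run on [project-x-win-client].

```powershell
# Added check (not part of the original guide): run on [project-x-win-client] after the DNS
# change. The DC IP and domain name below are taken from this guide.
$DcIp   = '192.168.15.25'
$Domain = 'corp.project-x-dc.com'

# 1. At least one adapter must list the DC as a DNS server.
$adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses -contains $DcIp }
if (-not $adapters) { Write-Warning "No adapter lists $DcIp as a DNS server" }
else { "DNS points at the DC on: $($adapters.InterfaceAlias -join ', ')" }

# 2. Domain members locate a DC through this SRV record; it must answer from the DC
#    and its target must be the DC's own host name.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -ErrorAction Stop |
    Where-Object Type -eq 'SRV' |
    Select-Object Name, NameTarget, Port, Priority | Format-Table -AutoSize

# 3. The computer account's secure channel must survive the DC's change of address
#    (this cmdlet needs an elevated prompt).
if (Test-ComputerSecureChannel) { 'Secure channel to the domain: OK' }
else { Write-Warning 'Secure channel broken; repair with Test-ComputerSecureChannel -Repair -Credential (Get-Credential)' }

# 4. Which DC the client actually selects for logon, and how it found it.
nltest "/dsgetdc:$Domain"
```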

Add Folder

Open a new "File Explorer" Window.

"This PC".

"Local Disk (C:)".

Right-click ➔ "New Folder" ➔ name the folder "Transcripts".

Note

For the first GPO, we will show step-by-step screenshots to familiarize yourself with the UI navigation. The remaining four GPOs will not have screenshots; all five follow a similar navigation workflow.

Testing GPOs

Whenever we test a GPO, we must first force a policy refresh with gpupdate /force at a Windows command prompt.

GPO: Set Account Lockout Policy

Open the Group Policy Management Console under "Tools" ➔ "Group Policy Management".

Right-click the ProjectX Workstations OU ➔ Create a GPO ➔ Name it: px:Security - Account Lockout Policy

Right-click the GPO ➔ Edit

GPO Location: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

Double-click each individual setting to open its properties page.

Navigate to:

Account lockout threshold: Set to 5 attempts

Account lockout duration: Set to 15 minutes

Reset account lockout counter after: Set to 15 minutes

Close GPO Editor.

Navigate back to the Group Policy Management Console ➔ Select "ProjectX Workstations".

Right-click the GPO link under the OU ➔ "Enforced".

The px: Account Lockout Policy GPO has now been linked to the OU.

Testing

If we log out of our [project-x-win-client] machine and supply 5 random password attempts, we should now be locked out for 15 minutes.
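
Beyond the manual test, here is an added script (not part of the original guide) that reads back the lockout values in effect on the client and then shows, on the DC, the lockouts and failed domain logons a SOC analyst would watch for; the 5 / 15 / 15 values and the one-hour window are assumptions taken from the GPO configured above.

```powershell
# Added example (not part of the original guide). First half runs on [project-x-win-client]
# after gpupdate /force; second half runs on [project-x-dc] in an elevated PowerShell.
$expected = @{ Threshold = 5; DurationMin = 15; WindowMin = 15 }   # values from this guide's GPO

# --- On [project-x-win-client]: 'net accounts' prints the lockout settings in effect ---
$acct = net accounts
foreach ($pair in @(
        @('Lockout threshold:', 'Threshold'),
        @('Lockout duration (minutes):', 'DurationMin'),
        @('Lockout observation window (minutes):', 'WindowMin'))) {
    $line  = $acct | Select-String -SimpleMatch $pair[0]
    $value = [int]("$line" -replace '\D', '')      # 'Never' or a missing line becomes 0
    $want  = $expected[$pair[1]]
    if ($value -ne $want) { Write-Warning "$($pair[0]) is $value, expected $want" }
    else { "$($pair[0]) $value (OK)" }
}

# --- On [project-x-dc]: accounts currently locked out anywhere in the domain ---
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# 4740 = account locked out (logged on the PDC emulator); 4771 = Kerberos pre-auth failed,
# i.e. a bad password for a domain account. Group the last hour per account so a burst of
# guesses against one user stands out together with where it came from.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4771; StartTime = $since } `
          -ErrorAction SilentlyContinue
$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Id      = $_.Id
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Source  = ($data | Where-Object { $_.Name -in 'IpAddress', 'CallerComputerName' }).'#text'
    }
} | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'LockedOut'; e = { $_.Group.Id -contains 4740 } },
        @{ n = 'Sources';   e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```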

GPO: User Account Control (UAC)

Create/Edit a GPO ➔ Name it: px:User Access Control

GPO Location: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Navigate to:

User Account Control: Behavior of the elevation prompt for standard users ➔ Prompt for credentials on the secure desktop

User Account Control: Switch to the secure desktop when prompting for elevation ➔ Enabled

(Optional but helpful) User Account Control: Run all administrators in Admin Approval Mode ➔ Enabled

GPO: PowerShell Logging

Create/Edit a GPO ➔ Name it: px:User PowerShell Logging

GPO Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell

Navigate to:

Turn on Module Logging > Enabled

Click Show... and enter * to log all modules.

Turn on PowerShell Script Block Logging > Enabled

Turn on PowerShell Transcription > Enabled

Set output directory: C:\Transcripts

Ensure the C:\Transcripts folder exists and has appropriate permissions on client machines.
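
To verify on the client that all three logging policies actually took effect, here is an added check (not part of the original guide); the registry locations and the 4104 / 4103 event IDs are those Windows uses for the PowerShell logging policies, and C:\Transcripts is the directory from this guide.

```powershell
# Added check (not part of the original guide): run on [project-x-win-client] after
# gpupdate /force. The GPO writes its settings under this policy key.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = @(
    @{ Key = "$base\ModuleLogging";      Name = 'EnableModuleLogging';      Want = 1 },
    @{ Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Want = 1 },
    @{ Key = "$base\Transcription";      Name = 'EnableTranscripting';      Want = 1 },
    @{ Key = "$base\Transcription";      Name = 'OutputDirectory';          Want = 'C:\Transcripts' }
)
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state  = if ($actual -eq $c.Want) { 'OK  ' } else { 'MISS' }
    '{0} {1,-26} = {2}' -f $state, $c.Name, $actual
}

# The "Show..." list with * is stored as a value named * under ModuleNames.
$mods = Get-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
if ($mods.'*' -ne '*') { Write-Warning 'Module logging is on but no module names (*) are listed' }

# The guide creates C:\Transcripts by hand; make sure it is present on this client.
if (-not (Test-Path 'C:\Transcripts')) { Write-Warning 'C:\Transcripts does not exist on this client' }

# Run a fresh script block carrying a random marker and confirm it arrives as event 4104
# (script block logging) in the PowerShell operational log. Module logging uses 4103.
$marker = "gpo-logging-check-$(Get-Random)"
& ([scriptblock]::Create("Write-Output '$marker'")) | Out-Null
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
       -MaxEvents 50 -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$marker*" }
if ($hit) { "4104 event recorded for marker $marker" }
else { Write-Warning 'No 4104 event found; script block logging is not active' }
```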

GPO: Limit RDP Access

Allow only specific IPs via Windows Firewall (on the client):

Create/Edit a GPO ➔ Name it: px:Limit RDP

GPO Location: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security

Navigate to:

Inbound Rules > New Rule > Type: Predefined > Remote Desktop

Click Next, leaving all rules checked.

Choose "Allow the connection if it is secure".

Click Next. Check "Authorized users" ➔ Add... ➔ [email protected].

Click Next.

Check "Authorized users" ➔ Add... ➔ PROJECT-X-WIN-C (or your Windows client's name).

Finish.
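
The Limit RDP profile above also calls for NLA and for clipboard and drive redirection to be off, so here is an added check (not part of the original guide) that reads back the firewall rule created by this GPO together with those two settings on [project-x-win-client]; the registry values UserAuthentication, fDisableClip and fDisableCdm are the ones Windows uses for these Terminal Services settings.

```powershell
# Added check (not part of the original guide): run elevated on [project-x-win-client]
# after gpupdate /force.

# Firewall: the inbound Remote Desktop rules this GPO edits. A rule created with
# "Allow the connection if it is secure" reports Authentication = Required and carries
# the authorized users / computers as SDDL strings in RemoteUser / RemoteMachine.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
    ForEach-Object {
        $sec = $_ | Get-NetFirewallSecurityFilter
        [pscustomobject]@{
            Rule           = $_.DisplayName
            Profile        = $_.Profile
            Authentication = $sec.Authentication
            RemoteUser     = $sec.RemoteUser
            RemoteMachine  = $sec.RemoteMachine
        }
    } | Format-List

# NLA: UserAuthentication = 1 means Network Level Authentication is required for RDP-Tcp.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $ts -Name UserAuthentication).UserAuthentication
if ($nla -eq 1) { 'NLA enforced' } else { Write-Warning 'NLA is not enforced (UserAuthentication != 1)' }

# Redirection: the Terminal Services policy values for clipboard (fDisableClip) and
# drive (fDisableCdm) redirection; 1 = redirection disabled.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
foreach ($v in 'fDisableClip', 'fDisableCdm') {
    $val = (Get-ItemProperty -Path $pol -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -eq 1) { "$v = 1 (redirection disabled)" }
    else { Write-Warning "$v is not 1: this redirection is still allowed" }
}
```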

GPO: Software Restriction Policies (SRP) or AppLocker

Create/Edit a GPO ➔ Name it: px:Limit %TEMP%

GPO Location: Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies

Navigate to:

Right-click Software Restriction Policies > New Software Restriction Policies

Click into the "Security Levels" folder.

    Double-click "Disallowed" ➔ "Set as Default".

    Right-click "Additional Rules" ➔ "New Path Rule".

Path Rules to Add: %TEMP%\*.exe Disallowed
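
To see what this GPO actually wrote on the client and prove the rule bites, here is an added check (not part of the original guide) that lists the SRP default level and path rules from the registry and then tries to launch a harmless Windows binary copied into %TEMP%; the Safer registry layout and the 865/866 event IDs are those of Windows' SRP implementation, not from this guide.

```powershell
# Added check (not part of the original guide): run on [project-x-win-client] as a
# standard user after gpupdate /force.
$safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 0x1000 = 'Basic User'; 0x40000 = 'Unrestricted' }
$default = (Get-ItemProperty -Path $safer -ErrorAction Stop).DefaultLevel
"Default security level: $($levels[[int]$default]) ($default)"

# Path rules live under <level>\Paths\<GUID>; ItemData holds the path pattern. Besides the
# %TEMP% rule, the Unrestricted rules SRP creates for the Windows and Program Files
# directories should be listed, otherwise nothing outside them could run at all.
Get-ChildItem -Path "$safer\*\Paths\*" | ForEach-Object {
    [pscustomobject]@{
        Level = $levels[[int](($_.PSPath -split '\\')[-3])]
        Path  = (Get-ItemProperty -Path $_.PSPath).ItemData
    }
} | Format-Table -AutoSize

# Copy a harmless Windows binary into %TEMP% and try to start it. With the rule active the
# launch is denied and SRP records event 865 (default level) or 866 (path rule) in the
# Application log under the source SoftwareRestrictionPolicies.
$probe = Join-Path $env:TEMP 'srp-probe.exe'
Copy-Item -Path "$env:SystemRoot\System32\whoami.exe" -Destination $probe -Force
try {
    Start-Process -FilePath $probe -NoNewWindow -Wait -ErrorAction Stop
    Write-Warning "SRP did NOT block $probe"
}
catch { "Blocked as expected: $($_.Exception.Message)" }
finally { Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue }

Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 865, 866 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List
```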

GPO Policies

We now have five GPOs applied. Each one provides a set of checks and restrictions that help harden our corporate environment and reduce its attack surface.