ntds.dit Auditing

While searching for a way to remotely force a Windows Update check, I accidentally found this: DSInternals
This looked very promising, so I checked out the linked blog and found this: Retrieving Active Directory Passwords Remotely

This might be useful in some disaster recovery scenarios (or for hackers to create Golden Tickets…), or as an argument to prevent the use of the “Reversible Encryption” option and to push people to encrypt their Domain Controllers (including backups) and prevent unauthorized physical access to them.

– On Domain Controllers use Bitlocker with a TPM
– Encrypt your Backups
– Physical access control (to DCs and backups)

Golden Ticket attacks are not entry attacks. An attacker has to gain administrative rights on a Domain Controller in order to carry out this attack.

Enable Strict Replication Consistency

If your domain existed before Windows 2003, you have to perform the following steps:

  1. Open Notepad and add the text (NO WHITE-SPACES AT THE END):

        dn: CN=94fdebc6-8eeb-4640-80de-ec52b9ca17fa,CN=Operations,CN=ForestUpdates,CN=Configuration,DC=<contoso>,DC=<com>
        changetype: add
        objectClass: container
        showInAdvancedViewOnly: TRUE
        name: 94fdebc6-8eeb-4640-80de-ec52b9ca17fa
        objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=<contoso>,DC=<com>

  2. Save the file as EnableSTC.ldf
  3. Open an elevated command prompt and navigate to the place where you saved the file
  4. Run “ldifde.exe -i -f EnableSTC.ldf”

Don’t forget to enable it on your existing DCs as well using:

  1. Regedit: HKLM\SYSTEM\ControlSetXXX\Services\NTDS\Parameters
  2. Create “Strict Replication Consistency” as a new DWORD with the value “1”
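
To confirm that both parts of the procedure above took effect, a read-only audit can check for the marker object and read the registry value on each DC. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, PowerShell remoting to every DC in the current domain, and CurrentControlSet standing in for the post's "ControlSetXXX".

```powershell
# Added example (not from the original post): read-only audit of both steps.
# Assumptions: RSAT ActiveDirectory module, PowerShell remoting to every DC,
# and CurrentControlSet standing in for the post's "ControlSetXXX".
Import-Module ActiveDirectory

$guid     = '94fdebc6-8eeb-4640-80de-ec52b9ca17fa'   # GUID from the LDIF file
$configNC = (Get-ADRootDSE).configurationNamingContext
$markerDN = "CN=$guid,CN=Operations,CN=ForestUpdates,$configNC"

# Part 1: is the marker object from EnableSTC.ldf present in the forest?
try {
    Get-ADObject -Identity $markerDN -ErrorAction Stop | Out-Null
    $markerPresent = $true
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    $markerPresent = $false
}
"Marker object present: $markerPresent"

# Part 2: does every existing DC in this domain have the value set to 1?
$readValue = {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'Strict Replication Consistency'
    (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $status = 'Unreachable'
    try {
        $value = Invoke-Command -ComputerName $dc.HostName `
                                -ScriptBlock $readValue -ErrorAction Stop
        if ($null -eq $value) { $status = 'Missing' }
        elseif ($value -eq 1) { $status = 'Enabled' }
        else                  { $status = "Disabled ($value)" }
    } catch {
        # Remoting failed: keep 'Unreachable' so the DC still shows in the report.
    }
    [pscustomobject]@{ DomainController = $dc.HostName; StrictReplication = $status }
}
$report | Format-Table -AutoSize
```

Any DC reported as Missing, Disabled or Unreachable still needs the registry step checked by hand.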