\newglossaryentry{win:AD}
{
parent=,
type=windows,
name=Active Directory,
description={}
}
\newglossaryentry{win:GC}
{
parent={win:AD},
type=windows,
name={Global Catalog (GC)},
description={a domain controller that stores copies of ALL objects in an
\gls{win:forest}. The GC stores a full copy of all objects in the
current domain and a partial copy of objects that belong to other
domains in the forest. Standard domain controllers only hold a complete
replica of objects belonging to their own domain. }
}
\newglossaryentry{win:tree}
{
parent={win:AD},
type=windows,
name={AD tree},
description={a collection of \gls{win:domain} that begins at a single root domain. Each domain in a tree shares a boundary with the other domains. A parent-child trust relationship is formed when a domain is added under another domain in a tree. Two trees in the same forest cannot share a name (namespace).
All domains in a tree share a standard \gls{win:GC}. }
}
\newglossaryentry{win:forest}
{
parent={win:AD},
type=windows,
name={AD forest},
description={a collection of \gls{win:tree}. It is the topmost container
and contains all of the AD objects. Each forest operates independently but may have various trust relationships with other forests. }
}
\newglossaryentry{win:access-token}
{
parent=,
type=windows,
name=Access Token,
description={Token which describes the security context of a process or thread and includes the user's security identity and group membership.}
}
\newglossaryentry{win:GUID}
{
parent=,
type=windows,
name=Global Unique Identifier (GUID),
description={is a unique (across the enterprise) 128-bit value assigned
when an object is created by Active Directory. It will never change and
is stored in the \texttt{ObjectGUID} attribute. Searching in Active
Directory by GUID value is the most accurate and reliable way to find
the exact object. }
}
\newglossaryentry{win:GPO}
{
parent=,
type=windows,
name={Group Policy Object (GPO)},
description={is a virtual collection of policy settings. Each GPO has a
unique \gls{win:GUID}. A GPO can contain local file system settings or Active
Directory settings. GPO settings can be applied to both user and computer
objects. They can be applied to all users and computers within the domain or
defined more granularly at the \gls{win:OU} level.}
}
\newglossaryentry{win:OU}
{
parent={win:AD},
type=windows,
name=Organisational Unit (OU),
description={a container object that can contain different objects from
the same domain. }
}
\newglossaryentry{win:object}
{
parent={win:AD},
type=windows,
name={Object (AD)},
description={ANY resource present within an Active Directory environment. }
}
\newglossaryentry{win:schema}
{
parent={win:AD},
type=windows,
name={AD Schema},
description={is essentially the blueprint of any enterprise environment. It
defines what class of objects can exist in the AD database and their
associated attributes. It lists definitions corresponding to AD objects
and holds information about each object. }
}
\newglossaryentry{win:site}
{
parent={win:AD},
type=windows,
name={AD Site},
description={a collection of well-connected IP subnets that are
used to replicate information among \gls{win:DC}
efficiently. }
}
\newglossaryentry{win:DC}
{
parent={win:AD},
type=windows,
name={Domain Controller (DC)},
description={a server running the Active Directory Domain Service Role. }
}
\newglossaryentry{win:domain}
{
parent={win:AD},
type=windows,
name={AD Domain},
description={A logical group of objects. Domains can operate entirely
independently of one another or be connected via trust relationships. }
}
\newglossaryentry{win:SecurityPrincipal}
{
parent={win:AD},
type=windows,
name= {Security Principal},
description={is an object in Active Directory to which security can be applied. A security principal must have the objectSID attribute, so it can be the trustee in an Access Control Entry (ACE). Examples are user, computer, and security group objects in AD. Contacts, distribution groups, Organizational Units, and containers are not security principals. Foreign security principals have the objectSID attribute and are security principals.
}
}
\newglossaryentry{win:SecurityGroup}
{
parent={win:AD},
type=windows,
name= {Security Group},
description={group of accounts that can be used to easily assign access to a
resource or apply permissions. }
}
\newglossaryentry{win:SID}
{
parent={win:AD},
type=windows,
name= {Security ID (sID)},
description={identifier used to uniquely identify a
\gls{win:SecurityPrincipal} or \gls{win:SecurityGroup}. In an Active Directory (AD) domain environment, the SID also includes the domain SID.}
}
\newglossaryentry{win:sIDHistory}
{
parent={win:AD},
type=windows,
name={sIDHistory},
description={This attribute holds any \gls{win:SID}s that an object was assigned previously. It is usually used in migrations so a user can maintain the same level of access when migrated from one domain to another. This attribute can potentially be abused if set insecurely, allowing an attacker to gain prior elevated access that an account had before a migration if SID Filtering (or removing SIDs from another domain from a user's access token that could be used for elevated access) is not enabled.}
}
\newglossaryentry{win:NTDS.DIT}
{
parent={win:AD},
type=windows,
name={NTDS database (NTDS.dit)},
description={
File, considered the heart of Active Directory, stored on a Domain Controller at \texttt{C:\textbackslash Windows\textbackslash NTDS\textbackslash}. It is a database that stores AD data including the password hashes for all users in the domain. }
}
\newglossaryentry{win:RDN}
{
parent={win:AD},
type=windows,
name={Relative Distinguished Name (RDN)},
description={component of the Distinguished Name that identifies the object as unique from other objects at the current level in the naming hierarchy. }
}
\newglossaryentry{win:sAMAccountName}
{
parent={win:AD},
type=windows,
name={sAMAccountName},
description={attribute used for account logons to a domain. It was the
primary means to log on to a domain for older Windows versions; it can
still be used on modern versions of Windows.
}
}
\newglossaryentry{win:UPN}
{
parent={win:AD},
type=windows,
name={userPrincipalName (UPN)},
description={Mandatory attribute which allows users in AD to be identified. It
consists of a prefix (the user account name) and a suffix (the domain
name) in the format of an email address.
}
}
\newglossaryentry{win:RODC}
{
parent={win:AD},
type=windows,
name={Read-Only Domain Controller (RODC)},
description={has a read-only Active Directory database. No AD account passwords are cached on an RODC (other than the RODC
computer account and RODC KRBTGT passwords). No changes are pushed out via an RODC's AD database, SYSVOL, or DNS.
}
}
\newglossaryentry{win:SPN}
{
parent={win:AD},
type=windows,
name={Service Principal Name (SPN)},
description={uniquely identifies a service instance. They are used by Kerberos authentication to associate an instance of a service with a logon account, allowing a client application to request the service to authenticate an account without needing to know the account name.
}
}
\newglossaryentry{win:ACE}
{
parent={win:AD},
type=windows,
name={Access Control Entry (ACE)},
description={identifies a trustee (user account, group account, or logon session) and lists the access rights that are allowed, denied, or audited for the given trustee.
}
}
\newglossaryentry{win:ACL}
{
parent={win:AD},
type=windows,
name={Access Control List (ACL)},
description={ordered collection of \gls{win:ACE}s that apply to an object.
}
}
\newglossaryentry{win:DACL}
{
parent={win:AD},
type=windows,
name={Discretionary Access Control List (DACL)},
description={defines which security principals are granted or denied access
to an object; it contains a list of \gls{win:ACE}s. When a process tries to
access a securable object, the system checks the \gls{win:ACE}s in the object's DACL to determine whether or not to grant access. If an object does NOT have a DACL, then the system will grant full access to everyone, but if the DACL has no ACE entries, the system will deny all access attempts. ACEs in the DACL are checked in sequence until a match is found that allows the requested rights or until access is denied.
}
}
\newglossaryentry{win:SACL}
{
parent={win:AD},
type=windows,
name={System Access Control List (SACL)},
description={Allows administrators to log access attempts that are made to secured objects. ACEs specify the types of access attempts that cause the system to generate a record in the security event log.
}
}
\newglossaryentry{win:FSMO}
{
parent={win:AD},
type=windows,
name={Flexible Single Master Operation roles (FSMO)},
description={Microsoft separated the various responsibilities that a DC
can have into Flexible Single Master Operation (FSMO) roles. There are
five FSMO roles: \texttt{Schema Master}, \texttt{Domain Naming Master},
\texttt{Relative ID Master} (RID), \texttt{Primary Domain Controller Emulator}
and \texttt{Infrastructure Master}.
}
}
\newglossaryentry{win:Tombstone}
{
parent={win:AD},
type=windows,
name={Tombstone},
description={container object in AD that holds deleted AD objects. When an object is deleted from AD, the object remains for a set period of time known as the Tombstone Lifetime, and the isDeleted attribute is set to TRUE. Once an object exceeds the Tombstone Lifetime, it will be entirely removed. If an object is deleted in a domain that does not have an AD Recycle Bin, it will become a tombstone object. When this happens, the object is stripped of most of its attributes and placed in the Deleted Objects container for the duration of the tombstoneLifetime. It can be recovered, but any attributes that were lost can no longer be recovered.
}
}
\newglossaryentry{win:Recycle-Bin}
{
parent={win:AD},
type=windows,
name={AD Recycle Bin},
description={When the AD Recycle Bin is enabled, any deleted objects are
preserved for a period of time, facilitating restoration if needed.
Sysadmins can set how long an object remains in a deleted, recoverable
state (default 60 days). The Recycle Bin preserves most of a deleted
object's attributes.
}
}
\newglossaryentry{win:SYSVOL}
{
parent={win:AD},
type=windows,
name={SYSVOL},
description={folder, or share, that stores copies of public files in the domain such as system policies, Group Policy settings, logon/logoff scripts, and often contains other types of scripts that are executed to perform various tasks in the AD environment. The contents of the SYSVOL folder are replicated to all DCs within the environment using File Replication Services (FRS).
}
}
\newglossaryentry{win:ADUC}
{
parent={win:AD},
type=windows,
name={Active Directory Users and Computers (ADUC)},
description={a GUI console commonly used for managing users, groups, computers, and contacts in AD. Changes made in ADUC can be done via PowerShell as well.
}
}
\newglossaryentry{win:ADSI-Edit}
{
parent={win:AD},
type=windows,
name={ADSI Edit},
description={a GUI tool, more complete than ADUC, used to manage objects in
AD. It can be used to set or delete any attribute available on an
object, and to add, remove, and move objects as well.
}
}
\newglossaryentry{win:adminCount}
{
parent={win:AD},
type=windows,
name={adminCount},
description={object used to manage ACLs for members of built-in groups in AD marked as privileged. It acts as a container that holds the Security Descriptor applied to members of protected groups. The SDProp (SD Propagator) process runs on a schedule on the PDC Emulator Domain Controller. When this process runs, it checks members of protected groups to ensure that the correct ACL is applied to them. It runs every hour by default. For example, suppose an attacker is able to create a malicious ACL entry to grant a user certain rights over a member of the Domain Admins group. In that case, unless they modify other settings in AD, these rights will be removed (and they will lose any persistence they were hoping to achieve) when the SDProp process runs on the set interval.
}
}
\newglossaryentry{win:dsHeuristics}
{
parent={win:AD},
type=windows,
name={dsHeuristics},
description={string attribute set on the Directory Service object used to define multiple forest-wide configuration settings. One of these settings is to exclude built-in groups from the Protected Groups list. Groups in this list are protected from modification via the AdminSDHolder object. If a group is excluded via the dsHeuristics attribute, then any changes that affect it will not be reverted when the SDProp process runs.
}
}
\newglossaryentry{win:AdminSDHolder}
{
parent={win:AD},
type=windows,
name={AdminSDHolder},
description={attribute which determines whether or not the SDProp process protects a user. If the value is set to 0 or not specified, the user is not protected. If the attribute value is set to 1, the user is protected. Attackers will often look for accounts with the adminCount attribute set to 1 to target in an internal environment. These are often privileged accounts and may lead to further access or full domain compromise.
}
}
\newglossaryentry{win:SDProp}
{
parent={win:AD},
type=windows,
name={SD Propagator process},
description={process that runs on a schedule (default 1h) on the PDC Emulator Domain Controller. When this process runs, it checks members of protected groups to ensure that the correct ACL is applied to them. For example, suppose an attacker is able to create a malicious ACL entry to grant a user certain rights over a member of the Domain Admins group. In that case, unless they modify other settings in AD, these rights will be removed (and they will lose any persistence they were hoping to achieve) when the SDProp process runs on the set interval.
}
}
\newglossaryentry{win:SAM}
{
parent=,
type=windows,
name={Security Accounts Manager (SAM)},
description={
}
}
\newglossaryentry{win:LSA}
{
parent=,
type=windows,
name={Local Security Authority (LSA)},
description={
}
}
\newglossaryentry{win:security-descriptor}
{
parent=,
type=windows,
name={security descriptor},
description={contains the security information associated with a securable
object. It contains the \gls{win:SID} for the owner and the primary
group, a \gls{win:DACL}, a \gls{win:SACL} and a set of control bits
that qualify the meaning of a security descriptor or its individual
members.
}
}
\newglossaryentry{win:UAC}
{
parent=,
type=windows,
name={User Account Control (UAC)},
description={is a security feature in Windows to prevent malware from running or manipulating processes that could damage the computer or its contents.
}
}
\newglossaryentry{win:registry-hive}
{
parent=,
type=windows,
name={registry hive},
description={A registry hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.
}
}
\newglossaryentry{win:PAC}
{
parent={win:AD},
type=windows,
name={Privilege Attribute Certificate (PAC)},
description={is an extension to Kerberos tickets that contains useful information about a user's privileges. This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain. When users use their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of privileges without reaching out to the domain controller to query for that information.
}
}
\newglossaryentry{win:}
{
parent={win:AD},
type=windows,
name={},
description={
}
}