User accounts

Identities for people or services to log in and access resources. When a user logs in:

Windows verifies the credentials and creates an access token that contains:

  • User identity
  • Group memberships
  • Permissions

This token is used every time the user interacts with the system.
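Added example (not from the original notes): inspecting the token of the current session with the .NET WindowsIdentity API, which PowerShell exposes without any extra modules. It shows the three parts listed above for whichever account runs it; the `whoami /priv` call at the end lists the privileges, which WindowsIdentity itself does not expose.

```powershell
# Added example, not part of the original notes: read the current access token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# 1. User identity: logon name and the user's SID
"User     : {0}" -f $identity.Name
"User SID : {0}" -f $identity.User.Value

# 2. Group memberships: every group SID carried in the token, translated to a name
#    where the SID can be resolved on this host
"Groups in token:"
foreach ($group in $identity.Groups) {
    try {
        $name = $group.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolvable SID)'
    }
    "  {0,-45} {1}" -f $group.Value, $name
}

# 3. Is this token a member of the well-known Administrators group (S-1-5-32-544)?
#    Under UAC a filtered (non-elevated) token of an admin user reports $false here.
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Token is in Administrators : {0}" -f $isAdmin

# Privileges are the third component of the token; whoami reads them from the same token
whoami /priv
```

Run the same script once from a normal console and once from an elevated one to see how the group list and the Administrators check change while the user identity stays the same.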


Groups

Instead of assigning permissions to each user individually, admins assign permissions to groups. Users are added to groups. Users inherit permissions automatically.


AD accounts in organizations

Almost every company uses Active Directory. Each employee typically has:

  • At least one account, sometimes two

Types of accounts in AD:

  • Standard user accounts
  • Admin accounts
  • Service accounts (run apps/services in background)

Local Accounts

Local accounts exist only on a specific computer. They DO NOT work across the domain. Default Local Accounts:

1. Administrator

This account has the SID S-1-5-domain-500 and is the first account created with a new Windows installation. It has full control over almost every resource on the system. It cannot be deleted or locked, but it can be disabled or renamed.

Windows 10 and Server 2016 hosts disable the built-in administrator account by default and create another local account in the local administrator’s group during setup.


2. Guest

Disabled by default. The purpose of this account is to allow users without an account on the computer to log in temporarily with limited access rights.

By default, it has a blank password and is generally recommended to be left disabled because of the security risk of allowing anonymous access to a host.


3. SYSTEM

The SYSTEM (or NT AUTHORITY\SYSTEM) account on a Windows host is the default account installed and used by the operating system to perform many of its internal functions.

Unlike the Root account on Linux, SYSTEM is a service account and does not run entirely in the same context as a regular user.

Many of the processes and services running on a host are run under the SYSTEM context.

One thing to note with this account is that a profile for it does not exist, but it will have permissions over almost everything on the host. It does not appear in User Manager and cannot be added to any groups. A SYSTEM account is the highest permission level one can achieve on a Windows host and, by default, is granted Full Control permissions to all files on a Windows system.

More powerful than Administrator in many cases.


4. Network Service

This is a predefined local account used by the Service Control Manager (SCM) for running Windows services. When a service runs in the context of this account, it will present credentials to remote services.


5. Local Service

This is another predefined local account used by the Service Control Manager (SCM) for running Windows services. It is configured with minimal privileges on the computer and presents anonymous credentials to the network.
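Added example (not from the original notes): a local-account audit that covers the five accounts above. The built-in Administrator and Guest are found by RID rather than by name, because both can be renamed; the service accounts (SYSTEM, Network Service, Local Service) are shown indirectly, as the logon accounts of the installed services. It uses only cmdlets shipped with Windows (the LocalAccounts module and CIM).

```powershell
# Added example, not part of the original notes: audit the default local accounts.

# Built-in accounts keep a fixed RID (last SID component) even when renamed:
# 500 = Administrator, 501 = Guest.
$defaults = @{ '500' = 'Administrator'; '501' = 'Guest' }

Get-LocalUser | ForEach-Object {
    $lastRid = $_.SID.Value.Split('-')[-1]
    if ($defaults.ContainsKey($lastRid)) {
        [pscustomobject]@{
            Account = "Built-in $($defaults[$lastRid])"
            Name    = $_.Name                         # current (possibly renamed) name
            SID     = $_.SID.Value
            Enabled = $_.Enabled                      # expected $false for both on current Windows
            Renamed = ($_.Name -ne $defaults[$lastRid])
        }
    }
} | Format-Table -AutoSize

# The account created during setup lives in the local Administrators group;
# PrincipalSource tells local accounts apart from domain accounts in that group.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

# Which context do the services run under? In Win32_Service the StartName field holds
# the logon account: 'LocalSystem' is the SYSTEM account, the other two appear as
# 'NT AUTHORITY\NetworkService' and 'NT AUTHORITY\LocalService'.
Get-CimInstance -ClassName Win32_Service |
    Group-Object -Property StartName |
    Sort-Object -Property Count -Descending |
    Select-Object Count, @{ Name = 'LogonAccount'; Expression = { $_.Name } }
```

A built-in Administrator that shows `Enabled = True`, or a Guest that does, is the first thing to follow up on; a renamed RID-500 account is not a finding on its own, but the audit has to key on the SID so the rename does not hide it.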


Domain Users vs Local Users

Local Users: Only work on one machine

Domain Users: Can log into any machine in the domain.


Special Account: KRBTGT

KRBTGT is the Kerberos KDC service account and is responsible for encrypting and signing all Kerberos tickets.

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory.
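Added example (not from the original notes): a defender-side check of the KRBTGT account. It reads the account through the ActiveDirectory RSAT module (an assumption: the module must be installed and the session domain-joined) and reports how long the current password has been in place; the 180-day threshold is a chosen value, not something the notes prescribe.

```powershell
# Added example, not part of the original notes: check the age of the KRBTGT password.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

$krbtgt  = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet, Enabled
$ageDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days

[pscustomobject]@{
    SamAccountName  = $krbtgt.SamAccountName
    SID             = $krbtgt.SID.Value     # RID 502 is fixed for the KDC service account
    Enabled         = $krbtgt.Enabled       # expected $false: it is never used for logon
    PasswordLastSet = $krbtgt.PasswordLastSet
    PasswordAgeDays = $ageDays
}

# The KDC still accepts tickets signed with the previous krbtgt key, so a compromised
# hash is only invalidated after the password has been changed twice. Tracking the
# age makes a stale key visible; 180 days is a threshold chosen for this example.
if ($ageDays -gt 180) {
    Write-Warning "krbtgt password is $ageDays days old; plan a double reset."
}
```

The reset itself is a planned change rather than a script to run ad hoc: two resets performed too close together invalidate every ticket currently in use across the domain.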


User Naming Attributes

Security in Active Directory can be improved using a set of user naming attributes to help identify user objects like logon name or ID. The following are a few important Naming Attributes in AD:

1. UserPrincipalName (UPN)

The primary logon name for the user. By convention, the UPN uses the email address of the user.


2. ObjectGUID

A unique identifier of the user. It never changes and remains unique even if the user is removed.


3. SAMAccountName

Legacy logon name, kept for compatibility with older Windows clients.


4. objectSID

The user’s Security Identifier (SID). This attribute identifies a user and its group memberships during security interactions with the server.


5. sIDHistory

Contains previous SIDs for the user object if it was moved from another domain; it is typically seen in migration scenarios from domain to domain.

After a migration occurs, the last SID will be added to the sIDHistory property, and the new SID will become its objectSID.
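Added example (not from the original notes): reading the five naming attributes above for one user, then listing every account in the domain whose sIDHistory is still populated. It assumes the ActiveDirectory RSAT module; `jdoe` is a placeholder account name.

```powershell
# Added example, not part of the original notes: naming attributes and a sIDHistory audit.
# Assumes the ActiveDirectory RSAT module; 'jdoe' is a placeholder SamAccountName.
Import-Module ActiveDirectory

$attrs = 'UserPrincipalName', 'ObjectGUID', 'SamAccountName', 'objectSid', 'sIDHistory'
Get-ADUser -Identity 'jdoe' -Properties $attrs |
    Select-Object UserPrincipalName, ObjectGUID, SamAccountName,
        @{ Name = 'objectSid';  Expression = { $_.objectSid.Value } },
        @{ Name = 'sIDHistory'; Expression = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ', ' } }

# sIDHistory is expected only while a migration is in progress: every SID stored there
# still grants access wherever that old SID remains on an ACL, so leftovers are worth
# reviewing once the migration is complete.
Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, whenChanged |
    Select-Object SamAccountName,
        @{ Name = 'objectSid';  Expression = { $_.SID.Value } },
        @{ Name = 'sIDHistory'; Expression = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ', ' } },
        whenChanged |
    Format-Table -AutoSize
```

The first query shows the relationship described above directly: objectSid is the SID the account has now, and sIDHistory holds the SID it had in the source domain. The second query is the recurring check; an empty result is the expected state outside of a migration window.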


Domain-Joined vs Non-Domain Machines

Domain-Joined Machines

Connected to Active Directory and centrally managed by a Domain Controller.


Non-Domain (Workgroup)

Not centrally managed. Each machine is independent.