This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Advanced Topics

Password Settings Objects (PSOs)

  • Apply different password policies to specific users or groups

  • Override default domain password policy

  • Useful for administrative accounts requiring stronger passwords

PSO Configuration:

# Create new PSO (-Precedence is mandatory: when several PSOs apply to a user, the lowest number wins)
New-ADFineGrainedPasswordPolicy -Name "AdminPolicy" -Precedence 10 -MinPasswordLength 15 -PasswordHistoryCount 24 -MaxPasswordAge 30.00:00:00

# Apply PSO to group (PSOs can be linked to users and global security groups only)
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminPolicy" -Subjects "Domain Admins"
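Linking a PSO to a group does not guarantee it is the policy a given member ends up with: a PSO with a lower precedence number, or one linked directly to the user, wins. The following added example (not from the original guide) audits the resultant policy for every member of the group; it assumes the RSAT ActiveDirectory module and uses the "AdminPolicy" / "Domain Admins" names from above as placeholders.

```powershell
# Added example: verify which password policy actually applies to each member of a group.
# Assumes the ActiveDirectory module is available; PSO and group names are placeholders.
Import-Module ActiveDirectory

function Test-PsoCoverage {
    param(
        [Parameter(Mandatory)][string]$PsoName,
        [Parameter(Mandatory)][string]$GroupName
    )

    $pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName
    $defaultMinLength = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength

    # Recursive membership, since admin groups are usually nested
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        # Resolves precedence across all PSOs linked to the user or their groups;
        # $null means the user falls back to the Default Domain Policy
        $effective = Get-ADUserResultantPasswordPolicy -Identity $m.SamAccountName

        $status = if ($null -eq $effective) {
            'DEFAULT DOMAIN POLICY (no PSO applies)'
        } elseif ($effective.DistinguishedName -eq $pso.DistinguishedName) {
            'OK'
        } else {
            # Another PSO wins: lower precedence number, or linked directly to the user
            "OVERRIDDEN by $($effective.Name) (precedence $($effective.Precedence))"
        }

        [pscustomobject]@{
            User            = $m.SamAccountName
            EffectivePolicy = if ($effective) { $effective.Name } else { '(default)' }
            MinLength       = if ($effective) { $effective.MinPasswordLength } else { $defaultMinLength }
            Status          = $status
        }
    }
}

# Usage: flag any privileged user whose effective policy is weaker than intended
Test-PsoCoverage -PsoName 'AdminPolicy' -GroupName 'Domain Admins' |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```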

Group Managed Service Accounts (gMSA)

  • Automatic password management

  • Multi-server service account support

  • Integrated with Kerberos authentication

gMSA Implementation:

# Create KDS root key (run once per forest). Backdating the effective time by 10 hours skips the
# replication wait and is only appropriate in a single-DC lab; in production use the default
# and wait for the key to replicate to all domain controllers before creating gMSAs.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

# Create gMSA; only members of the "WebServers" group can retrieve the managed password
New-ADServiceAccount -Name "WebServiceAccount" -DNSHostName "webservice.company.com" -PrincipalsAllowedToRetrieveManagedPassword "WebServers"

# Install gMSA on the target server (run locally on a host that is a member of "WebServers")
Install-ADServiceAccount -Identity "WebServiceAccount"

Active Directory Federation Services (ADFS)

ADFS Components:

  • Federation Server: Issues and validates security tokens

  • Federation Server Proxy: Provides external access to federation services

  • Claims Provider: Authenticates users and creates claims

  • Relying Party: Consumes tokens and grants access

ADFS Benefits:

  • Single sign-on across organizational boundaries

  • Support for web-based applications

  • Integration with cloud services

  • Reduced password fatigue for users

Active Directory Certificate Services (ADCS)

ADCS Components:

  • Certification Authority (CA): Issues and manages digital certificates

  • Certificate Templates: Define certificate properties and usage

  • Certificate Revocation Lists (CRLs): Track revoked certificates

  • Online Certificate Status Protocol (OCSP): Real-time certificate validation

ADCS Security Considerations:

  • CA hierarchy design and security

  • Certificate template permissions

  • Key archival and recovery procedures

  • Regular CRL updates and distribution

Active Directory Lightweight Directory Services (AD LDS)

AD LDS Use Cases:

  • Application-specific directory services

  • Development and testing environments

  • Directory-enabled applications requiring custom schema

  • Perimeter network directory services

AD LDS Benefits:

  • Multiple instances on single server

  • Custom schema extensions

  • Independent of domain membership

  • Reduced attack surface
