Windows security fundamentals

Most enterprise networks run on Windows and Active Directory. Even if you primarily work with Linux, you need to understand Windows security because you will encounter it in penetration tests, incident investigations, and hybrid environments. This article covers the core concepts at a level where you can understand the attacks and defenses without needing a Windows lab.

Prerequisites

You should understand authentication and authorization concepts and Linux privilege escalation for comparison.

Active Directory basics

Active Directory (AD) is a directory service that manages users, computers, groups, and policies across a Windows network. It is the backbone of enterprise identity management.

Key components:

Domain Controller (DC): the server that runs AD and handles authentication for the entire domain. Compromising a DC means owning the entire network.

Domain: a logical group of network objects (users, computers) that share the same AD database. Example: corp.company.com.

Forest: one or more domains that share a common schema. The forest root domain is the top-level trust anchor.

Organizational Units (OUs): containers within a domain for organizing users and computers. Group policies are applied to OUs.

Group Policy Objects (GPOs): settings that apply to users and computers. Password policies, software deployment, security settings, all managed centrally through GPOs.

graph TD
  A[Forest: company.com] --> B[Domain: corp.company.com]
  A --> C[Domain: dev.company.com]
  B --> D[OU: Engineering]
  B --> E[OU: Sales]
  D --> F[User: john.doe]
  D --> G[Computer: WORKSTATION-01]
  E --> H[User: jane.smith]
  style A fill:#f9a825,stroke:#f57f17,color:#000
  style B fill:#64b5f6,stroke:#1976d2,color:#000
  style C fill:#64b5f6,stroke:#1976d2,color:#000

Authentication: NTLM vs Kerberos

Windows uses two authentication protocols. Kerberos is preferred, but NTLM is still used as a fallback.

NTLM (NT LAN Manager)

NTLM is a challenge-response protocol:

1. Client sends username to the server
2. Server sends a random challenge (nonce)
3. Client encrypts the challenge using a hash of the user’s password
4. Server verifies by doing the same encryption and comparing

Problems with NTLM:

• The password hash is used directly for authentication (enables Pass-the-Hash)
• No mutual authentication (server does not prove its identity)
• Vulnerable to relay attacks (attacker captures and replays the challenge-response)
• Weaker encryption than Kerberos

Kerberos

Kerberos uses tickets instead of sending credentials over the network:

1. User authenticates to the Key Distribution Center (KDC, runs on the DC)
2. KDC issues a Ticket Granting Ticket (TGT)
3. User presents TGT to request Service Tickets for specific resources
4. User presents Service Ticket to the target server

Advantages:

• Credentials are never sent over the network
• Mutual authentication (both client and server prove identity)
• Time-limited tickets
• Supports delegation

Weaknesses:

• Depends on time synchronization (tickets expire)
• The KDC is a single point of compromise (if the DC is owned, all tickets can be forged)

The SAM database

The Security Account Manager (SAM) database stores local user accounts and their password hashes. It is located at C:\Windows\System32\config\SAM and is locked while Windows is running.

On a domain-joined machine, domain credentials are cached in the system’s memory (LSASS process) and in the SAM for local accounts.

Windows privileges

Windows has a granular privilege system. Key privileges that attackers target:

Service accounts often have SeImpersonatePrivilege, which enables “potato” attacks that escalate to SYSTEM.

Common attack vectors

Pass-the-Hash (PtH)

NTLM authenticates using the password hash, not the password itself. If an attacker obtains the hash (from memory, SAM, or network capture), they can authenticate as that user without knowing the password.

How it works:

1. Attacker compromises one machine
2. Dumps NTLM hashes from memory (using tools like mimikatz in a lab)
3. Uses the hash to authenticate to other machines where the user has access

Defense:

• Disable NTLM where possible (use Kerberos)
• Enable Credential Guard (protects hashes in memory)
• Use tiered administration (admin accounts for different security levels)
• Implement Local Administrator Password Solution (LAPS)

Golden Ticket

A Golden Ticket is a forged Kerberos TGT. If an attacker obtains the KRBTGT account’s password hash (the account used by the KDC to sign all tickets), they can create tickets for any user, including non-existent users, with any privileges.

How it works:

1. Attacker compromises a Domain Controller
2. Extracts the KRBTGT hash
3. Creates a TGT for any user with any group memberships
4. The forged ticket is accepted by all services in the domain

Defense:

• Reset the KRBTGT password twice (it keeps the current and previous password)
• Monitor for TGTs with abnormally long lifetimes
• Implement tiered administration to protect DCs
• Use Azure AD/Entra ID with modern authentication where possible

Kerberoasting

Some service accounts have Service Principal Names (SPNs). Any domain user can request a Service Ticket for any SPN. The ticket is encrypted with the service account’s password hash. The attacker requests the ticket and cracks it offline.

Defense:

• Use long, random passwords for service accounts (30+ characters)
• Use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs)
• Monitor for unusual Service Ticket requests

Example 1: Understanding the attack chain

Here is a typical Windows network attack, described conceptually:

Phase 1: Initial access Attacker sends a phishing email to an employee. The attachment executes a macro that downloads a reverse shell.

Phase 2: Local enumeration The attacker runs commands to understand the environment:

• whoami /all to see current privileges and group memberships
• net user /domain to list domain users
• net group "Domain Admins" /domain to find admin accounts
• ipconfig /all to understand the network layout

Phase 3: Credential harvesting With local admin access on the workstation, the attacker dumps credentials from memory. They find cached domain credentials from an IT admin who logged in recently.

Phase 4: Lateral movement Using the IT admin’s credentials (Pass-the-Hash), the attacker connects to other workstations and servers. They find a file share with a script containing database credentials.

Phase 5: Domain compromise The IT admin has access to a Domain Controller. The attacker uses those credentials to access the DC, extracts the KRBTGT hash, and creates a Golden Ticket.

Phase 6: Persistence The Golden Ticket provides unlimited access. The attacker also creates a new domain admin account and installs persistence mechanisms on multiple systems.

Example 2: Key differences between Linux and Windows privilege escalation

The core principles are the same: find misconfigurations, abuse trust relationships, and exploit the gap between intended and actual permissions. The specific techniques differ because the operating systems work differently.

Defense recommendations for Windows environments

1. Disable NTLM where Kerberos is available
2. Enable Credential Guard on workstations
3. Implement LAPS for local administrator passwords
4. Use tiered administration: separate admin accounts for workstations, servers, and DCs
5. Monitor for lateral movement: unusual login patterns, Pass-the-Hash indicators
6. Regular password rotation for service accounts, or use gMSAs
7. Patch promptly: many Windows attacks exploit known CVEs

What comes next

The next article covers Malware types and analysis basics, where you will learn to identify and analyze different types of malicious software.

For the Linux side of privilege escalation, review Linux privilege escalation. For defensive hardening, see Linux security basics and Defensive security.