Building on our understanding of Windows architecture from the previous lesson, we now dive into the identity layer — how Windows identifies users, organizes them into groups, and authenticates them. This is the foundation of all Windows security: every access control decision ultimately comes back to "who is requesting this, and what are they allowed to do?"
As a security professional, you need to understand not just how authentication works, but how attackers steal, forge, and abuse credentials. This lesson covers both the legitimate mechanisms and the attack surface they create.
Every user, group, and computer in Windows is identified by a Security Identifier (SID) — a unique alphanumeric string. SIDs are the true identity in Windows; usernames are just friendly labels that map to SIDs.
SID Structure Example: S-1-5-21-3623811015-3361044348-30300820-1001
S = SID identifier
1 = Revision level (always 1)
5 = Identifier Authority (5 = NT Authority)
21 = Sub-authority (domain/local)
3623811015-3361044348-30300820 = Domain/computer identifier (unique)
1001 = Relative Identifier (RID) — identifies the specific accountWell-known SIDs are consistent across all Windows installations. Understanding these is critical for security analysis:
| SID | Account | Security Significance |
|---|---|---|
| S-1-5-21-<domain>-500 | Administrator | Built-in admin account; RID 500 is always the first admin |
| S-1-5-21-<domain>-501 | Guest | Disabled by default; should remain disabled |
| S-1-5-21-<domain>-512 | Domain Admins | Full domain control; highest-value target |
| S-1-5-21-<domain>-519 | Enterprise Admins | Forest-level admin; exists only in forest root |
| S-1-5-21-<domain>-520 | Group Policy Creator Owners | Can modify GPOs; lateral movement target |
| S-1-5-18 | SYSTEM | Local machine's operating system account; highest local privilege |
| S-1-5-19 | LOCAL SERVICE | Limited service account for local-only services |
| S-1-5-20 | NETWORK SERVICE | Service account with network credentials |
The RID (Relative Identifier) is the last component of a SID. RID 500 is always the built-in Administrator account. Attackers specifically target RID 500 accounts because they cannot be deleted (only disabled) and often have the same predictable name across environments. Always rename and monitor the RID 500 account.
On a standalone (non-domain-joined) Windows machine, user accounts are stored in the SAM (Security Account Manager) database, located at C:\Windows\System32\config\SAM. The SAM is locked while Windows is running and encrypted with a system key (SYSKEY).
Key local groups and their security implications:
# List all local users
Get-LocalUser
# List all local groups
Get-LocalGroup
# View members of the Administrators group
Get-LocalGroupMember -Group "Administrators"
# View detailed information about a specific user
Get-LocalUser -Name "Administrator" | Select-Object *
# Check if the built-in Administrator account is enabled
Get-LocalUser -Name "Administrator" | Select-Object Name, EnabledNTLM (NT LAN Manager) is Microsoft's legacy authentication protocol. Despite being deprecated in favor of Kerberos, NTLM is still widely used in enterprise environments — especially for local authentication, workgroup scenarios, and legacy systems. Understanding NTLM is essential because it is a primary target for credential theft and relay attacks.
The NTLM authentication process (challenge-response):
1. NEGOTIATE: Client sends a negotiation message to the server
2. CHALLENGE: Server generates a random 8-byte challenge (nonce) and sends it
3. AUTHENTICATE: Client encrypts the challenge with the NTLM hash of the
user's password and sends the response
4. Server verifies the response (either locally via SAM or via domain controller)The NTLM hash is computed as: MD4(UTF-16-LE(password)). It is stored in the SAM (local accounts) or NTDS.dit (domain accounts). Critically, the NTLM hash is a **pass-the-hash** compatible credential — an attacker who obtains the hash can authenticate without knowing the plaintext password.
⚠️ NTLM is vulnerable to several attack types: Pass-the-Hash (use the hash directly), NTLM Relay (relay the authentication to another server), and brute-force/crack the hash offline. In an authorized penetration test, you will frequently encounter NTLM hashes in memory (from LSASS dumps) or in database dumps. Always ensure you have written authorization before attempting any credential attacks.
Kerberos is the default authentication protocol for Active Directory domains. It is significantly more secure than NTLM when properly configured, but it has its own attack surface that every security professional must understand.
The Kerberos authentication flow involves three parties: the client, the Authentication Server (AS), and the Ticket Granting Service (TGS):
1. AS-REQ: Client requests a Ticket Granting Ticket (TGT) from the KDC
(Key Distribution Center) on the Domain Controller
2. AS-REP: KDC encrypts the TGT with the KRBTGT account's hash and
sends it. The session key is encrypted with the user's hash.
Client decrypts the session key using their password hash.
3. TGS-REQ: Client sends the TGT + authenticator to request a service
ticket (TGS) for a specific service (e.g., CIFS/fileserver)
4. TGS-REP: KDC returns a service ticket encrypted with the target
service's account hash.
5. AP-REQ: Client presents the service ticket to the target server.
Server decrypts it with its own hash to authenticate the client.Key Kerberos concepts for security professionals:
💡 Kerberoasting is one of the most common Active Directory attack techniques. Any domain user can request service tickets for any SPN. If the service account has a weak password, the ticket can be cracked offline without any special privileges. Always use long, random passwords (25+ characters) for service accounts.
Windows stores credentials in several locations, each with different protection levels:
| Location | What's Stored | Protection | Attack Method |
|---|---|---|---|
| SAM Registry Hive | Local user NTLM hashes | SYSKEY encrypted, locked at runtime | Offline extraction from hive files |
| LSASS Process Memory | NTLM hashes, Kerberos tickets, sometimes plaintext | Protected by LSA Protection (RunAsPPL) | Mimikatz, ProcDump, comsvcs.dll |
| NTDS.dit | All domain user hashes and data | Encrypted with BOOTKEY | DCSync, volume shadow copy extraction |
| Credential Manager | Saved web/app credentials | DPAPI encrypted with user master key | Mimikatz vault::cred |
| LSA Secrets | Service account passwords, machine account password | Encrypted in registry | Registry extraction, Mimikatz |
| Cached Credentials | Last 10-25 domain logons (configurable) | Stored in registry, encrypted | Registry extraction (requires SYSTEM) |
# Check if LSA Protection is enabled (RunAsPPL)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL"
# Check Credential Guard status
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# View cached credential policy
gpresult /h gpresult.html # Then review the report⚠️ Credential Guard uses virtualization-based security (VBS) to isolate LSASS in a secure environment, preventing even administrators from reading credential material. However, Credential Guard does not protect against all attacks — it primarily defends against Pass-the-Hash and credential dumping. It does not prevent Kerberoasting, DCSync, or NTLM relay attacks.
Verify exercises to earn ★ 120 XP and unlock next lab level.