Tag Archives: Windows Tutorial

Windows operating systems are particularly common on personal computers and servers.

Protect Accounts by Active Directory Protected Users

Protect sensitive AD accounts with high privileges by adding them to the Protected Users group

Starting with Windows Server 2012 R2, the Protected Users security group was introduced. With the membership of this group, legacy functions are automatically blocked, legacy technologies such as NTLM authentication can be exploited and attackers can be used to steal identities.

The Protected Users group was introduced with Windows Server 2012 R2 and Windows 8.1 by Microsoft to harden accounts. The group (“Protected Users”) exists by default in the Users container, accounts that are members of this group are protected, especially against pass-the-hash and pass-the-ticket attacks by disabling NT LAN Manager (NTLM), a legacy technology and authentication protocol that still exists for backward compatibility.

dsa.msc - Users - Protected Users. Members of this group are provided with additional protection against security threats during authentication

Members of this group are provided with additional protection against security threats during authentication. The additional protections are provided only if users log on to Windows Server 2012 R2 with Windows 8.1 and later, and for which full protections are set to the domain functional level on Windows Server 2012 R2 (or later).

Protected Users are primarily intended to use domain and enterprise administrator accounts, which are particularly vulnerable to attack because they provide wide-open access to systems in the event of a compromise. This is not to say that other user accounts that could be considered a target cannot be added to protected users. However, due to the strict restrictions imposed on members of protected users, it is important to conduct thorough testing beforehand.

NTLM uses a hash value to authenticate a user. This is a complex code, but in the end it is nothing more than a password. Now, if an attacker enters the network, he can intercept the hash value and use it to authenticate himself.

  It is a good way to ensure that when highly privileged accounts such as domain and enterprise administrators are added, at least one account that is not used for regular administrative tasks remains outside the group.

The following protections are enabled for members of the Protected Users group when they log on from a supported device and the domain functional level is ensured on Windows Server 2012 R2 or later:

  • Cached credentials are blocked. A domain controller must be available for authentication.
  • Long-term Kerberos keys at logon are not supported.
  • Plaintext passwords are not cached for Windows Digest authentication or standard credential delegation (CredSSP), even if the appropriate policies are enabled.
  • The maximum lifetime for the user’s Kerberos ticket is 240 minutes.
  • Offline login to a device is no longer possible.
  • NTLM and NTLM disposable function (NTOWF) is locked.
  • Kerberos Ticket Granting (TGT) tickets cannot be renewed for more than 4 hours of Time-to-Live (TTL).
  • Data Encryption Standard (DES) and RC4 cannot be used for Kerberos preauthentication.
  • Constrained and unconstrained Kerberos delegation is not supported (may have administrative limitations).
  • Constrained and unrestricted delegation is blocked.

In principle, some of these restrictions can also be configured using Group Policy. However, membership in the Protected Users group automatically takes effect and there is no risk of being unconfigured.

Penetration Testing with Mimikatz

Checking for effectiveness of the restrictions by the security group, allows the penetration hacking tool Mimikatz. If the account is not a member of the Protected Users group, it displays the NTLM hash, among other things.

Mimikatz is a very powerful tool to carry out attacks on the Active Directory. It makes it possible to access plain text passwords, password hashes and Kerberos tickets, and to extend the rights in foreign systems and thus take control of entire company networks.

The tool can be run in interactive mode by simply hit mimikatz.exe, or in PowerShell with append parameters and the exit option to end the query.

.\mimikatz "privilege::d ebug" "sekurlsa::logonpasswords" exit

Here you can see the NTLM hash in the output, this if the account is not a member of Protected Users.


Authentication Id : 0 ; 643260 (00000000:0009cc96)
 Session           : RemoteInteractive from 2
 User Name         : adadmin
 Domain            : COMPANY
 Logon Server      : ADDC01
 Logon Time        : 12/24/2019 11:43:56 AM
 SID               : S-1-5-21-1581655573-3923512380-696547694-500
 msv :
 [00000003] Primary
 * Username : ADAdmin
 * Domain   : COMPANY
 * NTLM     : 5164b9a0fda665d56739954bbcc26833
 * SHA1     : f8db297cb5ae403f8915675ceae78643d0d3b09f
 [00010000] CredentialKeys
 * NTLM     : 5164b9a0fda665d56739954bbcc26833
 * SHA1     : f8db297cb5ae403f8915675ceae78643d0d3b09f

 tspkg :
 wdigest :
 * Username : ADAdmin
 * Domain   : COMPANY
 * Password : (null)
 kerberos :
 * Username : adadmin
 * Domain   : AD.COMPANY.LOCAL
 * Password : (null)
 ssp :   KO

After you become a member of the Protected Users group, the NTLM hash no longer appears.

  The Mimikatz Binary can be downloaded from Github: gentilkiwi/mimikatz, while downloading in the browser it appears a security warning, such as “This file contains a virus or malware“, by clicking on Allow download the download can be preset.

Windows view file extensions

How to make file extensions in Explorer visible

For Windows 10, the file extensions are hidden by default, settings are in control panel – File Explorer Options – Advanced Settings:

Hide extensions for known file types

The file extension is often used to identify the format of a file. For example: name.txt indicates a text file. Modern Windows versions do not know the limitation of file names, like the 8.3 convention known by MS-DOS (8 characters file name, 3 characters extension). In Windows 10, the default setting is that all file extensions known to the system are hidden in Explorer. This fact is exploited by various malware programs. To make the file extension visible, go to the Explorer options in the Control Panel, or call up File Explorer Options directly.

Press the Win + R key to open Run, enter control folders and click OK.

In the File Explorer Options, the setting for file extensions can be hidden or displayed in the View Tab.

Hide extensions for known file types

Uncheck Hide extensions for known file types and click OK. Any files are now displayed with extensions.