Setting Up Honey Pots for Active Directory 

The world of computing is replete with threats which, at any time, can compromise the security of your system. Unauthorized users may try to gain access to client machines and perform malicious activities using existing loopholes. A honey pot is a decoy network. It masquerades itself as a real or genuine network.

Honey Pots are used to trick intruders and give them the impression that they are attacking the right network. The activity of the attacker is then logged and studied. In a nutshell, a honeypot protects your system.

A Honey Pot is a computer system set up to lure would-be attackers and deflect their attempts to gain unauthorized access to the network. It is a system installed on a computer in order to simulate the behavior of the real system. The decoy system is isolated and monitored by system administrators.

Setting Up the Honey Pot Account

Securing an Active Directory is an important organizational policy that helps system auditors track relevant events and changes taking place in the network. Everyday threats are becoming more elusive which calls for the need to have several security measures to better handle threats, including those coming from insider attacks.

One way of implementing this is through the use of Honey Pot accounts to trick the attacker that they have full access to the system.

Within the Active Directory context, a Honey Pot administrator account can be set up because most attackers look for this account. The administrator account gives them the impression of having uncontrolled access to all resources of the Active Directory.

Advanced hackers may not fall for this trick, but using Honey Pots in your network is the best way of detecting malicious activity. System administrators need to realize that Honey Pots are not foolproof because some hackers will immediately know the legitimacy of the Honey Pot account. For the Honey Pot account to thwart the most sophisticated attacks, here is what the administrator needs to do:

  • Renaming the Built-in Administrator Account
    This account has to be renamed and the default decryption removed. Naming the account means creating a username that matches the Active Directory naming conventions.
  • Create Another User Account with Username “Administrator”
    The default description for this account should be “Built-in account for registering the computer/domain”. The idea is to create a proxy Administrator with a similar description to the default account.
  • Enable Auditing
    Auditing for activities such as failed and successful Logon Attempts for the account just created in step two above. The configuration of Auditing may be used alongside a tool that enables searches and alerts whenever this account is accessed. The Microsoft built-in tool may not give details of searches and alerts promptly. Therefore, downloading third-party tools such as the Active Directory Audit Plus can be helpful in monitoring, searching, analyzing, and giving live alerts when a login attempt is made at the Honey Pot account.
  • Monitor the Honey Pot Activities
    Using an appropriate account auditing solution, all live activities on the account should be logged and monitored.

The four steps above should enable the Honey Pot account. It is also a good idea to have logging and monitoring activities on the renamed administrator account. The organization’s security policy should be that the renamed account should not be used unless it is a case of an emergency.

Tracking all Logon activities of all users is important in keeping the system security tight. The two accounts should now give an immediate alert when a Login attempt is made and thus the network is deemed secure and prepared for external intrusions.

Decisions to be Made When Deploying a Honey Pot

Before any consideration is made to deploy a Honey Pot account, here are some of the critical decisions system administrators are faced with:

  1. Reason of the Account
    Two primary reasons determine whether deploying a Honey Pot account is necessary. One of the need for an early security warning, the second reason being for forensic analysis. Honey Pots address both reasons by giving out the information needed for immediate follow-up.
  2. What Needs Protecting
    The most valuable objects in an Active Directory will determine the type of fake account to be used as a Honey Pot. In most cases, Honey Pot accounts are used to mimic web servers, file servers, application servers, database servers, and Logon servers. There is an option of deploying a Honey Pot that mimics open ports or having several ports with each one dedicated to a particular server type.
  3. The Active Directory Interaction Levels
    Three levels of interactions define Honey Pot accounts thus:
  • Low level
  • Medium level
  • High level

The low-level accounts give early warning signs of malicious activities; the medium level accounts may have basic file structures to give the hacker a “true” reflection of the system content, while the high-level accounts may contain a complete copy of the server they emulate.

  1. The Location of the Honey Pot
    Location of the Honey Pot should be near the resources that they are trying to protect. For example, a web server decoy account should share the same IP address where the real server is located.
  2. Real or Emulation Software
    Using real systems is a good idea because it becomes difficult for the most advanced hacker to know if they are dealing with a Honey Pot or not. Using an emulation software means having access to built-in signature detection tool useful for monitoring.
  3. Monitoring and Alert Tools to Use
    A Honey Pot will only be of value when logging takes place. The tool used for monitoring should be able to report on all activities in a real time.
  4. How to Administer the Honey Pot
    Once a Honey Pot account is set up, it should continue running throughout the life of the services it is mimicking. At least one person (or more if necessary) should be given control of the decoy accounts. His responsibility will be the installation, planning, configuration, monitoring, and updating the Honey Pot.

All communications coming through a Honey Pot are considered hostile. Therefore, the system administrators should use all these activities as an insight into the level and types of threats the network is prone to. A Honey Pot account should be treated as an added security setup and not a replacement of security measures already in place.

Active Directory Federation Services in Windows Server 2016 

.When we look at IT businesses today, the most common spoken word is the “cloud”. Cloud computing made a huge impact in a way of functioning and business organization. 

But with more possibilities, usually we get more problems. And one of biggest challenges with doing business in the cloud is security and access control, especially in organizations with the need of extranet access. 

With that in mind, Microsoft has introduced an improvement to the Microsoft Windows Server 2016 system. 

Active Directory Federation Services  (ADFS)  

Active Directory Federation Services (ADFS) provides access control and single sign-in across a wide variety of applications like Office 365, cloud-based SaaS applications, and other applications on the corporate network. 

It enables organizations to provide a sign-in and access control to both modern and legacy applications — on-premises and in the cloud — with the unified set of credentials and policies. 

ADFS was first presented as an additional download in Windows Server 2003 R2 edition. But in the Windows Server 2016 edition, it became one of the most significant components of the system. 

ADFS 2016 has numerous improvements to offer. But the two most important ones are the three new options for signing in without using passwords and support for any LDAPv3 directory. 

Azure Multi-Factor Authentication  

The first option is the use of the Azure Multi-Factor Authentication (MFA) adapter for ADFS. Azure MFA can be configured for intranet or extranet, or as part of any access control policy. 

In the past, the Azure MFA server on premise was the only way of eliminating passwords as authentication methods. Now, with a configuration on the MFA adapter, the primary authentication method is the username and the OTP (One Time Password) code from the Azure Authenticator app. 

With MFA as the additional authentication method, the user provides primary authentication credentials (using Windows Integrated Authentication — username and password, smart card, or user/device certificate), then comes a prompt for text, voice, or OTP based Azure MFA login. 

 Access from Compliant Devices

ADFS 2016 upgraded device registration capabilities and enabled sign-on and access control based on the device compliance status. Sign-in is now possible with device credentials. And if/when device attributes change, compliance is re-evaluated, which brings certainty in enforcing policies. 

This can be allowed by enabling the following policies:  

  • Enable Access only from devices that are managed and/or compliant. 
  • Enable Extranet Access only from devices that are managed and/or compliant.  
  • Multi-factor authentication for computers that are neither managed nor compliant.

Windows Hello for Business  

The Windows Hello for Business (formerly known as Microsoft Passport for Work) feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. ADFS 2016 supports this way of authentication and enables user sign-in on all ADFS applications without the need for a password. 

LDAPv3 Support  

Another improvement in ADFS 2016 is support for a combination of Active Directory and third-party directories. With the addition of ADFS support for authenticating users stored in LDAP v3-compliant directories, ADFS can now be used for:  

  • Third party, LDAP v3-compliant directories.
  • Active Directory forests where an Active Directory two-way trust is not configured. 
  • Active Directory Lightweight Directory Services (AD LDS).

New and Improved Migration Procedure 

Earlier, this operation was pretty painful for administrators. It required building completely new parallel server farm and export of configuration from old one which will then be imported into a new one. 

In ADFS 2016, Microsoft took a different approach, and simplified the process by a lot.  

Now, moving from ADFS (on Windows Server 2012 R2) to ADFS 2016 requires adding new Windows Server 2016 to an existing Windows Server 2012 R2 farm. This will completely run as 2012 R2, but with adding more servers to the farm and removing old ones from the load balancer, the system will allow upgrade and usage of new features.  

More Features

Other than these, some more important new options and interesting features of ADFS 2016 are:

  • Supports the latest modern protocols which will provide a better user experience on the most relevant platforms (Windows, iOS, Android).
  • Ability to add industry standard OpenID Connect and OAuth 2.0-based authentication and authorization to applications in development.
  • A way to customize messages, images, logos, and web themes per application.
  • Streamlined auditing for easier administrative management and configuration to participate in confederations such as InCommon Federation and other implementations conforming to the eGov 2.0 standard. 

ADFS 2016 provided the best improvements in the development of the Windows Server systems, especially in the extranet access situation. Most experts agree that listening to user feedback made a significant impact.

New Active Directory Features in Windows Server 2016

Active Directory is an extensively-used service on many enterprise networks. Besides offering authentication and authorisation services in Windows domain-type networks, Active Directory supports several other capabilities, which makes it popular.

Windows Server 2016 Active Directory Improved Features

In Windows Server 2016, the Active Directory Domain Services (AD DS) received some enhancements intended to assist organisations realise optimised performance for their network resources.

In this article, we are going to talk about four significant features improved in AD DS.

Privileged Access Management (PAM)

Microsoft has introduced privileged access management (PAM) feature to assist in safeguarding AD DS from credential theft attacks. Examples of such types of attacks include spear phishing and pass-the-hash.

At its core, PAM depends on the Microsoft Identity Manager (MIM) as well as a domain functional level that is not below Windows Server 2012 R2.

The MIM is important for provisioning what is called the bastion Active Directory forest. Whenever PAM is configured, MIM generates a new Active Directory forest, which is segregated to be accessed by privileged accounts. The created Active Directory environment is freed from any illicit activities.

With the creation of the trusted Active Directory environment, MIM can now determine the assigning of permissions to users.

MIM offers workflows for granting administrative privileges, which is based on the type of requests approved. If users are given extra administrative privileges, they are also given memberships in the shadow security groups found in the created secure forest.

What’s more, membership to the groups is time-bound. MIM has an expiring links feature which allows memberships to be revoked after the allocated time period elapses. Users are given just enough time to complete the allocated administrative duties. This time-controlled membership is defined as a time-to-live variable.

If a user enjoys time-controlled membership in several security groups, Microsoft has included improvements in Kerberos Key Distribution Center (KDC) to take care of such a situation by restricting his or her Kerberos ticket lifetime to the lowest attainable time-to-live value.

Furthermore, PAM also provides improved monitoring tools. As such, it makes it easy to quickly establish the users who requested access permissions, the level of access that was given, and the type of tasks that were completed.

Azure Active Directory Join

With the Azure Active Directory Join feature, you can deploy your identity management tasks to the cloud and benefit from centralised management for your corporate and personal devices.

The main objective of the Azure Active Directory Join is to offer the advantages of an on-premise Active Directory environment without much hassles to the users.

This new feature enables users to access Oxygen Services without the need of a Microsoft account. Oxygen Services, with its various features and settings, will be available on devices that are connected to on-premise Windows domain as well as devices connected to the Azure Active Directory account.

Azure Active Directory Join also allows devices, whether they are corporate-owned or BYOD, to benefit from single-sign on web applications. It also allows those devices to be managed using the Mobile Device Management (MDM) integration tool, even if they are not in the Windows intune tool.

It is also possible to use the feature to configure “Kiosk” mode for shared corporate and personal devices. There are also some developer improvements that enhance the process of creating applications for both enterprise and personal uses.

Microsoft Passport

The use of weak credentials is one of the major security issues facing the IT industry today. Most users do not care about their password security and engage in insecure habits like using the same password in numerous places, using poorly crafted passwords, and using simple passwords that are easy to guess.

Fortunately, Microsoft Passport intends to provide a solution to this issue. It incorporates two-factor authentication techniques that enhance the security of users’ passwords without needing the traditional, complex methods like physical smart cards.

Microsoft Passport is created to work together with Windows Hello (the in-built biometric sign-in for the Windows operating system).

Its two-factor authentication technique utilises the credentials available to the user together with the precise credentials of the device the user is accessing. Every user accessing a device is given a precise authenticator (referred to as hello) or a PIN, which verifies the identity of the user before being allowed access.

Microsoft is calling this new Passport feature “password-less authentication”, which can be deployed to safeguard traditional on-premise Active Directory environments and Azure Active Directory environments.

Additionally, the Passport feature can also be used in FIDO (Fast Identity Online) accounts. With the FIDO capabilities, Passport can be used in extensive array of platforms and devices, eliminating the need to remember multiple passwords.

Deprecated features

There are a few features that are no longer supported in Windows Server 2016. For example, the old File Replication Service (FRS), which was utilised to replicate folder data between servers, has now been exclusively replaced with Distributed File Service (DFS) Replication. DFS is useful in replicating SYSVOL.

Furthermore, the Windows Server 2003 functional levels are not recognised in Windows Server 2016. Consequently, to achieve increased reliability and performance, all domain controllers still depending on Windows Server 2003 are required to be taken out from the domain.

Therefore, it is recommended for companies to increase their functional level to Windows Server 2008 (or even to a higher level). Shifting to the higher functional levels guarantees optimal SYSVOL replication compatibility as well as faster support for enhanced performance.


Each of the above Active Directory features are intended to enhance the experience of the large community of Windows Server 2016 users.

PAM offers a technique for preventing credential theft when data is being exchanged in very sensitive environments.

Azure Active Directory Join functionalities allow users to benefit from the advantages of on-premise Active Directory without much hassles. Microsoft Passport aims to revolutionise the way authentication takes place.

Finally, the deprecated features points to Microsoft’s commitment to eliminate flaws and inconsistencies in Windows Server 2016.

Useful Resources

Here is a guide how to set up Active Directory in Windows Server 2016:



Report NTFS Permissions in 60 Seconds!

Download your Free Edition of the easiest and fastest NTFS Permission Reporter now!