
What Is 'ntds.dit'?

The 'ntds.dit' file is the database used by Microsoft Active Directory Domain Services (AD DS). It stores:

  • User Data: Includes account details, password hashes (e.g., NTLM), and security identifiers (SIDs).
  • Schema Definitions: Information about object types and attributes used in the directory.
  • Configuration Data: Domain structure, replication settings, and more.
  • Replicated Data: Copies of objects synchronized across domain controllers.

How attackers gain access to the 'ntds.dit' file:

1. Exploiting Backups
Domain controller backups often include the 'ntds.dit' file. Attackers may:

  • Access Backups: If backups aren’t encrypted or are stored in unsecured locations.
  • Compromise Backup Solutions: Vulnerabilities in backup systems or accounts can give attackers access.

2. Volume Shadow Copies
The Volume Shadow Copy Service (VSS) creates snapshots of the system, including the 'ntds.dit' file. Common techniques include:

  • Using VSSAdmin: Attackers can list and manipulate shadow copies to extract the file.
  • Mounting Shadow Copies: With tools or PowerShell, attackers access shadow copies for data extraction.

3. Direct Access
Once attackers have sufficient privileges on a domain controller, they use various tools, which won't be named here, to extract the information directly from the live system.


Protecting Against 'ntds.dit' dumping:

1. Secure Backups

2. Mitigate Volume Shadow Copy Abuse

  • Disable VSS on Domain Controllers: Unless necessary, disable VSS to reduce potential exposure.
  • Monitor VSS Activities: Log and alert on unusual VSS-related activities using tools like Sysmon.

3. Secure the 'ntds.dit' File

  • File Permissions: Ensure only the LocalSystem account can access the file.
  • Disk Encryption: Use full-disk encryption (e.g., BitLocker) to protect domain controller disks.
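The two hardening sections above (VSS exposure and protection of the database file) can be checked from the domain controller itself. The script below is an added example, not code from the original article: a read-only audit that reads the database path from the NTDS service registry key, lists every ACL entry on the file that is not in an assumed allow-list, reports the VSS service startup type and any shadow copies present, and reports the BitLocker status of the volume holding the database. The function names and the allow-list are the author's assumptions; adjust the allow-list to your own baseline.

```powershell
# Added example, not part of the original article: a read-only audit of the
# VSS and file-permission points above. Run it in an elevated PowerShell
# session on the domain controller itself. It reports; it changes nothing.

function Get-NtdsDatabasePath {
    # AD DS records the live database location under the NTDS service key,
    # so the path is read rather than assumed to be C:\Windows\NTDS.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    return $params.'DSA Database file'
}

function Test-NtdsFileAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Identities permitted on the ACL (assumed baseline). The article asks for
        # LocalSystem only; BUILTIN\Administrators is listed because Windows grants
        # it Full Control on the NTDS folder by default, so dropping it is a
        # deliberate hardening decision rather than something to remove blindly.
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    # Reading the security descriptor needs only READ_CONTROL, which does not
    # conflict with the exclusive handle lsass holds on the open database.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($Allowed -notcontains $id) {
            [pscustomobject]@{
                Check   = 'ntds.dit ACL'
                Finding = "Unexpected ACE: $id $($ace.AccessControlType) $($ace.FileSystemRights) (inherited=$($ace.IsInherited))"
            }
        }
    }
    if (-not $acl.AreAccessRulesProtected) {
        [pscustomobject]@{
            Check   = 'ntds.dit ACL (info)'
            Finding = 'ACL inherits from the parent folder; folder ACL changes propagate to the database'
        }
    }
}

function Test-VssExposure {
    # Startup type and state of the Volume Shadow Copy service. Windows Server
    # Backup and system-state backups depend on VSS, so this reports the setting
    # for review instead of disabling the service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='VSS'"
    [pscustomobject]@{
        Check   = 'VSS service'
        Finding = "State=$($svc.State) StartMode=$($svc.StartMode)"
    }
    # Shadow copies currently on the host. On a DC that is not deliberately
    # snapshotting the system volume, every entry here needs an owner.
    foreach ($s in Get-CimInstance -ClassName Win32_ShadowCopy) {
        [pscustomobject]@{
            Check   = 'Shadow copy present'
            Finding = "ID=$($s.ID) Volume=$($s.VolumeName) Created=$($s.InstallDate)"
        }
    }
}

function Test-DiskEncryption {
    param([Parameter(Mandatory)][string]$Path)
    # Get-BitLockerVolume is present only when the BitLocker feature is installed.
    if (-not (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Check = 'BitLocker'; Finding = 'BitLocker cmdlets not installed on this host' }
        return
    }
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')
    $vol   = Get-BitLockerVolume -MountPoint $drive
    [pscustomobject]@{
        Check   = 'BitLocker'
        Finding = "$drive ProtectionStatus=$($vol.ProtectionStatus) VolumeStatus=$($vol.VolumeStatus)"
    }
}

$dit = Get-NtdsDatabasePath
Write-Host "Auditing AD DS database at $dit"
@(Test-NtdsFileAcl -Path $dit) + @(Test-VssExposure) + @(Test-DiskEncryption -Path $dit) |
    Format-Table -AutoSize -Wrap
```

Run it as part of a scheduled compliance check and diff the output against the previous run; a new shadow copy, a new ACE on the database, or a BitLocker volume whose ProtectionStatus drops to Off is the kind of change that should open a ticket, not just appear in a report.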

4. Monitor and Harden Domain Controllers

  • Limit Admin Access: Restrict administrative privileges to essential personnel.
  • Log Auditing: Audit access to the 'ntds.dit' file and to the SYSTEM registry hive, since the Syskey (boot key) stored there is needed to make use of the database.
  • SIEM Alerts: Set up alerts for suspicious behaviour on domain controllers.
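Turning the Sysmon and SIEM alerting points above into a concrete rule is shown below as an added example, not as code from the original article. It expresses two detections for the shadow-copy technique the article describes: vssadmin.exe creating or listing shadow copies, and any process whose command line reaches into a shadow-copy device path and names the AD database. The rule is evaluated against constructed Sysmon Event ID 1 (process creation) records embedded in the script, so it runs offline; the function names, the sample records and the account names in them are the author's constructions. A small helper shows how the same rule is fed from the live Sysmon log.

```powershell
# Added example, not part of the original article: detection logic for the
# VSS-abuse pattern described above, evaluated against constructed Sysmon
# Event ID 1 records. Nothing here is real telemetry.

function Get-ShadowCopyAlert {
    # Returns a reason string when a process-creation record matches one of the
    # rules, otherwise returns nothing.
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$ParentImage = ''
    )
    $leaf = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    $cmd  = $CommandLine.ToLowerInvariant()

    # Rule 1: vssadmin.exe creating or enumerating shadow copies. Backup
    # products generally use the VSS API, so interactive vssadmin use on a
    # domain controller is worth investigating regardless of outcome.
    if ($leaf -eq 'vssadmin.exe' -and ($cmd -match 'create\s+shadow' -or $cmd -match 'list\s+shadows')) {
        return "vssadmin shadow-copy operation (parent: $ParentImage): $CommandLine"
    }

    # Rule 2: any process addressing the AD database through a mounted
    # shadow-copy device path rather than the live file system.
    if ($cmd -match 'harddiskvolumeshadowcopy' -and $cmd -match 'ntds\.dit') {
        return "ntds.dit referenced via shadow-copy path: $CommandLine"
    }
}

function ConvertFrom-SysmonEvent {
    # Flattens the EventData of a Get-WinEvent record into named properties so
    # the same rule can be applied to live events (see the commented line below).
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml   = [xml]$Record.ToXml()
    $props = @{}
    foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

# Constructed sample records (not real telemetry), carrying the Sysmon Event ID 1
# fields the rules use. Hostnames, users and timestamps are made up.
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 09:00:00.000'; User = 'NT AUTHORITY\SYSTEM'
        Image = 'C:\Windows\System32\svchost.exe'
        CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p'
        ParentImage = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-01 09:05:12.000'; User = 'CORP\helpdesk1'
        Image = 'C:\Windows\System32\vssadmin.exe'
        CommandLine = 'vssadmin.exe list shadows'
        ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-01 09:06:40.000'; User = 'CORP\helpdesk1'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\'
        ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-01 23:00:00.000'; User = 'NT AUTHORITY\SYSTEM'
        Image = 'C:\Windows\System32\wbengine.exe'
        CommandLine = 'C:\Windows\System32\wbengine.exe'
        ParentImage = 'C:\Windows\System32\services.exe' }
)

# Live equivalent (Sysmon installed with process-creation logging enabled):
# $events = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
#               -FilterXPath '*[System[EventID=1]]' | ForEach-Object { ConvertFrom-SysmonEvent $_ }

$alerts = foreach ($e in $sampleEvents) {
    $reason = Get-ShadowCopyAlert -Image $e.Image -CommandLine $e.CommandLine -ParentImage $e.ParentImage
    if ($reason) {
        [pscustomobject]@{ UtcTime = $e.UtcTime; User = $e.User; Reason = $reason }
    }
}
$alerts | Format-Table -AutoSize -Wrap
```

Against the constructed records, the svchost.exe and wbengine.exe (Windows Server Backup) entries produce no alert, while the vssadmin enumeration and the shadow-copy path reference each produce one. Rule 1 will also fire on administrators who run vssadmin by hand, which is the intended trade-off on a domain controller: the volume is low and each hit should be attributable to a change ticket.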

5. Regularly Rotate Passwords

  • Frequently update passwords for high-privilege accounts to minimize the impact of leaked hashes.

Advanced Protection

1. Read-Only Domain Controllers (RODCs):

  • Deploy RODCs in environments like branch offices. These store limited credentials and don’t hold writable 'ntds.dit' files.

2. Privileged Access Management (PAM):

  • Implement PAM solutions to tightly control and monitor the use of privileged accounts.

3. Incident Response Plans:

  • Prepare a response plan for suspected breaches of domain controller data, including steps to reset accounts and investigate the intrusion.

Great article Dips. Can never be too secure with your domain.


Thank you @dips, very informative and concise article.


Great Article @dips!


Very useful, thank you @dips


The more I read about these things and the creativity used to get to them, the more I wonder how anything is secure.  And in that regard, I suppose nothing is really secure.  Thanks for sharing Dipen.


Maybe also consider running the DCs as Encrypted VMs in VMware vSphere.

