MIM/PAM Case Study. Dean Guenther, IAM Manager, Washington State University. May 2016. Copyright 2016, Washington State University.
Spokesman Review, August 22, 2015
"WSU administrators announced this week they are trying to thwart a sophisticated hacking attempt that was detected more than a month ago … with help from federal investigators and private cyber security firm[s]."
"The university said it has found no evidence the hackers have accessed sensitive or research data."
"… the university will employ new software and eliminate compromised communication channels …"

The Problem
- We needed a better mechanism to keep system administrators' accounts from being used for privilege escalation: standing administrative credentials are what an attacker on a compromised host goes after.

The PAM Model
"Many recent well-publicised hacking attacks have targeted system administrators, with hackers gaining access to administrative credentials, with which they have created further accounts with extensive permissions." – James Cowling
- Privileged Access Management (PAM) helps mitigate unauthorized privilege escalation attacks.
- PAM uses MIM's request and approval workflow.
- It uses AD's SID History.
- The end result: an end user requests elevation, and on approval uses a time-limited grant of privilege instead of holding it permanently.

SID History
- SID History (sIDHistory) is an attribute on Active Directory (AD) security principals (user and group objects), not an object in its own right.
- It exists for migration scenarios: accounts in the new infrastructure still need access to the old infrastructure, so a migrated account carries its old SID in sIDHistory.
- The SIDs in sIDHistory are included in the authorization data of the account's Kerberos tickets (the PAC) and so in the logon token; ACLs that name the old SID keep matching.
- PAM reuses this mechanism: the shadow group in the bastion forest carries the production group's SID in sIDHistory, and PAM drops people in and out of that shadow group (with a TTL) rather than touching the production group.
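An added check that shows the sIDHistory link PAM depends on; it is example code, not anything from the presentation or from Microsoft. It assumes the RSAT ActiveDirectory module, a production forest prod.example.edu, a bastion forest priv.example.edu, and shadow groups named "<SourceDomain>.<GroupName>"; all of those names are placeholders.

```powershell
# Added example (not from the WSU presentation): verify the sIDHistory link that MIM PAM
# relies on, then confirm the production SID shows up in a logon token.
# Assumptions: RSAT ActiveDirectory module; production forest prod.example.edu; bastion
# forest priv.example.edu; shadow groups named "<SourceDomain>.<GroupName>". Placeholders.
Import-Module ActiveDirectory

$ProdDC    = 'dc1.prod.example.edu'   # DC in the production (resource) forest
$BastionDC = 'dc1.priv.example.edu'   # DC in the bastion (privileged) forest
$GroupName = 'ServerAdmins'           # production group that ACLs on servers reference

# 1. The production group's own SID: this is what the ACLs actually grant to.
$prodSid = (Get-ADGroup -Identity $GroupName -Server $ProdDC).SID.Value

# 2. The PAM shadow group lives in the bastion forest. Its sIDHistory must carry the
#    production SID, otherwise membership in it grants nothing in production.
$shadow  = Get-ADGroup -Identity "PROD.$GroupName" -Server $BastionDC -Properties sIDHistory
$history = @($shadow.sIDHistory | ForEach-Object { $_.Value })

if ($history -contains $prodSid) {
    "OK: $($shadow.Name) carries $prodSid in sIDHistory"
} else {
    "MISMATCH: $($shadow.Name) sIDHistory = [$($history -join ', ')]; expected $prodSid"
}

# 3. What the ticket carries: run this in a session opened AFTER the role was activated.
#    The bastion KDC puts sIDHistory SIDs into the PAC, so the production SID is in the
#    token even though the account is a bastion-forest user.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.Groups | Where-Object { $_.Value -eq $prodSid }) {
    "Token for $($me.Name) includes $prodSid"
} else {
    "Token for $($me.Name) does NOT include $prodSid (role inactive, or session predates activation)"
}
```

The third step is also the quickest way to reproduce the expiration issue raised later in the talk: a session opened while the role was active keeps reporting the production SID after the TTL has run out, because the token is built once at logon.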

Support from the President
- "… the university will employ new software …"
- WSU would use the new MIM/PAM.
- Scale: 1,500 to 2,000 servers, 300 system administrators.

Modified PAM Model
- We did not follow the suggested Microsoft model for MIM/PAM; it did not scale well for us.
- Using a trusted, private forest (the bastion forest) for the privileged accounts and shadow groups.
- RBAC model for roles and permissions.
- We used the MIM Synchronization Service (MIM Sync).
- Otherwise the typical MIM components.
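An added example of how one RBAC role is expressed with the MIMPAM PowerShell module that ships with MIM 2016; it is not WSU's own scripting, and the domain, DC, group, user and approver names are placeholders. The cmdlet names (New-PAMGroup, New-PAMUser, New-PAMRole, New-PAMRequest, Get-PAMRoleForRequest, Get-PAMRequest) are the module's documented ones; the TTL and approver values are illustrative, and the approver is passed as the PAM user object returned by New-PAMUser.

```powershell
# Added example (not the WSU scripts): one RBAC role defined end to end with the MIMPAM
# module. The setup part runs as a PAM administrator on the MIM PAM server in the bastion
# forest. Domain, DC, group, user and approver names are placeholders.
Import-Module MIMPAM

$srcDomain = 'PROD'                       # NetBIOS name of the production domain
$srcDC     = 'dc1.prod.example.edu'
$srcCred   = Get-Credential -Message 'PROD account allowed to read the source group and users'

# Privilege = a production group. New-PAMGroup creates the bastion-forest shadow group
# whose sIDHistory is the production group's SID (the mechanism on the SID History slide).
$priv = New-PAMGroup -SourceGroupName 'ServerAdmins' -SourceDomain $srcDomain `
                     -SourceDC $srcDC -Credentials $srcCred

# Candidates and approvers are bastion-forest accounts created from production identities.
$cand     = New-PAMUser -SourceDomain $srcDomain -SourceAccountName 'jdoe' -Credentials $srcCred
$approver = New-PAMUser -SourceDomain $srcDomain -SourceAccountName 'itsec.approver' -Credentials $srcCred

# Role = candidates x privileges, with a maximum TTL in seconds and an approval step.
# Keep the TTL short: expiry removes the shadow-group membership, not sessions already open.
$role = New-PAMRole -DisplayName 'Role-ServerAdmins' -Privileges $priv -Candidates $cand `
                    -TTL 3600 -ApprovalEnabled -Approvers $approver

# --- candidate side: run as the bastion-forest account PAM created for jdoe ---
Get-PAMRoleForRequest                       # roles this account is a candidate for
New-PAMRequest -Role 'Role-ServerAdmins' -Justification 'CHG0001: patch web tier' -RequestedTTL 1800
Get-PAMRequest                              # pending/approved state and expiry of the request
```

The split between the two halves is the point of the model: the administrator's everyday account never holds the production group, and the bastion-forest account holds it only for the requested window after an approver has signed off.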

Timeline
- MIM/PAM development began in September (2015).
- About 3 people over 2 months, not including department work.
- First production use in December (2015).
- It takes about 1 to 2 months per department/college to onboard.
- About 60% done (as of May 2016).

MIM PAM Issues
- PAM role expiration does not remove current session access: the shadow-group membership disappears when the TTL runs out, but a session that logged on while the role was active keeps its token, and that token still carries the group SID until the session ends.
- Patching of the SQL hosts started dropping connections.
- Bug in custom group sync.
- ADMT runs as a domain admin.
- Role activated, but access not granted.
- AD-integrated tools do not always work in a different forest.
- Can't use the Domain Admins or Enterprise Admins groups.
- Issues installing some applications.
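An added script (not from the presentation) that makes the first issue above visible and gives operations a lever on it: it reads the TTL left on a user's shadow-group membership in the bastion forest and lists the sessions that user still holds on a member server, with ending those sessions as an opt-in step. It assumes the RSAT ActiveDirectory module, Windows Server 2016 domain controllers in the bastion forest (time-bound membership), and placeholder server, group and account names.

```powershell
# Added example (not from the WSU presentation): show the gap behind "role expiration does
# not remove current session access". Compares the TTL left on a PAM shadow-group membership
# with the sessions the user still holds on a member server. Assumes RSAT ActiveDirectory,
# Windows Server 2016 DCs in the bastion forest, and placeholder names.
Import-Module ActiveDirectory

$BastionDC    = 'dc1.priv.example.edu'
$ShadowGroup  = 'PROD.ServerAdmins'      # shadow group carrying the production SID
$PrivUserCN   = 'PROD.jdoe'              # CN of the bastion-forest account
$SamOnServer  = 'PROD.jdoe'              # name as quser reports it on the member server
$MemberServer = 'web01.prod.example.edu'
$EndSessions  = $false                   # set to $true to actually log the sessions off

# -ShowMemberTimeToLive renders expiring members as "<TTL=seconds>,CN=...,DC=...".
$g = Get-ADGroup -Identity $ShadowGroup -Server $BastionDC -Properties member -ShowMemberTimeToLive
$entry = @($g.member | Where-Object { $_ -like "*CN=$PrivUserCN,*" }) | Select-Object -First 1
$memberNow = [bool]$entry

if (-not $entry) {
    "$PrivUserCN is not in $ShadowGroup: membership expired or never granted"
} elseif ($entry -match '^<TTL=(\d+)>,') {
    "$PrivUserCN keeps $ShadowGroup for another $($Matches[1]) s"
} else {
    "$PrivUserCN is a permanent member of $ShadowGroup (no TTL, so not PAM-managed)"
}

# Sessions on the member server. quser prints one session per line, e.g.
#   USERNAME   SESSIONNAME   ID  STATE  IDLE TIME  LOGON TIME
#   prod.jdoe  rdp-tcp#3      2  Active      .     5/1/2016 9:12 AM
# Each session's token was built at logon and is not rebuilt when the TTL runs out.
$pattern = '^\s*>?(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)'   # user, [session name], id, state
$lines = quser "/server:$MemberServer" 2>$null | Select-Object -Skip 1
foreach ($line in $lines) {
    if ($line -notmatch $pattern -or $Matches[1] -ne $SamOnServer) { continue }
    $id = $Matches[3]; $state = $Matches[4]
    if ($memberNow) {
        "session $id ($state) on $MemberServer will outlive the membership unless it is ended"
    } else {
        "session $id ($state) on $MemberServer still holds the group SID after expiry"
    }
    if ($EndSessions) { logoff $id "/server:$MemberServer" }
}
```

Short TTLs limit how long the gap can last, but they do not close it; if the role is meant to be gone at expiry, something has to end the sessions, which is why this sits next to the "better monitoring for Data Center Operations" item on the to-do list.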

To Do list
- Finish RBAC for all campuses/colleges/departments.
- Examine other use cases for RBAC, e.g. network services, VPNs, firewalls.
- Help Desk training.
- Automated workflow for role and permission creation.
- Automated user creation.
- Implement multifactor authentication.
- Automate role candidate creation for users.
- Separate the MIM Portal from the PAM Portal.
- Separate MIM Sync from the MIM Service.
- Rethink the whole process again after the AD DS 2016 migration.
- Support additional PAM features available in AD DS 2016 (time-bound group membership in AD itself).
- Move some support to IAM.
- Complete the documentation.
- MIM/portal approval workflow for "one time" elevated permission.
- Better monitoring for Data Center Operations.

Final Thoughts
- The whole process is only as good as the strength, adoption, and enforcement of your RBAC model.
- Get support from the highest leadership level possible.
- It takes a lot of effort.

Cast of Characters: Tom Ambrosi, CISO; Matt Kunkel, DCISO, PM; Dan Hamilton, CDS; Nathan Mertz, OCG; Dean Guenther, IAM.