Privileged Access Management (PAM) with MIM 2016

Slides:



Advertisements
Similar presentations
Service Manager for MSPs
Advertisements

Configuring SharePoint 2013 and Office 365 Hybrid – Part 1
4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 
Continually improving products and services to protect against cyber-attacks targeting administration First in Windows Server, and Active Directory......Next.
Lesson 17: Configuring Security Policies
Module 4: Implementing User, Group, and Computer Accounts
Virtual techdays INDIA │ august 2010 Managing Active Directory Using Microsoft Forefront Identity Manager: Amol R Bhandarkar │ Tech Specialist –
ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.
Chapter 7 HARDENING SERVERS.
Security and Policy Enforcement Mark Gibson Dave Northey
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
WMU GNL Automation How to make my IT life easier CHRISTOPHER KEYAERT CONSULTANT AT INOVATIV CLOUD AND DATACENTER MANAGEMENT MVP.
Senior Technical Writer
Chapter 7 WORKING WITH GROUPS.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Overview of Active Directory Domain Services Lesson 1.
Module 8 Configuring and Securing SharePoint Services and Service Applications.
Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Module 6: Designing Active Directory Security in Windows Server 2008.
Chapter 7: WORKING WITH GROUPS
Designing Active Directory for Security
DEP313 Active Directory Restructuring with ADMT v-2
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
Page 1 Active Directory and DNS Lecture 2 Hassan Shuja 09/14/2004.
ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam
Managing Local Users & Groups. OVERVIEW Configure and manage user accounts Manage user account properties Manage user and group rights Configure user.
Module 7: Implementing Security Using Group Policy.
PRESENTATION TITLE Presented by: Xxxx Xxxxx. Providence Health & Services Very large Catholic healthcare system 33 hospitals in AK, CA, MT, OR, WA 65,000.
FROM MIT KERBEROS TO MICROSOFT ACTIVE DIRECTORY The Pennsylvania State University’s move from a lower case MIT Kerberos realm to a Standard Microsoft Active.
Introduction to Active Directory
CEG 2400 Fall 2012 Directory Services Active Directory Tree Domain.
Windows 2003 Architecture, Active Directory & DNS Lecture # 3 Hassan Shuja 02/14/2006.
BE-com.eu Brussel, 26 april 2016 EXCHANGE 2010 HYBRID (IN THE EXCHANGE 2016 WORLD)
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Configuring Advanced Windows Server 2012 R2 Services Exams4sure.
One Foot in the Cloud, Another On-Premises Ross Adams 2016 Redmond Summit | Identity Without Boundaries May 25 th 2016 Azure AD
Securing Privileged Identities Joseph Dadzie, Principal PM Manager, Microsoft 2016 Redmond Summit | Identity Without Boundaries May 26, 2016 James Cowling,
MIM/PAM Case Study Dean Guenther IAM Manager Washington State University May 2016 Copyright 2016, Washington State University.
SaaS apps.
MCSA Windows Server 2012 Pass Upgrading Your Skills to MCSA Windows Server 2012 Exam By The Help Of Exams4Sure Get Complete File From
Windows Enterprise Services.  Introductions  UNM Directory Services  RSAT  Organizational Units (OU)  Active Directory Groups  Naming Convention.
James Cowling MIM Privileged Access Management.
Protect your data Enable your users Desktop Virtualization Information protection Mobile device & application management Identity and Access Management.
Protect your data Enable your users Desktop Virtualization Information protection Mobile device & application management Identity and Access Management.
Follow OCG Learning Twitter Facebook LinkedIn
Recording Brief EMS Partner Bootcamp Variables Values Module Title
Building AD-SQL-APP Server on AZURE
Stop Those Prying Eyes Getting to Your Data
TechReady 16 5/10/2018 Day 2, Session 4 Reaching the Summit: ITIL-integrated Self-Service in the Hybrid Cloud © 2013 Microsoft Corporation. All rights.
Max Fritz Senior Systems Consultant, Now Micro
Assignment # 8.
Tactic 1: Adopt Least Privilege
Overview of Active Directory Domain Services
Using a 2nd MIM as data generator for referential objects
Module 1: Identity is the New Perimeter
SaaS Application Deep Dive
Azure AD for the client management guy (or gal!)
Using Microsoft Identity Manger with SharePoint 2016 to fill the User Profile Sync Gap Max Fritz Senior Systems Consultant Now Micro.
ACTIVE DIRECTORY ADMINISTRATION
Microsoft Ignite /20/2018 2:21 PM
Five mistakes to avoid when deploying Enterprise Mobility + Security
Brian Arkills Microsoft Solutions Architect
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
Unit 6 NT1330 Client-Server Networking II Date: 7/19/2016
Presentation transcript:

Privileged Access Management (PAM) with MIM 2016 Peter Stapf MVP – IAM @ Enterprise Mobility 18. November 2015

About me Age: 44 Location: Germany, Bonn MVP (IAM @ Enterprise Mobility) Senior Consultant @ Main focus: IDM, AD, Azure Working on IDM since 2006 Blog: http://justIDM.wordpress.com

Agenda Introduction Components & Architecture Implementation Differences between WS 2012 R2 and WS 2016 Good/Best Practices Limitations & Issues Demo

Introduction An attack timeline You can use Advanced Threat Analytics (ATA) for discovery of attacks in your environment

Introduction What is Privileged Access Management (PAM) for Active Directory ? Implementation of Just-In-Time Administration with MIM 2016 Lifecycle Management of privileged group memberships Separate/different deployment scenario Benefits of PAM ? Separate admin accounts from user account with a new stronger forest Mitigate pass the hash attacks Permissions (Group membership's) applied only if needed Add additional authorization (Time Limits, Approvals, Azure MFA) Add reporting, auditing and monitoring of high privileged groups Consolidate multiple admin accounts

Components & Architecture Corp Forest Priv Forest WS2003+ Trust (One-way) Corp forest trusts priv forest WS 2012 R2 (WS 2016) MIM 2016 PAM Component PAM Monitor MIM Service (MIM Portal) Additional Corp forests…

Components & Architecture

Implementation Corp Forest Priv Forest Trust (One-way) New-PAMGroup Corp forest trusts priv forest New-PAMGroup ObjectSID -> SidHistory New-PAMRole FileAdmins CORP.FileAdmins New-PAMGroup ObjectSID -> SidHistory CORPAdmins SQLAdmins CORP.SQLAdmins Candidate New-PAMUser Peter Priv.Peter

Implementation Requesting Role by PowerShell Requesting Role by REST-API (Sample Portal)

Differences WS 2012 R2 vs. WS 2016 New AD Object Type: msDS-ShadowPrincipal instead of groups Member will be removed by AD not by PAM on expiration Simplified deployment (ex. no audit policys needs to be enabled) Well known SID groups (Domain Admins) can become a PAM group Kerberos Token TTL will be the smallest TTL of a PAM group Use of msDS-ShadowPrincipalSid instead of sidHistory attribute

Good/Best Practices First: Always use PowerShell for PAM administration !!! Do not install SharePoint Foundation and MIM Portal Do a PAM forest hardening after deployment (ex. GPOs, Firewall) Limit admins that can access the PAM forest Apply additional authentication to PAM admins (ex. SmartCard) Implement MFA / Approvals for PAM requests if possible

Limitations & Issues Azure MFA currently supports phone calls only Well known groups SIDs cannot be migrated to PAM groups (Workaround: nest PAM group into Built-in\administrators on DC) PAM Role approvers are always candidates Bug: MIM Monitor tries to connect to CORP domain by NetBIOS Name (Workaround: create hosts file entry with domain name) Missing PowerShell parameters (ex. add/remove single candidates) Availability Windows only on hours not days of week

Demo

Links MIM PAM Deployment Guide https://technet.microsoft.com/en-us/library/mt345568.aspx Using Azure MFA for PAM https://technet.microsoft.com/en-us/library/mt517876.aspx Eihab’s great small video on the PAM user experience https://www.youtube.com/watch?v=Iqif5vRg2GY My blog posts about PAM https://justidm.wordpress.com/tag/pam/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.