Configuring and Deploying Just Enough and Just-In-Time Administration

Presentation on theme: "Configuring and Deploying Just Enough and Just-In-Time Administration"— Presentation transcript:

1 Configuring and Deploying Just Enough and Just-In-Time Administration
Orin Thomas @orinthomas

2 In This Session …
Assume Breach
Privileged Access Workstations
Jump Servers
Just In Time Administration
Just Enough Administration

3 We are so focused on getting it to “just work” that we spend little time ensuring that it is working in a secure manner

4 A lot of IT security involves closing barn doors after horses have bolted

5 To make our environments secure, we need to rethink the tools of systems administration

6 Context … A large number of attacks involve insiders
Edward Snowden
Bradley/Chelsea Manning
Ashley Madison

7 Context … A substantial number of attacks involve use of insider credentials
Target Breach
Metals Fired Admins
PMC / ASIO

8 Context … Someone who wants to attack an organization attacks the Administrators as this is often easier than attacking the system.

9 How would you stop an evil mirror universe version of yourself from compromising your network?

10 Always assume that your attacker is smarter and more competent than you are

11 When properly prepared, the less intelligent can block the plans and actions of the more intelligent

12 Context … Administrator accounts are often over-privileged
Administrators are unlikely to complain that they have been given too many rights on the system
Administrators often have an attitude that only they can be trusted with the keys to the kingdom

13 Assume Breach Security design where an organization assumes that attackers have already breached the perimeter

14 Assume Breach
The current approach is to shore up the castle defenses
A strong castle defense is important … but a great castle design allows defenders to continue their defense once the enemy is inside the gates

15 Assume Breach
Design for resiliency
One proton torpedo should not take out the Death Star
One vulnerability should not allow everything on the network to be PWNED

16 JIT and JEA are about limiting what accounts can do and when they can do it

17 Microsoft Identity Manager Requirements
SQL Server 2012 SP1 or SQL Server 2014 Standard Edition
SharePoint Foundation 2013 with SP1
Windows Server 2012 R2 host computer

18 Just In Time Administration
Privileged Access Management
Delegated privileges only work for a limited amount of time
User is removed from the group once the expiration time is reached

19 Just In Time Administration
Uses multiple forests
Integrated with Microsoft Identity Manager
Forest Trust
Resource Forest
Admin (Account) Forest with Identity Manager

20 Setting up JIT/PAM The privileged account creation in the Account forest is done using several new PowerShell cmdlets. These cmdlets perform the following functions: Create a new group in the Account forest with the same SID (Security Identifier) as a group in the Resource forest, and an object in the MIM Service database corresponding to the group in the Account forest.

21 Setting up JIT/PAM For each user account, the cmdlets create two objects in the MIM Service database, corresponding to the user in the Resource forest and the new user account in the Account forest. Create a PAM Role object in the MIM Service database.

22 Setting up JIT/PAM The cmdlets need to be run once for each group, and once for each member of a group. Note: The migration cmdlets do not change or modify any user or groups in the Resource forest: that is to be done manually by the PAM administrator subsequently.

23 Setting up JIT/PAM
$ca = Get-Credential -UserName CONTOSO\Administrator -Message "CORP forest domain admin credentials"
$pg = New-PAMGroup -SourceGroupName "CorpAdmins" -SourceDomain CONTOSO.local -SourceDC CORPDC.contoso.local -Credentials $ca
$sj = New-PAMUser -SourceDomain CONTOSO.local -SourceAccountName Jen
$jp = ConvertTo-SecureString "<new password for priv.Jen>" -AsPlainText -Force   # placeholder: the slide omits the password value
Set-ADAccountPassword -Identity priv.Jen -NewPassword $jp
Set-ADUser -Identity priv.Jen -Enabled $true
Add-ADGroupMember -Identity "Protected Users" -Members priv.Jen
$pr = New-PAMRole -DisplayName "CorpAdmins" -Privileges $pg -Candidates $sj

24 Just In Time Administration
User needs to request privileged access

25 Just In Time Administration
Provide Reasons

26 Just In Time Administration
Record kept of elevation requests

27 Just In Time Administration
Modifying properties of secure group

28 Demo: Just In Time Administration

29 Going Further with JIT/PAM
Time based restrictions
Requiring approval for elevation
Requiring 2 Factor Authentication
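The three "going further" controls on slide 29 map onto properties of the PAM role, and the request side (slides 24 to 26) is a cmdlet call rather than the portal. The following is an added example, not code from the presentation or from Microsoft's PAM guide. It assumes the MIMPAM module on the PRIV forest's MIM server, that the slide 23 commands have already produced $pg, $sj and $pr, that CONTOSO\Alice is a placeholder approver account, that the parameter names are those of the MIM PAM cmdlets as I know them (Set-PAMRole, New-PAMRequest, Get-PAMRequest, Close-PAMRequest), and that TTL values are given in seconds.

```powershell
# Added example (not part of the presentation). Run on the MIM/PAM server in the PRIV forest
# after the slide-23 commands have created $pg (group), $sj (candidate user) and $pr (role).
# Assumptions: MIMPAM cmdlet parameter names as documented; TTL in seconds; Alice is a placeholder.
Import-Module MIMPAM

# Approvers are PAM users too, so onboard the approver the same way as the candidate.
$approver = New-PAMUser -SourceDomain CONTOSO.local -SourceAccountName Alice

# Time-based restriction (slide 29): an activation lives at most one hour, and the role can
# only be activated inside an evening change window.
# Approval: a request stays pending until Alice approves it, so a stolen candidate credential
# alone does not yield the privilege.
# 2FA: the requester must complete MFA before the activation is granted.
Set-PAMRole -Role $pr `
    -TTL 3600 `
    -AvailabilityWindowEnabled $true -AvailableFrom ([datetime]'18:00') -AvailableTo ([datetime]'23:00') `
    -ApprovalEnabled $true -Approvers $approver `
    -MFAEnabled $true

# Confirm the role actually carries the restrictions before anyone relies on them.
Get-PAMRole | Where-Object DisplayName -eq 'CorpAdmins' | Format-List *

# --- On the administrator's workstation, signed in as PRIV\priv.Jen ---
# Request elevation with a justification (slides 24-26); 1800 s is below the role's TTL cap,
# and the justification string is a placeholder, not a real change record.
$req = New-PAMRequest -Role 'CorpAdmins' -RequestedTTL 1800 `
    -Justification 'CHG-0000 (placeholder): restart print spooler on PRINT01'

# The request sits pending until approved; MIM keeps the record whether or not it is approved.
Get-PAMRequest | Format-List *

# Once approved, a fresh logon picks up the time-limited shadow-group membership and it
# disappears again at expiry. To hand the privilege back early instead of waiting:
# Close-PAMRequest -Request $req
```

The order matters: set the TTL, window, approvers and MFA on the role before publishing it to candidates, because a request made against the slide 23 role as created would be granted immediately with whatever default TTL the service applies.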

30 PAM Guide https://aka.ms/pam

31 Just Enough Administration
Create special task specific endpoints
PowerShell sessions configured so that:
Only certain cmdlets and parameters can be used
Limit what they can be used against
Ensure all activity is logged

32 Just Enough Administration
Configure endpoint so that only users who are members of specific groups can connect
When connected to the endpoint, a special virtual account is used to perform tasks rather than the user's account

33 Just Enough Administration
Requires:
PowerShell 5 / WMF 5
Windows Server 2012 R2
Windows Server 2016

34 Building JEA Determine which PowerShell cmdlets, functions, aliases and providers are needed to accomplish task.

35 Building JEA Store this information in a variable

36 Building JEA

37 Building JEA

38 Building JEA

39 Building JEA
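Slides 34 to 39 describe the build steps but the slide images did not survive, so here is the complete procedure as an added example, not code from the presentation: decide which commands the task needs, store them in a variable, write a role capability file, write a session configuration that runs under a virtual account with transcripts on, register it, and check what a connecting user would actually get. It also shows the slide 43 combination: the role is mapped to a PAM-managed shadow group. Everything here is constructed: the task ("restart the print spooler and read its log"), the module name SpoolerOps, the paths, the group PRIV\CONTOSO.CorpAdmins and the user PRIV\jen are placeholders; the cmdlets (New-PSRoleCapabilityFile, New-PSSessionConfigurationFile, Test-PSSessionConfigurationFile, Register-PSSessionConfiguration, Get-PSSessionCapability) are the PowerShell 5 / WMF 5 JEA cmdlets.

```powershell
# Added example (not part of the presentation): building one JEA endpoint end to end.
# Placeholders: task, module name, paths, PRIV\CONTOSO.CorpAdmins (PAM shadow group), PRIV\jen.

# 1. Determine which cmdlets and parameters the task needs and store them in a variable
#    (slides 34-35). Restrict parameters too: Restart-Service may only target the spooler,
#    Get-WinEvent may only read two logs.
$spoolerCmdlets = @(
    'Get-Service'
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    @{ Name = 'Get-WinEvent';    Parameters = @(
        @{ Name = 'LogName'; ValidateSet = 'Microsoft-Windows-PrintService/Operational', 'System' },
        @{ Name = 'MaxEvents' }
    ) }
)

# 2. Role capability files must sit in a RoleCapabilities folder inside a module on
#    $env:PSModulePath; a module manifest makes the folder a module. No providers are
#    exposed (not even FileSystem), since the task does not need them.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SpoolerOps'
$rcFolder   = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcFolder -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'SpoolerOps.psd1')
New-PSRoleCapabilityFile -Path (Join-Path $rcFolder 'SpoolerOperator.psrc') `
    -VisibleCmdlets $spoolerCmdlets

# 3. Session configuration (slides 31-32): RestrictedRemoteServer gives NoLanguage mode and
#    only the allowed commands; RunAsVirtualAccount means the work is done by a temporary
#    local admin account, not the caller's credential; every session is transcribed.
#    The role is granted to the group PAM manages, so membership (and therefore access to
#    this endpoint) exists only inside an approved elevation window (slide 43).
$pssc = Join-Path $env:ProgramData 'JEA\SpoolerOps.pssc'
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEATranscripts' -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'PRIV\CONTOSO.CorpAdmins' = @{ RoleCapabilities = 'SpoolerOperator' } }

# Validate first: a malformed .pssc should fail here, not at someone's first connection.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}

# 4. Register the endpoint (this restarts the WinRM service).
Register-PSSessionConfiguration -Name 'SpoolerOps' -Path $pssc -Force | Out-Null

# 5. Check, without connecting, what a member of the group would be able to run. Anything
#    beyond Get-Service, Restart-Service, Get-WinEvent and the handful of session
#    housekeeping commands means the capability file exposes more than intended.
Get-PSSessionCapability -ConfigurationName 'SpoolerOps' -Username 'PRIV\jen' |
    Select-Object Name, CommandType

# A user connects from the jump server with:
#   Enter-PSSession -ComputerName PRINT01 -ConfigurationName SpoolerOps
```

Two checks worth repeating after every change to the capability file: run Get-PSSessionCapability again, and open a session and run `Get-Command` from inside it, because a loosely written VisibleCmdlets entry (a wildcard, or a cmdlet that can take a script block) quietly turns a task endpoint back into a general shell.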

40 JEA Demo: Locking Down Access to Windows Roles

41 JEA Extended
Need to configure servers to only accept remote sessions from Jump Servers / Admin workstations
Lock down who is able to sign on to the people who are responsible for configuring JEA endpoints
Limit non-JEA PowerShell connections
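The three points on slide 41 can all be applied on the JEA host itself. The following is an added example, not from the presentation: it replaces the built-in WinRM firewall rules with one that only admits the jump server and the admin workstation subnet, disables the default endpoints nobody should be using, and narrows the remaining full PowerShell endpoint to Administrators plus the group that maintains the JEA endpoints. Placeholders: 10.0.0.5 (jump server), 10.0.1.0/24 (admin workstations), CONTOSO\JEA-Endpoint-Maintainers (the maintainers group); Get-ADGroup assumes the RSAT ActiveDirectory module is present.

```powershell
# Added example (not part of the presentation). Run on a server that already hosts a JEA
# endpoint; do it from a console or out-of-band session, because step 2 changes who can
# remote in. Addresses and the maintainers group name are placeholders.

# 1. Accept WinRM (5985/5986) only from the jump server and admin workstations. The
#    built-in "Windows Remote Management" rules allow any source on the domain profile,
#    so disable them and add a scoped rule instead of editing them in place.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'WinRM from jump server and admin workstations only' `
    -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 `
    -RemoteAddress '10.0.0.5', '10.0.1.0/24' -Action Allow -Profile Domain | Out-Null

# 2. Limit non-JEA connections. The default endpoints hand out an unrestricted shell, which
#    is exactly what the JEA endpoint exists to avoid. Disable the 32-bit and workflow
#    endpoints outright; they have no role on a JEA host.
foreach ($name in 'microsoft.powershell32', 'microsoft.powershell.workflow') {
    if (Get-PSSessionConfiguration -Name $name -ErrorAction SilentlyContinue) {
        Disable-PSSessionConfiguration -Name $name -Force
    }
}

# 3. Keep the full endpoint only for the people who configure JEA (slide 41): grant full
#    access (GA) to BUILTIN\Administrators (BA) and the maintainers group, and drop the
#    default grant to Interactive Users / Remote Management Users. The SACL part is the
#    default audit entry and is left unchanged.
$maintainersSid = (Get-ADGroup 'JEA-Endpoint-Maintainers').SID.Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$maintainersSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Set-PSSessionConfiguration -Name 'microsoft.powershell' -SecurityDescriptorSddl $sddl -Force

# 4. Verify: the JEA endpoint still lists its task group, microsoft.powershell lists only
#    Administrators and the maintainers, and the disabled endpoints show no permissions.
Get-PSSessionConfiguration | Select-Object Name, Permission
```

Pushing the same firewall rule and SDDL to every JEA host is where DSC or a script (slide 42) earns its keep; the point to keep auditing afterwards is that the `Permission` column on the full endpoint never quietly grows back to "Interactive Users" or "Remote Management Users" after a server rebuild.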

42 JEA Extended JEA can be deployed using DSC or scripting
DSC is a better option as you are likely to want to have multiple servers with the same JEA endpoint configuration

43 Combining JEA with PAM
JEA configuration uses groups managed by PAM
User requests PAM elevation
Their account is made a member of the appropriate JEA endpoint group
Can establish session during PAM elevation window

44 Configuring JEA
You have to know exactly what tools people need to perform tasks
Most administrators pull tools out of the box as they need them and will be reluctant to embrace a locked-down toolbox
JEA requires having an excellent knowledge of what tasks people perform and how they perform them in PowerShell

45 Warning
It requires your administration team to use PowerShell
JEA does not support anything other than PowerShell
You can build PowerShell tools and use those with JEA

46 Things to keep in mind
Complexity is the enemy of correct security configuration
Configuring MIM 2016 is challenging
Configuring JEA is challenging
Getting both of them to work together is very very very challenging

47 Things to keep in mind
Security is inconvenient
You can configure MIM to use 2FA. Even though this doubles down on the inconvenience and complexity, it would make things more secure
PAM (JIT Administration) is easier to implement than JEA

48 Things to keep in mind Security needs to be commensurate with value of asset protected

49 Q&A

50 11/9/ :55 AM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

