Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privileged Access Management (PAM) with MIM 2016

Published byConstance Rice Modified over 9 years ago

Similar presentations

Presentation on theme: "Privileged Access Management (PAM) with MIM 2016"— Presentation transcript:

1 Privileged Access Management (PAM) with MIM 2016
Peter Stapf MVP – Enterprise Mobility 18. November 2015

2 About me Age: 44 Location: Germany, Bonn
MVP Enterprise Mobility) Senior Main focus: IDM, AD, Azure Working on IDM since 2006 Blog:

3 Agenda Introduction Components & Architecture Implementation
Differences between WS 2012 R2 and WS 2016 Good/Best Practices Limitations & Issues Demo

4 Introduction An attack timeline
You can use Advanced Threat Analytics (ATA) for discovery of attacks in your environment

5 Introduction What is Privileged Access Management (PAM) for Active Directory ? Implementation of Just-In-Time Administration with MIM 2016 Lifecycle Management of privileged group memberships Separate/different deployment scenario Benefits of PAM ? Separate admin accounts from user account with a new stronger forest Mitigate pass the hash attacks Permissions (Group membership's) applied only if needed Add additional authorization (Time Limits, Approvals, Azure MFA) Add reporting, auditing and monitoring of high privileged groups Consolidate multiple admin accounts

6 Components & Architecture
Corp Forest Priv Forest WS2003+ Trust (One-way) Corp forest trusts priv forest WS 2012 R2 (WS 2016) MIM 2016 PAM Component PAM Monitor MIM Service (MIM Portal) Additional Corp forests…

7 Components & Architecture

8 Implementation Corp Forest Priv Forest Trust (One-way) New-PAMGroup
Corp forest trusts priv forest New-PAMGroup ObjectSID -> SidHistory New-PAMRole FileAdmins CORP.FileAdmins New-PAMGroup ObjectSID -> SidHistory CORPAdmins SQLAdmins CORP.SQLAdmins Candidate New-PAMUser Peter Priv.Peter

9 Implementation Requesting Role by PowerShell
Requesting Role by REST-API (Sample Portal)

10 Differences WS 2012 R2 vs. WS 2016 New AD Object Type: msDS-ShadowPrincipal instead of groups Member will be removed by AD not by PAM on expiration Simplified deployment (ex. no audit policys needs to be enabled) Well known SID groups (Domain Admins) can become a PAM group Kerberos Token TTL will be the smallest TTL of a PAM group Use of msDS-ShadowPrincipalSid instead of sidHistory attribute

11 Good/Best Practices First: Always use PowerShell for PAM administration !!! Do not install SharePoint Foundation and MIM Portal Do a PAM forest hardening after deployment (ex. GPOs, Firewall) Limit admins that can access the PAM forest Apply additional authentication to PAM admins (ex. SmartCard) Implement MFA / Approvals for PAM requests if possible

12 Limitations & Issues Azure MFA currently supports phone calls only
Well known groups SIDs cannot be migrated to PAM groups (Workaround: nest PAM group into Built-in\administrators on DC) PAM Role approvers are always candidates Bug: MIM Monitor tries to connect to CORP domain by NetBIOS Name (Workaround: create hosts file entry with domain name) Missing PowerShell parameters (ex. add/remove single candidates) Availability Windows only on hours not days of week

13 Demo

14 Links MIM PAM Deployment Guide Using Azure MFA for PAM Eihab’s great small video on the PAM user experience My blog posts about PAM

Download ppt "Privileged Access Management (PAM) with MIM 2016"

Similar presentations

Service Manager for MSPs

Service Manager for MSPs
Configuring SharePoint 2013 and Office 365 Hybrid – Part 1

Configuring SharePoint 2013 and Office 365 Hybrid – Part 1
4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 

{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 
Continually improving products and services to protect against cyber-attacks targeting administration First in Windows Server, and Active Directory......Next.

Continually improving products and services to protect against cyber-attacks targeting administration First in Windows Server, and Active Directory......Next.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts
Virtual techdays INDIA │ 18-20 august 2010 Managing Active Directory Using Microsoft Forefront Identity Manager: Amol R Bhandarkar │ Tech Specialist –

Virtual techdays INDIA │ august 2010 Managing Active Directory Using Microsoft Forefront Identity Manager: Amol R Bhandarkar │ Tech Specialist –
ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
WMU GNL Automation How to make my IT life easier CHRISTOPHER KEYAERT CONSULTANT AT INOVATIV CLOUD AND DATACENTER MANAGEMENT MVP.

WMU GNL Automation How to make my IT life easier CHRISTOPHER KEYAERT CONSULTANT AT INOVATIV CLOUD AND DATACENTER MANAGEMENT MVP.
Senior Technical Writer

Senior Technical Writer
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Overview of Active Directory Domain Services Lesson 1.

Overview of Active Directory Domain Services Lesson 1.

Similar presentations

Ads by Google