2016-08-04

In this article, I’ll take a look at how Privileged Access Management (PAM) in Windows Server 2016 enables Just-In-Time (JIT) Administration, helping to secure privileged user accounts.

It seems like a problem as old as computing itself, or, depending on your point of view, just a minor matter that doesn’t warrant losing too much sleep. But the proliferation of highly privileged accounts is an issue that many organizations are starting to take seriously, largely due to increasing regulation and costly data breaches.

Privilege Drift

The integrity of privileged domain accounts is especially pertinent to Active Directory (AD), Microsoft’s ubiquitous directory service, yet security best practices are routinely ignored. For instance, did you know that domain administrator accounts should only be used to log in to domain controllers? This is not an extreme measure when you remember that once a domain administrator account is compromised, you must consider your entire network compromised, which could result in a costly rebuild of your domain.

But the most common problem is that IT staff are issued domain administrator privileges or other high-level rights without them ever being relinquished. Naturally, there are genuine reasons why domain administrator privileges might be needed temporarily to carry out an approved change, but they should never be granted on a permanent basis.

Just-In-Time Administration

To that end, Microsoft is complementing the Just-Enough-Administration capabilities that already exist in Windows today with JIT Administration in Windows Server 2016, which is due for release in September 2016. Windows Server 2016 PAM, a new type of trust and authentication capability in Active Directory, relies on a bastion domain in which privileged accounts are isolated. It is designed to make it harder for attackers to hack privileged AD accounts and easier for companies to regain control over compromised AD forests.

PAM requires users to request permission to use privileged accounts, and only after the request is approved is permission granted using a shadow security principal in the bastion forest. Microsoft decided to require a bastion forest for its PAM solution in order to give organizations greater control over when and how users become members of privileged groups, and to help establish control over domains after an attack.

Time-limited group memberships are allotted in the bastion forest, resulting in time-limited Kerberos ticket-granting tickets being issued to users. In other words, you can make sure that privileges are held by users for a limited period of time. Because Microsoft’s solution is based on Kerberos, the default authentication protocol in AD, only Kerberos apps and services can honor time limitations determined by PAM. However, this shouldn’t be a problem for built-in Windows services and apps.
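As an added example (not part of the original article, nor Microsoft's own MIM code), here is what the time-limited membership described above looks like when done directly with the Active Directory PowerShell module from Windows Server 2016, together with a check of the remaining time-to-live. The bastion forest name, group and account are placeholders; in a MIM deployment the workflow performs this grant after approval, so doing it by hand only shows the underlying mechanism.

```powershell
# Added example: grant a time-limited group membership in the bastion forest
# and audit how long each member has left. Assumes the RSAT ActiveDirectory
# module is installed and the session holds admin rights in the bastion forest.
Import-Module ActiveDirectory

$bastionDomain = 'priv.example.local'      # placeholder bastion forest name
$privGroup     = 'BastionDomainAdmins'     # placeholder privileged group
$requester     = 'priv.jdoe'               # placeholder account in the bastion forest

# One-time setup: expiring links need the PAM optional feature, which requires the
# Windows Server 2016 forest functional level. Enabling it is a one-way change,
# so check whether it is already on before doing so.
$forest = Get-ADForest -Server $bastionDomain
$pamFeature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Server $bastionDomain
if (-not $pamFeature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Server $bastionDomain -Confirm:$false
}

# Grant membership that expires on its own after 30 minutes instead of a permanent grant.
# The Kerberos TGT issued for this membership is bounded by the same TTL.
$ttl = New-TimeSpan -Minutes 30
Add-ADGroupMember -Identity $privGroup -Members $requester -MemberTimeToLive $ttl -Server $bastionDomain

# Audit: with -ShowMemberTimeToLive, expiring links are returned as "<TTL=seconds,DN>",
# while permanent members are returned as a bare DN. Flag the permanent ones, since
# those are exactly the standing privileges JIT administration is meant to eliminate.
$group = Get-ADGroup -Identity $privGroup -Properties member -ShowMemberTimeToLive -Server $bastionDomain
foreach ($m in $group.member) {
    if ($m -match '^<TTL=(\d+),(.+)>$') {
        [pscustomobject]@{ Member = $Matches[2]; SecondsRemaining = [int]$Matches[1]; Standing = $false }
    } else {
        [pscustomobject]@{ Member = $m; SecondsRemaining = $null; Standing = $true }
    }
}
```

Running the audit loop on a schedule and alerting on any entry with Standing set to true is a simple way to detect privilege drift creeping back into the bastion forest.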

PAM Workflow

PAM involves implementing a workflow, and for that purpose, Microsoft recommends its own Microsoft Identity Manager (MIM) solution. At this time, it’s not clear if Windows Server 2016 PAM will support other identity management solutions. Along with customizable workflows provided by MIM, AD logs each request, how it is authorized, and the actions that occur while the user holds the requested privileges.
