Many organizations struggle to secure their systems because their Active Directory is already compromised. AD is usually compromised by insiders or successful attacks on them. So how to keep environment protected even when a privileged your account got hacked?
Microsoft Windows Server 2016 has many great features to help.
User rights determine which tasks a user account can complete. Best practices require assigning user rights in accordance with the principle of least privilege — each user should have the minimum rights required to do their assigned tasks. This limits the damage the account owner can do, either intentionally or accidentally, and also minimizes the reach of an attacker who gains control of an account. The best practice is to assign users right by adding them to groups that have been assigned the appropriate permissions. You can also assign user accounts rights directly, by assigning the account the rights in Group Policy, but this is not recommended because it makes it difficult to keep track of permissions and adhere to the least-privilege principle.
Unfortunately, organizations tend to grant accounts more privileges than they need because it’s convenient — it’s easier to add an account to the local Administrators group on a computer, for instance, than it is to figure out the precise privileges that the account needs and add the user to the proper groups. Lack of communication and standard procedures also often results in failure to revoke privileges that users no longer need as they change roles within the organization. As a result, these organizations are at unnecessary risk for data loss, downtime and compliance failures.
Delegation of Control wizard
Organizations often want to enable certain staff members to do perform specific administrative tasks without giving them full administrative privileges. For instance, they might want to enable IT operations personnel to reset user passwords but not create or delete accounts. To help, Microsoft Windows Server 2016 offers the Delegation of Control wizard, which enables you to delegate the following privileges :
- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Read all user information
- Create, delete, and manage groups
- Change group membership
- Manage Group Policy links
- Generate Resultant Set of Policy (Planning)
- Generate Resultant Set of Policy (Logging)
- Create, delete, and manage inetOrgPerson accounts
- Reset inetOrgPerson passwords and force password change at next logon
- Read all inetOrgPerson information
You can learn more about this capability by reading Active Directory Delegated Permissions Best Practices.
Privileged Access Workstation (PAW)
Another integral part of securing an environment is to ensure that IT admins use only secure Windows servers for tasks that require administrative privileges. They should use other machines for daily tasks, such as browsing the Internet, responding to email, and opening files authored by other people, since those actions increase the risk of a host being compromised.
A Privileged Access Workstation (PAW), or secure administrative host, is a special computer that you use only for performing privileged tasks. To create a PAW, you must:
- Ensure that only authorized users can sign in to the host.
- Use Device Guard and AppLocker policies to restrict application execution to trusted applications that your organization’s employees use to perform administrative tasks.
- Enable Windows Defender Credential Guard to help protect against credential theft.
- Enable BitLocker to help protect the boot environment and the hard disk drives from tampering.
- Ensure that PAW is blocked from accessing all external sites by the perimeter network firewall.
- Block Remote Desktop Protocol (RDP), Windows PowerShell and management console connections from any computer that is not a PAW.
- Configure sign-in restrictions for accounts that are used to perform administrative actions.
A jump server is a special server that users connect to using Remote Desktop when they want to perform administrative tasks. You should configure jump servers in a manner similar to Privileged Access Workstations. The difference is that instead of signing in locally, a member of the IT operations team makes a Remote Desktop connection to the jump server and then signs in to the jump server with an account that has the required administrative permissions. The drawback of jump servers is that the computer that makes the connection to a jump server might be compromised by malware because you use it to browse the Internet, read email, open files and so on. In highly secure environments, you can use jump servers in conjunction with Privileged Access Workstations.
Just Enough Administration (JEA)
Just Enough Administration is a new administrative technology that enables you to apply role-based access control (RBAC) principles through Windows PowerShell remote sessions. Instead of assigning users general roles that grant them more permissions than they need to do their jobs, you can use JEA to configure special Windows PowerShell endpoints that provide the functionality necessary to perform a specific task: An authorized user can connect to the endpoint and use a specific set of Windows PowerShell cmdlets, parameters and parameter values. The tasks are performed by a privileged virtual account, rather than the user’s account.
The advantages of this approach include the following:
- The user’s credentials are not stored on the remote system.
- The user account used to connect to the endpoint does not need to be privileged.
- The virtual account is limited to the system on which it is hosted.
- The virtual account has local administrator privileges but is limited to performing only the activities defined by JEA.
Securing domain controllers
Domain controllers are one of the most valuable targets on a network; an attacker who compromise a DC has control of all domain identities. To secure your DCs, consider taking the following steps:
- Ensure that all domain controllers run the most recent version of the Windows Server operating system and have current security updates.
- Deploy domain controllers using the “Server Core” installation option rather than the “Server with a Desktop” option.
- Keep physically deployed domain controllers in dedicated secure racks that are separate from other servers.
- Deploy domain controllers on hardware that includes a Trusted Platform Module (TPM) chip, and configure all volumes with BitLocker Drive Encryption.
- Run virtualized domain controllers either on separate virtualization hosts or as shielded virtual machines on a guarded fabric.
- Use Security Compliance Manager to apply configuration baselines to domain controllers.
- Use AppLocker and Device Guard to control the execution of executables and scripts on your domain controllers.
- Use the Group Policy assigned to the Domain Controllers OU to ensure that RDP connections can be made only from jump servers and Privileged Access Workstations.
- Configure the perimeter firewall to block outbound connections from domain controllers to the internet.
Enhanced Security Administrative Environment (ESAE) forests
An Enhanced Security Administrative Environment (ESAE) forest, also called a “red forest,” is a special Active Directory forest that hosts privileged accounts. Putting privileged accounts in an ESAE forest makes it easier to apply more restrictive policies to protect them. An ESAE forest is configured with a one-way trust relationship with a production forest — accounts from the ESAE forest can be used in the production forest, but accounts in the production forest cannot be used in the ESAE forest. The production forest is configured so that administrative tasks can be performed there only by accounts hosted in the ESAE forest.
ESAE forests have the following benefits:
- Locked-down accounts. Standard user accounts in the ESAE forest can be configured as highly privileged in the production forest.
- Selective authentication. Accounts in the ESAE forest can sign in only to specific hosts in the production forest.
- Simple way to improve security. Because privileged administrative accounts are hosted in a separate forest, it is easy to apply more stringent security requirements (such as requiring multifactor authentication) to them than to the standard user accounts in the production forest.
Microsoft Identity Manager (MIM)
Active Directory Domain Services (AD DS) allows you to create, modify and delete user accounts, but provides very few tools to automate lifecycle management of those accounts. MIM is an on-premises identity and access management solution that fills that gap. For example, with MIM, you can enable users to use a self-service portal to reset their own passwords, and allow identity synchronization between your on-premises identity stores and those in cloud applications.
You can use MIM to manage:
- Privileged identities
MIM offers the following functionality:
- Self-service password reset. Users can reset their own forgotten passwords after they answer questions to verify their identity.
- Self-service account lockout remediation. Users can unlock their accounts by answering questions to verify their identity.
- Self-service user attribute management. Users can update certain of their own Active Directory attributes, such as their phone numbers.
- Manage the lifecycle of Active Directory users and groups. MIM provides tools for managing groups and users that go beyond the creation, modification and deletion functionality of AD DS.
- Manage the lifecycle of smart cards and certificates. MIM provides tools for managing smart cards and certificates, including certificate provisioning and renewal.
- Role management and assignment. MIM helps you manage RBAC functionality.
- Password synchronization across directories. You can synchronize passwords to other directories, including Azure Active Directory (Azure AD).
- Privileged account management (PAM). Admins can be assigned privileges on a temporary, rather than permanent, basis.
- Analytics and compliance reporting. You can analyze and report on all activity that MIM 2016
Just-in-time (JIT) administration
JIT administration is the idea of granting privileges to users when they need them to do a particular task, and only for a limited amount of time, rather than permanently. This limits the usefulness of the accounts to an attacker who compromises them, and also minimizes the opportunity for the account owner to accidentally or deliberately misuse the elevated privileges. JIT is implemented by granting the user temporary membership in a security group that has the required privileges.
When properly implemented, this approach can provide the following security improvements:
- All accounts that the IT Operations team uses are standard user accounts.
- All requests for privileges are logged.
- Privileges are temporary.
- Once privileges are granted, a user must establish a new session (either by opening a new Windows PowerShell session or by signing out and signing in again) in order to leverage the new temporary group memberships and the associated permissions.