Implementing Privileged Access Management on Server 2016/2019: Part 3 – Deploying the MIM/PAM Server

In part three of this blog series, I will go through the steps to deploy the MIM/PAM server to host the MIM Synchronization Service and Portal.

Note: As I am using a lab environment, I have chosen to install MIM, SQL and SharePoint on the same server; in production these would need to be planned and scaled out correctly.

Server Configuration

First install the required Windows features by running the following PowerShell commands:

## Install Prereqs
Import-Module ServerManager
Install-WindowsFeature Web-WebServer, Net-Framework-Features, RSAT-AD-PowerShell, Web-Mgmt-Tools, Windows-Identity-Foundation, Server-Media-Foundation, Xps-Viewer -IncludeAllSubFeature

Once the features are installed successfully, we need to configure the local security policy. To do this, open the Local Security Policy console (secpol.msc) and make the following changes:

In Local Policies > User Rights Assignment > Log on as a service, add priv\MIMMonitor, priv\MIMService, priv\SharePoint, priv\MIMComponent and priv\SQLServer.

In Local Policies > User Rights Assignment > Deny access to this computer from the network, add priv\MIMMonitor, priv\MIMService and priv\MIMComponent.

In Local Policies > User Rights Assignment > Deny log on locally, add priv\MIMMonitor, priv\MIMService and priv\MIMComponent.

Configure local security policy and local admins

Close the Local Security Policy window and open “Computer Management”. Navigate to “Local Users and Groups > Groups > Administrators” and add priv\MIMAdmin and priv\SharePoint as local administrators on the server.
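Because the three user rights above are set by hand in the GUI, it is easy to miss an account or pick the wrong policy. The script below is an added verification step (my own, not part of the original post): it exports the local policy with secedit, parses the [Privilege Rights] section and reports whether each of the priv\ accounts named above holds the right it should. The account names are the lab names from this post, and the server must already be joined to the priv domain so they resolve to SIDs.

```powershell
# Added verification script (not from the original post). Exports the local
# security policy with secedit and checks that each account holds the user
# right assigned above. Account names are the lab names from the post; the
# server must be joined to the priv domain for them to resolve to SIDs.

$Expected = @{
    # Log on as a service
    'SeServiceLogonRight'         = @('priv\MIMMonitor', 'priv\MIMService', 'priv\SharePoint', 'priv\MIMComponent', 'priv\SQLServer')
    # Deny access to this computer from the network
    'SeDenyNetworkLogonRight'     = @('priv\MIMMonitor', 'priv\MIMService', 'priv\MIMComponent')
    # Deny log on locally
    'SeDenyInteractiveLogonRight' = @('priv\MIMMonitor', 'priv\MIMService', 'priv\MIMComponent')
}

function Get-LocalUserRightsAssignment {
    # Export only the user rights area and parse the [Privilege Rights] section
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        # Values are comma separated; SIDs carry a leading '*', plain names do not
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-AccountSid([string]$Account) {
    try {
        return ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # account does not exist or the domain is unreachable
    }
}

function Test-UserRightsAssignment {
    $actual = Get-LocalUserRightsAssignment
    foreach ($right in $Expected.Keys) {
        $holders = @($actual[$right])
        foreach ($account in $Expected[$right]) {
            $sid = Resolve-AccountSid $account
            # secedit lists either the SID or the name, depending on how the entry was added
            $ok = ($null -ne $sid -and $holders -contains $sid) -or ($holders -contains $account)
            [pscustomobject]@{ Right = $right; Account = $account; Assigned = $ok }
        }
    }
}

# Any row with Assigned = False needs revisiting in secpol.msc before installing MIM
Test-UserRightsAssignment | Format-Table -AutoSize
```

Run it from an elevated PowerShell window; secedit needs administrative rights to export the policy. The deny rights matter as much as the service logon right: an account that can log on as a service but is not denied network and interactive logon is a more attractive target if its password is ever exposed.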


IIS Config

To configure IIS for Windows Authentication, run the below PowerShell commands:

iisreset /STOP
C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost
iisreset /START

Installing the Synchronization Service

Mount the MIM 2016 ISO and open “FIMSplash.htm” from the root folder to launch the splash page, then start the Synchronization Service installer from there.

Follow the wizard, accepting the license terms, and specify your SQL instance. In my lab I am using the local default SQL instance.

Specify the MIMSync service account details.

Optionally, change the names of the security groups the installer will create.

On the next page you can let the installer open the required firewall ports on the server for you.

Finally, click Install and wait for the Synchronization Service to finish installing. At the end you will be prompted to export the encryption key; save it and keep it safe, as it is required to restore or move the Synchronization Service database later.

When the install completes, click Finish. You will be prompted to log off the server so that the new group memberships take effect.

Install MIM Service and Portal

After logging back on to the server, open “FIMSplash.htm” again and this time run the “Service and Portal” installer.

Follow the wizard, accepting the license terms and opting in or out of the Customer Experience Program, until you reach the Custom Setup page. Here, select the MIM Service, Privileged Access Management and MIM Portal roles and click Next.

Select the SQL settings and click Next. Again, in my lab I am using a local SQL instance.

Select the mail server to use. You can optionally use Exchange Online; if there is no Exchange server in place, enter “localhost” as the server name and deselect the top two options.

Create a new self-signed certificate or use an existing certificate.

Enter the service account details for the MIMService account.

Enter the details of the Synchronization Service.

Enter the name of the local server as the MIM Service Server Address.

Enter the name of the SharePoint Site Collection created in Part 2 of this series to host the MIM Portal.

We are not using the Password Registration Portal, so leave the next page blank.

Check the boxes to open the appropriate firewall ports and to allow authenticated users to access the MIM Portal site.

Leave the REST API Hostname blank and set the port to 8086.

Enter the details of the SharePoint service account for the PAM REST API.

Enter the MIMComponent service account details for the PAM Component Service.

Enter the MIMMonitor service account details for the PAM Monitoring Service.

If you are installing the other components on another server, enter their details here; otherwise, click Next.

Finally, click Install.

When the installer finishes, reboot the server and log back on. Browse to the MIM Portal URL configured in Part 2 and you should see that the MIM Portal page has been configured successfully.

Now the MIM Portal and Service are installed. In the next and final post in this series, I will finalize and test the PAM configuration!

Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft identity Manager

This is the second post in a series that goes through setting up Privileged Access Management on Server 2016/2019. In this post we will configure the SharePoint component of Microsoft Identity Manager.

Note: As I am using a lab environment, I have chosen to install MIM, SQL and SharePoint on the same server; in production these would need to be planned and scaled out correctly.

Prerequisites:

  • I have installed SQL Server 2016 locally on the MIM/SharePoint server. A SQL instance is required for both SharePoint and MIM.
  • The PAM/MIM/SharePoint server should be joined to the priv domain.

Installing SharePoint Server 2016

First download the SharePoint Server 2016 ISO and mount it. Open an administrative command prompt and navigate to the installation source files. From here, run the prerequisite installer:

.\prerequisiteinstaller.exe

Follow the on-screen prompts to install the required prerequisites, roles and features. When this finishes, the server will restart.

Next, open an administrative command prompt and navigate to the source files again. Run the setup with:

.\setup.exe

Follow the on-screen prompts to enter your product key and install SharePoint Server 2016.

When the installer finishes, you should be prompted to run the SharePoint Products Configuration Wizard.

Follow the wizard to configure SharePoint 2016 and create a new farm:

Specify a service account with access to your SQL instance.

For my lab I will install a single-server farm.

When the configuration wizard finishes, you will be taken to the SharePoint Central Administration page.

Now that the farm is set up, we can configure the MIM web app and Site Collection.

Set up Web App and Site Collection

Create two AD service accounts named priv\MIMPool and priv\MIMInstall to use during the setup.

Also set up a DNS A record for your MIM Site Collection pointing to the SharePoint server, such as mim.priv.lab.corp.net.

Next, configure the MIMPool account as a SharePoint managed account with the commands below (run them in the SharePoint 2016 Management Shell):

Note: in the script blocks below, the account names, the web application name and the URL (mim.priv.lab.corp.net) are the entries you may need to change to match your environment.

## Enter the credentials of the priv\MIMPool account
$ManagedServiceAccount = Get-Credential

## Create the SP Managed Service Account entry
New-SPManagedAccount $ManagedServiceAccount
$dbManagedAccount = Get-SPManagedAccount -Identity $ManagedServiceAccount.UserName

## Create a new web application using Kerberos authentication on port 80
New-SPWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 80 -URL http://mim.priv.lab.corp.net

Create a new site for MIM with the commands below:

$t = Get-SPWebTemplate -CompatibilityLevel 15 -Identity "STS#1"
$w = Get-SPWebApplication http://mim.priv.lab.corp.net/
New-SPSite -Url $w.Url -Template $t -OwnerAlias priv\miminstall -CompatibilityLevel 15 -Name "MIM Portal"
$s = Get-SPSite $w.Url

Run $s.CompatibilityLevel to ensure the compatibility level of the new site is 15.

Disable server-side ViewState and the SharePoint timer job “Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers)” with the commands below:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.ViewStateOnServer = $false
$contentService.Update()
Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | Disable-SPTimerJob

Now that the site is set up, navigate to it and log in with the MIMInstall user credentials to verify it was created as expected. If you get an error logging in, follow one of the fixes here. When you are logged in successfully, you should see an empty site.

Finally, add the site you created to the Local intranet zone on the server and restart the server.

We have now successfully configured SharePoint for MIM. In the next post I will continue the MIM/PAM setup process.

Microsoft Teams Meeting Settings

This week Microsoft are rolling out the Meeting Settings configuration to the Microsoft Teams & Skype for Business Admin Center in Office 365! This configuration page allows admins to define Teams meeting settings such as email invitation URLs and network and QoS configuration. It lets us mark real-time media traffic packets for QoS natively, rather than relying on TCP port and network configuration, and define the port ranges used for the different traffic types.

View the Microsoft Teams & Skype for Business Admin Center at https://admin.teams.microsoft.com

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

In many companies, users with admin accounts for different services are trusted to only use their admin privileges when there is a requirement that needs to be met. We rely on logging to track changes and many companies very rarely review logs until an issue is discovered elsewhere. As IT Admins, we get stuck between giving our staff the access to let them carry out their job and enforcing governance and change control procedures.

Privileged Access Management (PAM) is an often overlooked technology which allows us to apply that level of governance without creating overly complex and drawn-out processes that prevent our staff from carrying out their job effectively. This is accomplished by applying a ‘Just in Time’ access model. For example, when a member of the helpdesk needs to perform a password reset, they can request this access for the required amount of time, providing justification for the request. This can then be approved automatically, or follow a simple predefined approval process.

PAM is a part of Microsoft Identity Manager (MIM) 2016 and, starting with Windows Server 2016, it becomes even easier to implement. This blog is part one of my “Implementing Privileged Access Management on Server 2016/2019” series, and here I will step through how to prepare for a MIM installation, create the required privileged AD DS domain and prepare the corporate domain.

 

Server Requirements:

  • An existing corporate domain of functional level 2016
  • One Windows Server 2016 Server to host the MIM application
  • One Windows Server 2016 Server to host the privileged domain

Note: MIM 2016 can be licensed through Office 365 EM+S licensing, so if you have implemented Privileged Identity Management in Office 365, you can extend that environment to your on-premises environment.

 

Configuring the Corporate Domain

For this blog I have created a lab domain called lab.corp.net. I will use this existing domain and prepare it for the PAM implementation.

First, log on to your corporate Domain Controller(s). For PAM to work we need to enable RPC access to the SAM database. On the corporate DC, open an administrative PowerShell window and run the command below to set the registry value that enables this:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name TcpipClientSupport -PropertyType DWORD -Value 1

Next we need to enable the AD optional feature for PAM if it is not already enabled. In the same window, run the commands below. Note that this feature cannot be disabled again once it has been enabled.

Import-Module ActiveDirectory
Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target lab.corp.net

Now we configure the auditing policies in the Default Domain Controllers Policy GPO. Enable the following settings:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account management

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit directory service access

That’s all the configuration for our corporate domain, next we will create and configure the privileged domain.
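Before moving on to the privileged domain, it is worth confirming on the corporate DC that each of the changes above actually landed. The script below is an added readiness check (my own, not from the original post) covering the registry value, the domain functional level, the PAM optional feature and the effective audit policy on the DC where it runs. It assumes the lab domain name lab.corp.net used in this post.

```powershell
# Added readiness check (not from the original post). Run on the corporate DC
# after the steps above; it verifies each of them. Assumes the lab domain name
# lab.corp.net from the post; replace it with your own.
Import-Module ActiveDirectory

$CorpDomain = 'lab.corp.net'

function Test-PamCorpDomainPrep {
    $result = [ordered]@{}

    # 1. RPC access to the SAM database: TcpipClientSupport must be 1
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name TcpipClientSupport -ErrorAction SilentlyContinue
    $result['TcpipClientSupport'] = ($null -ne $lsa -and $lsa.TcpipClientSupport -eq 1)

    # 2. The corporate domain is at the 2016 functional level required by PAM
    $result['DomainMode2016'] = ((Get-ADDomain -Identity $CorpDomain).DomainMode -eq 'Windows2016Domain')

    # 3. The PAM optional feature is enabled (EnabledScopes stays empty until it is)
    $feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Server $CorpDomain -ErrorAction SilentlyContinue
    $result['PamFeatureEnabled'] = ($null -ne $feature -and @($feature.EnabledScopes).Count -gt 0)

    # 4. Effective audit policy on this DC: auditpol /r emits CSV; a subcategory
    #    still at "No Auditing" means the GPO change has not applied here yet
    foreach ($category in 'Account Management', 'DS Access') {
        $rows = @(auditpol.exe /get /category:"$category" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv)
        $unaudited = @($rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
        $result["Audit:$category"] = ($rows.Count -gt 0 -and $unaudited.Count -eq 0)
    }

    return [pscustomobject]$result
}

Test-PamCorpDomainPrep | Format-List
```

Every property should read True. If the two audit checks are False right after editing the GPO, run gpupdate /force on the DC and try again; the audit policy is what later lets you trace which PAM request created or changed a group membership.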

Configuring the Privileged Domain

Create a new Windows Server 2016 server with the GUI. Log on to the server and, as before, enable RPC access to the SAM database with the command below:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name TcpipClientSupport -PropertyType DWORD -Value 1

Now let’s install the new domain. First we import the Server Manager module and install the AD DS and DNS roles:

# Install AD DS and DNS features
Import-Module ServerManager
Install-WindowsFeature AD-Domain-Services, DNS -Restart -IncludeAllSubFeature -IncludeManagementTools

After the server restarts, we create our priv forest with the commands below. We are creating a DNS delegation in our corporate domain, so when prompted for credentials, enter your corporate domain credentials.

# Create the priv forest (domain and forest mode 7 = Windows Server 2016)
$ca = Get-Credential
Install-ADDSForest -DomainMode 7 -ForestMode 7 -DomainName priv.lab.corp.net -DomainNetbiosName priv -Force -CreateDNSDelegation -DNSDelegationCredential $ca

Next we create the required service accounts and groups. Be sure to change all passwords after creation and keep track of them!

Import-Module ActiveDirectory

# Lab-only placeholder password shared by every account below; change each one after creation
$sp = ConvertTo-SecureString "Password01" -AsPlainText -Force

New-ADUser -SamAccountName MIMMA -Name MIMMA
Set-ADAccountPassword -Identity MIMMA -NewPassword $sp
Set-ADUser -Identity MIMMA -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMMonitor -Name MIMMonitor -DisplayName MIMMonitor
Set-ADAccountPassword -Identity MIMMonitor -NewPassword $sp
Set-ADUser -Identity MIMMonitor -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMComponent -Name MIMComponent -DisplayName MIMComponent
Set-ADAccountPassword -Identity MIMComponent -NewPassword $sp
Set-ADUser -Identity MIMComponent -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMSync -Name MIMSync
Set-ADAccountPassword -Identity MIMSync -NewPassword $sp
Set-ADUser -Identity MIMSync -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMService -Name MIMService
Set-ADAccountPassword -Identity MIMService -NewPassword $sp
Set-ADUser -Identity MIMService -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName SharePoint -Name SharePoint
Set-ADAccountPassword -Identity SharePoint -NewPassword $sp
Set-ADUser -Identity SharePoint -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName SqlServer -Name SqlServer
Set-ADAccountPassword -Identity SqlServer -NewPassword $sp
Set-ADUser -Identity SqlServer -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName BackupAdmin -Name BackupAdmin
Set-ADAccountPassword -Identity BackupAdmin -NewPassword $sp
Set-ADUser -Identity BackupAdmin -Enabled $true -PasswordNeverExpires $true

New-ADUser -SamAccountName MIMAdmin -Name MIMAdmin
Set-ADAccountPassword -Identity MIMAdmin -NewPassword $sp
Set-ADUser -Identity MIMAdmin -Enabled $true -PasswordNeverExpires $true

# Add SharePoint and MIMService to Domain Admins in the priv forest
Add-ADGroupMember -Identity "Domain Admins" -Members SharePoint
Add-ADGroupMember -Identity "Domain Admins" -Members MIMService
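The block above gives every service account the same lab password, which is why it says to change them afterwards. The following is an added script (my own, not from the original post) that does that change in one pass: it generates a unique random password per account from a cryptographic RNG, resets it in AD, and hands the results back as PSCredential objects so they can be recorded in a password vault rather than left in a script. The account list is the set created above; the priv\ prefix is assumed from this post.

```powershell
# Added hardening step (not from the original post). Replaces the shared lab
# password on each service account created above with a unique random one and
# returns the new credentials for storage in a vault. Account names are the
# ones created above; the priv\ prefix is assumed from the post.
Import-Module ActiveDirectory

$ServiceAccounts = 'MIMMA', 'MIMMonitor', 'MIMComponent', 'MIMSync', 'MIMService', 'SharePoint', 'SqlServer', 'BackupAdmin', 'MIMAdmin'

function New-RandomPassword([int]$Length = 32) {
    # Draw each character uniformly from the alphabet using the platform CSPRNG,
    # rejecting bytes above the largest multiple of the alphabet size to avoid modulo bias
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@^_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object char[] $Length
    $buffer = New-Object byte[] 1
    for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
        $chars[$i] = $alphabet[$buffer[0] % $alphabet.Length]
    }
    $rng.Dispose()
    return -join $chars
}

function Set-UniqueServiceAccountPasswords {
    $credentials = @()
    foreach ($account in $ServiceAccounts) {
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        # -Reset sets the new password without needing the old one
        Set-ADAccountPassword -Identity $account -NewPassword $secure -Reset
        # Returned for the operator to record in a vault; never write these to a script file
        $credentials += New-Object System.Management.Automation.PSCredential("priv\$account", $secure)
    }
    return $credentials
}

$newCredentials = Set-UniqueServiceAccountPasswords
# List the accounts rotated; the passwords themselves stay inside the SecureStrings
$newCredentials | ForEach-Object { $_.UserName }
```

Run this once, before any of the services are installed with these accounts, because the Synchronization Service, MIM Service and SharePoint installers in the later parts prompt for the account passwords and store them in their own service configuration.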

 

Now that our users are created, we configure the auditing and security policies on the priv domain through Group Policy.

Add the following settings to the Default Domain Controllers Policy:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account management

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit directory service access

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy > Maximum lifetime for a user ticket

Click OK on the pop-up that appears when you define the Kerberos setting.

Next we configure the Default Domain Policy to restrict our service accounts as below:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on as a batch job
Add: priv\mimcomponent; priv\mimmonitor; priv\mimservice

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on through Remote Desktop Services
Add: priv\mimcomponent; priv\mimmonitor; priv\mimservice

Now that our logging and security policies are done, we create a DNS conditional forwarder so our priv domain can forward requests for the corp domain. Replace 10.0.0.4 with the DNS server(s) in your corp domain:

Add-DnsServerConditionalForwarderZone -Name "lab.corp.net" -MasterServers 10.0.0.4

Add the appropriate Service Principal Names for the SharePoint and MIMService accounts:

setspn -S http/pamsrv.priv.lab.corp.net PRIV\SharePoint
setspn -S http/pamsrv PRIV\SharePoint
setspn -S FIMService/pamsrv.priv.lab.corp.net PRIV\MIMService
setspn -S FIMService/pamsrv PRIV\MIMService

The next step is to delegate control in AD to our service accounts using Active Directory Users and Computers. In ADUC, right-click your domain and click ‘Delegate Control’.

In the Delegation of Control Wizard, add the users MIMComponent, MIMMonitor and MIMService.

Select ‘Create, delete, and manage user accounts’ and ‘Modify the membership of a group’, then click Next and Finish.

Run the Delegation of Control Wizard again and select the MIMAdmin user. Select the option ‘Create a custom task to delegate’.

Select to delegate ‘This folder, existing objects in this folder, and creation of new objects in this folder’.

In the ‘General’ section, select the following permissions and then click Next and Finish:

  • Read
  • Write
  • Create All Child Objects
  • Delete All Child Objects
  • Read All Properties
  • Write All Properties
  • Migrate SID History

Delegate once more to MIMAdmin, creating a custom task to delegate as before. This time select ‘Only the following objects in the folder’, tick ‘User objects’ and click Next.

Grant the ‘Change Password’ and ‘Reset Password’ rights.

Next we need to grant permissions to the MIM admins and the MIMService account on the container “Configuration -> Services -> Shadow Principal Configuration”. Do this by opening ADSI Edit and connecting to the Configuration naming context. Navigate to the container, right-click it and set permissions for MIMService and any other MIM admins: Write, Create all child objects and Delete all child objects.

The final step is to add the MIMService and MIMComponent accounts to the ACL of the AdminSDHolder object so they can update admin groups, and to allow the MIMAdmin account to create and update authentication policies and silos. To do this, open an admin command prompt and run the commands below (replace the domain components to match your own). When finished, restart both the corp DC and the priv DC.

dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=configuration,DC=priv,DC=lab,DC=corp,DC=net" /g mimadmin:RPWPRCWD;;msDS-AuthNPolicy /i:s
dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=configuration,DC=priv,DC=lab,DC=corp,DC=net" /g mimadmin:CCDC;msDS-AuthNPolicy
dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=configuration,DC=priv,DC=lab,DC=corp,DC=net" /g mimadmin:RPWPRCWD;;msDS-AuthNPolicySilo /i:s
dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=configuration,DC=priv,DC=lab,DC=corp,DC=net" /g mimadmin:CCDC;msDS-AuthNPolicySilo
dsacls "cn=adminsdholder,cn=system,dc=priv,dc=lab,dc=corp,dc=net" /G priv\mimservice:WP;"member"
dsacls "cn=adminsdholder,cn=system,dc=priv,dc=lab,dc=corp,dc=net" /G priv\mimcomponent:WP;"member"
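The conditional forwarder, the SPNs and the AdminSDHolder ACL above are the three pieces of the priv domain setup that fail silently when mistyped, and the AdminSDHolder change in particular deserves a second look because whoever can write the member attribute there can change the membership of every protected group. The script below is an added post-configuration check (my own, not from the original post) to run on the priv DC: it confirms the forwarder zone exists, that each expected SPN is registered on the right account and on no other, and lists every principal with write access to member on AdminSDHolder that is not in an expected list. The names are the ones used in this post (lab.corp.net, pamsrv, PRIV\SharePoint, PRIV\MIMService, PRIV\MIMComponent); the expected-writers list is my assumption based on the default ACL and should be adjusted to your domain.

```powershell
# Added post-configuration check (not from the original post). Run on the priv DC
# after the steps above. Assumes the names used in the post: conditional forwarder
# zone lab.corp.net, SPN host pamsrv, and the PRIV\SharePoint, PRIV\MIMService and
# PRIV\MIMComponent accounts. The expected AdminSDHolder writers list is an
# assumption based on the default ACL; adjust it to your domain.
Import-Module ActiveDirectory
Import-Module DnsServer

$ForwarderZone = 'lab.corp.net'
$ExpectedSpns = @{
    'SharePoint' = @('http/pamsrv.priv.lab.corp.net', 'http/pamsrv')
    'MIMService' = @('FIMService/pamsrv.priv.lab.corp.net', 'FIMService/pamsrv')
}
$ExpectedMemberWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'PRIV\Domain Admins', 'PRIV\Enterprise Admins',
    'PRIV\MIMService', 'PRIV\MIMComponent'
)

function Test-ConditionalForwarder {
    $zone = Get-DnsServerZone -Name $ForwarderZone -ErrorAction SilentlyContinue
    return ($null -ne $zone -and $zone.ZoneType -eq 'Forwarder')
}

function Test-ServiceSpns {
    $missing = @()
    foreach ($account in $ExpectedSpns.Keys) {
        $registered = @((Get-ADUser -Identity $account -Properties servicePrincipalName).servicePrincipalName)
        foreach ($spn in $ExpectedSpns[$account]) {
            if ($registered -notcontains $spn) { $missing += "$account -> $spn" }
        }
    }
    # An SPN registered on more than one account breaks Kerberos for that service
    $duplicates = Get-ADObject -LDAPFilter '(servicePrincipalName=*pamsrv*)' -Properties servicePrincipalName |
        ForEach-Object { $_.servicePrincipalName } | Group-Object | Where-Object { $_.Count -gt 1 }
    return [pscustomobject]@{ Missing = $missing; Duplicates = @($duplicates | ForEach-Object { $_.Name }) }
}

function Get-AdminSdHolderMemberWriters {
    # Identities allowed to write 'member', either directly or via a blanket WriteProperty/GenericAll
    $domainDN = (Get-ADDomain).DistinguishedName
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $memberAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
    $memberGuid = [guid]$memberAttr.schemaIDGUID
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    $writeProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $writeProperty) -ne 0) -and
            ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$writers = @(Get-AdminSdHolderMemberWriters)
[pscustomobject]@{
    ConditionalForwarder    = Test-ConditionalForwarder
    Spns                    = Test-ServiceSpns
    # Anything listed here can change the membership of every protected group: review it
    UnexpectedMemberWriters = @($writers | Where-Object { $_ -notin $ExpectedMemberWriters })
} | Format-List
```

ConditionalForwarder should be True, Spns.Missing and Spns.Duplicates should both be empty, and UnexpectedMemberWriters should be empty once the list reflects your domain's defaults. Keeping this check in a scheduled job is a cheap way to notice later drift in the AdminSDHolder ACL, which is the object that matters most in this whole setup.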

 

Now our priv DC is finally configured! That’s the end of this part of the blog series. In the next post, I will go through installing and configuring MIM for PAM.

Install Exchange Server 2019 (Preview) on Windows Server 2016 Core

One of the interesting features of Exchange Server 2019 is the ability to install it on Windows Server Core. This brings all the security and performance benefits of running Server Core to Exchange Deployments. In this post, I will go through the installation steps for Exchange Server 2019 on Windows Server 2016 Core.

 

Required Downloads:

First we copy our Exchange 2019 ISO and prerequisites folder to the target Core server. We can do this through File Explorer on another server or by using the Copy-Item PowerShell cmdlet.

Next, install the minimum prerequisite roles on the target server. The full list of required roles can be added automatically as part of the installation process; the minimum required roles are Windows Server Media Foundation and the Remote Server Administration Tools for Active Directory Domain Services:

Install-WindowsFeature Server-Media-Foundation, RSAT-ADDS

Now we install the prerequisite software listed above in the ‘Required Downloads’ section:

Microsoft .NET Framework 4.7.1 for Windows 10 Version 1607 and Windows Server 2016 for x64 (KB4033393)

So far the install is very similar to past Exchange installs; however, we would usually download and install the Unified Communications Managed API 4.0 Runtime. As UCMA 4.0 depends on certain DLL files that do not ship with Windows Server Core, we do not download it. Instead we use the installer included on the Exchange 2019 install media.

First, let’s use the Mount-DiskImage cmdlet to mount the Exchange install media.

Now let’s change to the \UCMARedist\ directory on the install media and run Setup.exe.

With all the prerequisites installed, we can begin the Exchange Server installation. This is the first Exchange 2019 server in the organization, so we need to prepare the schema using the /PS or /PrepareSchema switch of Setup.exe in the root of the installation media:

.\Setup.exe /IAcceptExchangeServerLicenseTerms /ps

Once the schema is extended, we prepare AD and define the organization name:

.\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD /OrganizationName:exchangelab

Finally, we run the full Exchange Server 2019 setup, specifying that the required Windows components should be installed during setup:

.\Setup.exe /mode:Install /IAcceptExchangeServerLicenseTerms /roles:m /InstallWindowsComponents

Once the installation completes and the server reboots, log on to the server and open the Exchange Management Shell with the LaunchEMS command to begin configuring your new Exchange environment.