Implementing Privileged Access Management on Server 2016/2019: Part 4 – Finalize Configuration and Test PAM Requests

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft identity Manager

Implementing Privileged Access Management on Server 2016/2019: Part 3 – Deploying the MIM/PAM Server

It’s been a few weeks since the last post in this series due to an issue with my lab environment. In this final post, we will go through the last configuration pieces and test our PAM installation!

 

Prerequisites:

* Ensure that the priv domain is accessible from the corporate domain and resolves in DNS. You’ll remember in part 1 of this series we set up a DNS delegation for the priv domain in our corporate domain. Verify this is functional by performing a ping or NS lookup against the priv domain FQDN from the corp domain.

 

Set up management policy rules in MIM Portal

In the MIM Portal, open the “Management Policy Rules” Page, search and select the management policy rule “User management: Users can read attributes of their own” and uncheck the “Policy is disabled” checkbox, then click ‘OK’ and “Submit”

MIMPortal.png

mimportal2.png

mimportaL3.png

Next ensure Windows firewall is allowing TCP ports 5725, 5726, 8086 and 8090. In my lab I have disabled the Windows Firewall on the MIM server.

Set up a Sample Web Application for the MIM PAM REST API

First download the contents of  the Identity Management samples files and unpack the contents of the folder “identity-management-samples-master\Privileged-Access-Management-Portal\src” to the directory “C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management Portal” of the MIM Server. You will need to create this directory as it doesn’t exist by default.

Now create a new web site for the sample portal, open an administrative PowerShell window and run the below command:

New-WebSite -Name “MIM Privileged Access Management Example Portal” -Port 8090   -PhysicalPath “C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management Portal\”

To allow the new web application to redirect users to the MIM PAM REST API, open the web.config file in the directory “C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API” and add the below entries in the <system.webServer> section. This can be added just under the “<validation validateIntegratedModeConfiguration=”false” />” entry. Ensure to take a backup of the original file before editing.

<httpProtocol>

<customHeaders>

<add name=”Access-Control-Allow-Credentials” value=”true”  />

<add name=”Access-Control-Allow-Headers” value=”content-type” />

<add name=”Access-Control-Allow-Origin” value=”http://<MIM Server Name>:8090″ />

</customHeaders>

</httpProtocol>

 

Next open the file “C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management Portal\js\utils.js.” and change the value for the PAM API URL “pamRespApiUrl” to ‘http://<PAMServerFQDN>:8086/api/pamresources’ (eg. http://mim.priv.lab.corp.net:8086/api/pamresources)

After replacing the values above, perform an IISReset.

Browsing to ‘http://<PAMServerFQDN>:8086/api/pamresources/pamroles/’ should now initiate a download of the pamroles.json file.

 

Establish a PAM Trust

Log on to the MIM server and run the following powershell commands to establish a new PAM trust from the server

$ca = get-credential

New-PAMTrust -SourceForest “lab.corp.net” -Credentials $ca

Log onto the PRIV Domain Controller and run the following commands from an administrative command prompt to modify the trust settings for the corporate domain admin account.

 

netdom trust lab.corp.net /domain:priv.lab.corp.net /enablesidhistory:yes /usero:lab\adminseanmc /passwordo: <password>

 

netdom trust lab.corp.net /domain:priv.lab.corp.net /quarantine:no /usero:lab\adminseanmc /passwordo: <password>

 

netdom trust lab.corp.net /domain:priv.lab.corp.net /enablepimtrust:yes /usero:lab\adminseanmc /passwordo:<password>

 

Prepare an Admin Workstation

On an admin workstation, mount the MIM2016 install files and copy the “Add-ins and extensions” directory to the local machine. Run the appropriate ‘Setup.exe’ to install the MIM PAM requester cmdlets.

The only software we need to install is the ‘PAM Client’

PAMClient.png

At the next page, enter the FQDN of the PAM server.

pamclient2.png

Click ‘Finish’ on the next window and when the installer completes, reboot the workstation.

 

Delegate read access to the priv domain

On the corp domain controller, open Active directory Users and Computers, right click the top level of the domain and select ‘Delegate Control…’

delegate.png

On the ‘Users or Groups’ page, select the ‘Locations’ option and change to the priv domain.

delegate1.png

Delegate2.png

Add ‘priv\domain admins’ and ‘priv\mimmonitor’ to the object field then click ‘check Names’ and when prompted, enter the password for the priv domain administrator and click ‘OK’

Delegate3.png

delegate4.png

Click ‘Next’. On the ‘Tasks to Delegate page, select the option to delegate the ‘Read all user information’ task and click ‘next’ and ‘finish’ to complete the delegation

delegate5.png

delegate6.png

Next Create a security group for auditing purposes on the CORP domain with the below PowerShell commands (The group name should be the NetBIOS name of your corporate domain followed by ‘$$$’):

import-module activedirectory

New-ADGroup –name ‘LAB$$$’ –GroupCategory Security –GroupScope DomainLocal –SamAccountName ‘LAB$$$’

Start the PAM services if they are not already started

Use the below commands in an administrative command prompt on the MIM server to start the PAM services:

net start “PAM Component service”

net start “PAM Monitoring service”

Create privileged Accounts, Groups and Roles

To create privileged accounts for our admins, lets first create an account in the corp domain that we will want to add to PAM. I’ve create the below user ‘LAB\Clint.Eastwood’ in my corporate domain.

priv.png

Now lets create a corresponding account in the PRIV domain for the user. Log on to the MIM server and open an administrative PowerShell (ISE) Window.

Run the below Powershell commands to create a new PAM user and user object in the PRIV domain to represent our CORP domain user, this will also maintain the user SID which is key to the PAM process. Below we can see both user accounts have an identical ObjectSID value.

Import-Module MIMPAM

Import-Module ActiveDirectory

 

$PAMUser = New-PAMUser –SourceDomain lab.corp.net –SourceAccountName clint.eastwood

$SecurePassword = ConvertTo-SecureString “Password2018” –asplaintext –force

Set-ADAccountPassword –identity priv.clint.eastwood –NewPassword $SecurePassword

Set-ADUser –identity priv.clint.eastwood –Enabled 1

priv1.png

Now let’s select an administrative group to test with. For demo purposes I have created a “Password Admins” group and delegated out password reset access to the group. Run the below PowerShell commands in the same window that we used to create the user account to add the group to PAM and to set up a new role containing the group and adding our user to the role. When prompted, enter the credentials for the admin of the CORP forest.

$credentials = get-credential

$PAMGroup = New-PAMGroup –SourceGroupName “Password Management” –SourceDomain lab.corp.net –SourceDC dc2019.lab.corp.net –Credentials $credentials

$PAMRole = New-PAMRole –DisplayName “LAB Password Admins Role” –Privileges $PAMGroup –Candidates $PAMUser

Elevating a users access with PIM

Now that everything is configured and ready, lets try to request the Password Admins role.

First lets try to reset a users password using the priv.clint.eastwood account. We can do this by opening an MMC console as priv.clint.eastwood on our corporate workstation and trying a password reset.

To open an MMC as priv.clint.eastwood, log onto the CORP PC using the regular clint.eastwood account and run:

runas /user:Priv.clint.eastwood@priv.lab.corp.net mmc

We get an access denied error when we attempt a password reset.

access.png

Now let’s request the role we want, open a PowerShell window as priv.clint.eastwood using the run command:

runas /user:Priv.clint.eastwood@priv.lab.corp.net powershell

And then request the role as below:

request.png

We can also use the PAM Sample Portal to request this role:

requestportal.png

Now the user is in the “priv\LAB.Password admins” group. Relaunch an MMC console as the user priv\priv.clint.eastwood and retry a password reset. This time our password reset is successful.

request3.png

That is the basic configuration of PAM using MIM 2016. From here we can configure approval, TTLs and customize the web portal from the Example portal template.

Setting up PAM is a lengthy process and the past four posts and I found that a lot of the resources online were confusing  so I hope this series of posts proves helpful in configuring PAM for Windows Server 2016/2019.

Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft identity Manager

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

This is the second post in a series which will go through setting up Privileged Access Management on Server 2016/2019. in this post we will configure the SharePoint component of Microsoft Identity Manager.

*As I am using a lab environment I have chosen to install MIM, SQL and SharePoint on the same server but in production they would need to be planned and scaled out correctly.

 

Prerequisites:

  • I have installed SQL Server 2016 locally on the MIM/SharePoint server. a SQL instance will be required for both SharePoint and MIM
  • The PAM/MIM/SharePoint server should be joined to the priv domain

Installing SharePoint Server 2016

First download the SharePoint Server 2016 ISO and mount it. Open an administrative command prompt and navigate to the source files for the installation. From here run the prerequisite installer with the command:

.\prerequisiteinstaller.exe

prereqs.png

Follow the on screen prompts to install the required prerequisites, roles and features. when this finishes, the server will restart.

Next, open an administrative command prompt and navigate to the source files again. Run the setup using the command:

.\setup.exe

Follow the on screen prompts to enter your product key and install SharePoint Server 2016 as below:

setup.exe.png

 

setup.exe2.png

When the installer finishes, you should be prompted to run the SharePoint Products Configuration Wizard.

setup.exe3.png

Follow the screenshots below to configure SharePoint 2016 and create a new farm:

configwizard1.png

Specify a service account with access to your SQL instance

configwizard3.png

For my lab I will install a single server farm

configwizard4.png

 

configwizard5.png

 

configwizard6.png

 

When the configuration wizard finishes, you will be taken to the SharePoint Central Admin Page.

CentralAdmin.png

 

Now that the farm is set up, we can configure the MIM web app and Site Collection.

Set up Web App and Site Collection

Create two AD Service Accounts named priv\MIMPool  and priv\MIMInstall to use during the setup.

Also set up a DNS A record for your MIM Site Collection pointing to the SharePoint Server such as mim.priv.lab.corp.net.

 

Next, configure the MIMPool account as an SP Managed Service Account with the below commands:

*Note: in the below script blocks, I have marked in bold entries that you may need to change to match your environment

##Enter the credentials of the priv\MIMPool account

$ManagedServiceAccount = get-credential

## Create the SP Managed Service Account Entry

New-SPManagedAccount $ManagedServiceAccount

$dbManagedAccount = Get-SPManagedAccount -Identity $ManagedServiceAccount.username

## Create a new web application

New-SpWebApplication -Name “MIM Portal” -ApplicationPool “MIMAppPool” -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod “Kerberos” -Port 80 -URL http://mim.priv.lab.corp.net

spwebapp.png

Create a new site for MIM with the below commands:

$t = Get-SPWebTemplate -compatibilityLevel 15 -Identity “STS#1”

$w = Get-SPWebApplication http://mim.priv.lab.corp.net/

New-SPSite -Url $w.Url -Template $t -OwnerAlias priv\miminstall -CompatibilityLevel 15 -Name “MIM Portal”

$s = SpSite($w.Url)

create site.png

Run ‘$s.CompatibilityLevel’ to ensure the compatibility level of the new site is “15”

 

Disable the SP Timer Job “Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers)” with the commands below:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;

$contentService.ViewStateOnServer = $false;

$contentService.Update();

Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | disable-SPTimerJob

 

Now that the site is set up, navigate to it and log in with the MIMInstall user credentials to verify it was created as expected. If you get an error logging in, follow one of the fixes here. When you are logged in successfully, you should see an empty site as below:

login.png

site.png

Finally add the site created to the local intranet zone on the server and restart the server:

localintranet.png

We have now Successfully configured SharePoint for MIM. In a following blog I will continue the MIM/PAM setup process.

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

In many companies, users with admin accounts for different services are trusted to only use their admin privileges when there is a requirement that needs to be met. We rely on logging to track changes and many companies very rarely review logs until an issue is discovered elsewhere. As IT Admins, we get stuck between giving our staff the access to let them carry out their job and enforcing governance and change control procedures.

Privileged Access Management (PAM) is an often overlooked technology which allows us to apply that level of governance, while not creating overly complex and drawn out processes that prevent our staff from carrying out their job effectively. This is accomplished by applying a ‘Just In time’ access model. For example, when a member of the helpdesk needs to perform a password reset, they can request this access for the required amount of time, providing justification for the request. This can then be approved automatically, or follow a simple predefined approval process.

PAM is a part of Microsoft Identity Manager (MIM) 2016 and starting with Windows Server 2016, it becomes even easier to implement. This blog is part one of my “Implementing Privileged Access Management on Server 2016/2019” post and here I will step through how to prepare for a MIM installation, Create the Privileged AD DS domain required and prepare the corporate Domain.

 

Server Requirements:

  • An existing corporate domain of functional level 2016
  • One Windows Server 2016 Server to host the MIM application
  • One Windows Server 2016 Server to host the privileged domain

Note: MIM 2016 can be licensed by Office 365 EM+S licensing so if you have implemented Privileged Identity Management in Office 365, you can extend that environment to your on premise environment.

 

Configuring the Corporate Domain

For this blog I have created a lab domain called lab.corp.net. I will use this existing domain and prepare it for the PAM implementation.

first log onto your corporate Domain Controller(s). For PAM to work we need to enable RPC access to the SAM database. On the Corporate DC, open an administrative Powershell window anmd run the below command to add in the registry key to enable this:

New-ItemProperty –Path HKLM:SYSTEM\CurrentControlSet\Control\Lsa –Name TcpipClientSupport –PropertyType DWORD –Value 1

 

Next we need to enable the AD Optional Feature for PAM is it is not already enabled. In the same window as above, enter the below commands to enable the feature.

Import-Module ActiveDirectory

Enable-ADOptionalFeature “Privileged Access Management Feature” -Scope ForestOrConfigurationset

Now we configure the auditing policies in the Default Domain Controller GPO. Make the below additions to the policy:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account Management

Audit account management policy

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit directory Service access

Audit Directory Service access

That’s all the configuration for our corporate domain, next we will create and configure the privileged domain.

Configuring the Privileged Domain

Create a new Windows Server 2016 Server with GUI. Log on to the server and as before, enable RPC access to the SAM DB with the below command:

New-ItemProperty –Path HKLM:SYSTEM\CurrentControlSet\Control\Lsa –Name TcpipClientSupport –PropertyType DWORD –Value 1

Now let’s install the new domain. First we add the server manager module and install the AD-DS and DNS roles

#Install ADDS and DNS Features

import-module ServerManager

 

Install-WindowsFeature AD-Domain-Services,DNS –restart –IncludeAllSubFeature -IncludeManagementTools

After the Server restarts, we create our priv forest with the below commands. We are creating a delegation on DNS to our corporate domain, when prompted for credentials, enter your corporate domain credentials.

#Create Priv forest

$ca= get-credential

Install-ADDSForest –DomainMode 7 –ForestMode 7 –DomainName priv.lab.corp.net –DomainNetbiosName priv –Force –CreateDNSDelegation –DNSDelegationCredential $ca

Build Priv forest

 

Next we create the required service accounts and groups. Be sure to change all passwords after creation and keep track of them!

import-module activedirectory

 

$sp = ConvertTo-SecureString “Password01” –asplaintext –force

 

New-ADUser –SamAccountName MIMMA –name MIMMA

 

Set-ADAccountPassword –identity MIMMA –NewPassword $sp

 

Set-ADUser –identity MIMMA –Enabled 1 –PasswordNeverExpires 1

 

New-ADUser –SamAccountName MIMMonitor –name MIMMonitor -DisplayName MIMMonitor

 

Set-ADAccountPassword –identity MIMMonitor –NewPassword $sp

 

Set-ADUser –identity MIMMonitor –Enabled 1 –PasswordNeverExpires 1

 

New-ADUser –SamAccountName MIMComponent –name MIMComponent -DisplayName MIMComponent

 

Set-ADAccountPassword –identity MIMComponent –NewPassword $sp

 

Set-ADUser –identity MIMComponent –Enabled 1 –PasswordNeverExpires 1

 

New-ADUser –SamAccountName MIMSync –name MIMSync

 

Set-ADAccountPassword –identity MIMSync –NewPassword $sp

 

Set-ADUser –identity MIMSync –Enabled 1 –PasswordNeverExpires 1

 

New-ADUser –SamAccountName MIMService –name MIMService

 

Set-ADAccountPassword –identity MIMService –NewPassword $sp

 

Set-ADUser –identity MIMService –Enabled 1 –PasswordNeverExpires 1

 

New-ADUser –SamAccountName SharePoint –name SharePoint

 

Set-ADAccountPassword –identity SharePoint –NewPassword $sp

 

Set-ADUser –identity SharePoint –Enabled 1 –PasswordNeverExpires 1

 

New-ADUser –SamAccountName SqlServer –name SqlServer

 

Set-ADAccountPassword –identity SqlServer –NewPassword $sp

 

Set-ADUser –identity SqlServer –Enabled 1 –PasswordNeverExpires 1

 

New-ADUser –SamAccountName BackupAdmin –name BackupAdmin

 

Set-ADAccountPassword –identity BackupAdmin –NewPassword $sp

 

Set-ADUser –identity BackupAdmin –Enabled 1 -PasswordNeverExpires 1

 

New-ADUser -SamAccountName MIMAdmin -name MIMAdmin

 

Set-ADAccountPassword –identity MIMAdmin  -NewPassword $sp

 

Set-ADUser -identity MIMAdmin -Enabled 1 -PasswordNeverExpires 1

 

Add-ADGroupMember “Domain Admins” SharePoint

 

Add-ADGroupMember “Domain Admins” MIMService

 

Now that our users are created, we configure the auditing and security policies on the Priv domain through Group Policy.

Add the below policies on the Default Domain Controller Policy:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Account Management

Audit account management policy

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Directory Service Access

Audit Directory Service access

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy > Maximum lifetime for a user ticket

Maximum kerberos ticket

Click OK on the popup

POPUPMaximum kerberos ticket

 

 

Next we configure the Default Domain policy to restrict our service accounts as below:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User rights assignment > Deny log on as a batch job

Add: priv\mimcomponent; priv\mimmonitor; priv\mimservice

Deny log on as a batch job

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User rights assignment > Deny log on through Remote Desktop Services

Add: priv\mimcomponent; priv\mimmonitor; priv\mimservice

Deny log on as a rds

 

Now that our logging and security policies are done, we create a DNS forwarder so our Priv Domain can forward requests to our Corp domain. Replace 10.0.0.4 with the DNS server(s) in your Corp domain

Add-DnsServerConditionalForwarderZone –name “lab.corp.net” –masterservers 10.0.0.4

add-dnsforwarder

 

Add the appropriate Service Principal Names for the MIMservice:

setspn -S http/pamsrv.priv.lab.corp.net PRIV\SharePoint

setspn -S http/pamsrv PRIV\SharePoint

setspn -S FIMService/pamsrv.priv.lab.corp.net PRIV\MIMService

setspn -S FIMService/pamsrv PRIV\MIMService

 

The next step is to delegate Control in AD to our service accounts in AD Users and Computers. In ADUC right click your domain and click ‘Delegate Control’

1

In the Delegation of control Wizard, add the users: MIMComponent, MIMMonitor and MIMService.

2

select ‘Create, delete, and manage user accounts and Modify the membership of a group’ and click next and finish

create,delete and manage

 

Run the delegation Wizard again and select the MIMAdmin user. Select the option to ‘Create a custom task to delegate’

3

Sselect to delegate ‘this folder, existing objects in this folder and creation of new objects in this folder’

4

In the ‘General’ section, select the following attributes and then click next and finish:

  • Read
  • Write
  • Create all Child Objects
  • Delete all Child Objects
  • Read All Properties
  • Write All Properties
  • Migrate SID History

 

5

Delegate once more to MIMAdmin, creating a custom task to delegate as before and this time select ‘Only the following objects in the folder’ and tick ‘User Objects’ and click next.

6

Grant the ‘Change Password’ and ‘Reset Password’ Rights.

7

Next we need to allow permissions to MIM Admins and MIMService on the container “Configuration -> Services -> Shadow Principal Configuration”. Do this by opening ADSIEdit and connecting to the Configuration naming context. Navigate to the container and right click to set permissions for the MIMService and any other MIM Admins for write, create all child objects and delete all child objects  permission

ADSI

adsi2

The final step is to add the MIMService and MIMComponent accounts to the ACL for the ‘Admin SD Holder’ object to ensure they can update admin groups and to add the MIMadmin account to create and update authentication policy. To do this open an admin command prompt and run the below commands (Replace the domain structure top match your own). When finished restart both the Corp DC and the Priv DC.

dsacls “CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=configuration,DC=priv,DC=lab,DC=corp,DC=net” /g mimadmin:RPWPRCWD;;msDS-AuthNPolicy /i:s

dsacls “CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=configuration,DC=priv,DC=lab,DC=corp,DC=net” /g mimadmin:CCDC;msDS-AuthNPolicy

dsacls “CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=configuration,DC=priv,DC=lab,DC=corp,DC=net” /g mimadmin:RPWPRCWD;;msDS-AuthNPolicySilo /i:s

dsacls “CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=configuration,DC=priv,DC=lab,DC=corp,DC=net” /g mimadmin:CCDC;msDS-AuthNPolicySilo

dsacls “cn=adminsdholder,cn=system,dc=priv,dc=lab,dc=corp,dc=net” /G priv\mimservice:WP;”member”

dsacls “cn=adminsdholder,cn=system,dc=priv, dc=lab,dc=corp,dc=net” /G priv\mimcomponent:WP;”member”

 

Now our Priv DC is finally configured! That’s the end of this part of the blog series. In the next post, I will go through installing and Configuring MIM for PAM.