It’s a normal Wednesday at Company XYZ Inc., where you’ve been a System Engineer since 2007. Your typical day starts with a multitude of issues – some large and some small. A group of workstations in Legal missed the most recent patch cycle, your friend in Finance can’t seem to get her cool IE plug-in to work and the SQL admin team is having issues logging in to the SQL cluster that runs XYZ’s line of business applications. You solve the issues in a timely manner, logging in to each problem system using your Domain Admin credentials. The pressing problems of the day have been remediated but a larger, more sinister security situation may be developing.
Leveraging a highly privileged account, I.E. Domain Admin, across multiple and varying systems increases the possibility that a Pass-the-Hash (PtH) attack or other credential theft technique can be used to gain control of accounts that have admin level access to virtually all of an organization’s high value systems. The premise of these credential theft techniques is to grab as many domain credentials as possible that are stored on a compromised system. Once a workstation or server is compromised, typical time to gaining Domain Admin credentials is 24-48 hours. Adding to the risk is that discovery of the initial compromise usually takes months – leaving the interlopers more than enough time to get at mission critical systems and data. The math is quite simple, the less systems that you log in to with these privileged accounts, the more your risk of compromise is reduced.
Microsoft has released security updates as well as mitigations in newer operating systems to address some of these attacks. These patches and mitigations should be part of a larger strategy that also implements controls around your highly privileged accounts. These controls should involve, among other things, restricting and protecting privileged domain accounts, limiting the number of privileged domain accounts and separate administrative accounts by action or duty. One of the major investments in Microsoft Identity Manager 2015 (MIM) is Privileged Access Management (PAM). PAM in MIM 2015 leverages new functionality in Windows Server 10 Active Directory Domain Services (ADDS) and PAM PowerShell CMDLETS that help mitigate the risk of lateral movement and privilege escalation by isolating and restricting the use of highly privileged domain accounts.
The MIM approach to PAM is Just-in-Time (JIT) Admin Access. The ability for admins to “step-up” access on an as needed basis while at the same time, leveraging rights geared specifically to the task at hand. The lifecycle of this process is as follows:
- Prepare: Determine what users currently hold privileged access. Isolation and scoping of these privileges is also necessary.
- Protect: Implement Step-up process and AuthN protection of these privileged accounts.
- Operate: Users request JIT admin access prior to performing tasks that require privileged credentials. Step-up access is placed in a finite "time box" typically for the duration of the task at hand.
- Monitor: A “safety net” of auditing, reporting and alerting on these requests is put in place.
Architecturally, how does this all happen?
There are several moving parts to the solution:
A separate forest built on Windows Server 10 ADDS and houses the MIM 2015 infrastructure as well as duplicates of the privileged groups and user accounts from your CORP forest. These user objects and groups are what handle the step-up access/rights elevation. The server footprint for this forest would include 2 domain controllers for high-availability.
A two-way forest level trust with SID filtering disabled is then set up between the PAM forest and the CORP forest. SID history is leveraged to allow the duplicate user and group objects in the PAM forest access in the CORP forest. The elevated access occurs when users AuthN to CORP with their PAM account that has been granted temporary access by MIM into one of the duplicate Admin groups. Not new concepts to admins familiar with AD and SID History – the kicker is what MIM, PowerShell and Server 10 bring to the equation.
Windows Server 10 allows for the ability to add a TTL to group membership. This TTL is what is utilized to “time box” the step-up access. MIM handles the provisioning of objects in to these groups as well as the application of the TTL value. Server 10 ADDS DE-provisions the users when the TTL value is hit.
Workflow for this entire process can be handled via a GUI developed using the PAM REST API in MIM and/or PAM PowerShell CMDLETS.
Does this solution completely solve credential theft in the enterprise?
No, but as part of a larger effort to strengthen one’s security posture, PAM leveraging MIM 2015 and Server 10 ADDS can go a long way towards helping admins and CISOs sleep better at night.
In the references section below you’ll find multiple links with additional information about PAM, MIM 2015 and credential theft techniques.