In This Guide
This guide contains instructions for demonstrating Microsoft Identity Manager and
Active Directory Domain Services features for privileged access management for
administration across forests.
In This Guide (page 1)
Background (page 1)
Principles of Operation (page 2)
Test Lab Overview (page 3)
Hardware and Software Requirements (page 4)
Configuring the MIM CTP Test Lab for Privileged Access Management (page 6)
Step 1 Prepare CORP domain controller and member workstation (page 7)
Step 2 Prepare PRIV domain controller (page 12)
Step 3 Prepare a PAM server (page 16)
Step 4 Install MIM components on PAM server and workstation (page 20)
Step 5 Establish trust between PRIV and CORP forests (page 26)
Step 6 Transition a group to Privileged Access Management (page 28)
Step 7 Elevate a user's access (page 30)
Summary (page 32)
Appendix Diagnosing Issues (page 32)
Document Revision History (page 33)
Background
In many sophisticated cyber-attacks against enterprises worldwide, the
attackers focus their attention on gaining administrative privileges. In
particular, they may use Pass-the-Hash, spear-phishing, or other techniques to
gain the access rights of a user who has administrative privileges across a domain
or forest. These attacks are exacerbated because many users have permanent
administrative privileges associated with their Active Directory account. If an
attacker compromises any one of those users' accounts and can then log in or run a
program as that user, the attacker has administrative privileges. Organizations
concerned about the possibility of insider attack, or about constraining access
under IT outsourcing, are also motivated to improve controls on users with highly
privileged access. The document Best Practices for Securing Active Directory highlights the
This solution is primarily focused on domain accounts in which an end user will be
authenticating and authorized to act as a role or application administrator of a
particular collection of systems or across multiple services which rely upon Kerberos
(or ADFS) with Active Directory-hosted security groups. This test lab guide is not
intended to cover scenarios for service accounts, local administrator accounts,
shared accounts, or non-AD environments.
Principles of Operation
The solution for externalizing administrative accounts is composed of parallel
forests. In this guide, there are two forests:
The Active Directory domain controller for the PRIV forest provides privileged user
authentication and authorization. Furthermore, MIM enforces access through
time-limited memberships of user accounts in security groups and foreign principal
groups. Note that in the versions of Windows Server referenced in this Test Lab
Guide, foreign principal groups are not yet available; they will be covered in a
future update of this guide for the next version of Windows Server.
Microsoft Identity Manager adds new workflow activities and related resources for
just-in-time privileged access elevation requests, which communicate directly with
the Active Directory domain controller for the PRIV forest. It also provides new
PowerShell cmdlets for elevation requests.
The MIM solution as configured for PAM includes the following components:
MIM Service implements business logic for performing identity and access
management operations, including privileged account management and
elevation request handling.
Once installed and configured, each group created by the migration procedure in
the PRIV forest is a shadow SIDHistory-based security group (or, in a later update
with Windows Server vNext, a foreign principal group) mirroring the SID of a group
in the original CORP forest. Furthermore, when the MIM Service adds members to
these groups in the PRIV forest, those memberships are time-limited.
As a result, when a user requests elevation using the PowerShell cmdlets and the
request is approved, the MIM Service adds the user's account in the PRIV forest to a
group in the PRIV forest. When the user logs in with that privileged account, the
Kerberos token contains a Security Identifier (SID) identical to the SID of the
group in the CORP forest. Since the CORP forest is configured to trust the PRIV
forest, the elevated account accessing a resource in the CORP forest appears, to a
resource checking the Kerberos group memberships, to be a member of that
resource's security groups. This is provided via Kerberos cross-forest
authentication.
Furthermore, these memberships are time-limited, so that after a preconfigured
interval the user's administrative account is no longer part of the group in the
PRIV forest. As a result, that account can no longer be used to access additional
resources.
For example, assume the CORP forest CONTOSO contains a group
CONTOSO\CorpAdmins with a member CONTOSO\Jen. There is a sensitive
resource, for instance a file share, whose access control list refers to that group.
Because Jen is a member of that group, she has access when she tries to open the
file share.
After installing and configuring MIM, a new user is created in the PRIV forest:
PRIV.Jen. This user account will not have any privileges by default. Also, a new
group will be created in the PRIV forest: PRIV\CONTOSO.CorpAdmins. That group
will not have any members by default. Furthermore, that group
PRIV\CONTOSO.CorpAdmins has the same SID as CONTOSO\CorpAdmins.
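The SID mirroring just described can be verified directly in the directory. The following check is an added example, not a script from this guide or from MIM; it assumes the Active Directory PowerShell module (RSAT) and the host names CORPDC and PRIVDC as used in this lab, and that the shadow group is named CONTOSO.CorpAdmins as above.

```powershell
# Added check (not from the guide): confirm that the PRIV shadow group carries the
# CORP group's SID in its SIDHistory and has no members while no elevation is active.
Import-Module ActiveDirectory

function Test-PamShadowGroup {
    param(
        [string]$CorpGroup  = 'CorpAdmins',                 # group in the CORP forest
        [string]$CorpServer = 'corpdc.contoso.local',       # CORP domain controller (lab name)
        [string]$PrivGroup  = 'CONTOSO.CorpAdmins',         # shadow group in the PRIV forest
        [string]$PrivServer = 'privdc.priv.contoso.local'   # PRIV domain controller (lab name)
    )
    $corp = Get-ADGroup -Identity $CorpGroup -Server $CorpServer
    $priv = Get-ADGroup -Identity $PrivGroup -Server $PrivServer -Properties SIDHistory, Members

    # Cross-forest access only resolves if the CORP group SID is in the shadow group's SIDHistory.
    $mirrored = $priv.SIDHistory | ForEach-Object { $_.Value } |
                Where-Object { $_ -eq $corp.SID.Value }

    [pscustomobject]@{
        CorpGroupSid      = $corp.SID.Value
        PrivShadowSid     = $priv.SID.Value        # the shadow group's own PRIV SID, always different
        SidHistoryMatches = [bool]$mirrored
        CurrentMembers    = @($priv.Members).Count # expected 0 when no elevation is active
    }
}

$result = Test-PamShadowGroup
$result | Format-List
if (-not $result.SidHistoryMatches) {
    Write-Warning "SIDHistory of $($result.PrivShadowSid) does not contain the CORP group SID; cross-forest access will not work."
}
if ($result.CurrentMembers -gt 0) {
    Write-Warning "Shadow group has $($result.CurrentMembers) member(s); each one should correspond to an open, approved PAM request."
}
```

A non-zero member count with no open request is the condition a defender should alert on, since it means a privileged membership outlived its approved interval.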
[Figure: test lab topology. Labels recovered from the diagram: PRIVDC runs WS 2012 R2 AD DS (PRIV DC); SharePoint and SQL Server 2014 also appear in the PRIV forest (on the PAM server built in later steps); CORPDC runs AD DS (CORP DC) on WS 2012 R2 or earlier (a "WS 2012 R2 or later" label also appears); CORPWKSTN is Windows 8.1, domain-joined to CORP; a forest trust links PRIV and CORP.]
If you do not have licenses for Windows or SQL Server, Windows Server 2012 R2
evaluations can be downloaded from the TechNet Evaluation Center for Windows
Server:, Windows 8.1 evaluations can be downloaded from the TechNet Evaluation
Center for Windows: http://www.microsoft.com/en-us/evalcenter/evaluate-windows8-1-enterprise and SQL Server evaluations can be downloaded from the Microsoft
Download Center: http://www.microsoft.com/en-us/download/details.aspx?id=29066.
The following software is required and can be downloaded from Microsoft Download
Center:
import-module ServerManager
Add-WindowsFeature AD-Domain-Services,DNS,FS-FileServer -Restart -IncludeAllSubFeature -IncludeManagementTools
Install-ADDSForest -DomainMode Win2008R2 -ForestMode Win2008R2 -DomainName contoso.local -DomainNetbiosName contoso -Force -NoDnsOnNetwork
This will prompt for a Safe Mode Administrator Password to use. Note that
warning messages for DNS delegation and cryptography settings will appear.
These are normal.
c. After the forest creation is complete, sign out and the server will restart
automatically.
6. After the server restarts, login to CORPDC as an administrator of the domain,
typically the user CONTOSO\Administrator, which will have the same password
as specified when installing Windows on CORPDC.
7. Create new users and groups, including a group named CorpAdmins, a user
named Jen, as well as a group needed for auditing purposes by AD itself.
The name of the group must be the NetBIOS domain name followed by
three dollar signs: CONTOSO$$$. The group scope must be Domain local,
and the group type Security. This is necessary to enable groups to be
created in the PRIV forest in a later step.
a. Launch PowerShell.
b. Type the following commands.
import-module activedirectory
New-ADGroup -Name CorpAdmins -GroupCategory Security -GroupScope Global -SamAccountName CorpAdmins
New-ADUser -SamAccountName Jen -Name Jen
Add-ADGroupMember -Identity CorpAdmins -Members Jen
$jp = ConvertTo-SecureString "Pass@word1" -AsPlainText -Force
Set-ADAccountPassword -Identity Jen -NewPassword $jp
Set-ADUser -Identity Jen -Enabled 1 -DisplayName "Jen"
New-ADGroup -Name 'CONTOSO$$$' -GroupCategory Security -GroupScope DomainLocal -SamAccountName 'CONTOSO$$$'
8. Configure auditing.
a. Go to Start, Administrative Tools, and launch Group Policy
Management.
b. Navigate to Forest: contoso.local, Domains, contoso.local, Domain
Controllers, Default Domain Controllers Policy. An informational
message will appear.
e. In the details pane, right click on Audit account management and select
Properties in the right-click menu. Click Define these policy
settings, put a checkbox on Success, put a checkbox on Failure, click
Apply and OK.
f. In the details pane, right click on Audit directory service access and
select Properties in the right-click menu. Click Define these policy
settings, put a checkbox on Success, put a checkbox on Failure, click
Apply and OK.
9. Close the Group Policy Management Editor window and the Group Policy
Management window. Then apply the audit settings by launching a
PowerShell window and typing:
This will restart CORPDC. For further information on this registry setting,
see: http://support.microsoft.com/kb/322970
11.On another new virtual machine with no software installed, install Windows
8.1 Enterprise to make a computer CORPWKSTN.
a. Use Express settings during installation.
b. Note that the installation may not be able to connect to the Internet.
Click to Create a local account. Specify a different username; do not
use Administrator or Jen.
12.Using the Control Panel, give this computer a static IP address on the virtual
network, and set the interface's preferred DNS server to be that of the CORPDC
server.
13.Using the Control Panel, domain join the CORPWKSTN computer to the
contoso.local domain. This will require providing the Contoso domain
administrator credentials. Then when this completes, restart the computer
CORPWKSTN.
14.After the computer restarts, click the Switch user icon, click on Other
user. Ensure that the user CONTOSO\Jen can log into CORPWKSTN.
15.On CORPWKSTN, create and share a new folder named CorpFS with the
CorpAdmins group.
a. On the Start menu, type PowerShell and select to Run as Administrator.
b. When the window opens, type the following commands.
mkdir c:\corpfs
New-SMBShare -Name corpfs -Path c:\corpfs -ChangeAccess CorpAdmins
$acl = Get-Acl c:\corpfs
$car = New-Object System.Security.AccessControl.FileSystemAccessRule( "CONTOSO\CorpAdmins", "FullControl", "Allow")
$acl.SetAccessRule($car)
Set-Acl c:\corpfs $acl
import-module ServerManager
Install-WindowsFeature AD-Domain-Services,DNS -Restart -IncludeAllSubFeature -IncludeManagementTools
$ca = get-credential
Install-ADDSForest -DomainMode 6 -ForestMode 6 -DomainName priv.contoso.local -DomainNetbiosName priv -Force -CreateDNSDelegation -DNSDelegationCredential $ca
When the popup appears, provide the credentials for the CORP forest
administrator (e.g., the username CONTOSO\Administrator and the
corresponding password from step 1). Then this will prompt within the
PowerShell window for a Safe Mode Administrator Password to use: enter a
new password twice. Note that warning messages for DNS delegation and
cryptography settings will appear; these are normal.
c. After the forest creation is complete, the server will restart
automatically.
5. Create the user and service accounts, which will be needed during MIM
Service and Portal setup, in the Users container of the priv.contoso.local
domain.
a. After restarting, log on to PRIVDC as the domain administrator
(PRIV\Administrator).
b. Type the following command to update the DC from the group policy
settings.
import-module activedirectory
$sp = ConvertTo-SecureString "Pass@word1" -AsPlainText -Force
New-ADUser -SamAccountName MIMMA -Name MIMMA
Set-ADAccountPassword -Identity MIMMA -NewPassword $sp
Set-ADUser -Identity MIMMA -Enabled 1 -PasswordNeverExpires 1
New-ADUser -SamAccountName MIMMonitor -Name MIMMonitor -DisplayName MIMMonitor
After a minute, it will complete with the message Computer Policy update
has completed successfully.
11.Configure delegation.
a. Launch Active Directory Users and Computers.
b. Right click on the domain priv.contoso.local and select Delegate
Control.
c. On the Selected users and groups tab, click Add.
d. On the Select Users, Computers, or Groups popup, type mimcomponent;
mimmonitor and click Check Names. After the names are underlined,
click OK, then click Next.
e. In the list of common tasks, select "Create, delete, and manage user
accounts" and "Modify the membership of a group", then click Next
and click Finish.
f. Close Active Directory Users and Computers.
12.Restart the PRIVDC server so that these changes take effect.
g. Click Add User or Group, and in the User and group names, type
priv\mimmonitor; priv\MIMService; priv\mimcomponent and click OK.
h. Click OK to close the Deny access to this computer from the network
Properties window.
i. On the details pane, right click on Deny log on locally, and select
Properties.
j. Click Add User or Group, and in the User and group names, type
priv\mimmonitor; priv\MIMService; priv\mimcomponent and click OK.
k. Click OK to close the Deny log on locally Properties window.
l. Close the Local Security Policy window.
9. Change the IIS configuration to allow applications to use Windows
Authentication mode.
a. Open a PowerShell window.
b. Stop IIS and unlock the application host settings using these
commands:
iisreset /STOP
with
<section name="windowsAuthentication" overrideModeDefault="Allow" />
Then save the file, and restart IIS with the command iisreset /START
10.Install SQL Server 2012 Service Pack 1 or later, or SQL Server 2014. The
following steps assume SQL 2014.
a. Launch PowerShell as a domain administrator.
b. Change to the directory where the SQL Server setup program is
located.
c. Type the following commands.
.\setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION=install /FEATURES=SQL,SSMS /INSTANCENAME=MSSQLSERVER /SQLSVCACCOUNT="PRIV\SqlServer" /SQLSVCPASSWORD="Pass@word1" /AGTSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\Network Service" /SQLSYSADMINACCOUNTS="PRIV\Administrator"
11.Using the SharePoint Foundation 2013 with SP1 installer, install SharePoint's
software prerequisites on PAMSRV. Note that this will cause the server to
restart, and will also require Internet connectivity for this computer for the
installer to download its prerequisites.
a. Launch PowerShell as a domain administrator.
b. Change to the directory where SharePoint was unpacked.
c. Type the following command.
.\prerequisiteinstaller.exe
# $t holds the SharePoint site template selected earlier in this step
$w = Get-SPWebApplication http://pamsrv.priv.contoso.local:82
New-SPSite -Url $w.Url -Template $t -OwnerAlias PRIV\Administrator -CompatibilityLevel 14 -Name "MIM Portal" -SecondaryOwnerAlias PRIV\BackupAdmin
$s = Get-SPSite $w.Url
$s.AllowSelfServiceUpgrade = $false
$s.CompatibilityLevel
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.ViewStateOnServer = $false
$contentService.Update()
Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | Disable-SPTimerJob
l. Configure the MIM PAM REST API account to use the same account as
SharePoint (as the MIM Portal is co-located on this server). Specify the
account name as SharePoint, the Application Pool Account Password as
Pass@word1 (the password specified in step 2 above), and the Application
Pool Account Domain as PRIV.
Note that a warning may appear that the Service Account is not secure
in its current configuration.
m. Configure the MIM PAM component service. Specify the account name
as mimcomponent, and the Service Account Password as Pass@word1
(the password specified in step 2 above), and the Service Account
Domain as PRIV.
# $d is the MIM Service database object obtained earlier in this step
$d.Roles['db_datareader'].AddMember("priv\mimcomponent")
$d.Roles['db_datareader'].AddMember("priv\mimmonitor")
7. Download the sample web application archive from the connect site, and
unpack from the archive the contents of the folder PAMsamplePortal into a
new folder Privileged Access Management Portal within the folder C:\Program
Files\Microsoft Forefront Identity Manager\2010.
8. Install and configure the sample web application for the MIM PAM REST API.
a. Create new web site in IIS with a site name of "MIM Privileged Access
Management Example Portal", physical path " C:\Program
Files\Microsoft Forefront Identity Manager\2010\Privileged Access
Management Portal" and port 8090. This can be done using the
iisreset
e. (Optional) verify that the user can authenticate to the REST API. Open
a web browser, as the administrator on pamsrv. Navigate to the web
site URL
http://pamsrv.priv.contoso.local:8086/api/pamresources/pamroles/
Ensure that the output indicates a nameserver record for this domain.
2. On PAMSRV, establish one-way trust with CORPDC so that the CORP domain
controller trusts the PRIV forest.
a. Ensure you are logged into PAMSRV as a PRIV domain administrator
(such as PRIV\Administrator).
b. Launch PowerShell.
c. Type the following PowerShell commands, and enter the credential for
the CORP domain administrator (e.g., CONTOSO\Administrator) when
prompted, if needed.
$ca = get-credential
New-PAMTrust -SourceForest "contoso.local" -Credentials $ca
New-PAMDomainConfiguration -SourceDomain "contoso" -Credentials $ca
5. (optional) Verify that SID history is enabled and SID filtering is disabled on the
trust from the CORP domain to the PRIV domain.
a. Ensure you are logged into CORPDC as a domain administrator (such as
CONTOSO\Administrator).
b. Open a PowerShell window.
c. Use netdom to ensure SID history is enabled and SID filtering is
disabled. Type:
netdom trust contoso.local /quarantine /enablesidhistory:yes /domain:priv.contoso.local
The output should indicate either Enabling SID history for this
trust or SID history is already enabled for this trust.
The output should also indicate that SID filtering is not enabled
for this trust. See http://technet.microsoft.com/en-us/library/cc772816(v=WS.10).aspx for more information.
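The same two settings can be read from the trust object itself, which is useful for monitoring because this configuration widens which SIDs the CORP forest accepts. The following script is an added example, not part of this guide; it assumes the Active Directory module is available on CORPDC and decodes the trustAttributes bit values documented in MS-ADTS (0x4 QUARANTINED_DOMAIN, 0x8 FOREST_TRANSITIVE, 0x40 TREAT_AS_EXTERNAL).

```powershell
# Added check (not from the guide): read the CORP-side trust object for the PRIV forest
# and decode the TrustAttributes bits that govern SID filtering and SID history.
Import-Module ActiveDirectory

function Get-PamTrustSidPolicy {
    param(
        [string]$TrustingDomain = 'contoso.local',      # CORP domain that holds the trust object
        [string]$TrustedDomain  = 'priv.contoso.local'  # PRIV forest named on the trust
    )
    $t = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $TrustingDomain -Properties TrustAttributes
    if (-not $t) { throw "No trust to $TrustedDomain found in $TrustingDomain" }

    # Bit values from the MS-ADTS trustAttributes definition
    $QUARANTINED       = 0x4    # SID filtering (quarantine) on: SIDs from the trusted side are dropped
    $FOREST_TRANSITIVE = 0x8    # this is a forest trust rather than an external trust
    $TREAT_AS_EXTERNAL = 0x40   # forest trust that lets SID history pass (netdom /enablesidhistory:yes)

    $attr = [int]$t.TrustAttributes
    $isForest = [bool]($attr -band $FOREST_TRANSITIVE)
    [pscustomobject]@{
        Trust             = $t.Name
        Direction         = $t.Direction
        ForestTransitive  = $isForest
        SidFilteringOn    = [bool]($attr -band $QUARANTINED)
        # On an external (non-forest) trust SID history is governed by the quarantine bit alone.
        SidHistoryEnabled = if ($isForest) { [bool]($attr -band $TREAT_AS_EXTERNAL) } else { -not [bool]($attr -band $QUARANTINED) }
        RawAttributes     = ('0x{0:X}' -f $attr)
    }
}

$p = Get-PamTrustSidPolicy
$p | Format-List
if ($p.SidFilteringOn -or -not $p.SidHistoryEnabled) {
    Write-Warning "Trust $($p.Trust) will not pass the PRIV shadow-group SIDs; PAM elevation will fail."
}
```

Because SID filtering is deliberately disabled here, record the RawAttributes value once the lab works and alert if the trust object changes afterwards.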
Creates a new group in the PRIV forest with the same SID (Security Identifier)
as a group in the CORP forest, and an object in the MIM Service database
corresponding to the group in the PRIV forest.
For each user account, the cmdlet creates two objects in the MIM Service
database, corresponding to the user in the CORP forest and the new user
account in the PRIV forest.
Creates a PAM Role object in the MIM Service database.
In this prerelease preview, the cmdlets need to be run once for each group, and
once for each member of a group. (Note that the migration cmdlets do not change
or modify any users or groups in the CORP forest; that is to be done manually by the
PAM administrator subsequently.)
Import-Module MIMPAM
$pg = Get-PAMGroup
$sj = Get-PAMUser -SourceDisplayName "Jen"
$pr = New-PAMRole -DisplayName "CorpAdmins" -Privileges $pg -Candidates $sj
b. If you have reached this from step 5 and are not using the
preconfigured VMs, launch PowerShell and run the following
commands, specifying the CORP domain admin
(CONTOSO\Administrator) password where prompted:
Import-Module MIMPAM
Import-Module ActiveDirectory
$ca = Get-Credential -UserName CONTOSO\Administrator -Message "CORP forest domain admin credentials"
$pg = New-PAMGroup -SourceGroupName "CorpAdmins" -SourceDomain CONTOSO.local -SourceDC CORPDC.contoso.local -Credentials $ca
$sj = New-PAMUser -SourceDomain CONTOSO.local -SourceAccountName Jen
$jp = ConvertTo-SecureString "Pass@word1" -AsPlainText -Force
Set-ADAccountPassword -Identity priv.Jen -NewPassword $jp
Set-ADUser -Identity priv.Jen -Enabled 1
Add-ADGroupMember "Protected Users" priv.Jen
Next, you will transition a user who is currently a group member to JIT elevation, and
then verify that cross-forest access rights are effective for the user's administrator
account.
3. On CORPDC, remove Jen's account from the CONTOSO CorpAdmins group, if it is
still present.
a. Log into CORPDC as CONTOSO\Administrator.
b. Launch PowerShell, run the following command and confirm the
change.
c. When prompted, type the password for the PRIV.Jen account. A new
command prompt window will appear.
d. When the PowerShell window appears, change to that window and type
the following commands (note that all subsequent interactions are
time-sensitive).
Import-Module MIMPAM
$r = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" }
New-PAMRequest -Role $r
klist purge
g. Type the password for the PRIV.Jen account. A new command prompt
window will appear.
3. Validate the elevated access.
a. In the newly opened window, type the following commands.
whoami /groups
dir \\corpwkstn\corpfs
If the dir command fails with the error message Access is denied,
then re-check the trust relationship.
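Instead of reading the whoami output by eye, the check can be scripted from the same elevated window. This is an added example and not part of the guide; it assumes it runs on CORPWKSTN inside the window opened with runas as PRIV.Jen (so the CONTOSO name resolves locally) and uses only .NET identity classes, so the AD module is not required.

```powershell
# Added check (not from the guide): run inside the runas window opened as PRIV.Jen.
# Resolves the CORP group's SID, looks for it in the current token, and tests the share.
function Test-PamElevation {
    param(
        [string]$CorpGroup = 'CONTOSO\CorpAdmins',   # group named in the share and NTFS ACLs
        [string]$SharePath = '\\corpwkstn\corpfs'    # share created in step 1
    )
    # The CORP group SID is what the PRIV shadow group injects into the token via SIDHistory.
    $expected = ([System.Security.Principal.NTAccount]$CorpGroup).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value

    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $hasSid = $id.Groups | Where-Object { $_.Value -eq $expected }

    [pscustomobject]@{
        RunningAs     = $id.Name                   # expected PRIV\priv.Jen
        ExpectedSid   = $expected
        SidInToken    = [bool]$hasSid
        ShareReadable = (Test-Path -Path $SharePath)
    }
}

$e = Test-PamElevation
$e | Format-List
if (-not $e.SidInToken) {
    Write-Warning "CORP group SID is not in the token: the request may not be approved yet, or the window was opened before 'klist purge'; open a new runas window, or re-check the trust."
} elseif (-not $e.ShareReadable) {
    Write-Warning "SID present but share unreadable; check the share and NTFS ACLs on CORPWKSTN."
}
```

Run it again after the elevation interval expires and start a fresh runas window: SidInToken should then be False, which is the time-limited behaviour the guide describes.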
4. (Optional) Elevate by requesting privileged access via the PAM sample portal.
a. On CORPWKSTN, ensure that you are logged in as CORP\Jen and a DOS
command window is open.
b. Type the following command.
runas /user:Priv.Jen@priv.contoso.local "c:\program files\Internet Explorer\iexplore.exe"
c. When prompted, type the password for the PRIV.Jen account. A new
web browser window will appear.
d. Navigate to http://pamsrv.priv.contoso.local:8090 and ensure that a
web page from the sample portal is visible.
e. In Internet Explorer, select Tools, Internet Options and change to the
Security tab.
f. Click on the Local intranet zone, click Sites, click Advanced, and add
the website to the zone. Close the Internet Options dialogs.
In this environment you can also learn how to develop applications which use the
PAM REST API to elevate. For more information, download the MIM PAM REST API
reference document from the connect site.
Summary
Once you have completed the steps in this test lab guide, you have demonstrated a
privileged access management scenario, in which user privileges are elevated for a
limited amount of time, allowing the user to access protected resources with a
separate privileged account. As soon as the elevation session expires, the privileged
account can no longer access the protected resource. The decision about which
security groups represent privileged roles is coordinated by the PAM administrator.
Once access rights are migrated to the privileged access management system, access
that was previously possible with the original user account is now possible only by
logging in with a special privileged account, and is made available only upon
request. As a result, memberships in highly privileged groups are effective for a
limited amount of time.
ID  | Event Details
82  | Add User to AD Group Activity Started.
    | Request ID: <Request ID>
    | PAM Request: <Request Display Name>
Date             | Applied Changes
March 4, 2015    | Update instructions for configuring MIM monitoring and component services
November 7, 2014 | Updated URL
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy
of any information presented after the date of publication.
The Test Lab Guide is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing
of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be
inferred.
© 2015 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are
either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.