Hello everyone, my name is still David Loder, and I’m still a PFE out of Detroit, Michigan. Hopefully you’ve read Securing Privileged Access for the AD Admin – Part 1. If not, go ahead. We’ll wait for you. Now that you’ve started implementing the roadmap, and you’re reading this with your normal user account (which no longer has Domain Admin rights), we’ll continue the journey to a more secure environment. Recall that the overarching goal is to create an environment that minimizes tier-0 and, in doing so, establishes a clear tier-0 boundary. This requires understanding the tier-0 equivalencies that currently exist in the environment and either planning to keep them in tier-0 or moving them out to a different tier.
Privileged Access Workstations (PAWs) for AD Admins
You’ve (hopefully) gone through the small effort to have a credential whose only purpose is to manage AD. Let’s assume you now need to go do some actual administering. The only implementation that prevents any expansion of your tier-0 equivalencies would be to physically enter your data center and log on directly at the console of a Domain Controller. But that’s not very practical, for any number of obvious reasons, and I think everyone would agree that an AD Admin being able to perform admin tasks remotely, rather than from a DC console, is a huge productivity gain. Therefore, you now need a workstation.
I’m going to guess that most of you use the one workstation that was handed out by your IT department. That workstation which uses the same base image as every other employee’s in the organization. That workstation which is designed to be managed by your IT department for ease of support. Yes, that workstation.
Recall that last time we spent almost all our time talking about tier-0 equivalencies. Guess what? I’m going to sound like a broken record. Item #3 from our elevator speech in Part 1 stated “Anywhere that tier-0 credentials are used is a tier-0 system.” What is the new system we just added to tier-0? That workstation. Now, any process that has administrative control over that workstation is a tier-0 equivalency. Consider patching, anti-virus, inventory and event log consolidation. Is each of those running as Local System on your workstation and managed by a service external to the laptop? Check, check, check and check. Does it have Helpdesk personnel as local admins? Check. I’ll ask again: how big is your tier-0?
I hear some of you starting to argue, ‘I don’t actually log on to my workstation with my AD admin credential, I use [X].’ What if you use RunAs? That workstation is still a tier-0 system. What if you use it to RDP into a jump-box? That workstation is still a tier-0 system. What if you have smartcard logons? Still a tier-0 system. In every one of those cases the secret (the password you type, the smartcard PIN, or a logon session that can act as you) passes through the memory and input path of that workstation, and anything with administrative control of the workstation can capture it or ride along with it. Some of the supplemental material goes into the details of the various logon types, but the simple concept is ‘secure the keyboard.’ Whatever keyboard you’re using to perform tier-0 administration is a tier-0 system.
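The question the paragraph above leaves you with is “where are my tier-0 credentials actually being used today?” The following script is an added example, not code from the original post: it reads the Kerberos TGT (4768) and NTLM credential validation (4776) events from every DC and lists each host a tier-0 account authenticated from. The PAW names are placeholders, and it assumes the DCs audit Kerberos Authentication Service and Credential Validation, that remote event log reads are allowed through the firewall, and that you run it as a tier-0 admin from a PAW with RSAT installed.

```powershell
# Added example, not code from the original post: find out where tier-0
# credentials are actually being used by reading authentication events from
# every DC. Every host that shows up is, by item #3 of the elevator speech,
# a tier-0 system whether you planned it or not.
#
# Assumptions (mine, not the post's): $PawNames holds placeholder PAW hostnames;
# the DCs audit "Kerberos Authentication Service" (event 4768) and
# "Credential Validation" (event 4776); the firewall allows remote event log
# reads; you run this as a tier-0 admin from a PAW with RSAT installed.

Import-Module ActiveDirectory

$PawNames = @('PAW-ADM01', 'PAW-ADM02')          # placeholder PAW names
$LookBack = (Get-Date).AddDays(-7)

# Tier-0 credentials: every user reachable through the AD admin groups
# (Builtin Administrators, Domain Admins and Enterprise Admins are equivalent).
$Tier0Users = foreach ($g in 'Administrators', 'Domain Admins', 'Enterprise Admins') {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName
    } catch { Write-Warning "Skipping group '$g': $_" }   # e.g. Enterprise Admins outside the root domain
}
$Tier0Users = @($Tier0Users | Sort-Object -Unique)

function ConvertFrom-EventData {
    # Flatten the <EventData> of a Windows event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data
}

$filter = @{ LogName = 'Security'; Id = 4768, 4776; StartTime = $LookBack }
$hits = foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
    try   { $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop }
    catch { Write-Warning "No readable events on ${dc}: $_"; continue }

    foreach ($ev in $events) {
        $d    = ConvertFrom-EventData $ev
        $user = ($d.TargetUserName -split '@')[0]       # 4768 may carry a UPN
        if ($Tier0Users -notcontains $user) { continue }

        if ($ev.Id -eq 4768) {
            # Kerberos TGT request: the source is an IP such as "::ffff:10.0.0.5".
            $ip = $d.IpAddress -replace '^::ffff:', ''
            try   { $source = [System.Net.Dns]::GetHostEntry($ip).HostName }
            catch { $source = $ip }
            $proto = 'Kerberos'
        } else {
            # NTLM credential validation: the source is the workstation name.
            # Any NTLM use by a tier-0 account deserves a look on its own.
            $source = $d.Workstation
            $proto  = 'NTLM'
        }
        [pscustomobject]@{ User = $user; Source = $source; Protocol = $proto; DC = $dc; Time = $ev.TimeCreated }
    }
}

# Anything not coming from a PAW is a tier-0 system you did not plan for.
$hits |
    Where-Object { ($_.Source -split '\.')[0] -notin $PawNames } |
    Group-Object User, Source, Protocol |
    ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            User     = $_.Group[0].User
            Source   = $_.Group[0].Source
            Protocol = $_.Group[0].Protocol
            LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

One caveat that reinforces the point of the paragraph: the DC records the host that performed the authentication. If you RDP from your corporate desktop into a jump box and type the tier-0 password there, the jump box is what shows up in this report; the desktop whose keyboard you typed on does not, even though it saw every keystroke. The log tells you part of your tier-0 footprint; “secure the keyboard” covers the rest.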
Now that we’ve established that your workstation really is a tier-0 system, let’s treat it as such. Start acting like your workstation is a portable Domain Controller. Think of all those plans, procedures and systems you have in place to manage the DCs. You need to start using them to manage your workstation. My fellow PFE Jerry Devore has an in-depth look at creating a PAW to be your admin workstation.
Should your PAW be a separate piece of hardware? Preferably, yes. That way it is only online when it needs to be used, helping to keep the expansion of tier-0 to the minimum necessary. If your organization can’t afford separate hardware you can virtualize on one piece of hardware. But the virtualization needs to occur in the opposite direction from what you might ordinarily expect. The PAW image still runs as the host, and your corporate desktop is virtualized inside it as a guest. A host controls everything its guests do, while a guest has no legitimate path into its host, so this keeps a compromise of your unprivileged desktop from elevating access into your PAW. Running the PAW as a guest on top of the corporate desktop would do the opposite: whoever owns the desktop owns the PAW.
This is another big step/small step decision. PAWs will be a change for your organization. If you can start small by implementing them for a few AD Admins, you can show your enterprise that using PAWs is a sustainable model. At later phases in the roadmap you can expand PAWs to more users.
With a PAW in place you now have a tier-0 workstation for your tier-0 credential to manage your tier-0 asset. Congratulations, by implementing the first two steps down the SPA roadmap, you now have the beginnings of a true tier-0 boundary.
Unique Local Admin Passwords for Workstations
So far, we’ve been talking about protecting your personal AD Admin accounts. But everyone knows AD has its own built-in Administrator account that is shared across all DCs. Ensure you have some process in place to manage that specific “break in case of fire” account. Maybe two Domain Admins each manage half of the password, and those halves are securely stored. The point is: have a procedure for managing this one account. Be careful if you decide to implement an external system to manage that password. Do you want that external system to become tier-0 just to manage one AD Admin account? I can’t answer that question for you, but I can point out that it is a tier-0 boundary decision. Your new PAWs, on the other hand, will each have their own built-in local Administrator account. How do we practically secure those multiple Administrator accounts without increasing the size of tier-0?
The answer is to implement Microsoft’s Local Administrator Password Solution (LAPS). Simply put, LAPS is a Group Policy Client Side Extension (CSE), available for you to deploy at no additional cost. It will automatically randomize the local Administrator password on your tier-0 PAWs on an ongoing basis, store that password in AD on the computer’s own object (in an attribute that only explicitly permitted principals can read) and allow you to securely manage its release to authorized personnel (which should only be the tier-0 admins). Since the PAW and AD are both already tier-0 systems, using one to manage the other does not increase the size of tier-0. That fits our goal of minimizing the size of tier-0.
These new PAWs that you just introduced into the environment also become the perfect place to begin a pilot deployment of LAPS. Install the CSE on the PAWs, create a separate OU to hold the PAW computer objects, create the LAPS GPO and link it to the PAW OU. You’ll never have to worry about the local admin password on your PAW again. As another big step/small step decision, using LAPS to manage the new PAWs should be an easier step than starting out using LAPS for all your workstations.
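The pilot steps above, scripted end to end, as an added example that is not code from the original post. It uses the management module (AdmPwd.PS) that ships with the original LAPS installer. It assumes an OU=Tier0 container already exists under the domain root, that the reader group name, PAW OU name and PAW computer name are placeholders you will rename, that the LAPS management tools are installed on the PAW you run it from, and that your tier-0 account is in Schema Admins for the one-time schema step.

```powershell
# Added example, not code from the original post: the LAPS pilot described
# above, scripted with the management module (AdmPwd.PS) that ships with the
# original LAPS installer. Assumptions (mine, not the post's): OU=Tier0 already
# exists under the domain root; the group name, OU name and PAW name are
# placeholders; the LAPS management tools are installed on the PAW you run
# this from; your tier-0 account is in Schema Admins for the one-time step 1.

Import-Module AdmPwd.PS
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain      = (Get-ADDomain).DistinguishedName           # e.g. DC=corp,DC=example
$Tier0OU     = "OU=Tier0,$Domain"                           # placeholder parent OU
$PawOU       = "OU=PAW,$Tier0OU"                            # placeholder OU for PAW computer objects
$ReaderGroup = 'Tier0-LAPS-Readers'                         # placeholder: tier-0 admins only
$GpoName     = 'LAPS - PAW'

# 1. One-time: add ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# 2. A separate OU for the PAW computer objects, so the GPO's scope is exactly the PAWs.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=PAW)' -SearchBase $Tier0OU -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'PAW' -Path $Tier0OU
}

# 3. Each PAW may write its own password and expiry; only the reader group may
#    read the password or force a reset. Nobody else in the forest can read it.
Set-AdmPwdComputerSelfPermission  -OrgUnit $PawOU
Set-AdmPwdReadPasswordPermission  -OrgUnit $PawOU -AllowedPrincipals $ReaderGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $PawOU -AllowedPrincipals $ReaderGroup

# 4. The LAPS GPO. The CSE reads these values from the AdmPwd policy key.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$key = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
$settings = @{
    AdmPwdEnabled                  = 1    # turn password management on
    PasswordComplexity             = 4    # upper, lower, digits and specials
    PasswordLength                 = 20
    PasswordAgeDays                = 30
    PwdExpirationProtectionEnabled = 1    # the client may not push expiry past the policy
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}

# 5. Link the GPO to the PAW OU only.
$linked = (Get-GPInheritance -Target $PawOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $PawOU | Out-Null }

# 6. Verify who can read the passwords, then fetch one once a PAW has applied the policy.
Find-AdmPwdExtendedRights -Identity $PawOU | Select-Object -ExpandProperty ExtendedRightHolders
Get-AdmPwdPassword -ComputerName 'PAW-ADM01' | Select-Object ComputerName, Password, ExpirationTimestamp
```

Step 6 is the tier-0 boundary check: Find-AdmPwdExtendedRights lists every principal holding “All extended rights” on the OU, which is enough to read the password attribute, so anything listed beyond your reader group and the built-in tier-0 groups is a leak to fix before the pilot grows. The newer Windows LAPS built into Windows has its own module with equivalent cmdlets (Set-LapsADComputerSelfPermission, Set-LapsADReadPasswordPermission, Get-LapsADPassword); the OU, permission and GPO model is the same.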
If you’re interested in how LAPS helps combat Pass-the-Hash attacks, Microsoft has published several additional resources on the subject.
Unique Local Admin Password for Servers
Building on your previous work of deciding where you want your tier-0 boundary to be, start running LAPS on those member servers that are going to remain part of tier-0. Again, a smaller step than LAPS everywhere, and not much else to say on the subject. By this point you should be familiar with LAPS and are just expanding its usage.
End of the Stage 1 and the Roads Ahead
If you expand LAPS to cover all workstations and all servers, congratulations, you have now followed the roadmap to the end of Stage 1.
Stage 2 and Stage 3 of the roadmap involve expanding the use of PAWs to all administrators, implementing advanced credential management that begins to move you away from password-only credentials, minimizing the amount of standing, always-on admin access, implementing the tier-0 boundary you already decided upon, and increasing your ability to detect attacks against AD. You can also start looking at implementing Windows Server 2016 and taking advantage of some of its newest security features.
In these stages, we’re looking at implementing new capabilities that defend against more persistent attackers. As such, these will take longer to implement than Stage 1. But if you’ve already gotten people familiar with the tiering model and talking about your tier-0 boundary, you’ll have an easier time implementing this guidance, with less resistance, as all the implementations are aligned to the singular goal of minimizing your tier-0 surface area.
2.1. PAW Phases 2 and 3: all admins and additional hardening
Get a PAW into the hands of everyone with admin rights to separate their Internet-using personal productivity end user account from their admin credentials. Even if they’re still crossing tiers at this point in time, there is now some separation from the most common compromise channel.
2.2. Time-bound privileges (no permanent admins)
If an account has no admin rights, is it still an admin credential? The least vulnerable administrators are those with standing admin access to nothing. We provide tooling in current versions of both AD (time-limited group membership through the Privileged Access Management feature, available from the Windows Server 2016 forest functional level) and Microsoft Identity Manager to deliver this functionality.
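What the AD side of that tooling looks like in practice, as an added example that is not code from the original post: a tier-0 account is made a Domain Admin for four hours and the DC removes it when the time-to-live expires. It assumes the forest is at the Windows Server 2016 forest functional level, that the account name is a placeholder, and that you run it as a tier-0 admin from a PAW. Enabling the optional feature is a one-way, forest-wide change.

```powershell
# Added example, not code from the original post: time-bound membership in a
# tier-0 group using the Privileged Access Management (PAM) optional feature
# of Active Directory (Windows Server 2016 forest functional level or later).
# Assumptions (mine, not the post's): the account name is a placeholder; you
# run this as a tier-0 admin from a PAW. Enabling the feature cannot be undone.

Import-Module ActiveDirectory

$Forest = (Get-ADForest).Name                    # e.g. corp.example
$Admin  = 'adm0-dloder'                          # placeholder tier-0 account

# One-time, forest-wide: turn on the PAM optional feature.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# Grant Domain Admins for four hours. The DC drops the member when the TTL
# expires, and the Kerberos tickets it issues to the account are capped at
# the remaining TTL, so the privilege really does end when the timer does.
Add-ADGroupMember -Identity 'Domain Admins' -Members $Admin -MemberTimeToLive (New-TimeSpan -Hours 4)

# Review: list every member with its remaining TTL. Members that come back
# without a <TTL=...> prefix are the permanent ones the roadmap wants gone.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member |
    ForEach-Object {
        if ($_ -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $matches[2]; SecondsRemaining = [int]$matches[1] }
        } else {
            [pscustomobject]@{ Member = $_; SecondsRemaining = 'permanent' }
        }
    } | Sort-Object Member | Format-Table -AutoSize
```

The review at the end is the useful part for a recurring check: once everyone who needs Domain Admins is getting it with a TTL, any row that reads “permanent” is either a break-glass account you manage deliberately or a finding.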
2.3. Multi-factor for time-bound elevation
Passwords are no longer a sufficient authentication mechanism for administrative access. Having to breach a secondary channel significantly increases the attacker’s costs.
2.4. Just Enough Admin (JEA) for DC Maintenance
Allowing junior or delegated Admins to perform approved tasks, instead of having to make them full admins, further reduces the tier-0 surface area. You can even consider delegating access to yourself for common actions you perform all the time, fully eliminating work tasks that require the use of a tier-0 credential.
2.5. Lower attack surface of Domain and DCs
This is where all the up-front work of understanding and defining your tier boundaries pays off in spades. When you reach this step, no one should be surprised about what you intend to do. If you’ve decided to keep tier-0 small and are isolating the security infrastructure management from the general Enterprise management, everyone has already agreed to that. If you’ve decided that you must keep some of those systems as tier-0, you’ve hardened them like they are DCs and have elevated the maturity of those admins to treat their credentials like the tier-0 assets they are.
2.6. Attack Detection
Advanced Threat Analytics (ATA) in action, providing visibility into exactly what your DCs are doing, will likely be an eye-opening revelation for most environments. Consider this your purpose-built Identity SIEM instead of simply a dumping ground for events in general.
And, while not officially on
the roadmap at this time, if you have SCOM, take a look at the great work some
of our engineers have put into the Security Monitoring Management Pack.
3.1. Modernize Roles and Delegation Model
This goes together with lowering the attack surface of the Domain and DCs. You can’t accomplish that reduction without providing alternate roles and delegations that don’t require tier-0 credentials. You should be trying to scope tier-0 AD admin activity to actions like patching the OS and promoting new DCs. If someone isn’t performing a task along those lines, they likely are not a tier-0 admin and should instead be delegated rights to perform the activity rather than be a Domain Admin.
3.2. Smartcard or Passport Authentication for all admins
More of the same advice: you need to start eliminating passwords from your admins.
3.3. Admin Forest for Active Directory administrators
I’m sure your AD environment is perfectly managed. All the legacy protocols have been disabled, and you have control over every account (human or service) that has admin rights on any DC. In essence, you’ve already been doing everything in the roadmap.
Your environment doesn’t look like that? Sometimes it’s easier to admit that it’s going to be too difficult to regain administrative control over the current Enterprise forest. Instead, you can implement a new, pristine environment right out of the box and shift your administrative control to this forest. Your current Enterprise forest is left mostly alone due to all the app-compat concerns that go along with everything that’s been tied to AD. We have lots of guidance and implementation services to help make sure you build this new forest right and ensure it’s only used for administration purposes. That way you can turn on all the new security features to protect your admins without fear of breaking the old app running in some forgotten closet.
3.4. Code Integrity Policy for DCs (Server 2016)
Your DCs should be the most controlled, purpose-built servers in your environment. Creating a policy that locks them down to exactly what you intended helps keep tier-0 from expanding, as your DCs can’t just start running new code that isn’t already part of their manifest.
3.5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric)
I remember the first time I saw a VM POST and realized what a game-changer virtualization was going to be. Unfortunately, it also made walking out the door with a fully running DC as easy as copy/paste. With Shielded VMs you can now enforce boundaries between your Virtualization Admins and your AD Admins. You can allow your virtualization services to operate at tier-1 while being able to securely host tier-0 assets without violating the integrity of the tier boundary. Can you say “Game changer”?
Don’t Neglect the Other Tiers
While this series focused on tier-0, the methodology of tackling the problem extends to the other tiers as well. This exercise was fundamentally about segmentation of administrative control. What we’ve seen is that, over the years, unintentional administrative control gets granted and then becomes an avenue for attack. Be especially on the lookout for service accounts that are local admin on lots of systems, and understand how those credentials are used and whether they are present on those endpoints in a manner that allows them to be reused for lateral movement. If you’ve gone through the effort to secure tier-0 but you have vulnerable credentials with standing admin access to all of tier-1, where your business-critical data is stored, you probably haven’t moved the needle as much as you need to. Ideally you get to the point where the compromise of a single workstation or a single server is contained to that system and doesn’t escalate into a compromise of most of the environment.
I know this has been a lot of guidance over these two posts. Even if you can’t do everything, I know you can do something to improve your environment. Hopefully I provided some new insight into how you can make your environment more secure than it is currently and exposed you to the volumes of guidance in the SPA roadmap. Now get out there and start figuring out where your tier-0 boundary is and where you want it to be!
Thanks for spending a little bit of your time with me.
Hello again, my name is still David Loder, and I’m still a PFE out of Detroit, Michigan. I have a new confession to make. I like cat videos. Your end users like cat videos. You may like cat videos yourself. Microsoft will even help you find cat videos. Unfortunately, cat videos may have it out for you and your environment. How do you keep your environment secure when malicious cat videos are out there, waiting to pounce?
Microsoft has a significant amount of published guidance around Securing Privileged Access (SPA), Privileged Access Workstations and the Administrative Tier Model. My fellow PFEs have also contributed their own great thoughts around these topics. Go browse through our Security tagged posts to get easy access to them. As for myself, prior to joining Microsoft I was staff IT in the security department for a large, global corporation, where we operated in a tiered administrative model and had implemented many, though not all, of the defenses highlighted in the SPA roadmap. So I’d like to share my perspective on the items in the roadmap and the practical implications from an Active Directory Administrator point of view.
But first a caveat for this series of articles. I love the SPA roadmap. I espouse its virtues to all my customers and anyone else who will listen. But there are times where the SPA roadmap takes a big step, and I know it can sometimes be difficult to get the people in charge to agree to a big step. In all the cases where I point this out it is possible to take a smaller step by limiting the scope and focusing solely on AD. I have a different purpose for this series of articles than the SPA roadmap itself. I want you to actually implement the guidance. That’s a shocking statement, I know. Despite all the guidance, I still walk into environments that haven’t implemented a single piece of it. Maybe they don’t know this guidance exists. Maybe they think they aren’t a target. Maybe they think the guidance doesn’t apply to them. My hope with this series is that a few more people know about the guidance, understand why they should care and have an easier time convincing others in their organization that the roadmap guidance should be implemented. Security is a journey. Through no fault of your own, the rules have changed. What you did to secure your environment yesterday is no longer sufficient for today’s reality. So, let’s get started.
Separate Admin Account for Admin Tasks
This is an easy one, right? Nothing about this guidance is new. It ranks right up there with not browsing the Internet from a server. But I am constantly seeing environments where normal user accounts, which have a mailbox and browse the Internet for cat videos, are also in the Domain Admins group. Stop this. Stop this now. You need a separate credential for administrative tasks. Come up with a naming convention and a process to get an admin account for anyone who does admin work.
I know some of you are smiling and thinking to yourself ‘of course we do this; the admins get their ADM_username accounts for performing admin work’ (or their $username or their username.admin or whatever convention you use). But have you made the correlation between tiering and admin accounts? To fully implement the guidance, a user with admin rights must have a separate admin account per tier! Let that sink in for a minute. In a three-tier model, the AD Admins may require four separate credentials: user (non-privileged), tier-2 (workstation) admin, tier-1 (server) admin and tier-0 (security infrastructure) admin. This guidance is designed to avoid having a credential that has admin rights in multiple tiers. A credential that is only ever used in one tier can only be stolen from systems in that tier, so a pass-the-hash attack that harvests it from a lower tier gains nothing in a higher tier.
Now for the practical part. Yes, this gets hard to do. You may have processes in place that will get a second credential to admin users, but they weren’t designed to get them four. Maybe you have clear separation between server admins and workstation admins, so no one will need all four. We want the guidance to be actionable and, most importantly, to protect tier-0. Guidance that isn’t followed because it is too burdensome isn’t valuable. At a minimum, your AD Admins should have three accounts: user, admin, tier-0 admin. And your goal is to minimize the scope of tier-0. Tier-0 admin accounts should only be managed by other tier-0 admin accounts and not by a tier-1 system. Please don’t have your normal Identity Management (IdM) system try to manage AD Admin accounts. You’ll either fight with AdminSDHolder (the SDProp process periodically rewrites the ACL of every protected admin account from the AdminSDHolder template, undoing any delegation you grant on those accounts) or you’ll have to grant your IdM system Domain Admin rights, and neither of those is a good choice.
Tier 0 – Direct Control of enterprise identities
in the environment. Tier 0 includes accounts, groups, and other assets that
have direct or indirect administrative control of the Active Directory forest,
domains, or domain controllers, and all the assets in it. The security
sensitivity of all tier 0 assets is equivalent as they are all effectively in
control of each other.
Control of a tier-0 system means control of the entire environment. The very nature of Active Directory means there should be at least two tiers in the environment: AD itself, and everything else. Splitting between tiers isn’t a hard and fast line. The tiering is there to provide a security boundary that is supposed to be difficult to cross. You can certainly have user workstations that might need to be treated more like a tier-1 system because of the value they hold. The point is that your organization must decide which security boundaries should exist that define the tiers and the systems contained within those tiers. This is especially true of tier-0.
At a minimum tier-0 will contain Active Directory; specifically, the writeable Domain Controllers and the AD Admin credentials. Those credentials are any account that is a member of Domain Admins, Enterprise Admins, Builtin Administrators, etc. These groups are all equivalent. Don’t think being a Builtin Administrator is somehow more secure or different than being a Domain Admin.
What else is tier-0? Look in your AD Admin groups. Every account in them is a tier-0 credential. Ideally, they are credentials only for people and they are unique to the management of AD infrastructure, following a naming convention that distinguishes them from your normal tier-1 admin accounts. In other words, the tier-0 credentials that are members of the AD Admin groups must be used for the sole purpose of managing AD infrastructure and for nothing else.
If you have service accounts in your AD Admin groups, those service accounts are tier-0 credentials. The servers where those service accounts are used are tier-0 systems. Anyone who is an administrator on those servers has access to tier-0 credentials. Do you see how quickly this grows? While you may normally think of just AD as being tier-0, your tier-0 equivalency may be immense. In fact, you may not have a tier-1 or tier-2 layer at all. It is possible that you are operating an environment where everything is tier-0.
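Both the mailbox-owning user accounts in Domain Admins from the start of this post and the service accounts just described can be found with one inventory of the AD admin groups. The following is an added example, not code from the original post: it flattens nested membership and flags, per account, the signs that it is a daily-use account, a service account, or simply not named like a tier-0 credential. The tier-0 naming prefix is a placeholder for your own convention, and it assumes you run it as a tier-0 admin from a PAW with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not code from the original post: inventory the credentials that
# are tier-0 by group membership and flag the two problems the post calls out:
# normal user accounts (with a mailbox) in the AD admin groups, and service
# accounts in them. Assumptions (mine, not the post's): the 'adm0-' prefix is
# a placeholder for your own tier-0 naming convention; run as a tier-0 admin
# from a PAW with the RSAT ActiveDirectory module installed.

Import-Module ActiveDirectory

$Tier0Prefix = 'adm0-'                 # placeholder naming convention for tier-0 accounts
$AdminGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
               'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
$props = 'mail', 'servicePrincipalName', 'PasswordNeverExpires', 'LastLogonDate', 'adminCount'

$report = foreach ($g in $AdminGroups) {
    # -Recursive flattens nested groups: every user reachable through the group
    # holds the group's rights, however deeply it is nested. Members from other
    # domains come back as foreignSecurityPrincipal and need a separate look.
    try   { $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop }
    catch { Write-Warning "Skipping group '$g': $_"; continue }

    foreach ($m in ($members | Where-Object objectClass -eq 'user')) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties $props
        $flags = @()
        if ($u.mail)                                         { $flags += 'has-mailbox' }       # a daily-use account
        if ($u.servicePrincipalName)                         { $flags += 'has-SPN' }           # looks like a service account
        if ($u.PasswordNeverExpires)                         { $flags += 'pwd-never-expires' } # also typical of service accounts
        if ($u.SamAccountName -notlike "$Tier0Prefix*")      { $flags += 'not-tier0-named' }
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt (Get-Date).AddDays(-90)) { $flags += 'stale' }
        [pscustomobject]@{
            Tier0Group = $g
            Account    = $u.SamAccountName
            Enabled    = $u.Enabled
            Findings   = $flags -join ','
        }
    }
}

# One row per account, listing every tier-0 group it reaches.
$summary = $report | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Name
        Groups   = ($_.Group.Tier0Group | Sort-Object -Unique) -join ';'
        Findings = $_.Group[0].Findings
    }
}
$summary | Sort-Object Account | Format-Table -AutoSize
"Tier-0 credentials by group membership: $($summary.Count)"
"Needing attention: $(@($summary | Where-Object Findings).Count)"
```

The count at the end is the honest answer to “is it 5 or 100?” for the membership path only. Control granted through ACLs (for example write access to a Domain Admin’s object, or to AdminSDHolder itself) does not appear here and is the next thing to hunt once the groups are clean; the operator groups are included because their members can act on DCs and on protected accounts even though nobody thinks of them as Domain Admins.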
I will state again: the goal is to minimize tier-0. Your AD Admin groups should only have people in them, not service accounts. Use the delegation abilities within AD to grant those service accounts only the rights they need. Yes, it may be hard work to figure out what and where those rights are needed, but it’s the job that needs to be done to keep things that should be tier-1 from being tier-0.
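What that delegation looks like for the most common case, a password-reset service account that ended up in Domain Admins, as an added example that is not code from the original post. It grants the account the Reset Password extended right and write access to pwdLastSet on user objects under one OU, then removes it from Domain Admins. It also serves the earlier warning about AdminSDHolder: delegation like this only sticks on objects that are not protected by SDProp. The OU path and account name are placeholders; it assumes you run it as a tier-0 admin from a PAW with the RSAT ActiveDirectory module, which provides the AD: drive.

```powershell
# Added example, not code from the original post: the delegation the post asks
# for. Instead of leaving a password-reset service account in Domain Admins,
# grant it exactly "Reset Password" (plus the pwdLastSet write needed to force
# a change at next logon) on user objects under one OU.
# Assumptions (mine, not the post's): the OU and account names are placeholders;
# run as a tier-0 admin from a PAW; the ActiveDirectory module supplies AD:\.

Import-Module ActiveDirectory

$Domain   = (Get-ADDomain).DistinguishedName
$TargetOU = "OU=Staff,$Domain"                            # placeholder: the users the service manages
$SvcAcct  = Get-ADUser -Identity 'svc-helpdesk-pwreset'   # placeholder service account
$sid      = [System.Security.Principal.SecurityIdentifier]$SvcAcct.SID

# Schema GUIDs for the rights we delegate. These are the same in every forest.
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$pwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$TargetOU"
# ACE 1: Reset Password, applied to descendant user objects only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::ExtendedRight, $allow, $resetPassword, $inherit, $userClass))
# ACE 2: read/write pwdLastSet on descendant users, for "must change at next logon".
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $pwdLastSet, $inherit, $userClass))
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Now the account no longer needs to be tier-0. Remove it if it is still a member.
$isDA = Get-ADGroupMember -Identity 'Domain Admins' | Where-Object SID -eq $sid
if ($isDA) { Remove-ADGroupMember -Identity 'Domain Admins' -Members $SvcAcct -Confirm:$false }

# Verify: exactly the two intended ACEs exist for this principal on the OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($SvcAcct.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Two things to check after running it. First, the account must not be able to reset the password of any user with adminCount=1: SDProp rewrites the ACL of those objects from AdminSDHolder, so the delegation will not apply to them, which is the behaviour you want and also why a tier-1 IdM system cannot be allowed to manage tier-0 accounts without being made tier-0 itself. Second, the service account’s own object should live outside the OU it manages, or it can reset itself.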
What else is tier-0? Are your DCs virtualized? If so, your VM admins are tier-0 admins. Your VM platform is a tier-0 system. Your VM storage is a tier-0 system. Your storage admins are tier-0 admins. Do you see how quickly this grows? Hyper-V in Windows Server 2016 offers Shielded VMs to mitigate this risk.
What else is tier-0? What additional services run on your DCs? Which of those services are listening on the network and running as Local System? Which of them report into some kind of management console to receive instructions on what to do? Does that describe your SIEM agent, your anti-virus agent, your asset management agent, your configuration management agent? Your SIEM team has control over a tier-0 system. Your SIEM is a tier-0 system. Your AV platform is a tier-0 system. Your configuration platform is a tier-0 system. Do you have a standard corporate image that you use for all servers, including the servers that you will promote to become Domain Controllers? Everything added to that image has the possibility of being a tier-0 system. Do you see how quickly this grows?
What else is tier-0? Is your IdM system tier-0? Maybe. By our definition it should be, since it has direct control of the enterprise identities. What if it is only delegated rights to a specific set of OUs and it doesn’t use an AD Admin account to manage the users? If that system is compromised, is tier-0 compromised? The integrity of the AD infrastructure is still intact. It may no longer contain the user data you wanted it to contain, but you still have administrative control over AD and can more easily recover. Is that a bad day? Absolutely. But you can still point to a security boundary that wasn’t crossed. A defense-in-depth mindset would have more boundaries to cross when possible.
Control over your tier-0 equivalencies is likely the hardest part of the roadmap, which is why it practically shows up later in the roadmap. But I wanted to discuss it up front, as understanding the true nature of your own tier-0 definition is paramount to being able to have successfully implemented the roadmap at the end of the journey.
Now that we all understand the impact of tier-0 equivalencies, how many credentials in your enterprise (from both humans and service accounts) are tier-0 admins? Is it 5 or 100? How many do you want at that tier? 5 or 100? Personally, I’d vote for 5. Keep in mind that we’re focusing on credentials. This shouldn’t be a discussion about whether we trust, for example, the VM Admin team less than the AD one. It’s that the more credentials and systems that exist at tier-0, the more surface area we have to consider in an assumed-compromised state.
As a personal story from my previous life many years ago, the first time we had to integrate a non-AD workload into tier-0, we thought the sky was falling and it was the destruction of our security posture because a different team was suddenly involved. It took me a while to recognize that tier-0 doesn’t exclusively mean AD. Every organization will have a unique combination of workloads and roles that will be their tier-0, and that’s OK. What’s important is to define the boundary, then make every workload and every person in tier-0 operate to the same standard.
Once you and your organization have made your decision about defining your intended tier-0 boundary, go make totally separate admin accounts for those that you want to end up operating at tier-0. Yes, managing three or four credentials is more difficult than one. But you’re the AD admin for your enterprise, and if you aren’t taking the lead in enabling this change, no one else will do so. If you already have a separate admin account, but it’s crossing tier boundaries (existing or planned), go get your third credential. Making use of the third is almost no additional effort beyond a second credential. Here’s where you have one of those big step/small step decisions to make. If having separate admin accounts for everyone who does administration in your organization is too big of a change to make all at once, start small with only those admins who manage AD. Show everyone that the world doesn’t end if you have to manage separate credentials for AD Admin purposes.
Ensure you have proper procedures for creating and managing the new tier-0 admin credentials. My first preference is to manage them manually, outside of the scope of any IdM platform you have in place, with proper, proactive scheduled reviews. Hopefully you’ve caught on to the hints that managing tier-0 will be easier when it’s small. That allows manual management of tier-0 credentials to be successful. If you’re in a more mature organization, then you can look to a dedicated tier-0 IdM system that can manage these credentials.
To summarize this post into a 30 second elevator speech:
1. Active Directory Domain Controllers are tier-0 systems.
2. AD Admin credentials are tier-0 credentials.
3. Anywhere that tier-0 credentials are used is a tier-0 system.
4. Anything or anyone that has administrative control over any part of 1, 2 or 3 is also a tier-0 equivalency.
5. Keeping 1, 2, 3 and 4 small makes tier-0 easier to manage and more secure.
That’s it for now. The first step down the roadmap is both incredibly simple and incredibly hard at the same time. I want to give you a break to allow the full impact of the guidance to soak in. Check back in next week, where we’ll continue our discussion of the roadmap. But please, go create your separate AD Admin account right now. I shudder to think you’ve been reading this with a browser running under AD Admin credentials, with your cat videos playing in another tab.
On the TechNet Gallery I posted a script for reformatting the AADConnect Synchronization Rule Export file. WinDiff has a hard time showing the differences between two export files due to the similarity of the structure and the lack of rule sorting within the file. This script exports each rule into a separate file to allow one to perform a folder comparison.