• Donald Ashdown

Identity Access Management With Windows Server

Updated: Sep 14, 2020


What I intend to write about

The powers and capabilities of Windows Server Identity Access Management can be easily overlooked with so many third parties selling a custom solution with a heavy price tag. Although you can argue that third party software may at time have more capabilities, it is equally important to know what options are readily available and built into Windows Server.


Theory

  1. Identity

  2. Authentication

  3. Authorization

Where to start

  1. Where to start?

  2. What the bad guys want

Application


Identification and Authentication

  1. Azure Multi-Factor Authentication

  2. Microsoft Identity Management

  3. Federated Identity Management System

  4. SSO Single Sign-On

  5. RADIUS - Remote Access Dial-In User Service

Authorization

  1. Privilleged access management

  2. Privilleged access work stations

  3. Just-In-Time Administration

  4. Just-Enough Administration


Theory

A high level overview of the theory behind Identity Access Management rests on namely three pillars:

  • Identification

  • Authentication

  • Authorization


Identification

Identification is the process by which a method is established of ensuring that a user, object, or service is who they claim to be. Identification is a declaration of a unique identity and is the cornerstone of access controls. If identification has not been established it is impossible to provide attestation to whom or what a person or object may be, and their associated access levels or permissions.


Implementing proper identification process proofs accountability and non repudiation through the use of auditing and log collection. The provisioning of rights, privileges, profiles, applications, and services can then follow. with the end objective of binding a user to the appropriate controls and access throughout an environment.


Authentication

Authentication is concerned with verifying the identity of users. When the user requests access they provide their unique identification along with a set of private information that only the user would know such as a passphrase or MFA token response. The system is then able to verify the user is who they say they are and a trust relationship is formed between user and system. This opens the door for allocating privileges and resources.


Authorization

The final step Authorization, whereby resources and access levels are clearly defined, monitored and attested for. Access management is also largely referenced when looking at authorization. Access management is considered a security operation that prevents unauthorized users from gaining access to restricted areas of the network. This aids in addressing business objectives concerning confidentiality, integrity, availability and non-repudiation.


Where to start?

Identity Access Management is a huge subject with allot of content. With that being said we can start by going after some low hanging fruit such as Multifactor authentication, web access management, and privileged account management.


Multifactor authentication

Multifactor authentication or MFA establishes non repudiation which is defined as the assurance that someone cannot deny something. Or to proof someone is who they say they are. MFA has been around for a while but can be neglected by users if it is not simple or in a convenient form factor such as a phone app.


Must haves:

a. Should be user friendly

b. Has to be scaleable

c. Must be a convenient form factor


Web access management

Is the process of how people get to your web resources securely and safely while providing auditing and access control.


Must haves:

a. Flexible SSO

b. Secure remote access

c. Audit trail

d. Adaptive


Privileged account management

Is the process and policy of locking down accounts with privileged access as these are often hot targets for attackers and are commonly considered a priority by attacks as a post exploitation step.


Must haves:

a. Password vaulting

b. Session audit

c. Delegation


What do the bad guys want?

Malicious actors are not generally sophisticated and complex but rather display a proficiency in looking for low hanging fruit such as misconfigurations, unpatched machines or lack of monitoring/auditing in an environment. Some of the starting points for bad actors are following:

  • Steal credentials - Bad actors seek to steal passwords or password hashes with post exploit tools like meme katz. Or buying user credentials off the dark web. But if we have MFA then the credentials are not as useful.

  • Elevate to privileged access - Bad actors seek to elevate and acquire additional privileges. This can be prevented my utilizing managed or group managed service accounts, just enough access, just in time administration or privileged access work stations.

  • Compromise contractor, partner or employee access - Bad actors will go after vendors or contractors, so if we have proper Governance in place then those external entities will not have the access or privilege an attacker needs.

  • Brute force web portals - Running dictionary attacks or manually guessing passwords based of leaked information. This can be avoided with password/lock out policies and auditing combined with intrusion prevention and detection.

Protect your applications and data at the front gate with Microsoft identity and access management solutions. Defend against malicious login attempts and safeguard credentials with risk-based access controls, identity protection tools, and strong authentication options—without disrupting productivity.


Application


Identification and Authentication

  1. Azure Multi-Factor Authentication

  2. Microsoft Identity Management

  3. Federated Identity Management System

  4. SSO Single Sign-On

  5. RADIUS - Remote Access Dial-In User Service


Account password resets are an easy way to social engineer your way into a company. The only information needed is a user name, and the contact information of the IT department. In most cases the IT staff typically will reset a password if you phone and ask with no identity verification process.

Azure Multi-Factor Authentication

There are several options for setting up MFA with Azure such as:

  • Call to phone

  • SMS message to phone

  • Authentication app

  • Hardware Token

MFA can be configured quite easily from the portal after the initial set up by simply selecting users and enabling a specific MFA status. You can also do a bulk update which makes this process scaleable.


Microsoft Identity Management

Microsoft identity management is a stand alone feature that can also be paired with the Azure AD self-service password reset in order to provide the end user a seamless experience for when they forget their password. This also frees up time on the service desk and mitigates one of the easiest social engineering attacks.


Microsoft allows users to unlock or reset their account in two ways. One is simply through the login screen seen below where the user can click "problems logging in" and they will be prompted for a password reset that utilizes MFA to verify identity via phone.




Below is the screen that follows if a user is having troubles logging in and successfully answers the MFA request sent to their phone, from the "problems logging in" at the login page.



Here the user is then able to verify who they say they are and reset their password.

Another way to go about this process is to have a client facing web portal that allows users to actually self register for MFA and like wise initiate a MFA password reset from the web portal as seen below.




Federated Identity Management System

FIMS for short allows a user to login and have multiple authenticated sessions with different resources across an organization and has a high scalability score providing an efficient solution and less administrative work for users by removing the need to login constantly.

This can be configured in three ways.

  1. A federated server farm

  2. Federated server proxies

  3. Azure active directory connect


SSO Single Sign-On

This is another solution that like Federated Identity Management it transfers the burden of repeatedly authenticating to various applications, hosts or portals by creating a centralized login is architect and is a simple and transparent solution widely adopted by organizations.


RADIUS - Remote Access Dial-In User Service

A RADIUS server provides a centralized location for account management and allows authentication over a variety of protocols, technologies and hardware. This can be configured by deploying a network policy server to perform the authentication, authorization, and accounting for connection requests. The network policy server allows you to configure either password or certificate based authentication methods. For example, you may want to have a wireless and a VPN solution in your environment but with different authentication methods.


A network access protection server can also be paired along side Radius server to monitor and enforce health policies of clients through the use of system health validators. This allows us to enforce several things such as windows updates, having up to date malware software and an enabled firewall. If any of these or other specified conditions are not satisfied, the user can be granted a connection to a locked down network known as a remediation network, where they will remain until those system health validators are satisfied.


Authorization

This will look at the authorization a user has and ways to limit and secure user authorization to avoid excessive privilege granting.

  1. Privileged access management

  2. Privileged access work stations

  3. Just-In-Time Administration

  4. Just-Enough Administration


Privileged access management

Privilege access management or PAM deals with user access and managing that access in a secure and flexible way. This is targeted towards standard user accounts as well as administrative accounts which are the gold mine to any attacker.


PAM deals with and helps to mitigate the following threats.

  • Public vulnerabilities

  • Unauthorized privilege escalations

  • Pass the hash

  • Pass the ticket

  • Spear Phising

  • Kerberos attacks


How does Pam work?

In short, the use of a privileges is granted and not assumed. For example, if you configured a PAM account with the user creation role then any administrator who wishes to create a new AD user has to request this privilege and upon approval the permissions are granted. The duration of the granted privilege is based off the Ticket Granting Service and will need to be re-requested when the ticket expires.


The below chart is provided by Windows regarding the Pam service. The big thing to note here is the use of a Bastion forest totally separate from the regular forest. This is where all administrator or privileged accounts are moved to, in order to create a secure wall between the bastion and production AD environment.



Privileged access work stations

Privileged access work stations or PAWs provide an operating system for performing sensitive tasks in an environment while reducing the attack and threat vector. The division of these sensitive delegations and accounts provides a high level of security from credential theft, vulnerabilities, phishing emails, application vulnerabilities, and Kerberos attacks.


A paw in short is a secure and hardened workstation designed around security assurance for performing highly privileged tasks. This allows administrators to perform mundane tasks on one computer and sensitive tasks on another through a remote connection.


In the below image the administrator is using his Desktop to access the internet, facebook and outlook. But if he would like to perform sensitive tasks he will have to request access to the PAW workstation which will be filtered through a Host Guardian Server who's job it is to prove the Hosts identity, and allow access based on a request from a particular Desktop or VM as opposed to a specific set of credentials. The client computer has to install the attestation key which will be used to prove its Host identity to the Host Guardian Server. Thus if an attacker has my credentials they will not have full access of an administrator unless they RDP into the PAW machine with my specific computer.


Just-In-Time Administration

When do we need Just in Time Administration?

If there are to many people with too many rights we can actually limit the amount of time that users or administrators have said rights for as long as they need. This is setup and configured with Microsoft Identity Management and a Bastion Forest. This is where all administrators are placed removing them from the production environment.


Requirements:

Bastion AD Forest

SQL Server

Microsoft Identity Management installation


The user would then request access to a server from the web portal.

It is also possible to enable JIT on a VM allowing you to delegate a specific VM to have elevated privileges for just a period of time, while a system administrator uses that VM to perform any critical tasks. Just in Time Administration also allows in depth auditing and logging to provide assurance and transparency into the use of assigned privileges.


Just Enough Administration

Just enough administration or JEA is a technology that allows a system admin to delegate administration for anything that is managed by powershell.


Requirements:

Powershell 5.0 or higher


Role Capabilities

When configuring JEA we will create a .psrc file that delineates the cmdlets, functions, and programs that are available to the user. We can do this from the powershell command line.


New-PSRoleCapabilityFile -Path .\MyFirstJEARole.psrc

We then allow certain commands to be utilized with the VisibleCmdlet function adding this to the .psrc file.


VisibleCmdlets =  'Add-LocalGroupMember', 'Restart-Computer', 'Get-NetIPAddress'

Session Configuration

Once you have established your .psrc file we will have to create a session configuration file. This will be the process of determining who has access, and what roles and identity the users will take on. This process is performed by utilizing a .pssc file known as a session configuration file. The following powershell command will generate a pssc file.


New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -Path .\MyJEAEndpoint.pssc


From here we can specify the users and groups that will be granted access to JEA endpoints in the below example.


RoleDefinitions = @{

'CONTOSO\JEA_DNS_ADMINS' = @{ RoleCapabilities = 'DnsAdmin', 'DnsOperator', 'DnsAuditor' } 'CONTOSO\JEA_DNS_OPERATORS' = @{ RoleCapabilities = 'DnsOperator', 'DnsAuditor' } 'CONTOSO\JEA_DNS_AUDITORS' = @{ RoleCapabilities = 'DnsAuditor' } }


Register your JEA

Registering your powershell session file has to be done after the configuration stage. This can be accomplished from the powershell command line. Keep in mind that if the -Force switch is not used, you may have issues after the fact that can be hard to troubleshoot as a JEA registration does not provide in depth verbose output. Therefore it is always recommended to -Force this operation.


Register-PSSessionConfiguration -Path .\MyJEAConfig.pssc -Name'JEAMaintenance' -Force

Using JEA

Withe the psrc and pssc files configured in which we determine who and what access our JEA endpoints will have its time to implement these tools.

We will start a new JEA session with the following command

Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential$nonAdminCred

Your power shell prompt will change to local host to indicate you have a established session as seen in the image below.






12 views0 comments