PAM in Server 2016
No, she's not that girl who was head cheerleader back in high school - and don't confuse her with IPAM (IP Address Management), which is also a feature in Windows Server 2016. PAM stands for Privileged Access Management, which is also not to be confused with PIM, which stands for Privileged Identity Management. Note that PAM pertains to Active Directory Domain Services (AD DS) in Windows Server 2016, whereas PIM pertains to Microsoft Azure Active Directory (AAD).
Both PAM and PIM are all about protecting resources from administrators. What? Who, me? Well, of course you're trustworthy, but what about all those other people who have admin privileges for one reason or another? An administrative account wields a lot of power, and can be deliberately misused or just used carelessly, putting your network at risk.
In this article, we’re focusing on Windows Server, so we’ll be talking about PAM, which works with Microsoft Identity Manager (MIM) and introduces security enhancements and new monitoring capabilities. Server 2016 also helps you secure privileged access with technologies such as Just in Time (JIT) administration and Just Enough Administration (JEA), which give you far more control over the scope and duration of administrative privileges. Since we IT pros are all control freaks (it's a job requirement), that's a good thing.
PAM and ADDS
Active Directory (AD) was introduced back in Windows 2000 Server as an LDAP (Lightweight Directory Access Protocol) solution to compete with the then-popular NetWare server OS, which appealed to enterprises with its global directory service called NDS (NetWare Directory Services). AD morphed into AD DS (Active Directory Domain Services) in later versions of Windows Server. AD DS provides centralization of security policies for Windows domain-based networks.
AD DS has evolved over the years, gaining new capabilities in each iteration. PAM is based on new features in Windows Server 2016 AD DS that are designed to give you more control over administrative accounts.
The admin account dilemma
Microsoft has been attempting to rein in the misuse and overuse of administrative accounts for a long time. User Account Control (UAC), introduced in Windows Vista, was one such attempt that was intended to prevent unnecessary use of admin accounts on the desktop OS. However, its “in your face” implementation caused many users to disable it, thus defeating the purpose.
The use of administrative privileges on the server has even more serious ramifications. Admins, depending on the particular administrative privileges their accounts are granted, can install programs, change configuration settings, create and delete user accounts, assign and change permissions on files, and more. In the wrong hands, such capabilities can be disastrous. And no matter how trustworthy your administrators might be, whenever an admin account is in use, its credentials and session are exposed to attack.
Yet many organizations have admin privileges assigned to many different users, for different reasons. Those privileges might have been necessary for the performance of job duties at some point, but no longer are. In some orgs, IT might not even know exactly who has administrative privileges and the scope of those privileges. This can put the entire network at risk.
Getting privileged access under control
Privileged access management in Windows Server 2016 is built on a pair of concepts:
- Just in Time (JIT) administration
- Just Enough Administration (JEA)
(Don’t ask me why the second acronym includes the word “administration” and the other doesn’t, because I don’t know. Maybe just to keep us on our toes).
In any event, JIT and JEA give you much more fine-grained control over those pesky admin accounts that seem to multiply like rabbits. It takes a little work, but it can be well worth it since when it comes to abuse of administrative privileges, an ounce of prevention really is worth the proverbial pound of cure. We’ll talk about each of these in more detail later in this article, but first let’s get back to PAM and how it works.
PAM works with AD DS domain account authentication and authorization capabilities in conjunction with new capabilities in Microsoft Identity Manager (MIM). PAM involves setting up a bastion environment that’s separate from the rest of your Active Directory. A bastion environment is a dedicated Active Directory administrative forest that is isolated from the production environment and has strong security protections, and does not trust the other existing forests in the organization. There is a one-way trust only, with the corporate forest trusting the admin forest but not the other way around.
This administrative forest is used for Active Directory management. Due to its limited scope, it presents a smaller attack surface. The bastion environment has its own separate AD DS, and its backup software and media are separate as well. MIM 2016 with its PAM components needs to be deployed in the bastion environment. MIM uses PowerShell to prepare your existing domains to be managed by the bastion environment and to create the PAM domain configuration. You can read about this process in detail in the Microsoft document Planning a Bastion Environment.
Understanding JIT and JEA
Just in Time administration is a means of controlling when administrators have administrative privileges. Most admins don’t need admin privileges for everything they do; many of the tasks that they perform throughout the day can be accomplished with standard user privileges.
In the olden days, we were told that administrators should have two different accounts, one with admin privileges and one that’s set up as a standard user, and that they should switch back and forth between accounts, depending on what they’re doing. It sounds good in theory, but in practice human beings tend to do things the easy way if possible. For an administrator, the easy way is to just use the admin account for everything, all the time, so as not to have to take the trouble to switch when those privileges are needed. You might call this “Just in Case Administration” (JICA?).
JIT makes things easier by granting admin privileges only when they’re actually needed to get the job done, and then only for the limited period of time that they’re actually necessary. This is also called time-bound privileges. Instead of having dozens or more permanent administrators, you have users who hold admin privileges just for the times that they need them. Restricting the timeframes in which these privileges are activated obviously decreases exposure and security risk.
Whereas JIT limits the time that a user has administrative privileges, Just Enough Administration limits the scope of those privileges when the user does have them. JEA takes a role-based approach so that you can allow specific users to perform specific administrative tasks on specific servers, instead of giving everyone full administrative rights that they don’t need. The level of risk, when it comes to admin accounts, correlates to the scope of privileges; an account with more limited privileges presents a lesser risk (in terms of the amount of damage that can be done) if it becomes compromised.
JEA works by creating a role-based access control (RBAC) platform so that you can restrict users to performing only the tasks they’re authorized to do, and they can perform those tasks without being made permanent administrators. This reduces the overall number of administrators.
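To make the JEA role-based model concrete, here is an added PowerShell example (not from the article, and not Microsoft’s own sample code) that builds a JEA endpoint allowing one group to restart only the DNS service on a server; the module name, group name, endpoint name and paths are assumptions chosen for the example.

```powershell
# Added example: a minimal JEA endpoint. Run in an elevated PowerShell 5.1 session
# on Windows Server 2016. CONTOSO\DnsOperators, CONTOSO\alice, the module name
# 'JeaDnsOps' and the endpoint name 'DnsOps' are hypothetical values.

$moduleName = 'JeaDnsOps'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
# A role capability file must live in the RoleCapabilities folder of a real module,
# so create a manifest to make the module (and its roles) discoverable.
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# 1. Role capability (.psrc): the "just enough" part. Only these commands are
#    visible in the session, and Restart-Service is constrained to one service.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )

# 2. Session configuration (.pssc): maps an AD group to the role, runs the session
#    as a temporary virtual account (privileged inside the session, but no
#    reusable admin credential is exposed), and records a transcript of every
#    command the operator runs.
$transcripts = 'C:\JeaTranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$psscPath = Join-Path $env:TEMP 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

# Validate the file before registering it; a malformed .pssc fails registration.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Invalid session configuration file: $psscPath"
}

# 3. Register the endpoint. Operators connect with:
#    Enter-PSSession -ComputerName <server> -ConfigurationName DnsOps
Register-PSSessionConfiguration -Name 'DnsOps' -Path $psscPath -Force | Out-Null

# Verify what a given operator would actually be able to run in that endpoint;
# the list should contain Get-Service, Restart-Service and the default JEA
# session commands, and nothing else.
Get-PSSessionCapability -ConfigurationName 'DnsOps' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType
```

Because the session runs as a virtual account rather than the operator’s own domain admin credential, the transcript directory and the role capability module folder should be writable only by administrators, otherwise a user could widen their own role.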
Find out more about JIT and JEA in Server 2016 in this slideshow presentation on Microsoft’s MSDN Channel 9 web site titled Just Enough Administration with Windows Server 2016.
Windows Server 2016, like each preceding version of the Windows Server operating system, adds support for new security enhancements to help organizations make their on-premises servers and networks more secure. Because of the greater risk posed by the powers that go along with administrative accounts, Server 2016 has a big focus on reducing that risk by helping you reduce the number of permanent administrators and limit both the time duration of admin privileges and the scope of those privileges to just what is needed for the performance of the job duties, and no more.
PAM with JIT and JEA is a powerful new defense mechanism to safeguard against potentially disastrous ramifications of an administrative account compromise, and fits into Microsoft’s current “assume breach” security strategy that combines preventative measures with those that mitigate the amount of damage if and when an attacker does manage to break through the front line defenses. PAM makes it less likely that an admin account will be misused in the first place, but also – by limiting the duration and scope of the administrative privileges – helps to limit the extent of the damage.