Chapter 4. Manage Privileged Identities


Skills in this chapter:

Implement an Enhanced Security Administrative Environment administrative forest design approach
Implement Just-in-Time Administration
Implement Just-Enough-Administration
Implement Privileged Access Workstations and User Rights Assignments
Implement Local Administrator Password Solution


The Enhanced Security Administrative Environment (ESAE) is a collection of design principles that enables you to create a separate, single-domain forest that is dedicated to Active Directory management.

This section covers how to:

Determine usage scenarios and requirements for implementing ESAE forest design architecture to create a dedicated administrative forest
Determine usage scenarios and requirements for implementing clean source principles in an Active Directory architecture


FIGURE 4-1 Trust relationships between administrative forest and a production forest

Note Limiting the Scope of the Administrative Forest

While it is possible to use the administrative forest for other management functions or applications, this is likely to increase the attack surface of the forest and reduce the effectiveness of the ESAE design. For maximum protection of the most privileged accounts in the enterprise, do not use the administrative forest for any other purposes.



FIGURE 4-2 Administrative tiers limit account access to servers in the same tier or those in lower tiers


FIGURE 4-3 An ESAE architecture in a tiered enterprise can protect the Tier 0 administrative accounts by placing them in a separate forest

Trusts between forests

By creating a one-way domain or forest trust, the production forest trusts the administrative accounts stored in the administrative forest, enabling those accounts to manage Active Directory assets in the production forest.

There is no need for the administrative forest to trust the production forest for this AD management to take place. Because the trust runs in one direction only, a security breach in the production forest does not by itself give the attacker any standing in the administrative forest.
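The trust direction described above, together with the selective authentication best practice listed later in this section, can be verified from the production forest with the ActiveDirectory module. This is an added example and not code from the book; the forest name admin.example.com and the function name are assumptions.

```powershell
# Added example (not from the book). Run in the PRODUCTION forest on a host with
# the ActiveDirectory RSAT module. The admin forest name is an assumption.
Import-Module ActiveDirectory

function Test-AdminForestTrust {
    param([string]$AdminForest = 'admin.example.com')   # assumed ESAE forest name

    $trust = Get-ADTrust -Filter "Target -eq '$AdminForest'"
    if (-not $trust) { throw "No trust to $AdminForest exists in this forest." }

    $findings = @()

    # Seen from production, the trust must be Outbound only: production trusts
    # the admin forest (admin-forest accounts can log on here), never the
    # reverse. Bidirectional or Inbound would let a compromised production
    # account authenticate into Tier 0.
    if ($trust.Direction -ne 'Outbound') {
        $findings += "Direction is '$($trust.Direction)'; expected 'Outbound' (one-way, production trusts admin)."
    }

    # Selective authentication: without it every admin-forest account is an
    # 'Authenticated User' on every production machine. With it, each server
    # must grant 'Allowed to Authenticate' explicitly (for example only DCs).
    if (-not $trust.SelectiveAuthentication) {
        $findings += "Selective authentication is off; enable with: netdom trust <prodforest> /domain:$AdminForest /SelectiveAUTH:yes"
    }

    # The admin domain must be a separate forest, not a domain inside production.
    if ($trust.IntraForest) {
        $findings += 'Trust is intra-forest: the admin domain sits inside the production forest.'
    }

    [pscustomobject]@{
        Target                  = $trust.Target
        Direction               = $trust.Direction
        ForestTransitive        = $trust.ForestTransitive
        SelectiveAuthentication = $trust.SelectiveAuthentication
        Findings                = $findings
    }
}

# Example call; an empty Findings list means the trust matches the ESAE design.
Test-AdminForestTrust -AdminForest 'admin.example.com' | Format-List
```

Direction is reported relative to the forest you run the check in, so the same trust shows as Inbound when queried from the administrative forest.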


ESAE best practices

  • Server hardware
  • Selective authentication
  • Multifactor authentication
  • Limited privileges: Accounts in the administrative forest used to manage production forest resources should not have administrative privileges to the administrative forest, or its domains and workstations. Administrative accounts should also have no access to user resources that provide attack vectors, such as email and the Internet.
  • Server updates
  • Clean source
  • Whitelisting: Computers accessed using administrative forest accounts should be restricted to safe applications using a whitelisting product such as AppLocker.
  • Intrusion detection and prevention: Systems in the administrative forest should be scanned regularly for potential security threats, using tools such as Attack Surface Analyzer or Advanced Threat Analytics.

Privileged Access Management (PAM) is designed for enterprise installations that want to make it more difficult for potential attackers to compromise administrative credentials.

The PAM server must run the following software components:

  1. Microsoft Identity Manager 2016
  2. Microsoft SQL Server 2014
  3. Microsoft SharePoint 2013 Foundation

The primary goal of PAM is to limit the time during which groups with significant

Just-Enough-Administration (JEA, pronounced jee’-ah)

For the purposes of the 70-744 exam, be sure that you are able to distinguish between the principles of Just-In-Time Administration and Just-Enough-Administration. You should also be familiar with the tools used to implement each of these principles on an enterprise network.

JEA components

To implement JEA on a computer running Windows Server 2016, you must create an endpoint. To do this, you create and register two PowerShell data files, as follows:

  • Session configuration file: a file with a .pssc extension that defines how the session runs (session type, Run As identity, transcript location) and maps role capabilities to the groups or users that receive them. The endpoint's name is assigned when the file is registered.
  • Role capability file: a file with a .psrc extension that specifies which cmdlets, functions, and other capabilities are associated with a particular role.

The role capability file is essentially a whitelist: anything it does not list is unavailable to that role inside the session.

JEA is built into the Windows PowerShell implementation in Windows Server 2016 and Windows 10. To use JEA on earlier Windows versions, including Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, and Windows 7 SP1, you must download and install Windows Management Framework (WMF) 5.0.
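The two files and the registration step above, worked through end to end as an added example (not code from the book): a JEA endpoint that lets members of an assumed group CONTOSO\ServiceDesk restart two named services and nothing else. The module, role, endpoint, group, user and server names are assumptions.

```powershell
# Added example (not from the book). Run elevated on the server that will host
# the endpoint. Module, role, endpoint and group names are assumptions.
$moduleName = 'JeaServiceDesk'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcDir      = Join-Path $modulePath 'RoleCapabilities'   # JEA only discovers .psrc files here
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# 1. Role capability file (.psrc): the whitelist. Restart-Service is exposed
#    with its -Name parameter pinned to two values, so 'Restart-Service WinRM'
#    or a wildcard is rejected by parameter validation before the cmdlet runs.
$rcParams = @{
    Path           = Join-Path $rcDir 'ServiceDesk.psrc'
    Description    = 'Query services; restart only Spooler or W3SVC'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = @('Spooler', 'W3SVC') } }
    )
}
New-PSRoleCapabilityFile @rcParams

# 2. Session configuration file (.pssc): who gets which role and how the
#    session runs. RestrictedRemoteServer strips the scripting language and
#    every command not explicitly visible; the virtual account is a local
#    Administrator that exists only for the life of the session, so the
#    service-desk user never holds administrative credentials of their own.
$scParams = @{
    Path                = Join-Path $modulePath 'ServiceDesk.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\JeaTranscripts'   # over-the-shoulder log of every session
    RoleDefinitions     = @{ 'CONTOSO\ServiceDesk' = @{ RoleCapabilities = 'ServiceDesk' } }
}
New-PSSessionConfigurationFile @scParams
if (-not (Test-PSSessionConfigurationFile -Path $scParams.Path)) { throw 'Invalid .pssc file' }

# 3. Register the endpoint. The endpoint name is chosen here, not in the .pssc;
#    -Force restarts the WinRM service.
Register-PSSessionConfiguration -Name 'ServiceDesk' -Path $scParams.Path -Force

# 4. Verify exactly what a given user would see before handing the endpoint out.
Get-PSSessionCapability -ConfigurationName 'ServiceDesk' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType

# Client side (no local administrator rights needed on the server):
#   Enter-PSSession -ComputerName srv01 -ConfigurationName ServiceDesk
#   [srv01]: PS> Restart-Service -Name Spooler    # allowed
#   [srv01]: PS> Restart-Service -Name WinRM      # fails: not in the ValidateSet
```

Keep the transcript directory on a volume the connecting users cannot modify; the transcripts are the audit trail for every command run through the endpoint.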


Privileged Access Workstation (PAW) is a designation that Microsoft uses to define the hardware and software configurations required to create dedicated administrative workstations.

This includes creating an Active Directory (AD) substructure devoted to PAW users and Group Policy settings that enforce the administrators’ roles.

This section covers how to:

Implement a PAW solution

Configure User Rights Assignment group policies

Configure security options settings in Group Policy

Enable and configure Remote Credential Guard for remote desktop access


The fundamental reasons for a PAW deployment are as follows:

  • to prevent users from performing privileged tasks using unsecured workstations
  • to prevent users from accessing vulnerable resources using administrative credentials


FIGURE 4-17 Administrative user with separate accounts and workstations for privileged and everyday use

PAW hardware profiles (three types)

  • Dedicated hardware
  • Virtual machines: the Client Hyper-V capability in Windows 10 makes it possible for a single computer to run two instances of the operating system
  • Remote desktop: an alternative to using Client Hyper-V


Enable and configure Remote Credential Guard for remote desktop access

Credential Guard is a security feature first introduced in Windows 10 Enterprise and Windows Server 2016 that protects user credentials by storing them in a virtualized container that is isolated from the operating system. Remote Credential Guard is the related feature for Remote Desktop connections: the credentials stay on the connecting PAW and Kerberos requests are redirected back to it, so the remote host never receives them and cannot leak them if it is compromised.
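The two sides of a Remote Credential Guard deployment, as an added example that is not code from the book. The host name is an assumption. The registry values on the client side are the ones the "Restrict delegation of credentials to remote servers" Group Policy setting writes; in production set them through Group Policy rather than by hand.

```powershell
# Added example (not from the book). Run the host part elevated on the RDP
# target and the client part on the PAW. Host name is an assumption.

# --- RDP target (the server being administered) ---
# The weak state is the default: DisableRestrictedAdmin is absent, the host
# refuses Remote Credential Guard, and a plain mstsc session sends the user's
# credentials to the host, where a compromised host can harvest them from LSASS.
function Enable-RemoteCredentialGuardHost {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-RemoteCredentialGuardHost {
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRestrictedAdmin -eq 0)
}

# --- PAW (the client) ---
# Registry backing of "Restrict delegation of credentials to remote servers"
# (Computer Configuration > Administrative Templates > System > Credentials
# Delegation). Type 2 = require Remote Credential Guard, so mstsc refuses to
# fall back to sending credentials when a host is not configured for it.
function Enable-RemoteCredentialGuardClientPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'RestrictedRemoteAdministration'     -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'RestrictedRemoteAdministrationType' -PropertyType DWord -Value 2 -Force | Out-Null
}

Enable-RemoteCredentialGuardHost
if (-not (Test-RemoteCredentialGuardHost)) { throw 'Host is still rejecting Remote Credential Guard' }
Enable-RemoteCredentialGuardClientPolicy

# Connect from the PAW with the switch. Use a name Kerberos can map to an SPN
# (an IP address forces NTLM, which Remote Credential Guard does not support)
# and sign in with the PAW's current Kerberos identity, not saved credentials.
#   mstsc.exe /remoteGuard /v:srv01.example.com
```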

Local Administrator Password Solution (LAPS) is a free Microsoft product that enables workstations to automatically change the passwords on local accounts and store those passwords as attributes of the computer objects in Active Directory.

LAPS also includes a graphical client tool, which you can choose to install by selecting the Fat Client UI component in the Local Administrator Password Solution Setup Wizard.


Configuring password settings

When LAPS assigns passwords to the local Administrator account, it defaults to creating passwords that are 14 characters long and consist of a combination of capital and lowercase letters, numbers, and symbols. The default expiration date for each password is 30 days after its creation.
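The management-side steps for LAPS (schema extension, permissions, verification) as an added example that is not code from the book, using the AdmPwd.PS module the LAPS installer provides. The OU, group and computer names are assumptions, as is the audit helper function.

```powershell
# Added example (not from the book). Requires the AdmPwd.PS module from the
# LAPS installer and, for the schema step, Schema Admins membership.
# OU, group and computer names are assumptions.
Import-Module AdmPwd.PS

$ou        = 'OU=Workstations,DC=example,DC=com'
$readGroup = 'EXAMPLE\Helpdesk-LAPS-Readers'

# 1. Extend the schema once per forest: adds ms-Mcs-AdmPwd (the password) and
#    ms-Mcs-AdmPwdExpirationTime (its expiry) to the computer class.
Update-AdmPwdADSchema

# 2. Let each computer write its own password and expiry (SELF on the OU).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Grant read and forced-reset rights to the helpdesk group only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readGroup

# 4. Audit. ms-Mcs-AdmPwd is a confidential attribute, but any principal that
#    already holds 'All extended rights' on the OU (a common legacy ACE) can
#    read it regardless. List the holders and flag anything not approved.
function Get-UnexpectedAdmPwdReaders {
    param([string]$OrgUnit, [string[]]$Approved)
    Find-AdmPwdExtendedRights -Identity $OrgUnit -IncludeComputers |
        ForEach-Object {
            foreach ($holder in $_.ExtendedRightHolders) {
                if ($Approved -notcontains $holder) {
                    [pscustomobject]@{ ObjectDN = $_.ObjectDN; Holder = $holder }
                }
            }
        }
}
Get-UnexpectedAdmPwdReaders -OrgUnit $ou -Approved @($readGroup, 'NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins') |
    Format-Table -AutoSize

# 5. Confirm a client is reporting, then force rotation at its next policy refresh
#    (for example after the password was used for a support call).
Get-AdmPwdPassword -ComputerName 'WS-001' | Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName 'WS-001' -WhenEffective (Get-Date)
```

Run the audit before step 3 as well: any unexpected holder found there had read access to every LAPS password in the OU from the moment the clients started writing them.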

Chapter summary

  • Enhanced Security Administrative Environment (ESAE) is a reference model for a network security architecture that protects highly privileged accounts by storing them in a separate Active Directory forest, dedicated solely to that purpose.
  • The clean source principle defines the nature of the relationships between objects that require protection and subjects that control the object. In practical terms, this principle calls for highly privileged resources to be administered using workstations that are equally privileged, and software installations to be performed using source media that is securely obtained and stored.
  • Just-in-time administration is an administrative philosophy that calls for users to receive elevated privileges only when they are needed to perform certain tasks. The privileges are then revoked after a set time interval, protecting the credentials that provide those privileges.
  • Privileged Access Management (PAM) is an implementation of the just-in-time concept included in the Microsoft Identity Manager (MIM) 2016 product. PAM calls for the creation of a bastion forest, a separate, hardened Active Directory forest that is joined to the production forest by a one-way trust relationship.
  • The most highly-privileged administrative accounts are migrated to the bastion forest in the form of shadow principals, which are copies of the user and group objects that have the same security identifiers (SIDs) as the originals in the production forest.
  • In addition to MIM, a PAM server installation requires Microsoft SQL Server in order to store information about the bastion forest, and Microsoft SharePoint in order to provide a web portal that functions as the PAM administrative interface.
  • Once the PAM server and the bastion forest are in place, users can request privileges using Windows PowerShell cmdlets or the MIM web portal.
  • Just-enough administration (JEA) is a Windows PowerShell feature implemented in Windows Server 2016, Windows 10, and Windows Management Framework 5.0. It does not require any other additional software or hardware.
  • JEA is a server-based technology that provides users with elevated privileges on a temporary basis. Users employ a PowerShell cmdlet to connect to a JEA endpoint with an unprivileged account, and the session runs under a temporary Run As identity (a virtual account or a group managed service account) that holds the elevated privileges for the duration of the session. When they disconnect from the endpoint, the users return to their unprivileged state.
  • To create a JEA endpoint, you must have a session configuration script file and a role capability script file. These files specify who is permitted to connect to the endpoint and what privileges they are eligible to receive. Registering the session configuration using a PowerShell cmdlet makes the endpoint available for use.
  • Each server to be administered must have its own endpoints, though users can connect to them from remote systems. Using Desired State Configuration (DSC), you can perform a mass deployment of JEA endpoints throughout the enterprise.
  • A Privileged Access Workstation (PAW) is a highly-secure computer that is intended for use only to manage secure resources. Based on the clean source principle, administrative credentials should not be exposed to systems that are insecure. A PAW provides a hardened software and hardware configuration that is not to be used for any activities that can potentially jeopardize the credentials, such as web browsing and email.
  • In addition to the configuration of the computer itself, a PAW deployment calls for user rights assignments and other policies that prevent the PAW from accessing unprotected resources and protect sensitive resources from administrative access by any workstation other than a PAW.
  • Remote Credential Guard is a feature of Windows Server 2016 and Windows 10 that prevents sensitive credentials from being transmitted to host computers during Remote Desktop connections. The Kerberos authentication requests are redirected back to the connecting system instead.
  • Local Administrator Password Solution (LAPS) is a tool that automatically assigns local Administrator passwords to client computers and stores the passwords in the Active Directory computer objects.
  • To deploy LAPS, you must install the client package, extend the AD schema using the PowerShell cmdlets provided, and set permissions granting access to the clients’ computer objects.
  • Extending the schema for LAPS creates two new attributes in the computer object, which LAPS uses to store the local Administrator password and its expiration date.
  • To enable the installed LAPS clients, use the settings added to Group Policy by the installer. You can also use the settings to control the length and complexity of the passwords and configure LAPS to protect a different local account.
  • Confirm that LAPS is operating on the client using the Get-AdmPwdPassword cmdlet or the graphical LAPS UI client tool.



Exam 744 – Securing Windows Server 2016
