Secure Your Privileged Accounts by Using Authentication Policies and Silos
As discussed in the previous post, the Protected Users group is one of the great features of Windows Server 2012 R2: it improves privileged account security, protects against legacy protocols by forcing privileged accounts to use the newer Kerberos protocol, and works well against credential caching. However, the Protected Users group has a pre-defined scope. What if I want to change its configuration? For example, the default TGT lifetime is about 4 hours; what if we want to customize it according to company policy? Adding service accounts and computer accounts to the Protected Users group is not advisable and may lead to authentication failures, so what if I want to improve security for service and computer accounts as well?
Authentication Policies and Authentication Policy Silos are another way to secure an Active Directory based environment. They provide a more robust method, going beyond logon restrictions, for restricting which accounts can access specific servers in your environment. The Protected Users group has a pre-defined scope, whereas authentication policies and silos do not.
Authentication Policies and Silos:
Authentication Policies and Authentication Policy Silos leverage the existing Windows authentication infrastructure: use of the NTLM protocol is rejected, and the Kerberos protocol with newer encryption types is used. In contrast to the limited "Log On To" restriction of previous versions of Windows, Authentication Policies and Authentication Policy Silos let you create a group of computers to which a user, or a group of users, can log on.
Authentication policies allow you to configure settings, such as TGT lifetime and access control conditions, which specify conditions that must be met before a user can sign in to a computer. For example, you might configure an authentication policy that specifies a TGT lifetime of 120 minutes and limit a user account so that it can only be used from specific devices.
Authentication policies are enforced during the Kerberos protocol authentication service (AS) or ticket-granting service (TGS) exchange.
The cool thing about Authentication Policies and Authentication Policy Silos is that unless the computer or user account objects meet the criteria in the rules, a Ticket Granting Ticket (TGT) will not be issued. At all.
Authentication policies complement the Protected Users security group by providing a way to apply configurable restrictions to user, service and computer accounts.
You configure Authentication Policies and Authentication Policy Silos using Active Directory Administrative Center or PowerShell.
How the Kerberos protocol is used with authentication policy silos and policies
I referred to the article below to understand this new feature; please read it, as it helps to understand how the policy is enforced when a user account logs on to a device.
When a domain account is linked to an authentication policy silo and the user signs in, the Security Accounts Manager adds the claim type Authentication Policy Silo, with the silo as its value. This claim on the account provides access to the targeted silo.
When an authentication policy is enforced and the authentication service request for a domain account is received on the domain controller, the domain controller returns a non-renewable TGT with the configured lifetime.
When an authentication policy is enforced, the authentication service is armored, and the authentication service request for a domain account is received on the domain controller, the domain controller checks whether authentication is allowed for the device. If that check fails, the domain controller returns an error message and logs an event.
You can use a single authentication policy for all members of a silo, or you can use separate policies for users, computers, and managed service accounts.
Prerequisites:
- All domain controllers in the domain must run Windows Server 2012 R2 or later.
- The domain functional level must be Windows Server 2012 R2 or later.
- Domain controllers must be configured to support Dynamic Access Control (DAC).
- Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 domain members must be configured to support DAC, including Kerberos compound claims (device claims).
Let's set up a policy for Domain Admins and enforce that they use only domain controllers.
Prerequisites to set up Authentication Policy and Authentication Silo:
Step 1: Before creating the authentication policy, our domain controllers must support claims and compound authentication for Dynamic Access Control and Kerberos armoring. Do this by enabling the following group policy setting in the "Default Domain Controllers" policy. Expand the following location, Computer Configuration\Policies\Administrative Templates\System\KDC, and enable the policy shown below.
Step 2: Configure the client computers to request claims, provide the information required to create compound authentication, and armor Kerberos messages. This setting needs to be enabled on the client systems in the domain, hence I enabled this policy in the "Default Domain Policy" at the following location: Computer Configuration\Policies\Administrative Templates\System\Kerberos.
So, all the prerequisites are set; now we will set up the Authentication Policy and Authentication Policy Silo.
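As an added example (not commands from the original post), the same two prerequisite settings can be pushed from PowerShell with the GroupPolicy module's Set-GPRegistryValue, writing the registry-backed policy values behind the two ADMX entries instead of clicking through the Group Policy editor. The GPO names follow the post's "Default Domain Controllers" and "Default Domain Policy"; the registry paths, value names and level values are the ones the KDC and Kerberos ADMX templates write and are given here from memory, so confirm them against the ADMX files in your environment before relying on the script.

```powershell
# Added example: Steps 1 and 2 of the prerequisites via Group Policy from PowerShell.
# Requires the GroupPolicy RSAT module on the machine where you run it.
Import-Module GroupPolicy

# Registry keys behind the two ADMX settings (assumed from the templates):
#   KDC    : "KDC support for claims, compound authentication and Kerberos armoring"
#   Client : "Kerberos client support for claims, compound authentication and Kerberos armoring"
$KdcKey    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$ClientKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Step 1: Default Domain Controllers Policy -> enable the KDC setting.
# CbacAndArmorLevel 1 = "Supported": DCs advertise claims/armoring but still accept
# unarmored requests, so nothing breaks while the client setting is still rolling out.
# (2 = "Always provide claims", 3 = "Fail unarmored authentication requests".)
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $KdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $KdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1

# Step 2: Default Domain Policy -> clients request claims and armor Kerberos messages.
Set-GPRegistryValue -Name 'Default Domain Policy' -Key $ClientKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1

# Show what was written to each GPO before waiting for the next policy refresh.
Get-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $KdcKey
Get-GPRegistryValue -Name 'Default Domain Policy' -Key $ClientKey

function Test-ArmoringPolicyApplied {
    <# Run locally on a DC (or client) after "gpupdate /force": returns $true when the
       policy value has actually arrived in the machine's policy registry hive. #>
    param([ValidateSet('KDC','Client')][string]$Role = 'Client')
    $key = if ($Role -eq 'KDC') { "Registry::$KdcKey" } else { "Registry::$ClientKey" }
    $val = Get-ItemProperty -Path $key -Name 'EnableCbacAndArmor' -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.EnableCbacAndArmor -eq 1)
}

# Example usage on a domain controller:
# gpupdate /force
# Test-ArmoringPolicyApplied -Role KDC
```

Setting CbacAndArmorLevel to 1 rather than 3 is deliberate: failing unarmored requests before every client has received the Kerberos client setting is the fastest way to lock out legitimate logons, so raise the level only after Test-ArmoringPolicyApplied returns $true on the clients.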
Setup Authentication Policy and Silo
Step 1: Open Active Directory Administrative Center and you will see two new containers: Authentication Policies and Authentication Policy Silos.
Note: You can create an Authentication Policy without a Silo; however, you cannot create an Authentication Policy Silo without an Authentication Policy.
Authentication Policy: An Authentication Policy defines the TGT lifetime and the authentication access control conditions.
Authentication Policy Silo: An authentication policy silo controls which accounts can be restricted by the silo and defines the authentication policies to apply to the members.
Step 2: Create Authentication Policies
Use an appropriate Policy Name for the policy you want to set, update the description field and define the rules. I have restricted my Domain Admins' TGT lifetime to 120 minutes.
Step 3: Create Authentication Policy Silos
Use an appropriate Policy Name that reflects the role of the accounts, and fill in the description. Apply the Authentication Policy which we created in Step 2.
OK, now it is time to add our Domain Admins accounts and the domain controllers we wish to allow them to access.
We added our Domain Admins and domain controllers; however, the policy is not yet assigned to those objects. See the Assigned column in the screenshot above: we don't see any policy pushed yet.
Select each object, double-click it and assign the Authentication Policy Silo which we just created. Repeat the same step for the computer accounts as well.
Good to see that our policy has now been assigned to both objects.
Step 5: Enable Access Control conditions
OK, now all is set; there is one final step to complete the configuration: create the Access Control condition. In the authentication policy we created, "Restrict DomainAdmins", under the User Sign On section, specify access control conditions that restrict the devices that can request a Ticket Granting Ticket for the user accounts assigned to this policy.
Specify the Access Control condition as below.
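Here is the whole of Steps 2 to 5 as one script using the ActiveDirectory module; this is an added example, not the post's own commands or screenshots. The policy name "Restrict DomainAdmins", the user PA-User2 and the domain controller DC1 come from the post; the silo name "DomainAdmins-Silo" is assumed. Unlike the walkthrough above it leaves the policy and silo in audit (non-enforced) mode first, so blocked TGT requests are only logged until you are sure every account and device that needs the silo is in it.

```powershell
# Added example: Authentication Policy + Silo for Domain Admins, scripted.
# Requires the ActiveDirectory module and Windows Server 2012 R2 DFL or later.
Import-Module ActiveDirectory

$PolicyName = 'Restrict DomainAdmins'     # name used in the post
$SiloName   = 'DomainAdmins-Silo'         # assumed silo name
$Users      = @('PA-User2')               # accounts the post restricts
$Computers  = @('DC1')                    # devices those accounts may use

# Step 2: the policy. -UserTGTLifetimeMins 120 matches the 120-minute TGT in the post.
# Without -Enforce the policy is created in audit mode: the KDC logs what it
# would have blocked but still issues tickets.
New-ADAuthenticationPolicy -Name $PolicyName `
    -Description 'Domain Admins: 120 min TGT, sign-on only from silo devices' `
    -UserTGTLifetimeMins 120

# Step 3: the silo, applying the same policy to user, computer and service members.
# Separate policies per account type are allowed here if you need different lifetimes.
New-ADAuthenticationPolicySilo -Name $SiloName `
    -Description 'Domain Admins and the domain controllers they may use' `
    -UserAuthenticationPolicy    $PolicyName `
    -ComputerAuthenticationPolicy $PolicyName `
    -ServiceAuthenticationPolicy $PolicyName

# Step 4 (the "Assigned" column in ADAC): membership is two-sided. The silo has to
# permit the account, AND the account has to be assigned to the silo. Doing only the
# first half is exactly the "policy not yet assigned" state the post shows.
foreach ($u in $Users) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account (Get-ADUser $u)
    Set-ADUser -Identity $u -AuthenticationPolicySilo $SiloName
}
foreach ($c in $Computers) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account (Get-ADComputer $c)
    Set-ADComputer -Identity $c -AuthenticationPolicySilo $SiloName
}

# Step 5: the "User Sign On" access control condition as SDDL. The callback ACE
# matches only a requesting device whose account carries the silo claim, so a TGT
# for a policy member is issued only when the request comes from a silo computer.
$Sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'
Set-ADAuthenticationPolicy -Identity $PolicyName -UserAllowedToAuthenticateFrom $Sddl

# Review what was configured.
Get-ADAuthenticationPolicy -Identity $PolicyName -Properties * |
    Select-Object Name, UserTGTLifetimeMins, UserAllowedToAuthenticateFrom, Enforce
Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties * |
    Select-Object Name, Members, UserAuthenticationPolicy, Enforce

# Once the DC's authentication-policy failure log has been quiet through a normal
# working week, switch both objects to enforce mode:
# Set-ADAuthenticationPolicy     -Identity $PolicyName -Enforce $true
# Set-ADAuthenticationPolicySilo -Identity $SiloName   -Enforce $true
```

Keep the domain controllers the admins must reach inside the silo as computer members: the SDDL condition refers to the device's silo claim, so a DC that is not a silo member cannot obtain a TGT on behalf of the restricted users, which is the same lockout the post demonstrates with a member server in its validation steps.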
Validate the Configuration.
1) Log in to the domain controller using PA-User1 and check the TGT lifetime.
Using PA-User1, I can log in to domain controller DC1 and my TGT lifetime is the default 10 hours.
2) Log in to the domain controller using PA-User2 and check the TGT lifetime.
In contrast, when I log in to DC1 using PA-User2, my TGT lifetime is shorter: it is only 2 hours.
3) Log in as PA-User2 to one of the member servers.
When a user assigned an authentication policy attempts to log on to a machine to which he/she is not allowed access, the attempt fails with the following error.
The DC will register the corresponding event log below.
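The three manual checks above can be scripted; the following is an added example and not part of the original post. Test-TgtLifetime runs in the logon session being tested (PA-User1 on DC1, PA-User2 on DC1) and reads the cached TGT from klist, also reporting whether the KDC issued it renewable, since an enforced policy should produce a non-renewable ticket of the configured lifetime. Get-AuthPolicyFailures runs on the DC and pulls the events written when a policy or silo blocks a request, as in the member-server test. The klist field layout and the event log name are taken from current Windows builds and should be treated as assumptions.

```powershell
# Added example: scripted validation of TGT lifetime and policy-failure events.

function Test-TgtLifetime {
    <# Parse "klist tgt" for the current session and return lifetime and flags.
       Per the post: PA-User1 should show the 10-hour default (600 min), PA-User2
       the policy's 120 min, and an enforced policy yields a non-renewable TGT. #>
    $out = (klist tgt 2>&1) -join "`n"
    if ($out -notmatch 'Start\s*Time\s*:\s*(?<s>[^(]+)\(') { throw "No cached TGT found:`n$out" }
    $start = [datetime]::Parse($Matches.s.Trim())
    if ($out -notmatch 'End\s*Time\s*:\s*(?<e>[^(]+)\(')   { throw "No EndTime in klist output" }
    $end   = [datetime]::Parse($Matches.e.Trim())
    $flags = if ($out -match 'Ticket\s*Flags\s*:\s*(?<f>.+)') { $Matches.f.Trim() } else { '' }

    [pscustomobject]@{
        User        = "$env:USERDOMAIN\$env:USERNAME"
        Computer    = $env:COMPUTERNAME
        LifetimeMin = [int]($end - $start).TotalMinutes
        Renewable   = [bool]($flags -match '\brenewable\b')
        Flags       = $flags
    }
}

function Get-AuthPolicyFailures {
    <# On a DC: the last N events from the log Windows uses for authentication
       policy/silo denials (log name assumed). First line of each message only. #>
    param([int]$Last = 20)
    $log = 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController'
    Get-WinEvent -LogName $log -MaxEvents $Last -ErrorAction Stop |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

# Usage, as the account under test on DC1 (checks 1 and 2):
Test-TgtLifetime | Format-List

# Usage, on the DC after the failed logon from the member server (check 3):
Get-AuthPolicyFailures -Last 10 | Format-Table -AutoSize
```

Run Test-TgtLifetime right after an interactive logon, before the TGT is renewed or refreshed, or the start time you parse will be that of a later ticket. If Get-AuthPolicyFailures reports that the log does not exist, the Authentication-PolicyFailures channel has not been created on that DC, which usually means the Step 1 KDC prerequisite has not applied there yet.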
*************Happy Learning*******************
Many thanks for the detailed article. This topic was raised at my work, and I have a much better understanding now of it.
If my target computer is a Linux machine administrated through a Windows workstation, how do I manage the access restrictions to the Linux server?