Secure Your
Privilege Account by using Authentication Policy and Silo
As discussed, previous post the
protected user group is one of the great features in 2012 R2, to improve
privilege account security and provide better protection against legacy
protocol and enforce privilege accounts to use newer Kerberos protocol and play
well against credentials caching. Protected Users group has a pre-defined scope,
what if I wanted to change the configuration.
for example, the default TGT
lifetime about 4 hours, what if we wanted to customize them based on my company
policy. Adding Service Accounts & Computer Accounts in protected user group
is not advisable and it may lead the authentication failure, what if I wanted
to improve security for service and computer account.
Authentication Policy and
Authentication Silo is another way to secure an Active Directory based
environment. This provides a more robust method, beyond configuring logon
restrictions, and
restricting which accounts can access specific servers
in your environment. Protected Users group has a Pre-defined scope, where as
authentication policy and silo do not.
Authentication
Policy and Silos:
Authentication Polices and
authentication policies Silo leverage the existing Windows authentication
infrastructure and the use of the NTLM protocol is rejected, and the Kerberos
protocol with newer encryption types is used.
In contrast to the limited Log on to: previous versions of Windows.
By using Authentication Policies and Authentication Policy Silos you can create
a group of computers to which a (group of) user(s) can log on to.
Authentication policies allow you
to configure settings, such as TGT lifetime and access control conditions,
which specify conditions that must be met before a user can sign in to a
computer. For example, you might configure an authentication policy that
specifies a TGT lifetime of 120 minutes and limit a user account so that users
can only use it with specific devices.
Authentication policies are
enforced during the Kerberos protocol authentication service (AS) or
ticket-granting service (TGS) exchange.
The cool thing about Authentication
Policies and Authentication Policy Silos, is that unless computer or user account
objects meet the criteria in the rules, a Ticket Granting Ticket (TGT) will not
be issued. At all.
The combination of Authentication
policies and the Protected Users security group by providing a way to apply
configurable restrictions to user, services and computers accounts.
You configure Authentication Policies and Authentication
Policy Silos using
Active Directory Administrative Center or powershell.
How the Kerberos
protocol is used with authentication policy silos and policies
I referred the below article to understand this new
feature, please read them, it would help us to understand how the policy will
enforce while login user account into device.
When a domain account is linked to an authentication policy silo,
and the user signs in, the Security Accounts Manager adds the claim type of Authentication
Policy Silo that includes the silo as the value. This claim on the account
provides the access to the targeted silo.
When an authentication policy is enforced and the authentication
service request for a domain account is received on the domain controller, the
domain controller returns a non-renewable TGT with the configured lifetime.
When
an authentication policy is enforced and the authentication service is armored,
the authentication service request for a domain account is received on the domain
controller, the domain controller checks if authentication is allowed for the
device. If it fails, the domain controller returns an error message and logs an
event.
You
can use a single authentication policy for all members of a silo, or you can
use separate policies for users, computers, and managed service accounts.
Prerequisites:
Ø All domain controllers in the
domain must be based on Windows Server 2012 R2 and above.
Ø The domain functional level must be
Windows Server 2012 R2 and above.
Ø Domain controllers must be
configured to support Dynamic Access Control.
Ø Windows 8, Windows 8.1, Windows
Server 2012, and Windows Server 2012 R2 domain members must be configured to
support DAC, including Kerberos compound claims (device claims)
Let’s Setup Policy
for Domain Admins and Enforce them to use only domain controllers.
Prerequires to
setup Authentication Policy and Authentication Silo.
Step 1: Before Authentication policy
creation, our domain controller should support claims and compound authentication for Dynamic Access Control and
Kerberos armoring, do this by enabling the following group policy setting on
“Default Domain Controller” policy.
Expand out
the following location, Computer Configuration\Policies\Administrative
Templates\System\KDC and Enable the
below policy.
Step 2:
Configure the client computers to request claims, provide information required
to create compounded authentication and armor Kerberos messages.
This setting will
need to be enabled on the client systems in the domain, hence I
enabled this policy on “Default Domain Policy” on following location, Computer
Configuration\Policies\Administrative Templates\System\Kerberos
So, all the prerequisites are set, now we will setup Authentication Policy and Authentication
policy Silo.
Setup Authentication Policy and Silo
Step 1:
Open Active
Directory Administration Center and you could see there is two new
containers Authentication Polices and Authentication policy Silo.
Note: You can create Authentication Policy without Silo; however,
you cannot create Authentication policy Silo without Authentication Policy.
Authentication Policy: An Authentication Policy defines TGT Lifetime,
and Authentication Access Control Conditions.
Authentication Policy Silo: An authentication policy silo controls which
accounts can be restricted by the silo and defines the authentication policies
to apply to the members.
Step 2: Create Authentication Polices
Use appropriate name while configuring Policy Name which you want to set
and update description fields and define the rules.
I have restricted my Domain Admins TGT value 120
minutes.
Step 3: Create Authentication Policy Silos
Use appropriate Name while configuring Policy Name with respective of
their role and fill the description.
Apply the Authentication Policy, which we created in a previous step 2.
OK now time to add our domain admins accounts and domain controller we
wish to allow them for access.
We added our domain admins and domain controllers, however the policy not
yet assigned to those objects. See the above screenshot Assigned and we don’t see any policy pushed yet.
Select each object and double click and assign Authentication Policy
Silos which we create now.
And repeat the same step for Computer Account also.
Good to see now our policy has been assigned to both objects.
Step 5: Enable Access Control conditions
Ok
now all set, there is final step to complete the configuration. Create Access
Control condition, where we created our authentication policy “Restrict DomainAdmins” under the User
Sign on section, specify access control conditions that restrict devices
that can request a Ticket Granting Ticket for the user accounts assigned to
this policy.
Specify Access Control condition below.
Validate the Configuration.
1)
Login domain controller by using PA-User1 and check TGT Lifetime.
By using PA-User1,
I can login Domain Controller DC1 and my TGT life time is default 10 hours.
2)
Login domain controller by using PA-User2 and check TGT Lifetime.
In contrast, when I
login the DC1, by using PA-User2, my TGT lifetime is shorter and it only 2
hours.
3)
Login PA-User2 one of the member server.
When a user assigned an authentication policy attempts to log on to a
machine to which he/she is
not allowed access,
the attempt fails with the following error will occur.
The DC will register corresponding event log below.
*************Happy
Learning*******************
Enthusiastic words written in this blog helped me to enhance my skills as well as helped me to know how I can help myself on my own. I am really glad to come at this platform. Activate windows 10 home product key
ReplyDeleteMany thanks for the detailed article. This topic was raised at my work, and I have a much better understanding now of it.
ReplyDeleteIf my target computer is a linux machine administrated through a windows wks, how to manage the access restrictions to the linux server?
ReplyDeleteGreat and that i have a tremendous supply: Is It Good To Buy Old House And Renovate residential renovation contractor
ReplyDeleteThank You and that i have a keen supply: What To Expect When Renovating A House house renovation on a budget
ReplyDelete