MIM 2016: Privileged Access Management (PAM) - FAQ
Applies To
- MIM 2016
General Questions
What is PAM?
Privileged Access Management (PAM) is a component of Microsoft Identity Manager 2016 (MIM) and is a technology solution that combined with IT best practices, helps mitigate unauthorized privilege escalation attacks. PAM utilizes a trusted, private forest that can control access in the existing corporate forest(s) without modifying the existing corporate forest(s). PAM utilizes MIM's request and approval workflow, SID history of Active Directory, and two new PAM services that control temporal membership and disable secondary accounts when its sourced accounts are disabled. The end result is an end-user requesting elevation of a secondary account via PowerShell or custom application and upon receiving approval, utilizing the elevated account for a pre-configured amount of time until access is automatically and transparently revoked.
What problems does PAM mitigate?
Privileged escalation attacks like pass-the-hash, pass-the-ticket, and spear phishing
Can you explain more about privileged escalation attacks?
PAM Component
What are the PAM system requirements?
* The management forest has to be Windows Server 2012 R2 with forest functional level set to 2012 R2
* The PAM client is supported under Windows 7, Windows 8, Windows 8.1, and Windows 10
* PowerShell version 2.0 or higher is needed if the PowerShell cmdlets will be used
Do I need to create a new forest if I already have a secured, management forest?
No. See this article for how you can use an existing management forest with PAM.
What are the PAM components?
PAM requires few components to work:
AD Management Forest: This could be an existing, secured management forest or a new forest.
DNS: Name resolution of the management forest from the corporate forest domain controllers and vice-versa.
One-way Trust: The corporate forest(s) must trust the management forest. SID History has to be enabled and SID filtering has to be disabled on the trust.
PAM Client: PowerShell cmdlets or a custom application that uses the PAM REST API that makes PAM request and, optionally via configuration, performs a PAM approval.
MIM Service: Responsible for processing PAM requests and approvals.
MIM Management Policy Rule (MPR): Specifies who can trigger PAM Authorization and Action Workflows.
PAM Component Service: Removes PRIV users from PRIV groups once the role request expires.
PAM Monitoring Service: Used to mirror the ACCOUNTDISABLE flag of the userAccountControl of sourced CORP accounts out to their corresponding PRIV accounts. Said simply, if CORP\JIngalls has a PAM user account named PRIV\PRIV.JIngalls, when the CORP\JIngalls Active Directory account is disabled, the PAM Monitor service account will disable PRIV\PRIV.JIngalls. We need to do this because anyone in CORP (or PRIV for that matter) could attempt to authenticate as PRIV\PRIV.Jingalls. The PAM Monitor service account will also automatically update a change of the sAMAccountName on the CORP account out to the MIM Service, but does not synchronize sAMAccountName, or other attributes, out to PRIV.
What does the user experience look like?
An auto-approved, high-level overview of the user experience via PowerShell can be thought of in four steps:
1. CORP\JIngalls performs a role request via PowerShell. The role request is for "CORPAdmins" which grants access to a file share for members of CORP\CORPAdmins group. Note that the CORP\CORPAdmins group is empty and remains empty throughout the process.
2. The MIM Service grants elevation and adds the PRIV\Jingalls account to the PRIV\CORP.CORPAdmins shadow group. Note that this shadow group has the SID of CORP\CORPAdmins in its SIDHistory.
3. CORP\JIngalls authenticates as PRIV\PRIV.Jingalls and accesses the file share that requires membership in CORP\CORPAdmins. If you were to look at CORP\CORPAdmins you would see the group as empty, however, if you were to look at PRIV\CORP.CORPAdmins you would find the PRIV\PRIV.JIngalls as a member. If the PRIV\PRIV.Jingalls account were to run a whois /groups it would show membership in the CORP\CORPAdmins group as well as PRIV\CORP.CORPAdmins
4. After the role expires, the service account running the PAM Component Service removes PRIV\PRIV.Jingalls from the PRIV\CORP.CORPAdmins group.
Are there any production limitations?
* You cannot use PAM for well-known SID groups (Enterprise Admins, Domain Admins, etc.) across the Windows 2012 R2 trust. This is not a PAM limitation, but a current Active Directory 2012 R2 and below constraint. There is no work around for this scenario for windows 2012 R2 Trust. But good news is in windows 2016 server released on 10/12/2016 there is new forest switch "/EnablePIMTrust" that removes this limitation. so for your environment, you would need in CORP windows 2012 R2 DC with the following patch http://go.microsoft.com/fwlink/?LinkId=808755 , Then in your PAM(PRIV) forest you would need to be running a windows server 2016 as a domain controller with 2016 functional level.
* PAM requires Kerberos-aware applications
* You cannot require multiple approvers; only one PAM approver is needed
* The approval process does not allow references. For example, you can not require an approval of the caller's manager.
* The PAM Monitoring service only synchronizes whether the CORP AD account is enabled or disabled out to PRIV AD. It does not synchronize sAMAccountName, userPrincipalName, description,or any other userAccountControl flags.
What types of groups are supported?
PAM allows you to take a "CORP" security group (domain local, global, or universal) and make a shadow group in the "PRIV" managed domain. The group has to be a universal or global security group in the PRIV domain. You can not use PAM to make a shadow group of a distribution group.
What should I do to secure my PAM service accounts?
On the PAM server specifies Logon as service to these accounts:
- PRIV\MIMMonitor
- PRIV\MIMService
- PRIV\SharePoint
- PRIV\MIMComponent
- PRIV\SQLServer
On the PAM server specify Deny access to this computer from the network to these accounts:
- PRIV\MIMMonitor
- PRIV\MIMService
- PRIV\MIMComponent
On the PAM server specify Deny log on locally to these accounts:
- PRIV\MIMMonitor
- PRIV\MIMService
- PRIV\MIMComponent
On the PRIV Default Domain Policy, specify Deny log on as batch job to these accounts:
- PRIV\MIMMonitor
- PRIV\MIMService
- PRIV\MIMComponent
On the PRIV Default Domain Policy, specify Deny log on through Remote Desktop Services
- PRIV\MIMMonitor
- PRIV\MIMService
- PRIV\MIMComponent
What high availability or disaster recovery considerations to I need to consider with PAM?
Look here.
PAM Troubleshooting
I am unable to run New-PAMGroup. The New-PAMGroup command does not work.
Make sure you are logged into the PAM server, not a corporate workstation, and enter:
Import-Module MIMPAM -verbose
You should see New-PAMGroup listed, assuming the PAM component has been installed on the server.
The New-PAMGroup command fails with a 'requestor's identity not found' error message.
On the PAM server, you need to be signed in as someone who has an account in the MIM service.
I am trying to remove the PAM group "Corp.CorpAdmins" with the command fails with the error message: Cannot bind parameter 'Group'. Cannot convert the "<group name>" value of type "System.String" to type "Microsoft.IdentityManagement.PamCmdlets.Model.PAMGroup".
Use the Remove-PAMGroup command like this: Remove-PAMGroup -Group (Get-PAMGroup -PrivDisplayname "Corp.CorpAdmins")
I am attempting to run New-PAMDomainConfiguration command and receiving a NotSpecified Exception error.
Cause is currently unknown, but you can try working around the error by using netdom to setup and configure the Trust directly. Then, create the special $$$ group.
netdom trust corp.com /domain:priv.local /userO:CORP\administrator /passwordo:password_here /add
netdom trust corp.com /domain:priv.local /EnableSIDHistory yes /userO:CORP\administrator /passwordO:password_here
netdom trust corp.com /domain:priv.local /Quarantine no /userO:CORP\administrator /passwordO:password_here
If the trust has been established then you do not have to enter the first netdom command.
Note the three netdom commands replace the single New-PAMTrust command. Once the trust is working, you can re-attempt the New-PAMDomainConfiguration command from the PAM server joined to the PRIV domain or manually create the CORP$$$ group in the CORP domain, replacing CORP with the NETBIOS name of your corporate domain.
I am running New-PAMGroup and receiving the error "System.Exception: Failed PAM group '<Group Name>' SID migration; Exception: System.ComponentModel.Win32Exception(0x80004005): The operation requires that destination domain auditing be enabled at Microsoft.IdentityManagement.WinTools.SidCloner.CloneSid(String sourceIdentity, String sourceDomain, StringsourceDC, String sourceUserName, SecureString sourcePassword, String targetIdentity, String targetDomain)” ".
Solution provided by David Steadman. The problem can be caused by the PRIV audit policy not being applied to the domain controller(s) even though the Group Policy editor shows it as set. Look in C:\Windows\SYSVOL\domain\Policies and move the audit.csv to the Desktop. Go back to the Group Policy editor and set the required settings. Run GPUPDATE /force, then reboot. After reboot the settings should be applied and the New-PAMGroup cmdlet should be successful.
PAM PowerShell Commands
What PAM PowerShell cmdlets are available on the PAM server?
| Close | Get | New | Remove | Set | Test |
| ------ | Get-PAMConfiguration | ------ | Set-PAMConfiguration | ------ | |
| ------ | ------ | New-PAMDomainConfiguration | Remove-PAMDomainConfiguration | ------ | Test-PAMDomainConfiguration |
| ------ | Get-PAMGroup | New-PAMGroup | Remove-PAMGroup | Set-PAMGroup | ------ |
| Close-PAMRequest | Get-PAMRequest | New-PAMRequest | ------ | ------ | ------ |
| Close-PAMRequestForControl | ------ | ------ | ------ | ------ | ------ |
| ------ | Get-PAMRequestForReview | ------ | ------ | ------ | ------ |
| ------ | Get-PAMRequestToApprove | ------ | ------ | Set-PAMRequestToApprove | ------ |
| ------ | Get-PAMRole | New-PAMRole | Remove-PAMRole | Set-PAMRole | ------ |
| ------ | Get-PAMRoleForRequest | ------ | ------ | ------ | ------ |
| ------ | ------ | New-PAMSession | ------ | ------ | ------ |
| ------ | ------ | New-PAMTrust | Remove-PAMTrust | ------ | Test-PAMTrust |
| ------ | Get-PAMUser | New-PAMUser | Remove-PAMUser | Set-PAMUser | ------ |
What PAM PowerShell cmdlets are available on the PAM client?
You initially have the following cmdlets available:
See Also
MIM 2016: PAM integration with existing Active Directory domains
High availability and disaster recovery considerations for the bastion environment
References
External sources will be here.
Note
To provide feedback about this article, create a post in the FIM TechNet Forum.