Windows Server vNext Privileged Access Management

In this article, I’ll describe how Microsoft’s new Just-In-Time Administration feature works in Windows Server vNext.

Managing privileged access in Active Directory (AD) has always been something of a dilemma for IT. Although AD has granular access controls, many server administration tasks still require users to hold domain admin rights or local administrator rights. In small IT shops, it’s not unusual to find IT staff who are permanently assigned domain admin privileges, which significantly increases the risk that an organization’s systems will be compromised. The exposure is greatest when those accounts are used for everyday Internet browsing and non-IT tasks, or for administering end users’ PCs, which are more susceptible to malware than servers or management workstations.

Adhering to best practices helps minimize the risks: never using domain administrator accounts to join user workstations to the domain or to manage PCs, and using AD Protected Groups together with authentication policies and policy silos to restrict how privileged credentials can be used. But these best practices don’t address the needs of users who manage domain controllers, or who require privileged credentials to manage other servers on a regular basis.

Just-In-Time Administration

Many third-party privilege management solutions issue passwords to generic administrative accounts after approval is received according to a pre-defined workflow. As a result, there’s a record of who was using an account, at what time, and for what reason. Microsoft has designed its new Just-In-Time (JIT) Privileged Access Management (PAM) solution to work differently. Rather than handing out shared administrative accounts, the JIT solution adds privileges only when they are needed and only for a limited period of time.

JIT administration builds on Microsoft’s Just-Enough-Administration (JEA), which is already partially present in Windows Server today in the form of PowerShell constrained endpoints. These restrict users to running a pre-defined list of cmdlets on given servers and don’t necessarily require the users to hold administrative privileges. JEA capabilities will be expanded in Windows Server vNext.
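To make the JEA building block concrete, here is an added example (not code from the article or from Microsoft) of a constrained endpoint that lets members of a helpdesk group query and restart two named services on a server without being local administrators. The group name CONTOSO\Helpdesk, the endpoint name Helpdesk.Services, the module name HelpdeskTools and the paths are assumptions; the cmdlets and parameters are those of Windows Management Framework 5.

```powershell
# Added example: a JEA constrained endpoint. Names, paths and the service whitelist are assumptions.
# Run on the target server as an administrator; callers of the endpoint need no admin rights.

# Role capability files must live in a RoleCapabilities folder inside a module on $env:PSModulePath.
$modulePath = 'C:\Program Files\WindowsPowerShell\Modules\HelpdeskTools'
$roleDir    = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpdeskTools.psd1') -Description 'JEA role capabilities'

# 1. Role capability: the only visible commands, and Restart-Service is limited to a fixed set of names.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'ServiceOperator.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
)

# 2. Session configuration: restricted session type (no scripting language), a virtual account so
#    the connecting user needs no privileges of their own, and a transcript of every session.
$pssc = 'C:\JEA\Helpdesk.Services.pssc'
New-Item -ItemType Directory -Path 'C:\JEA\Transcripts' -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'ServiceOperator' } }

# 3. Validate and register the endpoint under its own name.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Session configuration file is invalid" }
Register-PSSessionConfiguration -Name 'Helpdesk.Services' -Path $pssc -Force | Out-Null

# A helpdesk user then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk.Services
# Inside the session only Get-Service and Restart-Service (for Spooler or W32Time) are available.
```

Two design points are worth noting: the ValidateSet on Restart-Service is what turns a broad cmdlet into a narrow task, and the transcript directory gives the same "who did what, when" record that the article credits to third-party password-issuing products, without anyone holding a standing administrative credential.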

The JIT model aims to keep the number of users who are permanently assigned administrative credentials to a minimum. A further goal of JIT administration is to isolate privileged accounts in a trusted forest that’s built from scratch. In addition, JIT administration allows businesses to enforce stronger authentication for privileged accounts where required, along with the ability to monitor their use more closely.

A Trusted Forest

Although adding a forest may seem contrary to the advice Microsoft currently gives about keeping the AD hierarchy as simple as possible, JIT administration has been designed this way for two reasons. First, adding a new forest means organizations can use JIT administration without upgrading existing forest schemas to a new Active Directory functional level to support the new group membership time-to-live feature, an operation that many are reluctant to carry out. Second, adding a new forest for privileged accounts ensures companies start with a clean slate, and don’t expose JIT administration to a forest that could already be compromised.

To enable JIT administration, Microsoft is introducing a new kind of cross-forest trust. The new forest will be able to have AD security groups with the same Security Identifier (SID) as groups in the existing forest, so that applications won’t need to be changed to work with JIT administration.

Active Directory and Microsoft Identity Manager (MIM) vNext

The base JIT administration functionality will be included in Active Directory in Windows Server vNext, and to implement workflows, IT will be able to use REST APIs or PowerShell. For complete account lifecycle control out-of-the-box, Microsoft Identity Manager (MIM) vNext will include workflows and GUI administration, allowing IT to get up and running with JIT administration faster.

Short-Lived AD Group Membership

However IT decides to implement workflows for issuing privileged credentials, users’ temporary elevated access will be based on short-lived AD group membership with a time-to-live (TTL). Users can be defined as candidates for membership of groups and, if permitted according to the criteria defined in the workflows, are made members of the group(s) for a limited time.

Workflows can include conditions such as requiring certain kinds of authentication, like a virtual smart card and PIN, to perform specific tasks; requiring a second party to approve an action before it occurs; or tying specific tasks to helpdesk tickets. Once the permitted time is up, the users’ security tokens are stripped of the added privileges and they revert to being standard users.
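The three preceding sections describe the mechanism (PowerShell-driven workflows, TTL group membership, and workflow conditions) without showing it. The following added example, which is not code from the article or from Microsoft, implements a minimal request workflow over the native TTL membership feature. The cmdlet and parameter names (Enable-ADOptionalFeature, Add-ADGroupMember -MemberTimeToLive, Get-ADGroup -ShowMemberTimeToLive) are those that later shipped in the released Windows Server 2016 ActiveDirectory module; the feature was pre-release when this article was written, so treat them as assumptions, as are the forest name priv.contoso.com, the group CorpAdmins-Shadow, the candidate list, the ticket-number format and the audit file path.

```powershell
# Added example: a small JIT request workflow on top of AD time-to-live group membership.
# Assumptions: released-2016 cmdlet names, bastion forest priv.contoso.com, constructed candidate list.
Import-Module ActiveDirectory

$BastionForest = 'priv.contoso.com'
$AuditLog      = 'C:\JIT\grants.csv'

# One-time, irreversible enablement of the TTL feature in the bastion forest (run once by a forest admin):
#   Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#       -Scope ForestOrConfigurationSet -Target $BastionForest

# Candidate lists: who may ask for which group. Constructed here; a real deployment reads them from the
# workflow engine or from an attribute on the group.
$Candidates = @{
    'CorpAdmins-Shadow' = @('sjones', 'mlee')
}

function Grant-JitMembership {
    param(
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string]   $Ticket,                       # helpdesk ticket justifying the request
        [Parameter(Mandatory)] [string]   $ApprovedBy,                   # second party who approved it
        [timespan] $Ttl = (New-TimeSpan -Minutes 60)
    )
    # Workflow conditions: candidate list, ticket reference, separate approver, and a cap on the TTL.
    if ($Candidates[$Group] -notcontains $User) { throw "$User is not a candidate for $Group" }
    if ($Ticket -notmatch '^INC\d{6}$')         { throw "Ticket '$Ticket' is not in the expected form INC000000" }
    if ($ApprovedBy -eq $User)                   { throw "Requests cannot be self-approved" }
    if ($Ttl -gt (New-TimeSpan -Hours 8))        { throw "Requested TTL exceeds the 8 hour policy maximum" }

    # The membership link itself carries the TTL; AD removes it when the time is up.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl -Server $BastionForest

    # Audit record: who got what, when it expires, why, and who approved it.
    New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
    [pscustomobject]@{
        User = $User; Group = $Group; Ticket = $Ticket; ApprovedBy = $ApprovedBy
        Granted = Get-Date; Expires = (Get-Date).Add($Ttl); GrantedBy = $env:USERNAME
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
}

function Get-JitMembership {
    # Monitoring view: current members of a group with the seconds remaining on each expiring link.
    param([Parameter(Mandatory)] [string] $Group)
    $members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive -Server $BastionForest).member
    foreach ($m in $members) {
        # Expiring links are returned as '<TTL=<seconds>,<DN>>' (assumed format); permanent members as a plain DN.
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Member = $m; SecondsLeft = $null }   # permanent member: worth reviewing
        }
    }
}

# Example run (constructed values):
#   Grant-JitMembership -User sjones -Group CorpAdmins-Shadow -Ticket INC004711 -ApprovedBy mlee -Ttl (New-TimeSpan -Hours 2)
#   Get-JitMembership -Group CorpAdmins-Shadow
```

The Get-JitMembership view doubles as a control: any member that comes back with no TTL is a permanent assignment, which is exactly what the JIT model is meant to eliminate, so a scheduled run that flags those rows gives the monitoring the article mentions. Note also that the checks in Grant-JitMembership are the workflow; AD itself only enforces the expiry, so the approval, ticket and TTL-cap rules are only as strong as the account that is allowed to run the function.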

JIT administration will be coming to the Windows Server Technical Preview soon, so look out for a how-to on the Petri IT Knowledgebase. JIT admin will also be extended to the cloud by means of Azure Active Directory (AAD).