Active Directory received three major enhancements with the release of Windows Server 2016. This article will review Privileged Access Management, Azure AD Join, and Microsoft Passport.
Microsoft’s biggest focus for Windows Server 2016 is security. You can see this push across each server role. Hyper-V has shielded VMs, application servers have code integrity, and Active Directory Domain Services has Privileged Access Management.
However, the updates to Active Directory in Server 2016 are not completely related to security. Two big features stand out in particular. You should expect to hear a lot about Azure Active Directory Join over the next few months (especially if you support small/medium organizations). The second feature of note is Microsoft Passport. Though it is still a bit early to tell, Microsoft Passport has the potential to remove a lot of user frustrations (and IT concerns) with passwords. Enough with the exposition though. Let’s bite into some meat!
Privileged Access Management in Server 2016Privileged Access Management (PAM) is the Active Directory equivalent of Privileged Access Workstation (PAW). Where PAW focuses on desktop and server resources, PAM targets forest access, security groups, and membership.
At its core, PAM utilizes Microsoft Identity Manager (MIM) and does require an AD forest functional level of 2012R2+. Microsoft believes that an organization with a business use for PAM is an organization that should assume an already-breached AD environment. Because of this, MIM creates a new AD forest when PAM is configured. This AD forest is isolated for the use of privileged accounts. Because MIM creates it, it is free of any malicious activity.
With this secure forest, MIM can now provide the ability to manage and escalate permission requests. Similar to other permission flow applications, like AGPM, MIM provides workflows for administrative privileges through the use of approval requests. When a user is granted additional administrative privileges, he or she is made a member of shadow security groups in the new trusted forest.
Through the use of an expiring links feature, membership to the sensitive security groups is time-controlled. If a user is allotted an hour of additional permissions, the escalated membership is removed after an hour. This timed permission set is stored as a time-to-live value.
All of this is designed to be transparent to the user. By using a forest trust and secondary secure accounts in the new forest, users can receive these additional permissions without having to log off of their primary machines. The Kerberos Key Distribution Center (KDC) is aware of multiple time-bound group memberships. Users in multiple shadow security groups have their Kerberos ticket lifetime limited to the lowest time-to-live value.
What is Azure Active Directory Join?
Azure AD Join is to AD Domain Services as Intune is to SCCM. Azure AD Join is primarily aimed at smaller organizations that do not yet have an Active Directory infrastructure. Microsoft calls these organizations cloud-first/cloud-only organizations.
The core purpose of Azure AD Join is to provide the benefits of an on-premises AD environment without the accompanying complexity. Devices purchased with Windows 10 can be self-provisioned into Azure AD.
This allows an organization without full-time IT staff to manage many of its company resources in-house.
One big potential market for Azure AD Join is education. Currently, Google’s Chromebook is a dominant platform. While there isn’t any doubt that a traditional domain-joined mobile device is more customizable than a Chromebook, price and speed aren’t strong points for Windows devices. A very cheap device capable of joining Azure AD with access to a configurable store and Office 365 apps could do a lot to stop the jump to rival platforms.
Microsoft Passport may take the pain out of passwordsCredential recycling is one of the top security issues targeting users. I think every administrator knows someone who uses the same password across many services. When an employee uses the same username, such as an email address, exploiting a credential chain becomes much easier. Once you have one credential set, you have them all.
Microsoft Passport aims to change that. By utilizing two-factor authentication, Passport can provide more security than a simple password without the complexity of traditional solutions like physical smart cards. It is designed to be paired with Windows Hello (the built-in biometric sign-in for Windows 10 Pro/Enterprise).
Passport’s two-factor authentication is made up of the user’s existing credentials plus a credential specific to the device the user is using (which is linked to the user). Each user on a device has a specific authenticator (called a hello) or a PIN. This provides confirmation that the person entering the credentials is actually the user.
This technology can be deployed in a traditional on-premises AD environment or in Azure AD. In some configurations, you will need a domain controller running Windows Server 2016. By using Microsoft Passport, IT administrators do not have to worry about password recycling as the second authentication method is always required. Excessive password policies (such as longer lengths or shorter expirations) may be modified due to the increased security that Passport provides. An easier logon process can make users quite a bit happier with IT.
Each of these Active Directory improvements targets the ever-widening audience for Windows Server. PAM provides a way to mitigate privilege credential theft in highly secure environments. Azure AD Join provides the benefits of AD to small organizations that lack the funds and infrastructure for an on-premises solution. Finally, Microsoft Passport aims to change the way authentication occurs. By complying with the FIDO alliance, Microsoft Passport can work across a variety of platforms and devices (and hopefully see wide adoption).