• Active Directory Domain Services - Privileged Access Management

    The world of cyber threats becomes more complicated every day, and because the threat is invisible
    in most cases, we need to apply security in layers at different levels to mitigate every feasible
    possibility. PAM was introduced to help mitigate common credential theft threats such as pass-the-hash and spear phishing. PAM requires that you deploy Microsoft Identity Manager (MIM).

    Most Active Directory environments would like to believe that they are completely clean of malicious activity, but the truth is that we can’t be 100 percent sure. For this reason, one of the first things PAM implements is a new bastion forest, which can be guaranteed to be free from malicious activity. A special type of trust, called a PAM trust, is established between the bastion forest and the existing forest. The bastion forest is provisioned by MIM during the initial deployment. Figure 4-6 shows the basic concept of the new forest and the PAM trust established.

    PAM isolates the use of privileged accounts by storing them in this bastion forest, making it more difficult for attackers to gain privileged access. MIM provides
    methods for users to securely request and obtain administrative privileges when they need
    them. After a request is “approved” by MIM’s workflows, a shadow security principal is provisioned in the
    bastion forest. These shadow security principals are “linked” via a reference stored in an Active Directory attribute that points to the SID of a privileged group in the original forest.

    Users can request the privileged access by the following methods:
    • The MIM Services Web API
    • A REST endpoint
    • Windows PowerShell (using the New-PAMRequest cmdlet)

    These simple methods can be integrated into other tools like automation runbooks and ticketing
    systems to provide further control on the overall process.

    Earlier in this chapter, we mentioned the concepts and technology of JIT and JEA; PAM is a way of
    implementing them in your environment. Like JIT and JEA, PAM provides time-bound privileges to the requesting account and, of course, links it to the privileged group that has the necessary permissions to perform the task.

    You also can adjust the Kerberos ticket lifetime to ensure it has the lowest possible Time-to-Live (TTL) value. This way, if you sign in and receive a Kerberos ticket, its lifetime will be bounded by the time remaining of the total time for which PAM has granted you access to the privileged group.

    PAM also comes with a variety of new monitoring features to provide greater insight into
    who requested access, what type of access was actually granted, and, more importantly, what activities
    that person performed during the privileged-access assignment.
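    The request methods listed above and the time-bound grant described in this section, as an added example that is not from the book or from MIM itself. It assumes the MIMPAM client module is installed on a workstation that can reach the MIM service, that the signed-in user is a PAM candidate, and that the role name, justification text and the RequestedTTL unit (seconds) are placeholders or assumptions to be checked against Get-Help New-PAMRequest in your deployment.

```powershell
# Added example (not from the book or from MIM): request time-bound privileged access
# through MIM PAM and confirm that a fresh Kerberos ticket reflects the grant.
# Assumptions: MIMPAM module installed, caller is a PAM candidate, "CorpAdmins" is a
# placeholder role display name, and -RequestedTTL is expressed in seconds.
Import-Module MIMPAM

$roleName   = 'CorpAdmins'   # placeholder; replace with a real PAM role display name
$ttlSeconds = 3600           # ask for one hour; the role's configured TTL caps this

# Get-PAMRoleForRequest returns only roles the caller is a candidate for, so a missing
# role means the user is not authorized for it, not that the name is mistyped.
$role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    throw "Role '$roleName' is not available to $env:USERNAME"
}

# Submit the request. Roles that require approval or MFA block here until the MIM
# workflow completes; the justification is what the approver and the audit trail see.
New-PAMRequest -Role $role `
               -Justification 'Ticket INC-0000 (placeholder): apply patches to DC01' `
               -RequestedTTL $ttlSeconds | Format-List

# List the caller's requests as MIM recorded them; the approved TTL may be shorter than
# what was requested, so check what was actually granted rather than what was asked for.
Get-PAMRequest | Format-List

# The shadow group's SID only appears in the token once a new TGT is issued. Purging the
# ticket cache forces that, and the new ticket's lifetime is bounded by the time left
# on the PAM grant, which is what ties the Kerberos TTL to the privileged-access window.
klist purge
klist tgt
```

    Comparing the TGT expiry shown by klist tgt with the grant's expiry from Get-PAMRequest is a quick way to verify that the ticket lifetime is actually being bounded by PAM rather than by the domain's default policy.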

    You can view this information in MIM or in the Event Viewer, or, if you already have System Center
    Operations Manager 2012 provisioned and use the Audit Collection Services, you can create visualizations of the information. Other third-party tools and Operations Management Suite (OMS)
    will be able to visualize the information in the future, as well.

    Source of information: Microsoft, Introduction Windows Server 2016
