tlktechidentitythoughts

Identity Management Thoughts from the field


MIM 2016: Setting up Privileged Access Management (PAM) in an existing Forest using the built-in PAM Tool

September 7, 2016April 24, 2019 / Ike Ugochuku / 13 Comments

PAM in MIM 2016 is a great tool with one caveat: the released documentation says you have to create another forest and install MIM and PAM in there. That is the best-practice method, and it is something Microsoft has touted for years in AD design: put your privileged groups and accounts in a separate forest. Yet, as far as I know, hardly anyone follows this design recommendation. For IT admins, the fewer forests the better; each forest comes with its own overhead and cost of ownership, and it is difficult to justify to IT management adding a separate forest just for MIM/PAM. Auditors and IT security are ready to accept a workaround control where you monitor membership entry to privileged groups within the single forest. So IT management will give these requirements to the IAM group:

  1. For all applications and systems, define the privileged groups. These groups must exist in AD. We do not want another forest to be set up.
  2. Remove all user accounts from these groups. You could have service accounts in a group, but ideally these groups should be empty, unless an application hardcodes that its application account must be a member of the application group (at the user ACL level) to give the application account the necessary rights in AD or in the application.
  3. All user accounts that need access to these groups must have a means to request access for a specific time duration.
  4. This access must be approved.
  5. The user is notified when access is given and removed.

What I have seen is that companies have a system where you submit a request ticket to security saying "I want access to group XYZ for 2 hrs." This request goes to your manager and to the security team for approval; once both approve, the security team will manually add you to and later remove you from the group. Companies also use CyberArk and other security vendor tools which offer PAM modules (with no requirement for another forest). We can use the PAM tool in MIM 2016 within the same forest to automate this process. The following blog article by Tracy Yu gives good direction on how to do it; I will add my own experience on how to do it. For the purpose of this post I will stay as much as possible with the OOB tools; in another post I have developed a tool in MIM that provides considerable enhancement to the OOB PAM tool. The enhanced PAM tool V1 is available on GitHub.

There are some things to note about PAM in MIM 2016:

  1. The approval is done by the owners of the Role; you cannot stagger the approval so that, say, the manager approves first and then security approves.
  2. PAM works directly in AD: it does the add/remove directly in AD; it does not do it in the MIM Service and then wait for synchronization.
  3. You have to make a user a member (candidate) of a Role before they can request access to that Role.
  4. There is no OOB notification for the requestor unless approval is required.
  5. The removal of the user from the SG is done by the MIM Component service, which by default polls the expired-request queue every 10 minutes. So, depending on when your access request expires, the removal from the SG could take anywhere from 1-10 minutes. You can change this polling time in the C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\Services\Microsoft.IdentityManagement.PrivilegeManagement.exe.config file.

Configuration

We have already installed MIM in TLK's forest; we already use MIM for provisioning and deprovisioning of user and group accounts. We now want to add PAM.

Use this article to add the PAM feature. Its last section covers the sample web application. The sample web application portal is very useful; it gives you the ability to:

  1. Put a justification on a request.
  2. Request less time than the Role maximum.
  3. Specify the date for access.
  4. Extend the time for access.

It is certainly a good tool to deploy. In setting it up take note of:

  1. Which section of the web.config file you place the httpProtocol section in. Put it in the system.webServer section.
  2. Do this:

Change the IIS configuration

There are two ways to change the IIS configuration to allow applications to use Windows Authentication mode. Make sure you are signed in as MIMAdmin and then follow one of these options.

If you want to use PowerShell:

  1. Right click on PowerShell and select Run as administrator.
  2. Stop IIS, unlock the application host settings, and start IIS again using these commands:
    iisreset /STOP
    C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost
    iisreset /START

If you want to use a text editor such as Notepad:

  1. Open the file C:\Windows\System32\inetsrv\config\applicationHost.config
  2. Scroll down to line 82 of that file. The tag value of overrideModeDefault should be
  3. Change the value of overrideModeDefault to Allow
  4. Save the file, and restart IIS with the PowerShell command iisreset /START

Create a PAM group

Take an SG that is already created in AD. It should not exist in the FIM Service. Call that SG "ITAdmins". If it already exists in MIM, the command below will fail. So if you are setting this up in an already existing MIM which has group synchronization with AD, there will be a problem: you will have to rename that group or filter it out of MIM group synchronization. The way MIM PAM was designed, you create a separate MIM just for PAM, so there should be no group information in MIM.

Another alternative, which I would recommend for all SGs that you want to control access to when you use MIM PAM in an existing forest:

  1. Remove all user and group accounts from the SG that you want to control access to.
  2. Create an SG and place it in the "PAM Objects" OU that is created by MIM when you add the PAM feature.
  3. Place the SG you created in the PAM OU as a member of the regular SG that you want to control. So say you want to control the "IT Admins" group: create "IT Admins PAM", place it in the PAM OU, and make "IT Admins PAM" a member of "IT Admins".
  4. Make sure you run the command below before the MIM Group Sync job runs, or turn that job off while you are creating PAM groups.

Run this command from a PS window to create a PAM group:

New-PAMGroup -SourceDomain tlkenterprise.net -SourceGroupName ITAdmins -PrivOnly

So MIM PAM will look in the tlkenterprise domain for the ITAdmins SG, make a shadow copy of it in the MIM system, and enable it for PAM. If you look up the SG in AD you will see

If you look it up in the MIM Portal you will see a new SG has been created called “ITAdmins”

The Owners of the PAM group will be the approvers for any access request to this group.
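The shadow-group process above, scripted as an added example (not code from the original post or from MIM): it reports remaining user members of the controlled group, creates the "<group> PAM" shadow SG in the PAM Objects OU, nests it in the real group, and registers the shadow group with New-PAMGroup. It assumes the RSAT ActiveDirectory and MIMPAM modules on the MIM server, an assumed OU DN for "PAM Objects", and that the shadow group (not the synced original) is the one registered with PAM.

```powershell
# Added example, not from the original post. Run as MIMAdmin on the MIM server.
Import-Module ActiveDirectory
Import-Module MIMPAM

$Domain     = 'tlkenterprise.net'
$PamOu      = 'OU=PAM Objects,DC=tlkenterprise,DC=net'   # assumed DN of the OU MIM created
$Controlled = @('IT Admins')                             # groups to bring under PAM control

foreach ($groupName in $Controlled) {
    $target = Get-ADGroup -Identity $groupName

    # Step 1: the controlled group should be empty of direct user members before PAM
    # takes over. Report them instead of removing them, so the cleanup stays a reviewed step.
    $users = Get-ADGroupMember -Identity $target | Where-Object { $_.objectClass -eq 'user' }
    if ($users) {
        Write-Warning ("'{0}' still has {1} direct user member(s): {2}" -f `
            $groupName, @($users).Count, (@($users).SamAccountName -join ', '))
        continue
    }

    # Step 2: create the shadow SG in the PAM Objects OU (skip if it already exists).
    # Exclude this OU from the MIM AD MA group sync scope, or pause the Group Sync job,
    # so the shadow group never lands in the MIM Service before New-PAMGroup runs.
    $shadowName = "$groupName PAM"
    $shadow = Get-ADGroup -Filter "Name -eq '$shadowName'" -SearchBase $PamOu
    if (-not $shadow) {
        $shadow = New-ADGroup -Name $shadowName -GroupScope Global -GroupCategory Security `
                              -Path $PamOu -PassThru
    }

    # Step 3: nest the shadow group in the real group so PAM-granted membership flows through.
    $nested = Get-ADGroupMember -Identity $target |
              Where-Object { $_.distinguishedName -eq $shadow.DistinguishedName }
    if (-not $nested) {
        Add-ADGroupMember -Identity $target -Members $shadow
    }

    # Step 4: register the shadow group with MIM PAM (same cmdlet and switches as the post).
    New-PAMGroup -SourceDomain $Domain -SourceGroupName $shadow.SamAccountName -PrivOnly
}
```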

Create a PAM Role

PAM Role -> PAM Group -> AD Group

Go to the MIM Portal and click on PAM Roles

Click New

Under PAM Privileges, select the PAM Group that was just created. For PAM Role TTL enter the time in seconds for which a user can be a member of the Role; it must be at least 180, so I would advise making it 240 or above. Check Approval required if you want approval. If you want the group to only be available in a certain time frame, check the availability window and enter it.

Click on the Candidates tab and select which users have rights to request access to this Role.

Click submit

After the Role is created you can go to the advanced view and add the time frame or Role approvers.
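The same Role creation done from PowerShell, as an added example that is not part of the original post: it resolves the PAM group and candidate users, enforces the TTL advice above (at least 180 seconds, 240 recommended), and creates the Role with approval enabled only if it does not already exist. The candidate names are constructed; the parameter names on Get-PAMGroup, Get-PAMUser and the integer-seconds type of New-PAMRole -TTL are assumptions, so check them against Get-Help on your MIM server.

```powershell
# Added example, not from the original post. Run as MIMAdmin on the MIM server.
Import-Module MIMPAM

$RoleName       = 'ITAdmins Role'
$GroupName      = 'ITAdmins'                         # PAM group created with New-PAMGroup
$TtlSeconds     = 240                                # post advises 240 or above
$CandidateNames = @('Alice Admin', 'Bob Operator')   # constructed sample candidates

# Guard the TTL before touching MIM: the portal rejects values under 180 seconds.
if ($TtlSeconds -lt 180) {
    throw "PAM Role TTL must be at least 180 seconds (got $TtlSeconds)"
}

# Resolve the PAM group (parameter name assumed).
$pamGroup = Get-PAMGroup -PrivDisplayName $GroupName
if (-not $pamGroup) { throw "PAM group '$GroupName' not found; run New-PAMGroup first" }

# Resolve candidates; a user must already be a PAM user before they can be a candidate
# (note 3 in the post), so report and skip anyone not yet onboarded.
$candidates = foreach ($name in $CandidateNames) {
    $u = Get-PAMUser -SourceDisplayName $name        # parameter name assumed
    if (-not $u) { Write-Warning "No PAM user for '$name'; add with New-PAMUser first"; continue }
    $u
}
if (-not $candidates) { throw 'No valid candidates resolved; nobody could request this Role' }

# Create the Role only once; re-running the script should not duplicate it.
$role = Get-PAMRole -DisplayName $RoleName
if (-not $role) {
    $role = New-PAMRole -DisplayName $RoleName -Privileges $pamGroup -Candidates $candidates `
                        -TTL $TtlSeconds -ApprovalEnabled $true
}
$role
```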

Submit a PAM access request

Submit Request from the MIM Portal

Go to the MIM Portal and click on PAM Requests

Click New

Click Submit

Submit Request from the Sample PAM Portal

Go to the sample Portal url

http://tlkfimmgr:8090/html/Roles.html

Click Roles; this will show which roles the user is allowed to request access to.

Click Activate

Enter the Justification and time if you want less than the maximum and put the date if you want the access on a specific day.

Click Submit

You can also extend the requested time: click Extend Activation.

When you extend, the extension is counted from the time of the extension request, not from the old expiry. So say the access was to end at 17:50 and I put in a request for a 5-minute extension at 17:48; the new expiration time will be 17:53.
