PAM in MIM 2016 is a great tool with one caveat: the released documentation says you have to create another forest and install MIM and PAM in there. That is a best-practice method and something Microsoft has touted for years as an AD design: put your privileged groups and accounts in a separate forest. Yet as far as I know, hardly anyone follows this design recommendation. For IT admins, the fewer forests the better; each forest comes with its own overhead and cost of ownership, so it is difficult to justify adding a separate forest just for MIM/PAM to IT management. Auditors and IT security are ready to accept a workaround control where you monitor membership entry to privileged groups within the single forest. So IT management will provide these requirements to the IAM group:
- For all applications and systems, define the privileged groups. These groups must exist in AD. We do not want another forest to be set up.
- Remove all user accounts from these groups. You could have service accounts in a group, but ideally these groups should be empty, unless an application hardcodes that its service account must be a member of the application group (at the user ACL level) to give that account the necessary rights in AD or in the application.
- All user accounts that need access to these groups must have a means to request access for a specific time duration.
- This access must be approved.
- The user is notified when access is given and removed.
What I have seen is that companies have a system where you submit a request ticket to security saying "I want access to group XYZ for 2 hrs." This request goes to your manager and to the security team for approval; once both approve, the security team will manually add you to and remove you from the group. Companies also use CyberArk and other security vendor tools which offer PAM modules (with no requirement for another forest). We can use the PAM tool in MIM 2016 within the same forest to automate this process. The following blog article by Tracy Yu gives good direction on how to do it; I will add my own experience on how to do it. For the purpose of this post I will stay as much as possible with the OOB tools; in another post I have developed a tool in MIM that provides considerable enhancement to the OOB PAM tool. The enhanced PAM tool V1 is available on GitHub.
There are some things to note about PAM in MIM 2016:
- The approval is done by the owners of the Role; you cannot stagger the approval so that, say, the Manager approves first and then Security approves.
- PAM works directly in AD: it does the add/remove directly in AD, it does not do it in the MIM Service and then wait for synchronization.
- You have to make a user a member of a Role before they can select access to that Role.
- There is no notification OOB for the requestor unless approval is required.
- The removal of the user from the SG is done by the MIM Component service, which by default polls the expired-request queue every 10 minutes. So depending on when your access request expires, the removal from the SG could take anywhere from 1-10 minutes. You can change this polling time in the C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\Services\Microsoft.IdentityManagement.PrivilegeManagement.exe.config file.
Configuration
We have already installed MIM in TLK’s forest, we already use MIM for provisioning and deprovisioning of user and group accounts. We now want to add PAM.
Use this article to add PAM. Its last section covers the sample web application. The sample web application portal is very useful; it gives you the ability to:
- Put a justification on a request.
- Request less time than the Role maximum.
- Specify the date for access.
- Extend the time for access.
It is certainly a good tool to deploy. In setting it up, take note of:
- Which section of the web.config file the httpProtocol section goes in: put it in the system.webServer section.
- Do the following:
Change the IIS configuration
There are two ways to change the IIS configuration to allow applications to use Windows Authentication mode. Make sure you are signed in as MIMAdmin and then follow one of these options.
If you want to use PowerShell:
- Right click on PowerShell and select Run as administrator.
- Stop IIS and unlock the application host settings using these commands
iisreset /STOP
C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost
iisreset /START
If you want to use a text editor such as Notepad:
- Open the file C:\Windows\System32\inetsrv\config\applicationHost.config
- Scroll down to line 82 of that file. The tag value of overrideModeDefault should be
- Change the value of overrideModeDefault to Allow
- Save the file, and restart IIS with the PowerShell command iisreset /START
Create a PAM group
Take an SG that is already created in AD; it should not already exist in the FIM Service. Call that SG “ITAdmins”. If it already exists in MIM, the command below will fail. So if you are setting this up in an already existing MIM that has group synchronization with AD, there would be a problem: you will have to rename that group or filter it out of MIM group synchronization. MIM PAM was designed on the assumption that you create a separate MIM just for PAM, so there should be no group information in MIM.
An alternative, which I would recommend for all SGs that you want to control access to when you use MIM PAM in an existing forest:
- Remove all user and group accounts from the SG that you want to control access to.
- Create an SG and place it in the “PAM Objects” OU that is created by MIM when you add the PAM feature.
- Place the SG you created in the PAM OU as a member of the regular SG that you want to control. So say you want to control the “IT Admins” group: create “IT Admins PAM” and place it in the PAM OU. Make “IT Admins PAM” a member of “IT Admins”.
- Make sure you run the command below before the MIM Group Sync job runs, or turn that job off while you are creating PAM groups.
Run this command from a PS window to create a PAM group:
New-PAMGroup -SourceDomain tlkenterprise.net -SourceGroupName ITAdmins -PrivOnly
So MIM PAM will look in the tlkenterprise domain for the ITAdmins SG, make a shadow copy in the MIM system and enable it for PAM. If you look up the SG in AD you will see
If you look it up in the MIM Portal, you will see that a new SG has been created called “ITAdmins”.
The Owners of the PAM group will be the approvers for any access request to this group.
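The nesting approach above, scripted end to end, as an added example that is not part of the original post. It assumes the ActiveDirectory and MIMPAM modules are available on the MIM server; the group names, the SAM account name and the DN of the “PAM Objects” OU are placeholders for your own environment.

```powershell
# Added example (not from the original post): nest a dedicated PAM group into an
# existing SG and register it with MIM PAM, following the steps above.
# Assumes the ActiveDirectory and MIMPAM modules are installed on the MIM server.
Import-Module ActiveDirectory
Import-Module MIMPAM

$Domain      = 'tlkenterprise.net'                      # source domain used in the post
$TargetGroup = 'IT Admins'                              # existing SG whose access is controlled
$PamGroup    = 'IT Admins PAM'                          # new SG that PAM will manage
$PamSam      = 'ITAdminsPAM'                            # its sAMAccountName (placeholder)
$PamOU       = 'OU=PAM Objects,DC=tlkenterprise,DC=net' # OU created when PAM is added (DN assumed)

# 1. Empty the controlled group: PAM should become the only path into it.
$members = Get-ADGroupMember -Identity $TargetGroup
if ($members) {
    Remove-ADGroupMember -Identity $TargetGroup -Members $members -Confirm:$false
}

# 2. Create the PAM-managed SG in the PAM Objects OU (skip if it already exists).
if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$PamSam'" -SearchBase $PamOU)) {
    New-ADGroup -Name $PamGroup -SamAccountName $PamSam `
        -GroupCategory Security -GroupScope Global -Path $PamOU
}

# 3. Nest the PAM group into the controlled group. Membership that PAM grants
#    in 'IT Admins PAM' flows to 'IT Admins' through this nesting.
Add-ADGroupMember -Identity $TargetGroup -Members $PamSam

# 4. Register the PAM group with MIM before the MIM group sync job runs;
#    New-PAMGroup fails if MIM already knows the group.
New-PAMGroup -SourceDomain $Domain -SourceGroupName $PamSam -PrivOnly

# 5. Verify: MIM should now report the shadow group as a PAM group.
Get-PAMGroup -PrivilegedGroupName $PamSam
```

Running the script a second time is safe for steps 1 to 3; step 4 will fail once the group exists in MIM, which is the same failure the post describes for a group that was already synchronized.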
Create a PAM Role
PAM Role -> PAM Group -> AD Group
Go to the MIM Portal and click on PAM Roles.
Click New.
Under PAM Privileges, select the PAM Group that was just created. For PAM Role TTL enter the time in seconds for which a user can be a member of the Role; it should be at least 180, so I would advise making it 240 or above. Check Approval required if you want approval. If you want the group to only be available in a certain time frame, check the availability window and enter the time frame.
Click on the Candidates tab and select which users have rights to request access to this Role.
Click Submit.
After the Role is created you can go to the advanced view and add the time frame or Role approvers.
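The same Role creation from PowerShell, as an added example (not from the original post) that also registers the candidates and approvers as PAM users first, since the post's comment thread notes that New-PAMUser is needed when MIM is not already provisioning users. Role, group and account names are placeholders; the -PrivOnly switch on New-PAMUser is assumed to mirror its use on New-PAMGroup in the post.

```powershell
# Added example (not from the original post): create the PAM Role from PowerShell.
# Assumes the MIMPAM module on the MIM server; names below are placeholders.
Import-Module MIMPAM

$Domain     = 'tlkenterprise.net'
$RoleName   = 'IT Admins'
$GroupName  = 'ITAdmins'            # PAM group created earlier with New-PAMGroup
$Candidates = @('jsmith', 'mlee')   # users allowed to request the role (placeholders)
$Approvers  = @('secadmin')         # role owners who approve requests (placeholder)
$TTL        = 3600                  # seconds; the post advises at least 240

# Candidates and approvers must already be PAM users. In the single-forest case
# that means New-PAMUser ... -PrivOnly (switch assumed, see lead-in).
foreach ($sam in (($Candidates + $Approvers) | Sort-Object -Unique)) {
    if (-not (Get-PAMUser -PrivilegedAccountName $sam -ErrorAction SilentlyContinue)) {
        New-PAMUser -SourceDomain $Domain -SourceAccountName $sam -PrivOnly
    }
}

$pamGroup = Get-PAMGroup -PrivilegedGroupName $GroupName
$cands    = $Candidates | ForEach-Object { Get-PAMUser -PrivilegedAccountName $_ }
$apprs    = $Approvers  | ForEach-Object { Get-PAMUser -PrivilegedAccountName $_ }

# PAM Role -> PAM Group -> AD Group: the role grants the PAM group, which is
# nested inside the AD group being protected.
$role = New-PAMRole -DisplayName $RoleName `
                    -Privileges $pamGroup `
                    -Candidates $cands `
                    -TTL $TTL `
                    -ApprovalEnabled `
                    -Approvers $apprs

# Optional availability window, the equivalent of the portal checkbox:
# Set-PAMRole -Role $role -AvailabilityWindowEnabled `
#     -AvailableFrom (Get-Date '08:00') -AvailableTo (Get-Date '18:00')

$role | Format-List DisplayName, TTL, ApprovalEnabled
```

Keeping the approver list separate from the candidate list matters here: the post points out that approval is done by the Role owners and cannot be staggered, so whoever you put in $Approvers is the whole approval chain.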
Submit a PAM access request
Submit Request from the MIM Portal
Go to the MIM Portal and click on PAM Requests.
Click New
Click Submit
Submit Request from the Sample PAM Portal
Go to the sample portal URL:
http://tlkfimmgr:8090/html/Roles.html
Click Roles; this will show which roles the user is allowed to request access to.
Click Activate.
Enter the justification, the time if you want less than the maximum, and the date if you want the access on a specific day.
Click Submit.
You can also extend the requested time. Click Extend Activation.
When you extend, the expiration time will start from the time of the request. So say it was to end at 17:50 and I put in a request for an extension of 5 minutes at 17:48, then the new expiration time will be 17:53.
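The request and approval flow from PowerShell, as an added example that is not from the original post. It also reads back the request's expiration stamp, which is the attribute the component service polls and, as the comment thread below shows, the first thing to check when a user is removed earlier than expected. The MIMPAM module is assumed, the justification text is a placeholder, and the property names on the request object (Justification, Status, CreationTime, ExpirationTime) are assumptions.

```powershell
# Added example (not from the original post): submit a PAM request, approve it
# as a role owner, and sanity-check the expiration stamp against the server clock.
# Assumes the MIMPAM module; names and the justification are placeholders.
Import-Module MIMPAM

$RoleName      = 'IT Admins'
$Justification = 'CR-PLACEHOLDER: patch window on file servers'
$RequestedTTL  = 1800   # seconds; may be less than the Role TTL, never more

# --- requester side --------------------------------------------------------
$role = Get-PAMRole -DisplayName $RoleName
$req  = New-PAMRequest -Role $role -Justification $Justification -RequestedTTL $RequestedTTL
# Add -RequestedTime (Get-Date '2024-01-15 09:00') to schedule access for a later date.

# --- approver side (run as a Role owner) -----------------------------------
foreach ($p in Get-PAMRequestToApprove) {
    # Approve only the request you expect; the justification is the signal.
    if ($p.Justification -eq $Justification) {
        Set-PAMRequestToApprove -Request $p -Approve
    }
}

# --- verify timing ----------------------------------------------------------
# The component service removes the membership once ExpirationTime has passed,
# polling every 10 minutes by default. If the portal time zone is wrong, the
# expiration lands in the past or far in the future, which shows up here.
$mine = Get-PAMRequest |
        Where-Object { $_.Justification -eq $Justification } |
        Select-Object -First 1
$mine | Format-List Role, Status, CreationTime, ExpirationTime

$skew = ($mine.ExpirationTime - (Get-Date)).TotalSeconds - $RequestedTTL
if ([math]::Abs($skew) -gt 60) {
    Write-Warning "ExpirationTime differs from the requested TTL by $([int]$skew) seconds; check the MIM Portal time zone and the server clock."
}
```

The 60-second tolerance covers the time between submitting and checking; anything larger points at the clock or time zone problem discussed in the comments rather than at the polling interval.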
Pingback: MIM 2016 and PAM Goodness - Scott Eastin
Thanks for this beautifully written article.
Still one doubt: how did you choose the users? In your scenario I agree we are already using MIM for a lot of other things like provisioning. But if someone is not doing the same, then we need to run the New-PAMUser cmd. Let me know if I am right?
That is correct
Hello,
Thank you for a wonderful post.
I have a question. In my scenario I have a main forest abc.no and a child domain pqr.abc.no (this is where all the users are stored). As part of PAM I created a bastion forest xyz.priv and have a separate MIM.
When establishing a trust, do I need to establish it between abc.no and xyz.priv, or between the child domain and xyz.priv?
I am actually confused here, as if I do it at the forest level, will the trust extend to the child domain, as all users are there and all the IT admins as well?
Please assist.
The solution is for the use case of one forest, no bastion.
Hi Ike, I have set all this up, and while the groups are being updated, the component service removes the user before the expiration of the request. Any ideas?
Checking the polling time? Check that the server system clock matches the MIM time? Check the TTL, it's in seconds?
Wow, thanks for coming back so quickly. The TTL is set to 3600 (1 hour). I haven't changed the default polling time, so it should be 10 minutes. I will confirm the system clock, though I have been making the requests directly from the MIM server.
Do you know of any way to log the actions of the component service? Or how it determines when to remove the user?
Thanks for the pointer. I fell for the old gotcha in a dev environment: I hadn't updated the time zone in the MIM Portal. I have since tested, and it's working as expected.
Unfortunately there is no option to log the component service. Take a look at my GitHub tool; it has more explanation. The component monitors the expiration time attribute of the PAM request; you have to see what the time stamp is on that attribute. That will give you an idea of how MIM is calculating the expiration time and whether it's what you expect.
Hi Ike, we have set up a greenfield environment for the PAM bastion. We are not shadowing users from Corp; all privileged accounts are created in the bastion. To save privileged users logging in through jump servers to check if they have requests to approve or to see if their requests have been approved, how can PAM be configured to send notifications to the various actors? We are planning to implement an SMTP gateway in the bastion.
Thanks Jeff.
I have a customized version of the PAM tool. The links are in the post. You can shape it any way you like.
Thanks Ike 🙂