PAM in MIM 2016 is a great tool with one caveat, the released documentation says you have to create another forest, install MIM and PAM in there. That is a best practice method and is something Microsoft has touted for years for an AD design. Put your privileged groups and accounts in a separate forest. Yet as far as I know, hardly anyone follows this design recommendation. For IT Admins, the less forests the better, each forest comes with its own overhead and cost of ownership that it is difficult to justify add a separate forest just for MIM/PAM to IT management. Auditors and IT security are ready to accept a work around control where you monitor membership entry to privileged groups with the single forest. So IT Management will provide these requirements to IAM group
- For all applications and systems, define the privileged groups. These groups must exist in AD. We do not want another forest to be setup.
- Remove all user accounts from these groups, you could have service accounts in the group, but ideally these groups should be empty. Unless it is hardcoded in an application that the application account is a member of the application group user ACL level to give the application account the necessary rights in AD or the application.
- All user accounts that need access to these groups must have a means to request access for a specific time duration.
- This access must be approved
- User is notified when access is given and removed.
What I have seen is that companies have a system where you submit a request ticket to security saying I want access to group XYZ for 2 hrs. This request goes to your manager and to security team for approval, once both approve, security team will manually add and remove you from/to the group. Companies also user CyberArk and other security vendor tools which offer PAM modules (with no requirement for another forest). We can use the PAM tool in MIM 2016 within the same forest to automate this process. The following blog article by Tracy Yu gives good direction on how to do it, I will add my own experience on how to do it. For the purpose of this post I will stay as much as possible with the OOB tools, in another post I have developed a tool in MIM that provides considerable enhancement to the OOB PAM tool. The enhanced PAM tool V1 is available on Github.
There are somethings to note about PAM in MIM 2016
- The approval is done by the owners of the Role, you cannot stagger the approval, so say Manager approves first then Security approves.
- PAM works directly in AD, it does the add/remove directly in AD, it does not do it in the MIM service and then wait for synchronization.
- You have to make a user a member of a Role before they can select access to a Role.
- There is no notification OOB for the requestor unless approval is required.
- The removal of the user from the SG is done by the MIM Component service which has a default polling time of the expired request queue every 10minutes. So it all depends on when your access request expires, the removal from the SG could take anywhere from 1-10 minutes. You can change this polling time in the C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\PAM\Services\ Microsoft.IdentityManagement.PrivilegeManagement.exe.config file.
We have already installed MIM in TLK’s forest, we already use MIM for provisioning and deprovisioning of user and group accounts. We now want to add PAM.
Use this article to add the PAM. There is the last section on the sample web application. There is a sample web application portal which very useful, it will give the advantage of
- Put justification to a request.
- You can request for less time that the Role Max
- You can specify the date for access.
- You can extend the time for Access.
It is a certainly a good tool to deploy. In setting it up take note about
- What section in the web config file that you will place the httpProtocol section. Put it in the system.webserver section
- Do this
Change the IIS configuration
There are two ways to change the IIS configuration to allow applications to use Windows Authentication mode. Make sure you are signed in as MIMAdmin and then follow one of these options.
If you want to use PowerShell:
- Right click on PowerShell and select Run as administrator.
- Stop IIS and unlock the application host settings using these commands
iisreset /STOP C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost iisreset /START
If you want to use a text editor such as Notepad:
- Open the file C:\Windows\System32\inetsrv\config\applicationHost.config
- Scroll down to line 82 of that file. The tag value of overrideModeDefault should be
- Change the value of overrideModeDefault to Allow
- Save the file, and restart IIS with the PowerShell command iisreset /START
Create a PAM group
Take an SG that is already created in AD. It should not to exist in FIM Service. Call that SG “ITAdmins”. If it already exists in MIM, the command below will fail. So if you are setting this up in your already existing MIM which has group synchronization with AD, there would be a problem. You will have to rename or filter out that group from MIM group synchronization. The way MIM PAM was designed is that you are to create a separate MIM just for PAM so there should be no group information in MIM.
Another alternative, and I would recommend this process for all SGs that you want to control access to when you use MIM PAM in an existing forest.
- Remove all user and group accounts in the SG that you want to control access to.
- Create an SG, place it in the “PAM Objects” OU that is created by MIM when you add the PAM feature.
- Place the SG you created in the PAM OU as a member in the regular SG that you want to control. So say you want to control “IT Admins” group, create “IT Admins PAM” and place in the PAM OU. Make “IT Admins PAM” a member of “IT Admins”.
- Make sure you run the command below before the MIM Group Sync job runs or you turn it off while you are creating PAM Groups.
Run this command from a PS window to create a PAM Group
New-PAMGroup -SourceDomain tlkenterprise.net -SourceGroupName ITAdmins –PrivOnly
So MIM PAM will look in the tlkenterprise domain for ITAdmins SG and then it will make a shadow copy in the MIM system, it will enable it for PAM. So if you look up the SG in AD you will see
If you look it up in the MIM Portal you will see a new SG has been created called “ITAdmins”
The Owners of the PAM group will be the approvers for any access request to this group.
Create a PAM Role
PAM Role -> PAM Group -> AD Group
Go to the MIM Portal click on PAM Roles
Under PAM Privileges, select the PAM Group that was just created. For PAM Role TTL enter the time in seconds for which a user can be member of a Role, it should be at least 180 so I would advise to make it 240 and above. Check Approval required if you want approval. If you want the group to only be available in a certain time frame enter check the availability window.
Click on the candidates tab and select which user has rights to request access to this Role.
After the Role is created you can go to the advanced view and add the time frame or Role approvers.
Submit a PAM access request
Submit Request from the MIM Portal
Go to the MIM Portal click on PAM Requests
Submit Request from the Sample PAM Portal
Go to the sample Portal url
Click Roles, this will show which roles the user is allowed to request access.
Enter the Justification and time if you want less than the maximum and put the date if you want the access on a specific day.
You can also extend the requested time. Click extend Activation
When you extend, the expiration time will start from the time of request. So say it was to end at 17:50pm, I put a request for an extension of 5 minutes at 17:48, then the new expiration time will be 17:53pm.
13 thoughts on “MIM 2016: Setting up Privileged Access Management (PAM) in an existing Forest using the built-in PAM Tool”
Pingback: MIM 2016 and PAM Goodness - Scott Eastin
Thanks for this beautifully written article.
Still one doubt , how did you choose the users. In your scenario i agree we are already using MIM for lot of other things like Provisioning. But if someone is not doing the same then we need to run new-pamuser cmd. Let me know if am right ?
That is correct
Thank you for a wonderful post.
I have a question , in my scenario i have a main forest abc.no and a child domain pqr.abc.no( this is where all the users are stored) as a part of PAM i created a bastian forest xyz.priv and have seperate MIM.
When establishing a trust do i need to establish between abc.no and xyz.priv or the child domain and xyz.priv?
I am actually confused here as if i do at forest level will the trust extend till child domain as all users are there and all the IT admins as well.
The solution is for use case of one forest no bastian
Hi Ike, I have set all this up, and while the groups are being updated, the component service removes the user before the expiration of the request. Any ideas?
checking polling time? check the server system clock matches MIM time? Check the TTL, its in seconds?
Wow thanks for coming back so quickly. The TTL is set to 3600 (1 Hour). I havent changed the default polling time, so should be 10 minutes. I will confirm the system clock, though I have been making the requests directly from the MIM server.
Do you know of any way to log the actions of the component service? Or how it determines when to remove the user?
Thanks for the pointer – I fell for the old gotcha in a Dev environment – I hadnt updated the Timezone in the MIM Portal. I have since tested, and its working as expected.
unfortunately there is no option to log the component service. Take a look at my Github tool it has more explanation. The component monitors the expiration time attribute of the PAM request, you have to see what the time stamp is on that attribute, that will give you an idea of how MIM is calculating the expiration time and if its what you expect.
LikeLiked by 1 person
Hi Ike…We have set up a greenfields environment for the PAM Bastion. We are not shadowing users from Corp…all Privileged accounts are created in the Bastion. To save privileged users logging in through jump servers to check if they have requests to approve or to see if their requests have been approved, how can PAM be configured to send notifications to the various actors. We are planning to implement an SMTP gateway in the Bastion.
I have a customized version of the PAM tool. The links are in the post. You can shape it anyway you like.
Thanks Ike 🙂