The Road to PAM

How can an administrator introduce PAM? First, you need to wait for the final version of Windows Server 2016 (expected 2016Q3). Microsoft Identity Manager was released in August 2015. As of this writing, neither the PowerShell cmdlets nor the other administrative interfaces were fully available.

To implement PAM, you first need to define which groups you want to protect and what processes will be necessary to provide the required authorizations. For example, you could specify for the present members of the domain administrator group that privileges can be requested without an additional approval step, possibly insisting on multifactor authentication, whereas administrators of specialist applications will need to pass through an approval step, possibly involving change requests.

After defining these points, you need to put some thought into the infrastructure of the PAM forest. The principle here is that less is more; however, the infrastructure needs to be redundant and globally accessible. The same thing applies to your firewall configurations that need to allow communication with the PAM environment.

Finally, you need to set up the PAM environment, the trust relation, and the MIM, while ensuring that synchronization with MIM works as intended. This applies in particular to creating the Shadow Principals and their SIDs. You can then move on to testing the processes that allow users to request authorizations.

If all of this works, you can remove some initial memberships from the test group and ask the users to request these memberships by way of the PAM environment. You then repeat this step for other groups.

Conclusions

Privileged Access Management offers an interesting and secure alternative to the previous, static assignment of administrative privileges. To allow this to happen, underlying technologies such as Active Directory, the logon services (SAM), and Kerberos have been updated. Single- or multiple-step processes to receive privileges can be mapped using the Microsoft Identity Management Server.

Although this involves a minor obstacle for administrators who need authorizations on a daily basis, the question is whether every single active activity really needs to be performed with escalated privileges; perhaps you can enforce the use of a dedicated account, thanks to PAM.

If you use a non-administrative account for surfing the Internet and processing email, you can reduce the attack surface that you offer to malicious code such as viruses. Enterprises would thus do well to investigate the options that PAM offers.