Microsoft Azure AZ-801 — Section 4: Secure a hybrid Active Directory (AD) infrastructure Part 3
34. Configure authentication policy silos
Let’s talk about the concept of authentication policy silos.
So, an authentication policy silo is basically a container to which administrators can assign specific user accounts, computer accounts, or even service accounts. Then, using a policy, the admin can control that those accounts can only authenticate to certain devices, like certain servers. For example, imagine I had a user, maybe a service account or something that’s associated with Microsoft Exchange, and I only want that user ever authenticating with Microsoft Exchange.
If somehow a hacker got access to the password, some kind of identity theft scenario where they’ve gotten the admin’s password and compromised it somehow, that account is only going to authenticate against that Exchange server. So, this is going to prevent that account from being used for anything else unless the account is removed from the authentication silo. You’re basically linking the account to this thing called the authentication silo. Once it’s linked, whatever the policy says you can authenticate with is the only thing you can authenticate with at that point. So, that’s the idea.
Let’s see how we can create an authentication policy silo. So, here we are on NYC-DC1, and I am going to open up Server Manager, go to Tools, and go to Group Policy Management. Once we’re in Group Policy Management, let’s just create a GPO. I’ll call this Auth Silo Demo. And I’m going to edit that GPO. From there, I’m going to go under Computer Configuration, Policies, Administrative Templates, then System, and we’re going to go down to KDC. That’s the Key Distribution Center.
Under KDC, there is a policy called KDC support for claims, compound authentication and Kerberos armoring. This gets into giving out Kerberos tickets, essentially. In order to support the authentication policy silo feature, you have to enable this support for claims, because the feature uses the system known as claims. And we’re going to configure this to always provide claims. So, that’s what it needs to be set to. Then we’re going to go ahead and click OK. We’ve turned that policy on now.
Now we’re going to go back into Administrative Templates, under System again, and this time we’re going to go to Kerberos. So if you got lost, that’s how you get there. The policy we’re looking for here is called Kerberos client support for claims. So, we’re going to turn that on. This is going to allow client machines to support these claims. At that point, we’ll click OK and close out of that.
So, from there, we can associate this GPO with our servers if we want. This is going to allow the servers to support client claims authentication, if it’s servers that you’re wanting to manage this on. And then also our domain controllers, so we can attach it to those two things.
Now, I’m going to minimize this and go to Server Manager. We’re going to go to Tools and open up ADAC, the Active Directory Administrative Center, because this is not something you can do through Active Directory Users and Computers, which is the old system. I say it’s old, but ADAC has been around now for what, 15 years, I think. So, it’s kind of old itself, to be honest with you. But anyway, here we are.
So, looking here, we’re going to click on Authentication. From there you’ll see we have Authentication Policies. If I right click that and say New, I’ll choose Authentication Policy. It wants a display name, so I’m going to call this Exchange AP. And we’ll leave that set to Enforce policy restrictions. Let’s see if there’s anything else here I need to do. Yeah, Enforce policy restrictions. So, we’ve got that set correctly.
Now, I’m going to go to the left here. We’re going to click on User Sign On, and then we’re going to go right here where it says Specify a Ticket-Granting Ticket lifetime for user accounts. We’ll just set that to 240 minutes. So, that’s going to be the ticket lifetime that applies when they make their authentication request. From there, I am going to click OK. And I should see that the policy is available right here if I double click on it. So, as you can see, it is available.
Now let’s go for the silo. So, back here in Server Manager, clicking on Authentication, you’ll see we have Authentication Policy Silos. We’re going to right click that and say New, Authentication Policy Silo. Let’s just call this Restricted Exchange Administrators. And we’ll set that to Enforce. So, this is not going to be auditing. It’s going to be turned on and officially enforced. Let me just double check everything else here.
So, underneath here where it says Authentication Policy, we’re going to change this to Use a single policy for all principals that belong to this authentication policy silo. That is just all accounts that are associated with it, and we’re going to select our Exchange AP here. From there, we will click OK. And let’s just double click on it and make sure it was created. Yep, looks like it is officially there.
So, now let’s take a look at our users. I’m going to jump right here on Exam Lab Practice and click on Users, and I can see all my users. Now, what I’m going to do is create a user. We’ll just call this, let’s say, Exchange User1. The username will just be Exchange User1. Give it a password. And now, most important, we’re going to go over to Silo, and we’re going to assign our policy silo here. So, we’ll click Assign. And there it is, Restricted Exchange Admin. So, we’ll click OK. And that’s been assigned. Granted, if the account had already existed, I could have just done that by double clicking on the user and then going to Silo. And then there it is. So, that is how we do it.
So, now, based on what we’ve done, if we go back to our GPO: whatever container the GPO is attached to, whatever servers are associated with that container, that user can authenticate with those servers, but that user cannot authenticate with anything else. That’s it. So, we’ve created this restricted user account that can only authenticate with those servers, and that is the idea of using the authentication policy silo.
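The same policy and silo can be created with the ActiveDirectory PowerShell module instead of ADAC. This is an added example, not part of the original lesson; the policy and silo names follow the walkthrough, and the sAMAccountName `exchangeuser1` is an assumption.

```powershell
# Added example: PowerShell equivalent of the ADAC steps in this lesson.
# Requires the ActiveDirectory module (RSAT) and a domain functional level
# of Windows Server 2012 R2 or later.
Import-Module ActiveDirectory

$policyName = 'Exchange AP'                          # policy name used in the lesson
$siloName   = 'Restricted Exchange Administrators'   # silo name used in the lesson
$userSam    = 'exchangeuser1'                        # assumed sAMAccountName

# 1. Authentication policy: enforced, user TGT lifetime of 240 minutes.
New-ADAuthenticationPolicy -Name $policyName -Enforce -UserTGTLifetimeMins 240

# 2. Silo: enforced (not audit-only). "Use a single policy for all principals"
#    corresponds to pointing the user, computer and service slots at one policy.
New-ADAuthenticationPolicySilo -Name $siloName -Enforce `
    -UserAuthenticationPolicy     $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy  $policyName

# 3. Silo membership has two sides: the silo must permit the account,
#    and the account must have the silo assigned.
$user = Get-ADUser -Identity $userSam
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $user
Set-ADAccountAuthenticationPolicySilo -Identity $user -AuthenticationPolicySilo $siloName

# 4. Verify both sides before relying on the restriction.
$silo     = Get-ADAuthenticationPolicySilo -Identity $siloName
$assigned = (Get-ADUser -Identity $userSam -Properties 'msDS-AssignedAuthNPolicySilo').'msDS-AssignedAuthNPolicySilo'

[pscustomobject]@{
    Silo             = $silo.Name
    Enforced         = $silo.Enforce
    AccountPermitted = $silo.Members -contains $user.DistinguishedName
    SiloAssigned     = $assigned -eq $silo.DistinguishedName
}
```

If `AccountPermitted` or `SiloAssigned` comes back `False`, the account is not fully inside the silo and the policy will not apply to it.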
35. Restrict access to domain controllers
Let’s go over the concepts now of restricting access to a domain controller.
Now, to do that, we’re going to use group policies. So, here we are on NYC-DC1, and we’re going to open up Server Manager, go to Tools, and then go into Group Policy Management. Once you’re in Group Policy Management, here is our Domain Controllers OU. We’re just going to expand that out. We have a GPO already attached here called Default Domain Controllers Policy. That is automatic. When you install a Microsoft domain, you are always going to have that GPO automatically. So, I just right click and choose Edit. Now I’m going to go under Computer Configuration, Policies, Windows Settings, and then Security Settings. Then I’m looking at where it says Local Policies, and we’re going to go to User Rights Assignment.
Now, you can see the default policy settings for domain controllers right out of the gates here. So, the main thing is Access this computer from the network. You will notice that Everyone can actually access this computer from the network, including accessing shares and all that. So, normally what you’d want to do is get rid of the Everyone group and only allow admins and so on.
Now, you do need to consider the fact that for authentication you’ll have the Authenticated Users group, but you don’t need the Everyone group. The next thing would be Allow log on locally. That’s a big one. You’ll notice that regular users cannot log on locally to a domain controller. So, that’s fine. But look at all these other groups that can: Print Operators, Server Operators, Backup Operators.
Now, Backup Operators and Administrators are really the two that are recommended in a high-security environment. The reason Backup Operators is recommended is because backup operators need to be able to back up data in Active Directory. So, backing up the Active Directory database, which is the AD DS file that’s located on your operating system. Not that I’m getting into backing up Active Directory in this video, but just throwing that out there. So Administrators and Backup Operators, those are the two big ones that you would want to keep in mind. Lastly, you also have a Deny log on locally capability. If you combine the two, Allow log on locally and then Deny, the deny will overrule the allow.
So, this is sort of like a guarantee scenario. For example, let’s say I had a user named John Smith who’s a member of Backup Operators. John Smith is a backup operator for a bunch of our other servers, but we never want John Smith being able to back up domain controllers, for whatever reason. Well, what we could do is allow Backup Operators, and then go in here and deny John Smith. That would explicitly deny John Smith from being able to back up domain controllers, but it wouldn’t deny John Smith from backing up other stuff. Whereas if you denied the Backup Operators group, it would deny all backup operators, so anybody that’s a member of that group. And so that is how that works.
The last thing is Allow log on through Remote Desktop Services. This is going to allow somebody to remote desktop into this machine. Right now, there are no restrictions on that at all. So, pretty much anybody who has the ability to do the Allow log on locally and all that can also connect in through remote desktop. You can be explicit about that if you want, or you can explicitly deny who you don’t want to be able to connect through remote desktop.
So, those are your different policies for that. Keep in mind that these policies are assigned to the Domain Controllers OU. If you needed to have different policies for different domain controllers, you would need to create maybe a sub-OU of some kind and have different GPOs assigned to the sub-OUs. But those are the policies you’d want to keep in mind if you wanted to restrict access to domain controllers.
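To check what a domain controller actually ends up with after the GPO applies, the four rights discussed above can be exported and reviewed. This is an added example, not part of the original lesson; it flags Everyone on network access and anything beyond Administrators and Backup Operators on local logon, following the recommendations in this section.

```powershell
# Added example. Run elevated on a domain controller; it only reads settings.
$rights = @{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeDenyInteractiveLogonRight   = 'Deny log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
}
$everyone     = 'S-1-1-0'
$allowedLocal = 'S-1-5-32-544', 'S-1-5-32-551'   # Administrators, Backup Operators

# Entries in the export are either *SID or a plain account name.
function Resolve-Principal([string]$Entry) {
    $Entry = $Entry.Trim()
    $sid = ''; $name = $Entry
    try {
        if ($Entry.StartsWith('*')) {
            $sid  = $Entry.Substring(1); $name = $sid
            $name = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value
        } else {
            $sid = ([Security.Principal.NTAccount]$Entry).Translate([Security.Principal.SecurityIdentifier]).Value
        }
    } catch { }   # keep whatever could be resolved
    [pscustomobject]@{ Sid = $sid; Name = $name }
}

$cfg = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$report = foreach ($line in Get-Content $cfg) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.+)$') { continue }
    $right, $value = $Matches[1], $Matches[2]
    if (-not $rights.ContainsKey($right)) { continue }
    foreach ($entry in ($value -split ',')) {
        $p = Resolve-Principal $entry
        $finding = ''
        if ($right -eq 'SeNetworkLogonRight' -and $p.Sid -eq $everyone) {
            $finding = 'Everyone has network access'
        } elseif ($right -eq 'SeInteractiveLogonRight' -and $p.Sid -notin $allowedLocal) {
            $finding = 'Beyond Administrators and Backup Operators'
        }
        [pscustomobject]@{ Policy = $rights[$right]; Account = $p.Name; Finding = $finding }
    }
}
Remove-Item $cfg
$report | Sort-Object Policy, Account | Format-Table -AutoSize
```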
36. Configure account security
Now, when it comes to account security for your users, there’s a couple of considerations there.
Number one, if I go to Server Manager on my domain controller and go to Tools, Active Directory Users and Computers, from there I can choose a specific user that I’m wanting to restrict or manage. I’ll just create a user real quick here. I’m going to right click Users and create a user named John Smith. We’ll just type the name out straight like that and give it a password.
So, the first thing you’ll see here are these check boxes. Number one is User must change password at next logon. So, when they log on, they’re going to have to change their password. You are probably already familiar with that one. User cannot change password makes it so the user cannot change the password. You can’t have that checkbox checked at the same time as the first one. It’ll throw an error like you just saw. This is usually going to be used in a situation where there’s a shared account between multiple users. But most importantly, it’s used if you use a user account as a service account that is associated with a service like SQL and you don’t want it changing the password, although there are better ways to deal with that. But not getting into that right now. Then there’s Password never expires. This makes it so the password will never expire. That’s another example of something you’d use if you were using this as a service account. And then Account is disabled would be used if, maybe, you wanted to create the account, but the user isn’t really starting yet. So, you’ll enable the account later down the road. So, we’ll just click Next and Finish.
Now, we’re going to edit John Smith. I’m just going to double click on John Smith, and you can see our various tabs here. The main thing I want to look at is the Account tab. The Account tab is going to have Logon Hours, where you can set the hours. You’re probably familiar with that one. And then Log On To, where you can set specific machines that the user can log on to by putting the names in right here. You’re probably familiar with that one as well. And then here are those same four checkboxes. The other thing is Account expires. Maybe this is a consultant, and the consultant is only going to be working for the company for a certain amount of time, like a three-month contract. I can have the account deactivate after, let’s say, three months. So, I could set that up. The other thing involving account security is going to be the Member Of tab. This involves the groups that the user is a member of. So, I can go here and add the user to whatever groups give them authority if I want. For example, if I click Add, Advanced, Find Now, I can see the various groups that are available.
For example, maybe this user is going to be doing backups, so I can make this user a backup operator. At that point, that user now has those privileges. Now, on the flip side, you may want to go the other direction with it. You could make this user a domain guest, which is a restricted account. The user can log on to machines, but they don’t get to keep a profile when they log on to the machine, and they’re restricted in what they can do on that machine. They can’t install anything. They can only run applications that are on that machine and they can use the web browser, but they don’t actually even get a user profile. So, that’s the idea there. I am going to make John Smith a backup operator, so we’ll go here, Backup Operators, click OK, click OK. And there you go.
The last thing here would be, of course, group policies. As always, group policies are going to be another way of restricting accounts and/or providing access to accounts. And of course, I can do that by going into Server Manager, Tools, Group Policy Management. We’ll bring that up. And if we want to create a GPO, I’ll call this Account Security. Then I’ll just edit that GPO. I can go under User Configuration, Policies, and then Administrative Templates. And I have all these items here that would allow me to lock down what users can and cannot do through things like Control Panel, Desktop, and Network. You’re probably familiar with this already. I could set wallpaper settings for the person here if I want, control network settings, shared folders, the Start menu, and manage the operating system settings.
So, that’s a great way to restrict what somebody can do. Then you just need to associate this GPO with whatever organizational unit you want. If you want it to be the whole domain, I could link it to the whole domain. If you had a particular OU you want this to be associated with, maybe I want to associate this with the workstations OU, or in this case, since it’s for users, you would want an OU that contains user accounts. But that is the other side of this. Of course, there are over 4000-something policies.
So, there are obviously a lot of policies, and you need to think about what it is you want to do as far as restricting your users goes. Then you can look into the different policies that can achieve that. So, those are going to be your main ways to secure accounts in the Active Directory environment.
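The account settings covered in this lesson can also be reviewed across the whole domain rather than one user at a time. This is an added example, not part of the original lesson; it lists every account that has one of the checkboxes, an expiry date, a Log On To restriction, or direct Backup Operators membership.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); read-only.
Import-Module ActiveDirectory

$props = 'PasswordNeverExpires', 'CannotChangePassword', 'AccountExpirationDate',
         'LogonWorkstations', 'MemberOf'
$backupOpsDn = (Get-ADGroup -Identity 'Backup Operators').DistinguishedName
$now = Get-Date

$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $notes = @()
    if ($_.PasswordNeverExpires) { $notes += 'Password never expires' }
    if ($_.CannotChangePassword) { $notes += 'User cannot change password' }
    if (-not $_.Enabled)         { $notes += 'Account is disabled' }
    if ($_.AccountExpirationDate) {
        $state = if ($_.AccountExpirationDate -lt $now) { 'expired' } else { 'expires' }
        $notes += "Account $state $($_.AccountExpirationDate.ToString('yyyy-MM-dd'))"
    }
    if ($_.LogonWorkstations) { $notes += "Log On To: $($_.LogonWorkstations)" }
    # MemberOf lists direct memberships only, not nested groups.
    if ($_.MemberOf -contains $backupOpsDn) { $notes += 'Member of Backup Operators' }

    # Emit a row only for accounts with at least one setting worth reviewing.
    if ($notes) {
        [pscustomobject]@{ Account = $_.SamAccountName; Settings = $notes -join '; ' }
    }
}
$report | Sort-Object Account | Format-Table -AutoSize -Wrap
```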