Manage Privileged Identities Flashcards

Question

Which type of IIS authentication utilizes Kerberos or NTLM?

Answer 1

IIS integrated Windows Authentication.

Answer 2

- Both source and destination servers must be Server 2012 / Windows 8 for Workstations or later. - Restricted Admin Mode must be explicitly enabled on the target system's registry - Accounts connecting must be local admins on the destination server - Server 2012 systems may require an update to support RDP Restricted Admin

Answer 3

``` HKLM:\System\CurrentControlSet\Control\LSA - Name: DisableRestrictedAdmin - Type: REG_DWORD - Value: 0 Does not require a reboot. ```

Answer 4

Once it is enabled run the following command: | mstsc /v:$ServerName /RestrictedAdmin

Answer 5

1. GPO Managment 2. Create/Edit GPO 3. Computer Configuration \ Policies \ Administrative Templates \ System \ Credentials Delegation 4. Configure "Restrict delegation of credentials to remote servers" to Enabled 5. Gpupdate to apply the policy. NOTE: This does NOT enable Restricted Admin mode on target systems, it only requires its use for RDP. Make sure it is turned on before configuring this.

Answer 6

- Domain Admin needing to login to a member server to perform some task. RDP Restricted Admin would prevent DA credentials from landing on the member server in a way where they would be harvestable. - Help Desk staff who connect to workstations with T2 privileged accounts could use this so they wouldn't expose their logons or need to change passwords as often.

Answer 7

RDP Restricted Admin prevents your credentials from landing on the target system. Any connections outbound from that system will use the target computer account.

Answer 8

- Privileged Accounts with broad privileges | - VIP Accounts (Executives, HR, etc.) who may have access to confidential resources

Answer 9

Selective Authentication can be enabled on external forest trusts. It provides AD admins with more control over which groups of users in a trusted forest can access shared resources in the trusting forest.

Answer 10

PAM is a component of Microsoft Identity Manager (MIM) 2016 and is a solution that helps mitigate unauthorized privilege escalation attacks.

Answer 11

Server 2016 - Specifically the DCs must be Server 2016.

Answer 12

- Management forest must be server 2012 R2 or newer with FFL of 2012 R2 or newer. - PAM client is supported for Windows 7+ - Powershell 2.0 or greater is required for Powershell features

Answer 13

Principals in the admin forest that bear the SIDs of administrative groups in the production forest (e.g. Domain Admins). Users are added to shadow principals in the Admin forest and this is reflected in the production forest.

Answer 14

SID History must be enabled. | PIM trust must be enabled

Answer 15

No. Since the membership of the privileged groups is managed by the PAM forest, the groups in the production forest will never have any membership and thus cannot be enumerated.

Answer 16

- DCs must be Server 2016 or Newer - FFL/DFL must be Server 2012 R2 or newer - For integration with PAM forest - - Forest trust between Prod and Admin forest (prod trusts admin) - - Prod DCs must be Server 2012 R2 or newer with the May 2016 Update Rollup - - TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL (sidHistory) is set on the trust. - - TRUST_ATTRIBUTE_PIM_TRUST (enable PIM trust) is set on the forest - - Optional feature "Privileged Access Managment" feature is enabled on the admin forest.

Answer 17

Run the command: netdom trust /? | If /EnablePIMTrust appears, it is available

Answer 18

They are stored in the admin forest under the "Shadow Principal Configuration" container under the Services container CN=Shadow Principal Configuration,CN=Services,CN=Configuration,$DomainDN

Answer 19

The PAM monitoring service is used to mirror the ACCOUNTDISABLE flag in UAC of sourced production accounts to their corresponding admin accounts.

Answer 20

If the prod forest is Server 2012 R2, it is likely missing a patch that allows the /EnablePIMTrust attribute to be enabled.

Answer 21

No. PAM only supports single approvers.

Answer 22

Only the account enabled/disabled flag. All other information is not replicated.

Answer 23

- Ensure you are logged onto the PAM server, not a corporate workstation. - Ensure you have the MIMPAM Powershell module installed and enabled in your session.

Answer 24

Ensure you are signed in as someone who has an account in MIM.

Answer 25

Re-establish control over a compromised AD by maintaining a separate bastion forest that is known to be unaffected by the malicious attacks. Isolate use of privileged accounts to reduce the risk of credentials being stolen.

Answer 26

- Vulnerabilities - Unauthorized Privilege escalations - Pass-the-Hash - Pass-the-Ticket - Spear Phishing - Kerberos compromises

Answer 27

1. Prepare - Identity which groups have privileges. Recreate these groups in the bastion forest. 2. Protect - Setup lifecycle and authentication protection for when users require JIT administration. 3. Operate - After request and approval, accounts get added temporarily to privileged groups in the bastion forest. They have these rights for a pre-set amount of time. After, they are removed. 4. Monitor - Auditing, alerts, and reports of privileged access requests.

Answer 28

MFA helps prevent programmatic attacks from malicious software or following credential theft.

Answer 29

PAM depends on the time-limited group memberships which restrict a limited lifetime time-limited TGT.

Answer 30

Only privileged accounts. Regular accounts, machine accounts, etc. don't need moved.

Answer 31

- Isolation/scoping of privileges - Users do not hold privileges on the accounts that are also used for non-privileged tasks. Privileges need requesting. - Setup and proof-up - Additional Logging - Customizable Workflows

Answer 32

- MIM Services Web Services API - A REST Endpoint Windows Powershell (New-PamRequest)

Answer 33

- Servers should not be joined to the domain or leverage settings distribution from the existing prod environment. - Bastion forest should contain its own AD DS and the essential functions of that service itself (Kerb, LDAP, DNS, Time, etc.) - MIM should not use an existing SQL DB from production - Bastion forest requires Server 2016 or newer - Backups and media for bastion must be kept separate from backups and media of existing forests - prevents subversion of the bastion. - Management of bastion should take place from workstations not otherwise exposed to production.

Answer 34

- Least privilege should be used where ever possible - Accounts in the admin forest that are used to administer production should not have permissions to the admin forest - Admin privileges over the admin forest should be controlled by an offline process - Admin forest should follow MS Security Compliance Manager configurations for the domain, including strong configurations for authentication protocols

Answer 35

Break glass accounts are emergency accounts that are able to bypass many security restrictsion in case of an outage or incident to regain access to an environment. These accounts should be limited to logon only to systems they are configured on, nothing more.

Answer 36

Red Card Administrators provision other accounts and perform unscheduled maintenance. They should have no access to existing, non-admin forest systems outside the bastion environment. Their credentials, ideally a smart card, should be physically secured and use of the account logged and audited.

Answer 37

- Desktops which the credentials of administrative accounts are typed or entered. - Administrative "jump" servers on which administrative sessions/tools are run. - All hosts where administrative actions are performed, including standard user desktops running RDP - Servers hosting apps that need to be administered and are not accessed via RDP with Restricted Admin mode or PS Remoting

Answer 38

- Verify the media build is clean - Use security baselines (Microsoft Security Compliance Manager) - Enable SecureBoot - Enable AppLocker (software restrictions) - Enable Full Volume Encryption (BitLocker) - Restrict USB - Network Isolation via Windows Firewall - Configure EMET (Exploit Mitigations) - Perform Attack Surface Analsysis - Administrative privileges should not be given to users on the systems. - RestrictedAdmin should be used for outgoing RDP sessions

Answer 39

- Test-PAMTrust - Test-PAMDomainConfiguration - Remove-PAMTrust - Remove-PAMDomainConfiguration

Answer 40

GPO should be used with newer versions of Windows Registry for older: HKLM:\System\CurrentControlSet\Control\LSA - TcpipClientSupport - Value: 1

Answer 41

- Tier 0 - Servers and resources that have direct control over enterprise identities in the environment. Includes groups, accounts, or assets with direct control of AD. - Tier 1 - Control over enterprise servers and applications. Includes other server OSes, Cloud, and enterprise applications. Admins with T1 will have control over a large segment of the business - Tier 2 - Control of user workstations and devices

Answer 42

Tier model prevents privilege escalation by restricting what administrators can control and where they can log in.

Answer 43

- Control is the same throughout the tier - Control to lower tiers is possible but only as needed - Control to higher tiers is restricted and blocked

Answer 44

- Manage the identity store and small number of systems responsible for the identity store. - Manage and control assets at any level as required - Can logon interactively or access assets trusted at the T0 Level.

Answer 45

- Manage enterprise servers, services, and apps. - Manage and control assets in T1 and T2 - Can only access assets (via network logon) trusted at T1 or T0 levels - Can only interactively logon to T1 assets.

Answer 46

- Manage enterprise end-user systems (desktops, laptops, printers, etc.). - Can only manage and control assets at T2 level - Can access any assets (via network logon) at any level - Can only interactively logon to assets trusted at T2 level.

Answer 47

- T0 Users are unable to login to devices at lower tiers - T1 users are unable to login to devices at lower tiers and may, if so needed, have logons to higher tiers. - T2 users are able to logon to devices at T2 and T1 if needed.

Answer 48

Clean source requires all security dependencies to be as trustworthy as the object being secured.

Answer 49

Control is transitive. If I control asset C with asset B, then anything that has control over asset B has indirect control over asset C. By ensuring the entire control chain is secured, I can ensure that I maintain the integrity of Asset C.

Answer 50

To ensure that installation media is secured, you must ensure it has not been tampered with since it was released by the manufacturer. You should validate the software integrity of the install media throughout the cycle in which it is possessed.

Answer 51

- Software obtained from physical media is known to come from the manufacturer or a reputable source is considered valid. - Software obtained from the internet and validated with vendor-provided hashes is considered valid. - Software obtained from the internet and validated by downloading and comparing two independent copies are valid - - Download on two hosts with no security relationship (not in the same domain or managed by the same tools) - preferably from separate internet connections. - - Compare downloaded files using hashing utility.

Answer 52

- Certutil -hashfile $FileName | - Get-FileHash $FileName

Answer 53

You should ensure that a system is not dependent on lower trust systems.

Answer 54

- ACLs - Group Memberships - Agents - Logon

Answer 55

When a user logs into a system, they expose their credentials to that system thus putting any resources managed by that system under the account with logon rights.

Answer 56

- Servers and workstations should be joined to AD - All servers and workstations should use a current OS - All servers should have RDP RestrictedAdmin enabled - Smart cards should be used and issued to all administrators - The Builtin\Administrator account in each domain is considered an emergency access account. - An enterprise identity management solution should be implemented - LAPS should be deployed to servers and workstations - A privileged access management solution should be in place or being deployed. - Personnel should be assigned to monitor security alerts and respond to them. - The ability to rapidly apply Microsoft Update should be available. - Baseboard management controllers on servers will not be sued or adhere to strict security controls. - Administrator's accounts for servers and workstations will be managed by Domain Admins - A CAB or another security authority is in place for approving AD changes.

Answer 57

- Administrators must be vetted via a background check and a skill check prior to assigning privileges - Administrative privileges should be reviewed periodically (quarterly) to determine which personnel have a legitimate need for administrative access. - Administrators should be receiving regular training on the their role, risks and vulnerabilities affecting their systems, and other specific practices specific to the organization.

Answer 58

Administrative accounts must be approved by an approving authority - Admins should only gain access based on legitimate business need - Approval for privileges should not exceed six months Administrative accounts should be deprovisioned if the following conditions apply - If there is a personnel change - If there is a role change Disabled accounts should be deleted within 6 months and record of their deletion documented All privileged account memberships should be reviewed monthly to ensure no unauthorized permissions have been granted.

Answer 59

All personnel should have separate accounts for administrative functions that are distinct from user functions

Answer 60

At least quarterly

Answer 61

- Primary support option should be used if possible - Secondary should only be used if primary is unavailable - Forbidden support methods should never be used. - No internet browsing or email from the administrative account, ever.

Answer 62

Remote Server Support - Primary - Remote tools that use network logons (type 3) - Primary Interactive - Use RDP RestrictedAdmin or Standard RDP from a secure workstation Physical Server Support - When at the console, the accounts do not have any tool restrictions beyond forbidden tools.

Answer 63

T0 assets already have direct or indirect control over all assets. If an attack were to compromise a DC, for example, there is not a need for lateral movement or privilege escalation, they have access to the credential store (database) and can compromise from there.

Answer 64

Remote Server Support - Primary - Remote tools using network logons (type 3) - Primary interactive - RDP Restricted admin from an admin workstation with an account that uses JIT - Secondary - Logon using local admin (LAPS) - Forbidden - Standard RDP - Forbidden - Using credentials while in session (Runas/share authentication) - This exposes credentials Physical Server Support - Primary - Retrieve local admin password while using admin workstation - Forbidden - Using domain account via console - Forbidden - Using domain credentials while in session (RunAs)

Answer 65

Desk Side Support - Primary - Over-the-shoulder support is provided with no tools - Forbidden - Logging on with domain accounts is not allowed. Switch to a desk-side workstation if admin privileges are required Remote User Support - Primary - Remote assist, screen share, etc. - Forbidden - Logging in with domain account administrative credentials is not allowed. Switch to workstation support if admin privileges are needed. Workstation Support - Desk-Side - - Primary - Retrieve LAPS password and use local admin - - Forbidden - Logging in with domain accounts is not allowed - Remote - - Primary - Use RDP Restricted Admin with JIT - - Secondary - Use LAPS - - Forbidden - Standard RDP

Answer 66

Internet browsing | Email Access

Answer 67

- Lock service account passwords in a physical safe - Ensure that only personnel trusted a tier above the account have access to the password. - Limit number of people with access to the passwords to a minimum to ensure accountability - Ensure all access is logged, tracked, and monitored by a disinterested party

Answer 68

Administrative users should use smart cards for logins. Not passwords, except with break-glass accounts. MFA should be used with all Cloud Admin Accounts.

Answer 69

Security controls that aren't available to traditional flat forests are available to ESAE. Accounts can be provisioned that are standard users in the ESAE forest but also privileged in the down-stream forests.

Answer 70

Some applications are not compatible with being administered from a separate forest or over an external trust with selective authentication.

Answer 71

- Limited Scope - One-way Trusts with Select Authentication - Privileges and Hardening - Least Privilege - Workstation Hardening - PAWs - Server and DC Hardening - Clean source, last OS, Updates - Account Hardening - MFA, No NTLM - Detective Controls

Answer 72

ESAE gains its power from limited access and a small attack surface. Any additional management functions and applications introduced to an ESAE forest increase the attack surface and limit the effectiveness of the forest.

Answer 73

One-way trusts should be used between the production forest and the ESAE forest. - Trust can be either a domain or a forest trust - Some apps require a two-way trust, but generally the admin forest doesn't need to trust the production forest. Selective Authentication should be enabled for all trusts between the ESAE and production forests - Selective Auth restricts accounts that can login to production hosts - Selective Auth requires accounts be granted the "Allowed to Logon" right in the production forest.

Answer 74

- Only admin forest accounts in Bulitin\Administrators should be able to administer the domain controllers and add users to BA - Alter default permissions in the schema to grant Builtin Admin's GPO rights. - Accounts in the admin forest should only be able to manage the production forest, not the admin forest. - Any admin rights to the admin forest should be tightly locked down. - Admin forest should follow Security Compliance Baselines - Admin forest should use the SCB strong recommendations for authentication - Admin forest should automatically be updated with security updates - Only PAWs should be used as workstations in the Admin forest and should only be joined to the admin forest. - Detective controls should be designed to alert on anomalies.

Answer 75

- Media should be validated via the clean source principle - Only the latest operating systems should be used - Hosts in admin forest should automatically update - Security Baselines should be used as starting configurations - Secure Boot should be enabled - Full Volume encryption should be used to protect against physical attacks. - USB restrictions should be in place in the Admin Forest - Network Isolation should be incorporated into the design of the admin with firewalls set to block incoming connections - Antimalware should be configured - Rune the Attack Surface Analyzer to determine which configurations may be at risk.

Answer 76

- MFA should be used for all accounts in the Admin forest except the Builtin\Administrator - MFA protected accounts should be set to rotate their NTLM hash periodically.

Answer 77

``` Enterprise Admins Domain Admins Schema Admins Builtin Admins Account Operators Backup Operators Server Operators Print Operators Domain Controllers Read-Only Domain Controllers Group Policy Creator Owners Cryptographic Owners Distributed COM Users Any other groups delegated access similar to the functions or greater than the functions of any of these groups ```

Answer 78

Interactive Logons (Console, RunAs, etc.) Remote Interactive (RDP) - Failures do not transmit NewtorkClearText (New-PSSession -Authetication CredSSP / New-PSSession -Credential cred) Network+Interactive (PSExect with explicit) Batch / Service

Answer 79

``` Interactive - Logon Type 2 Network - Logon Type 3 Batch - Logon Type 4 Service - Logon Type 5 NetworkClearText - Logon Type 8 NewCredentials - Logon Type 9 RemoteInteractive - Logon Type 10 ```

Answer 80

Selective authentication allows for restricting logons (thus credential exposure) to only authorized hosts.

Answer 81

Dedicated administrative forests are allowed to have wider breadth of security measures due to their limited use case. Furthermore, compromise of a down-level forest limits the compromise of the administrative forest.

Answer 82

Corp forest should trust PRIV Forest. | This trust is one-way with selective authentication. Two-way could be used but its not necessary in this scenario.

Answer 83

If malware ends up on that system inadvertently, keystroke loggers and other malicious vectors may be used to capture credentials as they are put into the system.

Answer 84

- AD Management Forest - DNS - MIM Service - MIM Management Policy Rule (MPR) - MIM Portal - MIM Service Database - PAM Monitoring Service - PAM Component Service - PAM REST API

Answer 85

PAM cannot be used for well-known SID Groups (DA, EA, etc.) across a Server 2012 R2 trust. PAM requires Kerberos aware applications PAM only supports a single approver, not mutliples PAM monitoring service synchronizes whether the corp AD account is enabled or disabled out to privileged AD> The sAMAccountName, UPN, description, and other UAC flags are not synched.

Answer 86

"Logon on as a Service" on the PAM Server "Deny access this computer from the network" on the PAM server "Deny Logon Locally" on the PAM server "Deny Logon as Batch Job" on the PAM server "Deny Logon through RDP" on the PAM server

Answer 87

"Logon as a Service" on the PAM Server "Deny access to this computer from the network" on the PAM Server "Deny Logon Locally" on the PAM Server "Deny Logon as a Batch Job" on the PAM Server "Deny Logon through RDP" on the PAM Server

Answer 88

"Logon as Service" on the PAM Server

Answer 89

"Logon as Service" on the PAM Server "Deny Access to this computer from the network" on the PAM Server "Deny Logon Locally" on the PAM Server "Deny Logon as Batch Job" on the PAM Server "Deny Logon through RDP" on the PAM Server

Answer 90

"Logon as Service" on the PAM Server

Answer 91

MIM replaces Forefront Identity Manager (FIM)

Answer 92

MIM is used to manage users, credentials, policies, and access within an organization MIM also adds hybrid experience, PAM capabilities, and support for new platforms.

Answer 93

Automatic identity and group provisioning based on business policy and workflow-driven provisioning Integration of the contents of directories with HR systems and other sources of authority. Synching identities between directories, databases, and on-premises applications through common APIs and protocols, MS delivered connectors, and partner-delivered connectors.

Manage Privileged Identities Flashcards

JIT JEA PAWs LAPS