Lead Image © Orlando Rosu, 123RF.com
Just-in-time administration in Active Directory
Time Is Running Out
Just-in-time (JIT) administration forms the basis for minimizing the administrator account attack vector in Microsoft's security strategy, combined with a precise definition of assigned authorizations (i.e., Just Enough Admin, JEA). Microsoft architects like Jeffrey Snover have been promoting this strategy since 2014. In Server 2016, it was put on an elegant technical base in Active Directory (AD) for use in an environment without too much overhead.
Like most rights allocation strategies in AD environments, JIT is based on groups: The account to be authorized is assigned to a group that either has direct access rights or is itself a member of groups that possess the desired access rights. The AGDLP (Account, Global, Domain Local, Permissions) principle [1] is a known variant of this authorization assignment and is therefore a question of interrupting the membership chain between users and permissions at a predetermined point in time.
JIT via PowerShell
The easiest way to terminate group memberships at a specified time is to remove the user account from the group with the usual AD administration tools. The corresponding process can be triggered in a time-controlled manner with the Task Scheduler or in an event-controlled manner in an orchestration or identity management system. The calling account must have the appropriate rights in AD. With PowerShell, all you need is the AD module, which is part of the Remote Server Management Tools (RSAT) for AD Domain Services. To add a user to a group, type:
> Add-ADGroupMember -Identity "Group" -Members "User"
To remove them again, type:
> Remove-ADGroupMember -Identity "Group" -Members "User" -Confirm:$false
An edit-protected SQL database or text file can serve as the data basis for the
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Delegate and restrict authorizations in Azure AD
Azure AD is one of the most important authentication services for cloud environments. We show you how to delegate authorizations in Azure AD to ensure better security. -
Manage Windows AD with PowerShell
PowerShell helpers let you automate searches in Active Directory and secure critical accounts. -
New administration options on Windows Server 2016
Redmond is set to launch the next-generation Windows Server 2016. Microsoft promises to make administration more secure, which is a good enough reason to take a closer look at the new Privileged Access Management feature. -
PowerShell scripts for managing Microsoft 365 components
Manage the various components of Microsoft 365 with PowerShell scripts that use modules culled from various Microsoft products. -
Protect privileged accounts in AD
Granular protection for highly privileged accounts is granted by the Protected Users group in Active Directory and Kerberos authentication policies.