MIM PAM Questions

All replies

  • Hi,

    1. Yes, "currently" you need to deploy a separate forest, and also a separate MIM that will be installed in that forest; you only need MIMService and PAM components, Portal and Sync are not needed. There is currently a MIM TP on Connect which previews a single forest PAM scenario, but that is for testing only.

    2+3. There are docs available to set up a PAM environment, but you are right that they could be much more detailed.

    https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam

    4. Since currently all documentation is going to a new location, I guess that will be more detailed in the future.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by Shim Kwan Tuesday, September 20, 2016 1:56 AM
    Monday, July 25, 2016 8:05 AM
  • Looking at this thread and the few MS URLs - they seem to point to a separate forest where another instance of MIM needs to be hosted for PAM.

    However, we came across this article which claims a single forest solution will also work with PAM: https://blogs.technet.microsoft.com/identityjourney/2016/05/01/configure-privileged-access-managementpam-in-an-existing-domain/

    Could someone at Microsoft please clarify? Do you need a separate forest? Do you need a separate MIM instance?

    Thank you


    • Edited by T Zukowski Tuesday, July 26, 2016 2:01 AM
    • Marked as answer by Shim Kwan Tuesday, September 20, 2016 1:56 AM
    Tuesday, July 26, 2016 1:59 AM
  • Based on the article MIM 2016: PAM integration with existing Active Directory domains, the product group recommends using either a new, tightly-managed bastion forest or a well-managed bastion forest. I would stay with that advice.

    In regard to the article you mention, yes, the PAM components are shown being installed on a single domain for a test lab. Although not spinning up a new forest sounds appealing, consider what you are sacrificing. The entire purpose of using a bastion forest is to regain control of a forest that may be compromised in some way. If a forest is compromised, adding PAM to it won't help you regain control.

    Best,

    Jeff Ingalls

    • Marked as answer by Shim Kwan Tuesday, September 20, 2016 1:56 AM
    Saturday, July 30, 2016 2:14 PM
  • Thanks Jeff. 

    In the 2 separate (recommended) scenario where CORP is the already existing AD forest with our users in it and the BASTION forest where the MIM PAM server is deployed in, I'd like to ask another question.

    I understand we are to recreate the AD Groups and privileged user accounts in the new BASTION forest. However, do we then delete these same privileged user accounts in the CORP forest? Leaving them behind, IMHO, defeats the purpose of having a BASTION forest and PAM altogether. As in, if we don't delete the privileged user accounts in CORP, we might as well deploy PAM in the CORP forest and completely forget the BASTION forest.

    thanks,

    SK



    • Edited by Shim Kwan Sunday, July 31, 2016 9:37 PM
    Sunday, July 31, 2016 9:35 PM
  • PAM solves the problem of the permanent membership of security groups.  End-users and administrators do not need elevation via group membership when they are asleep or not working -- only when they need it.  I talk through the end-user experience in the MIM PAM FAQ, but to get to your question, no, you would not need to delete anything in the CORP forest because that is how your end-users would make the request. Once PAM is configured, you would remove the CORP user out of the CORP security group and it would never be re-added. PAM would effectively make the corresponding PRIV user account a member of the group and remove that membership when the configured timer expires. Thus, the CORP user is more of a "requesting" user account to ask for its PRIV account to be added to a security group and the end-user does its elevated tasks via the PRIV account.  Does that help?

    Best,

    Jeff Ingalls

    Monday, August 1, 2016 4:13 PM
  • Thanks Jeff, still wrapping my head around this...


    Wednesday, August 3, 2016 1:49 AM
  • Hi Shim

    Perhaps my blogpost would be useful to you

    https://tlktechidentitythoughts.wordpress.com/2016/09/07/mim-2016-setting-up-privileged-access-management-pam-in-an-existing-domain-using-the-built-in-pam-tool/

    Best

    Ike


    Thursday, September 8, 2016 12:29 PM
  • Thanks Ike.

    Yep, can be done... as long as people understand what they are sacrificing. :-)

    Best,

    Jeff Ingalls

    Friday, September 9, 2016 12:09 AM
  • Jeff, would you mind elaborating pls?
    Friday, September 9, 2016 2:05 AM
  • If you have lost control of your CORP forest/if the forest is compromised, then setting up PAM in that same forest isn't going to help you regain control.  That's why there is the recommendation for the bastion forest.  Assume the worst kind of thing.

    Best,

    Jeff Ingalls


    Friday, September 9, 2016 2:54 AM
  • I must be missing some BIG thing here, as I still don't quite get the need for a separate forest.

    The user requesting PAM exists in BOTH forests, and can log onto BOTH forests.

    The Group membership request is for a Group that exists in BOTH forests.

    What am I missing here?


    Monday, September 12, 2016 4:46 AM
  • Hi Shim,

    Recall that we have a one-way trust: the CORP forest trusts the management PRIV forest.  This means PRIV can access resources in CORP but not the other way around.

    Recall CORP\user1 makes a request as PRIV\user1. PRIV\user1 is added to a shadow group PRIV\group1 which has SID of CORP\group1 in its sidHistory.  That allows you to keep CORP\group1 completely empty (people in CORP can query CORP\group1 and see an empty group!) yet the PRIV\user1 will have the permissions CORP\group1 grants via that PRIV\group1 shadow group.

    By having a management forest that you've securely locked down, you can secure your CORP.

    Another real world example. Consider the situation where you have a CORP group that grants access to all the desktop systems in the enterprise, and there are several groups nested in that group and several groups nested in those groups. Unwinding that mess can take a long time. Instead, determine which people should have access to the group, make it a PAM group and remove all the membership of the CORP group. You've now simplified and secured that group. A malicious person on the CORP domain may see a group called "CORP Desktop Administrators", but since it is empty wouldn't know who to target.

    Best,

    Jeff Ingalls

    Wednesday, September 14, 2016 1:57 AM
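As an added illustration of the shadow-group layout Jeff describes above (example code, not from the thread and not Microsoft's PAM tooling): a PowerShell check run from a management host that verifies CORP\group1 carries no permanent members and that PRIV\group1 holds CORP\group1's SID in sidHistory. The DC names, the shadow group name and the credential variable are placeholders; the shadow group is assumed to share the CORP group's name as in Jeff's example.

```powershell
# Added example: verify the PAM shadow-group relationship between CORP and PRIV.
# Assumes the ActiveDirectory (RSAT) module and placeholder DC names/credentials.
Import-Module ActiveDirectory

$corpDC        = 'corp-dc01.corp.example'   # placeholder: a CORP forest DC
$privDC        = 'priv-dc01.priv.example'   # placeholder: a PRIV (bastion) forest DC
$groupName     = 'group1'                   # the CORP group PAM now governs
$privGroupName = 'group1'                   # assumed shadow group name in PRIV
$privCred      = Get-Credential -Message 'PRIV forest admin credential'

# 1. Once PAM manages the group, CORP\group1 should have no permanent members.
$corpGroup   = Get-ADGroup -Identity $groupName -Server $corpDC
$corpMembers = @(Get-ADGroupMember -Identity $corpGroup -Server $corpDC)
if ($corpMembers.Count -ne 0) {
    Write-Warning ("CORP\{0} still has {1} permanent member(s): {2}" -f `
        $groupName, $corpMembers.Count, ($corpMembers.SamAccountName -join ', '))
} else {
    Write-Output "CORP\$groupName is empty, as expected."
}

# 2. The PRIV shadow group must carry CORP\group1's SID in sidHistory; that is
#    what lets PRIV\user1 receive the access CORP\group1 grants.
$privGroup  = Get-ADGroup -Identity $privGroupName -Server $privDC `
                  -Credential $privCred -Properties SIDHistory
$shadowSids = @($privGroup.SIDHistory | ForEach-Object { $_.Value })
if ($shadowSids -contains $corpGroup.SID.Value) {
    Write-Output "PRIV\$privGroupName shadows CORP\$groupName via sidHistory ($($corpGroup.SID.Value))."
} else {
    Write-Warning "PRIV\$privGroupName does not reference CORP\$groupName's SID; activations will not grant CORP access."
}

# 3. Current members of the shadow group are the active, time-bound PAM elevations;
#    anything unexpected here is worth reviewing.
Get-ADGroupMember -Identity $privGroup -Server $privDC -Credential $privCred |
    Select-Object SamAccountName, objectClass
```

Run it on a schedule and alert on either warning: a non-empty CORP group means someone re-added permanent membership, and a missing sidHistory link means the shadow group no longer confers the access it is supposed to.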
  • Thank you for taking the time to write this up Jeff.

    So the only reason for a separate PAM forest is for that Corp\Group1 to be empty and yet controlling access to resources?

    • Edited by Shim Kwan Thursday, September 15, 2016 4:16 AM
    Thursday, September 15, 2016 4:15 AM
  • Showing an empty group in CORP helps against internal targeting attacks. A separate forest means you are using a highly-secured forest to provide access-group membership in CORP. A separate forest "isolates the administrative accounts and services from any potential backdoor users that might have been latent in an existing AD forest" [1].

    I believe the initial questions have been answered.  If you have additional questions please create another thread so that we don't turn this into a blog.  :-)

    Best,

    Jeff Ingalls

    [1] MIM 2016: PAM integration with existing AD domains.

    Saturday, September 17, 2016 1:49 AM
  • Thank you Jeff, will close this off.
    Tuesday, September 20, 2016 1:55 AM