PAW & PAM - How to manage AD Tasks? - Need advice

Posted by MadHackerTV@reddit | sysadmin | View on Reddit | 3 comments

Hello, Today I'm using CyberArk PAM to manage all my privileged accounts and to access my servers. The thing is, I'm not quite sure what is the right approach regarding managing the domain admin password, and administrating the domain controllers / Daily AD Tasks ( GPO, DNS, AD, LAPS ). I was thinking about two options: **1.** Manage the domain admin password with PAM, access to domain controllers will be through PAM as well, so it's monitored. But I don't like the idea that I will be using the domain admin for daily tasks, even though it's "managed" and monitored. **2.** Create a PAW ( I actually already created a virtual VM as PAW ), that is non-domain joined & no internet access. Then, I manage a local admin account on the PAW with my PAM solution. Connections to the PAW is also going through PAM so it's monitored. The thing is, I faced a few issues when I'm using a non-domain joined VM. for example, I couldn't open the LAPS UI because I can't select a remote domain controller.. maybe I can do it in a different way? through CLI? I also couldn't manage GPO on the domain controller, for some reason I always get "Access Denied" even though I made sure I have delegation and the right permissions. What do you guys think? I would love you hear your opinions on this. Thank you!

3 Comments

[-]

greenwas@reddit

I agree with the general recommendations of u/ewileycoy. Also - That's what PAM is for so I'm not sure what the issue\\concern is. I would also suggest\\caution you to think about why PAM was implemented in the first place. Was it implemented for compliance? Did your company say it was implemented on their cyber insurance (see: made a representation\\warranty). If a higher power is the reason PAM is in place you should seek guidance from management as creating crafty ways to effectively sidestep PAM could come back to bite you\\the company.

randombsforreddit@reddit

We have ours setup in the following: Physical PAW and account that can login has no other rights except for some RDS VM’s. Admin to the PAW is handled separately and most of the techs don’t have access. The VM’s are accessed from the PAW. One VM is to manage desktops. The account has admin access that is configured only for desktops and can’t be used on servers or domain controllers. This account is only used if LAPs isn’t working. Another VM is used for servers. The account is an admin for the servers but not for desktops or domain controllers. Another VM for domain controllers and the account is a da. It cannot log into desktops or the other servers. Finally we have a VDI for regular non-privileged work like checking email, teams collaboration, etc the PAW can reach so techs can do the normal business communications. All the accounts besides the non-privileged VDI is monitored for all activity and alerts configured for non-standard activity. How far you want to go with this is up to your company. Separation of accounts like above helps in the case of pass the hash attacks and ensures if a PC or server is compromised it doesn’t necessarily affect the other accounts and their access is limited in scope of what they can access.

ewileycoy@reddit

Try to delegate the permissions required for daily tasks to lesser privileged accounts that are managed through the PAM. GPOs should be managed with AGPM, LAPS permissions can be delegated, etc. DA should be reserved for AD structure and core DNS changes. On the other hand, If you’ve hardened cyberark it should be fine to use a DA account through it. Just pay attention to how it can be backdoored or how you manage break glass accounts

Reply to Post

3 Comments