Windows Server 2012 R2 introduced new features that are becoming more and more important to implement in order to protect admin credentials from the bad guys. Authentication Policies and Authentication Silos. Authentication policy silos are containers to which you can assign user accounts, computer accounts, and service accounts. You can then assign authentication policies for this container to limit where privileged accounts can be used in the domain. When accounts are in the Protected Users security group, additional controls are applied, such as the exclusive use of the Kerberos protocol. With these capabilities, you can limit high-value account usage to high-value hosts.
Why is this important? As you know your persistent bad guys try to follow a horizontal kill chain, jumping from system to system, collecting user credentials as they go. They have been very successful exploiting various credential artifacts left behind by users who may have only logged on once – that includes admins.
Just logon once to some PC out there and you leave behind artifacts that bad guys can use. So it's super important if you have higher levels of access to be careful and limit which PCs you logon to. You especially don't want to logon with a privileged account (like Domain Administrator) to a PC that end users logon to or that comes into contact with Internet content such as through web browsing, email or opening documents and other files downloaded from the web.
How do you lock down larger environments with many systems and many admins? Written policy isn't enough. Authentication Silos give you this control and silos provide protection even if the credentials of a silo-ed user are stolen despite your best efforts.
In this real training for free ™ webinar I will take you on a deep dive of these fairly recent features in Windows Server 2012 R2. I'll show you Authentication Silos and how they relate to Authentication Policy objects and the Protected Users group. I'll show you the new event IDs associated with these features and discuss ways to use these features to protect privileged credentials in your environment.
You'll see how computer, user and service accounts are involved with silos and authentication policies. You can manage silos and related objects in Active Directory Administrative Console or Windows PowerShell. I'll focus mostly on using ADAC but point you to the PowerShell cmdlets as well.
Silos, authentication policies and Protected Users are all objects used to control and apply features in Kerberos. So get ready for a very technical session.
But protecting Active Directory and privileged users requires a lot more than just silos. Dell Software provides a comprehensive solution for enterprise management of privileged account credentials and sessions and Wayne Smiley who's been using this technology for fifteen years in the real world will briefly show it to you.
Don't miss this real technical training for free ™ event. Please register now!