
Identity Access Hardening: 5-days implementation

PROJECT INFORMATICA SRL

With Identity Access Services Hardening, the goal is to prepare your most mission-critical workloads by configuring your identity management service according to best practices.

With Identity Access Services Hardening, the goal is to prepare your most mission-critical workloads by configuring your identity management service (Active Directory) according to best practices, to reduce the attack surface and protect your business assets. This consulting service also puts Active Directory in a state where it can be synchronized with Azure Active Directory safely. We consider Identity Access Services the foundation of the Microsoft 365 services; for this reason it is very important to have healthy identity and access services in order to manage the Microsoft 365 ecosystem efficiently.

The tools used to protect these resources are the Active Directory Tier Model and the Local Administrator Password Solution (LAPS).

LAPS - Local Admin Password Solution:

Microsoft Local Administrator Password Solution (LAPS) manages the password of the local administrator account on domain-joined computers. Each password is generated randomly and stored in Active Directory (AD) as an attribute of the computer object, protected by ACLs so that only eligible users can read it or request a reset. Companies often use device imaging products and clone computers with the same local administrator password. The result is a multitude of devices sharing one local administrative credential: once an attacker captures it on a single machine (for example the NTLM hash of the local account), they are an administrator on every machine that shares it, which opens the way to lateral movement across the whole fleet.

Why is the implementation of LAPS important?

Because with LAPS these processes are integrated and automated and, not to be underestimated, supported by Microsoft, unlike the scripts and custom solutions that were used in the past.

Local Administrator Password Solution (LAPS) allows you to:

  • Have a unique, and therefore different, password on each computer that LAPS manages
  • Change the local administrator password regularly, at a configurable interval
  • Keep each password in an attribute of the computer object in Active Directory (ms-Mcs-AdmPwd), with its expiration time next to it
  • Configure and control who may read or reset a password
  • Have the managed computer itself generate and set the password, so no password is transmitted to it over the network
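The capabilities listed above map onto a short rollout on the management side. The following PowerShell is an added example (not code from the listing or from Project Informatica) showing the legacy LAPS (AdmPwd.PS) steps: schema extension, the permission audit a practitioner should run before any password lands in AD, delegation, the GPO settings the client-side extension reads, and a test read-back. The OU, group names, GPO name and computer name are placeholders; it assumes the LAPS management tools are installed on the admin workstation and that the caller is a Schema Admin for the schema step and a Domain Admin for the rest.

```powershell
# Added example: legacy Microsoft LAPS (AdmPwd.PS) rollout to one workstation OU,
# plus the permission audit that should precede it. Names below are placeholders.
$WorkstationOU = 'OU=Workstations,OU=Tier 2,DC=corp,DC=example,DC=com'
$HelpdeskGroup = 'CORP\Tier2-LAPS-Readers'   # may read passwords (assumed group)
$ResetGroup    = 'CORP\Tier2-LAPS-Reset'     # may force a reset  (assumed group)
$GpoName       = 'Tier2 - LAPS'

Import-Module AdmPwd.PS
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Extend the schema once per forest: adds ms-Mcs-AdmPwd (the password, a
#    confidential attribute) and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# 3. Audit: any principal holding "All extended rights" on the OU can already read
#    the confidential attribute. Review this list and remove anything unexpected
#    before the first password is written; normally only Domain Admins should appear.
Find-AdmPwdExtendedRights -Identity $WorkstationOU |
    Select-Object -ExpandProperty ExtendedRightHolders

# 4. Delegate read and reset rights only to the groups that need them.
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $HelpdeskGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $ResetGroup

# 5. GPO: the LAPS client-side extension reads these policy values (AdmPwd.admx).
New-GPO -Name $GpoName | Out-Null
$key = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null # upper+lower+digits+special
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null
# Stop a local admin from pushing the expiration date past the policy maximum.
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $GpoName -Target $WorkstationOU -LinkEnabled Yes | Out-Null

# 6. Client deployment: install the extension on each workstation with a software
#    installation GPO or your deployment tool; the silent install is
#       msiexec /i LAPS.x64.msi /quiet
#    and 'gpupdate /force' on the client triggers the first rotation.

# 7. Test: force a rotation on one machine and read the result back from AD.
$testPc = 'WS-TEST01'                      # placeholder computer name
Reset-AdmPwdPassword -ComputerName $testPc  # sets expiration to now; applied at next GP refresh
Get-AdmPwdPassword -ComputerName $testPc |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Same check without the module. Run it once as a delegated reader (value present)
# and once as an ordinary user: the ms-Mcs-AdmPwd column must come back empty.
Get-ADComputer $testPc -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name, 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
```

Two caveats worth keeping in mind: legacy LAPS stores the password in the attribute in clear text and relies entirely on the ACL, so step 3 is the control that matters; and the newer Windows LAPS built into current Windows releases can encrypt the stored password and does not need the schema extension shown here, so check which variant your clients will run before extending the schema.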


Active Directory Tier Model:

The Active Directory Tier Model improves threat containment inside a security zone where network isolation is not effective or sufficient. It separates administrative privilege into three tiers: Tier 0 is the identity infrastructure itself (domain controllers, Active Directory, and the accounts that control them), Tier 1 is servers and applications, and Tier 2 is workstations and standard users; an account of one tier must never log on to, or be administrator of, a system in a lower tier. To understand why this matters, consider credential theft techniques such as Pass the Hash or Pass the Ticket, which very often start with a Tier 0 or Tier 1 administrator logging on to a standard user's PC with privileged credentials. That logon leaves the credential material (NTLM hashes or Kerberos tickets) in the memory of the PC, so an attacker who already controls it can reuse them to move laterally and escalate to administrative privileges over Active Directory. Implementing the tiered model therefore significantly mitigates the credential theft behind the most frequent security breaches.

Agenda:

  • Kick-off call to define the deployment scope, expectations, and requirements
  • Active Directory Overview
  • Review of privileged accounts (membership of Domain Admins and the other built-in privileged groups)
  • Creation of the OU tiering structure
  • Creation of Tier 0, Tier 1 and Tier 2 administrative accounts (t0, t1, t2)
  • Extension of the AD schema for LAPS
  • LAPS GPO creation
  • LAPS client deployment
  • LAPS functionality test
  • Tiering GPO creation
  • Testing the GPOs on the three tiers
  • Creation of the LocalAdmin groups
  • Full Tier 2 policy deployment
  • Validation of the Tier 2 configuration
  • Comparison with, and guidance for, Tier 1 and Tier 0
  • Implementation of some Tier 1 servers (max 5)
  • Documentation production
  • Training on the job
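The tiering steps of the agenda (privileged account review, OU structure, t0/t1/t2 accounts, LocalAdmin groups) can be carried out with the ActiveDirectory module. The block below is an added example written for this page, not the consultant's own scripts: it uses a placeholder domain (whatever Get-ADDomain returns), a placeholder person "jdoe", and placeholder OU and group names, and assumes it runs as a Domain Admin on a machine with RSAT installed.

```powershell
# Added example: Tier OU tree, tiered admin accounts, per-tier LocalAdmin groups,
# and the privileged-account review. All names are placeholders.
# Tier 0 = identity systems, Tier 1 = servers/apps, Tier 2 = workstations/users.
Import-Module ActiveDirectory
$DomainDN  = (Get-ADDomain).DistinguishedName
$AdminRoot = "OU=Admin,$DomainDN"

# 1. OU tree. Separate Accounts / Groups / Devices per tier so that logon
#    restrictions, LAPS and delegation can be scoped to exactly one tier.
New-ADOrganizationalUnit -Name 'Admin' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
foreach ($tier in 'Tier 0','Tier 1','Tier 2') {
    $tierOU = "OU=$tier,$AdminRoot"
    New-ADOrganizationalUnit -Name $tier -Path $AdminRoot -ProtectedFromAccidentalDeletion $true
    foreach ($child in 'Accounts','Groups','Devices') {
        New-ADOrganizationalUnit -Name $child -Path $tierOU -ProtectedFromAccidentalDeletion $true
    }
}

# 2. One admin account per tier per person (t0-, t1-, t2- prefixes). The same
#    human never uses the t0 credential on a Tier 1 or Tier 2 host.
$person = 'jdoe'
foreach ($t in 0,1,2) {
    New-ADUser -Name "t$t-$person" -SamAccountName "t$t-$person" `
        -Path "OU=Accounts,OU=Tier $t,$AdminRoot" `
        -AccountPassword (Read-Host -AsSecureString "Password for t$t-$person") `
        -Enabled $true
}
# Tier 0 accounts are the most valuable: smart card only, and never delegable.
Set-ADUser "t0-$person" -SmartcardLogonRequired $true -AccountNotDelegated $true

# 3. LocalAdmin groups, one per device scope. A GPO linked to that scope only
#    (Restricted Groups) puts the group into the local Administrators group.
New-ADGroup -Name 'LocalAdmin-T2-Workstations' -GroupScope DomainLocal -GroupCategory Security `
    -Path "OU=Groups,OU=Tier 2,$AdminRoot"
New-ADGroup -Name 'LocalAdmin-T1-Servers' -GroupScope DomainLocal -GroupCategory Security `
    -Path "OU=Groups,OU=Tier 1,$AdminRoot"
Add-ADGroupMember -Identity 'LocalAdmin-T2-Workstations' -Members "t2-$person"
Add-ADGroupMember -Identity 'LocalAdmin-T1-Servers'      -Members "t1-$person"

# 4. Privileged account review: effective (nested) membership of the groups that
#    amount to Tier 0 control. Enterprise/Schema Admins exist only in the forest
#    root, hence SilentlyContinue in a child domain.
$tier0Groups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
               'Account Operators','Server Operators','Backup Operators','Print Operators'
$report = foreach ($g in $tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{n='Group';e={$g}}, Name, SamAccountName, objectClass
}
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Accounts still marked adminCount=1 (AdminSDHolder-protected, i.e. they were
# privileged at some point) that live outside the Tier 0 OU deserve a look.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, LastLogonDate |
    Where-Object { $_.DistinguishedName -notlike "*OU=Tier 0,$AdminRoot" } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName
```

The "Tiering GPO" of the agenda is the piece this script does not create: on the Tier 2 device OUs it is a User Rights Assignment policy that denies "Log on locally", "Log on through Remote Desktop Services", "Log on as a batch job" and "Log on as a service" to the Tier 0 and Tier 1 administrative groups, so that a privileged credential can no longer be exposed on a workstation even by mistake. Test it on a handful of machines in each tier before the full Tier 2 deployment.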


The complete tiering activity (all three tiers) is difficult to quantify, because it involves the IT administration team and requires continuous adjustments to keep the impact on productivity as low as possible. For this reason we complete the whole of Tier 2 together with the customer, so that the customer becomes autonomous in continuing with the higher tiers.
