What's new in Active Directory in Windows Server 2016
Recently, a lot has been said about the innovations of Windows Server 2016 related to virtualization, data storages and remote desktop services. However, these are not the only Microsoft server operating system components that have received major updates. The most unfair, in my opinion, is overlooked by Active Directory. Therefore, below you will be presented a translation of the article by Joseph Moody dedicated to this service.
With the release of Windows Server 2016, Active Directory gained three important new features. In this article we will discuss Access Management, Azure AD Join, and Microsoft Passport.
The leitmotif of most innovations in Windows Server 2016 is security. You can see this in all roles and services. Shielded VM in Hyper-V, code integrity in the application server and Privileged Access Management in Active Directory Domain Services.
')
However, not everything new in Active Directory is security related. Especially distinguished two new features. You will hear a lot more about the first of them - Azure Active Directory Join in the coming months (especially if you support small / medium organizations). The second important feature we mention is Microsoft Passport. Although it is too early to assert that Microsoft Passport could potentially save users from their headaches (and IT specialists from their problems) associated with passwords. Enough introductions. Get down to business!
Privileged Access Management (PAM) is the Active Directory equivalent for Privileged Access Workstation (PAW) . While PAW is used for workstations and servers, PAM is intended for managing forests, security groups and group memberships.
As a core, PAM uses Microsoft Identity Manager (MIM) and requires that your forest’s functional level is not lower than Windows Server 2012 R2. Microsoft believes that if an organization needs PAM, then its Active Directory forest is already compromised. Therefore, when you configure PAM, a new AD forest is created. It is isolated to work with privileged accounts and, since MIM has just created it, is free from any third-party actions.
Configure AD DS with notes about Azure Active Directory
With this secure forest, MIM can manage requests for access rights. Like other applications for managing permissions, such as, for example, AGPM , MIM implements the process of managing administrative access rights based on approval of requests. When a user gains additional administrative rights, he or she becomes a member of shadow security groups in a new trusted forest.
Through the use of expiring links, membership in significant groups is limited in time. If the user is approved to request additional access rights for one hour, then an hour later these rights are automatically removed from him.
All this happens completely unnoticed by the user. Through the use of trust relationships between forests and additional secure accounts in the new forest, users can receive elevated access rights without having to log in. The Key Distribution Center (KDC) takes into account these multiple temporary groups and a user who is in several shadow groups receives a Kerberos ticket for a period corresponding to the minimum time limit.
Azure AD Join performs the same role for AD Domain Services as Intune for SCCM — Azure AD Join is mainly intended for small organizations that do not yet have an Active Directory infrastructure. Microsoft calls these organizations cloud-first / cloud-only.
The main purpose of Azure AD Join is to provide the benefits of a local Active Directory environment without the attendant complexity of ownership and management. Devices shipped with Windows 10 can be included in Azure AD and this allows companies without a full-fledged IT department to manage their corporate resources.
Microsoft Azure Administration Portal
The companies that already use Office 365 will be able to benefit the most from Azure AD Join. From their device, with Windows 10 installed, the user can log in, check email, synchronize Windows settings, etc. with the same account. If necessary, IT support staff can customize MDM policies and the Windows Store for their company. And all this without a locally deployed AD domain.
One of the important potential markets for Azure AD Join is education. Today, Google's Chromebook is the dominant product in this market. Despite the fact that the mobile device included in the AD domain provides more customization options than the Chromebook, the price and performance of Windows devices played against them. Now, a very cheap device included in Azure AD with access to a custom app store and Office 365 can significantly strengthen Microsoft’s position and allow it to catch up with competitors.
Updating passwords is one of the main security issues that arise when working with users. I think that every administrator knows those who use the same password for multiple services. When they use the same username, such as their email address, exploiting this vulnerability becomes quite simple. As soon as the attacker received data from one account, he received them all.
Microsoft Passport has to change everything. Using two-factor authentication, Passport can offer increased security compared to regular passwords, without the complexity of traditional solutions such as smart cards. It is designed for use with Windows Hello (integrated biometric authorization system in Windows 10 Pro / Enterprise).
Authorization Settings
Microsoft Passport's two-factor authentication consists of a user account and special credentials for the device used (which is associated with the user). Each device user has a special authenticator (called hello) or PIN. This allows you to make sure that the person entering the credentials is their owner.
This technology can work both in the traditional local Active Directory environment and in Azure AD. In some installation options, you will need a domain controller with Windows Server 2016 installed. When using Microsoft Passport, the IT administrator may no longer worry about changing user passwords, since you still need a second authentication method. Strong password policies (requiring long passwords or setting a short duration) can be relaxed, since Microsoft Passport will now provide additional protection. A simpler authentication process can significantly increase user satisfaction with corporate IT.
Each of these Active Directory innovations is targeted at the ever-growing audience of the Windows Server. PAM allows you to protect user accounts. Azure AD Join gives you the opportunity to take advantage of AD small companies that do not have the money or infrastructure for a full-fledged local solution. Finally, Microsoft Passport should change how authentication occurs. By working with the FIDO alliance, Microsoft Passport can be used on many different devices and platforms (and may be more widely used).
With the release of Windows Server 2016, Active Directory gained three important new features. In this article we will discuss Access Management, Azure AD Join, and Microsoft Passport.
The leitmotif of most innovations in Windows Server 2016 is security. You can see this in all roles and services. Shielded VM in Hyper-V, code integrity in the application server and Privileged Access Management in Active Directory Domain Services.
')
However, not everything new in Active Directory is security related. Especially distinguished two new features. You will hear a lot more about the first of them - Azure Active Directory Join in the coming months (especially if you support small / medium organizations). The second important feature we mention is Microsoft Passport. Although it is too early to assert that Microsoft Passport could potentially save users from their headaches (and IT specialists from their problems) associated with passwords. Enough introductions. Get down to business!
Privileged Access Management
Privileged Access Management (PAM) is the Active Directory equivalent for Privileged Access Workstation (PAW) . While PAW is used for workstations and servers, PAM is intended for managing forests, security groups and group memberships.
As a core, PAM uses Microsoft Identity Manager (MIM) and requires that your forest’s functional level is not lower than Windows Server 2012 R2. Microsoft believes that if an organization needs PAM, then its Active Directory forest is already compromised. Therefore, when you configure PAM, a new AD forest is created. It is isolated to work with privileged accounts and, since MIM has just created it, is free from any third-party actions.
Configure AD DS with notes about Azure Active Directory
With this secure forest, MIM can manage requests for access rights. Like other applications for managing permissions, such as, for example, AGPM , MIM implements the process of managing administrative access rights based on approval of requests. When a user gains additional administrative rights, he or she becomes a member of shadow security groups in a new trusted forest.
Through the use of expiring links, membership in significant groups is limited in time. If the user is approved to request additional access rights for one hour, then an hour later these rights are automatically removed from him.
All this happens completely unnoticed by the user. Through the use of trust relationships between forests and additional secure accounts in the new forest, users can receive elevated access rights without having to log in. The Key Distribution Center (KDC) takes into account these multiple temporary groups and a user who is in several shadow groups receives a Kerberos ticket for a period corresponding to the minimum time limit.
What is Azure Active Directory Join?
Azure AD Join performs the same role for AD Domain Services as Intune for SCCM — Azure AD Join is mainly intended for small organizations that do not yet have an Active Directory infrastructure. Microsoft calls these organizations cloud-first / cloud-only.
The main purpose of Azure AD Join is to provide the benefits of a local Active Directory environment without the attendant complexity of ownership and management. Devices shipped with Windows 10 can be included in Azure AD and this allows companies without a full-fledged IT department to manage their corporate resources.
Microsoft Azure Administration Portal
The companies that already use Office 365 will be able to benefit the most from Azure AD Join. From their device, with Windows 10 installed, the user can log in, check email, synchronize Windows settings, etc. with the same account. If necessary, IT support staff can customize MDM policies and the Windows Store for their company. And all this without a locally deployed AD domain.
One of the important potential markets for Azure AD Join is education. Today, Google's Chromebook is the dominant product in this market. Despite the fact that the mobile device included in the AD domain provides more customization options than the Chromebook, the price and performance of Windows devices played against them. Now, a very cheap device included in Azure AD with access to a custom app store and Office 365 can significantly strengthen Microsoft’s position and allow it to catch up with competitors.
Microsoft Passport can help solve password problems.
Updating passwords is one of the main security issues that arise when working with users. I think that every administrator knows those who use the same password for multiple services. When they use the same username, such as their email address, exploiting this vulnerability becomes quite simple. As soon as the attacker received data from one account, he received them all.
Microsoft Passport has to change everything. Using two-factor authentication, Passport can offer increased security compared to regular passwords, without the complexity of traditional solutions such as smart cards. It is designed for use with Windows Hello (integrated biometric authorization system in Windows 10 Pro / Enterprise).
Authorization Settings
Microsoft Passport's two-factor authentication consists of a user account and special credentials for the device used (which is associated with the user). Each device user has a special authenticator (called hello) or PIN. This allows you to make sure that the person entering the credentials is their owner.
This technology can work both in the traditional local Active Directory environment and in Azure AD. In some installation options, you will need a domain controller with Windows Server 2016 installed. When using Microsoft Passport, the IT administrator may no longer worry about changing user passwords, since you still need a second authentication method. Strong password policies (requiring long passwords or setting a short duration) can be relaxed, since Microsoft Passport will now provide additional protection. A simpler authentication process can significantly increase user satisfaction with corporate IT.
Each of these Active Directory innovations is targeted at the ever-growing audience of the Windows Server. PAM allows you to protect user accounts. Azure AD Join gives you the opportunity to take advantage of AD small companies that do not have the money or infrastructure for a full-fledged local solution. Finally, Microsoft Passport should change how authentication occurs. By working with the FIDO alliance, Microsoft Passport can be used on many different devices and platforms (and may be more widely used).
Source: https://habr.com/ru/post/319010/
All Articles