Manage Privileged Identities Flashcards

JIT JEA PAWs LAPS

1
Q

What are some avenues of attack that lead to credential theft?

A
  • Logging into unsecured systems with privileged accounts
  • Browsing the internet with privileged accounts
  • Configuring local privileged accounts with the same creds across many systems
  • Overuse/overpopulation of privileged groups
  • Insufficient management of Domain Controller Security.
2
Q

What kinds of accounts are often targeted in credential theft or privilege escalation attacks?

A
  • Permanently privileged accounts
  • VIP Accounts (CEO, CFO, etc.)
  • “Privileged-attached” directory accounts
  • Domain Controllers
  • Other identity servers (PKI, Management, etc.)
3
Q

In which version of Windows were Audit Subcategories introduced?

A

Windows Vista / Server 2008 (auditpol.exe exposes the subcategories)

4
Q

In which version of Windows were Advanced Audit Policies introduced?

A

Windows 7 / Server 2008 R2 (Advanced Audit Policy Configuration under Security Settings in Group Policy)

5
Q

In which scenarios would you want to most commonly disable User Account Control (UAC)?

A

Server Core installations (it is disabled by default for Server Core)

6
Q

On a member server, if the local administrator account is disabled, does that prevent the account from being used in a break-glass/failsafe scenario?

A

No. When the system is booted into safe mode, the built-in Administrator account can still be used to log on even though it is disabled, which is why its password must still be set, unique per system (LAPS) and protected.

7
Q

In which version of Windows was RDP Restricted Admin Mode Introduced?

A

Server 2012 R2 / Windows 8.1 (later backported to Windows 7, Windows 8, Server 2008 R2 and Server 2012 by an update)

8
Q

What does RDP RestrictedAdmin mode do?

A

In RestrictedAdmin mode the RDP client does not send the user’s credentials (password, hash or ticket) to the host. The client authenticates to the host with Kerberos or NTLM network authentication; the host verifies that the account has administrative rights and that it supports RestrictedAdmin, and then creates the session.

Credentials are therefore never sent to the remote system in plain text or in any other reusable form, so an attacker who later dumps LSASS on that host does not obtain the administrator’s credentials. The trade-off is that anything the session connects to outbound authenticates as the host’s computer account rather than as the administrator.

9
Q

What is a Pass The Hash (PtH) attack?

A

PtH is a technique in which an attacker obtains an account’s NTLM password hash on one system (for example from LSASS memory or the SAM) and then authenticates as that account to other computers on the network by presenting the hash directly, without needing to know or crack the password.

10
Q

What are some fundamental requirements for a Pass-the-Hash attack to be successful?

A
  • Access to a system on which a privileged account has logged on
  • Local administrative rights on that system (needed to read hashes from LSASS or the SAM)
  • Network access to a second, or more, system that accepts the discovered credentials (for example because the same local admin password is reused, or a domain account is admin there too).
11
Q

What is the simplest way to prevent a Pass-the-Hash attack from occurring on a system?

A

Never logon to the system with privileged credentials.

12
Q

What is Lateral Movement?

A

An attacker uses credentials obtained from a compromised system to gain access to another system of the same value (same tier) in the organization.

13
Q

What is privilege escalation?

A

Attacker uses credentials obtained from a compromised computer to gain access to another computer of higher value in the organization.

14
Q

What are some locations where credentials are stored on a Windows computer?

A
  • SAM Database
  • Lsass Process
  • Active Directory Database
  • Credential Manager (CredMan)
  • LSA Secrets stored in the registry
15
Q

What behaviors on the network could result in a Pass-the-Hash being successful?

A
  • High privilege domain accounts used to logon to systems
  • Applications running with high privileges
  • Scheduled tasks running with high privileges
  • Local Admin rights given to ordinary accounts
  • Privileged accounts used to browse the internet
  • Same password used for all built-in Admin accounts
  • Expiry/termination of Domain Admin, Enterprise Admin or other highly privileged accounts is not enforced
  • Poor update strategy
  • Shared accounts
  • Overprivileged and high privileged service accounts
  • Too many administrators
16
Q

What are some common mitigations for Pass-the-Hash?

A
  • Restrict and protect highly privileged domain accounts
  • Restrict and protect local accounts with admin rights
  • Restrict inbound traffic via Windows Firewall
  • Restrict software on systems.
17
Q

When considering Pass-the-Hash, what is meant by “Restrict and protect highly privileged domain accounts?

A
  • Limit number of admins
  • No email for administrative accounts
  • Limit logon servers
  • Use Smart Cards
  • Use Jump Servers / PAWs
18
Q

When considering Pass-the-Hash, what is meant by “Restrict and protect local accounts with admin rights”?

A
  • Remove standard users from Local Admins
  • Do not reuse built-in admin account passwords across systems (use LAPS to randomize them per machine)

19
Q

When considering Pass-the-Hash, what is meant by “Restrict inbound traffic via the Windows Firewall”?

A
  • Deny internet access for privileged accounts
  • Limit where logons can come from (only admin workstations / jump servers may reach management ports)

20
Q

When considering Pass-the-Hash, what is meant by “Restrict software on systems”?

A
  • Windows Updates should be installed regularly
  • Restrict which management tools that can be used and how
  • Remove LM and NTLM usage (audit NTLM first, then restrict it; Kerberos does not put a reusable hash on the wire)
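Before NTLM can be removed it has to be measured. The following is an added example (not from the original flashcards) that baselines NTLM network logons from the local Security log and flags privileged accounts that are still authenticating with NTLM, which is exactly the traffic Pass-the-Hash rides on. The privileged account names are assumed placeholders.

```powershell
# Added example, not part of the flashcards. Run elevated on a server or DC whose Security log
# records logon events (audit "Logon" success must be enabled). Account names are assumed.
$privileged = @('CONTOSO\da-alice', 'CONTOSO\Administrator')

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } `
                       -ErrorAction SilentlyContinue

$ntlmLogons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Logon type 3 = network logon; package NTLM means a password hash, not a Kerberos ticket, was presented
    if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source  = $d.IpAddress
            Host    = $d.WorkstationName
            LmPkg   = $d.LmPackageName   # "NTLM V1" or "NTLM V2"
        }
    }
}

# Who uses NTLM, and from how many distinct source addresses (many sources = worth investigating)
$summary = $ntlmLogons | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Name
        Logons  = $_.Count
        Sources = ($_.Group.Source | Sort-Object -Unique).Count
        V1      = ($_.Group | Where-Object LmPkg -eq 'NTLM V1').Count
    }
} | Sort-Object Sources -Descending
$summary | Format-Table -AutoSize

# Privileged accounts should not appear here at all once the mitigations on these cards are in place
foreach ($p in $privileged) {
    $hit = $summary | Where-Object { $_.Account -eq $p }
    if ($hit) { Write-Warning "$p authenticated with NTLM $($hit.Logons) time(s) from $($hit.Sources) source(s) in the last 24h" }
}
```

Run it across the servers an account is allowed to log on to (cards 17 and 19) before setting the NTLM restriction policies; NTLM V1 entries are the first to eliminate.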
21
Q

What is a Pass-the-Ticket attack?

A

Similar to PtH, except that a Kerberos ticket (usually the TGT, which can then be used to request service tickets for any service) is extracted from memory and reused instead of a password hash.

22
Q

What is the default lifespan of a Kerberos ticket?

A

A TGT is valid for 10 hours and can be renewed for up to 7 days; after that a new TGT must be requested with the account’s credentials (defaults set in the Default Domain Policy under Kerberos Policy).

23
Q

How are Pass-the-Ticket attacks less useful than Pass-the-Hash attacks?

A

A stolen hash stays valid until the user changes the password (30-90 days in most organizations; sometimes never).

A stolen Kerberos ticket expires on its own (10 hours, renewable to 7 days by default), which limits how long an attacker can hold on to and use it.

24
Q

Why is it bad to allow sensitive domain accounts to be trusted for delegation?

A

If the service or server the client authenticates to is trusted for unconstrained delegation, the client sends a copy of its TGT and session key along with the service ticket. An attacker who controls that server can extract the TGT and impersonate the client to any other service until the ticket expires. Sensitive accounts should therefore be marked “Account is sensitive and cannot be delegated” so no TGT is ever forwarded for them.

25
Q

Which type of IIS authentication utilizes Kerberos or NTLM?

A

IIS integrated Windows Authentication.

26
Q

What are the requirements for RDP RestrictedAdmin Mode?

A
  • Both the client and the destination must be Windows 8.1 / Server 2012 R2 or later (Windows 7 / 8 and Server 2008 R2 / 2012 can be brought up to date with the backport update)
  • Restricted Admin Mode must be explicitly enabled in the target system’s registry
  • The connecting account must be a local administrator on the destination server
  • Server 2012 (and older) systems require the update before they support RDP Restricted Admin
27
Q

How do you enable use of RDP Restricted Admin for destination systems?

A
HKLM:\System\CurrentControlSet\Control\LSA
- Name: DisableRestrictedAdmin
- Type: REG_DWORD
- Value: 0
Does not require a reboot.

Caveat: once this value is 0 the host accepts RDP logons by NTLM network authentication, so an attacker holding only a stolen NTLM hash of a local admin can open a Restricted Admin session on it (Pass-the-Hash over RDP). Pair it with the inbound RDP restrictions and NTLM restrictions from the PtH mitigation cards.
28
Q

What is the process of using RDP Restricted Admin Mode?

A

Once it is enabled run the following command:

mstsc /v:$ServerName /RestrictedAdmin

29
Q

How can you enforce all RDP connections to use Restricted Admin?

A
  1. Open Group Policy Management
  2. Create or edit a GPO linked to the administrative workstations / jump servers
  3. Computer Configuration \ Policies \ Administrative Templates \ System \ Credentials Delegation
  4. Set “Restrict delegation of credentials to remote servers” to Enabled (mode: Require Restricted Admin)
  5. Run gpupdate to apply the policy.

NOTE: This does NOT enable Restricted Admin mode on target systems, it only requires its use for RDP. Make sure it is turned on before configuring this.
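The three cards above are one procedure: enable Restricted Admin on the target, require it on the client, then connect. The following is an added example that scripts that procedure end to end; it is not code from the original flashcards. The server name is assumed, the target is configured over WinRM (a network logon, so no credentials are left there), and the client-side policy is written as the registry values that the “Restrict delegation of credentials to remote servers” setting maps to (RestrictedRemoteAdministrationType 1 = Require Restricted Admin); in production that part belongs in the GPO from card 29.

```powershell
# Added example, not part of the flashcards. Run from the admin workstation as an account that is
# a local administrator on the target. Server name is assumed.
$target = 'srv01.contoso.local'

# --- 1. Target: allow Restricted Admin connections (no reboot needed) ---
Invoke-Command -ComputerName $target -ScriptBlock {
    $lsa = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    $v = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin).DisableRestrictedAdmin
    if ($v -ne 0) { throw "DisableRestrictedAdmin is $v on $env:COMPUTERNAME, expected 0" }
    "$env:COMPUTERNAME : Restricted Admin enabled"
}

# --- 2. Client: require Restricted Admin for every outbound RDP session ---
# Local equivalent of the Credentials Delegation policy on card 29; prefer setting it via GPO.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
New-Item -Path $pol -Force | Out-Null
New-ItemProperty -Path $pol -Name RestrictedRemoteAdministration     -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $pol -Name RestrictedRemoteAdministrationType -PropertyType DWord -Value 1 -Force | Out-Null

# --- 3. Connect. The client sends no reusable credential; the host checks you are a local admin ---
mstsc.exe /v:$target /RestrictedAdmin

# --- 4. Check that the target really has Restricted Admin on before relying on step 2 elsewhere ---
# (the policy only demands the mode; a host with DisableRestrictedAdmin=1 will simply refuse the logon)
Invoke-Command -ComputerName $target -ScriptBlock {
    (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin).DisableRestrictedAdmin -eq 0
}
```

Inside the resulting session, `dir \\otherserver\share` (or a second mstsc hop) authenticates as the target’s computer account (SRV01$), which is the behaviour card 31 describes; typing your domain credentials at that point would put them on the server and defeat the purpose.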

30
Q

What is a good use case for RDP Restricted Admin?

A
  • Domain Admin needing to login to a member server to perform some task. RDP Restricted Admin would prevent DA credentials from landing on the member server in a way where they would be harvestable.
  • Help Desk staff who connect to workstations with T2 privileged accounts could use this so they wouldn’t expose their logons or need to change passwords as often.
31
Q

When RDP Restricted Admin is used to connect to one system and an attempt is made to RDP to another system, which credentials are used?

A

RDP Restricted Admin prevents your credentials from landing on the target system, so the session has nothing of yours to forward. Any connection outbound from that system (file shares, a second RDP hop, PowerShell remoting) authenticates as the target’s computer account, not as you; a second RDP hop will prompt for credentials, and entering them there would expose them on the first target.

32
Q

What types of accounts are most at risk in Windows?

A
  • Privileged accounts with broad privileges
  • VIP accounts (executives, HR, etc.) who may have access to confidential resources

33
Q

What is selective authentication?

A

Selective Authentication can be enabled on external forest trusts. It provides AD admins with more control over which groups of users in a trusted forest can access shared resources in the trusting forest.

34
Q

What is Privileged Access Management?

A

PAM is a component of Microsoft Identity Manager (MIM) 2016 and is a solution that helps mitigate unauthorized privilege escalation attacks.

35
Q

In which version of Windows was the optional feature “Privileged Access Management” introduced?

A

Server 2016 - Specifically the DCs must be Server 2016.

36
Q

What are PAM’s system requirements?

A
  • Management forest must be Server 2012 R2 or newer with a forest functional level of 2012 R2 or newer
  • The PAM client is supported on Windows 7 and later
  • PowerShell 2.0 or greater is required for the PowerShell features
37
Q

What are Shadow Principals?

A

Principals (objects of class msDS-ShadowPrincipal) in the admin forest whose msDS-ShadowPrincipalSid attribute carries the SID of an administrative group in the production forest (e.g. Domain Admins).

Users are added to the shadow principal in the admin forest, normally with a time-to-live; the production forest honours that SID through SIDHistory across the trust, so the user is treated as a member of the production group without the production group itself holding any members.

38
Q

What is required on the trust between the Admin Forest and the production forest for PAM to work?

A

SID History must be enabled on the trust (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL, so the admin forest’s SIDs are not filtered).

PIM trust must be enabled (TRUST_ATTRIBUTE_PIM_TRUST).

39
Q

Can an attacker enumerate the members of domain admins in the production forest if the forest is being managed with PAM?

A

Effectively no. The Domain Admins group still exists in the production forest, but because membership is granted through the shadow principal in the PAM forest, the production group itself is kept empty, so enumerating it reveals nothing. An attacker would have to observe the SID in a user’s token or tickets at the moment of use rather than read a static member list.

40
Q

What are the requirements for the Privileged Access Management Feature?

A
  • DCs must be Server 2016 or newer
  • FFL/DFL must be Server 2012 R2 or newer
  • For integration with a PAM forest:
    • Forest trust between the production and admin forests (production trusts admin)
    • Production DCs must be Server 2012 R2 or newer with the May 2016 update rollup
    • TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL (SIDHistory) is set on the trust
    • TRUST_ATTRIBUTE_PIM_TRUST (enable PIM trust) is set on the trust
    • The optional feature “Privileged Access Management” is enabled in the admin forest
41
Q

How do you verify a trust can be configured with the PIM trust feature?

A

Run the command: netdom trust /?

If /EnablePIMTrust appears, it is available
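Cards 38, 40 and 41 together describe the trust settings PAM needs. The following is an added example (not from the flashcards) that performs the netdom check above, applies the required trust attributes from the production side, and reads the resulting trustAttributes bits back from the trusted-domain object so the state can be verified rather than assumed. Forest names are assumed placeholders; run it elevated on a production-forest DC as a production Domain Admin.

```powershell
# Added example, not part of the flashcards. Forest names are assumed.
$prod    = 'contoso.local'        # production (trusting) forest
$bastion = 'priv.contoso.local'   # admin / bastion (trusted) forest

# 1. netdom must know the PIM trust switch (absent on 2012 R2 DCs without the May 2016 rollup)
$help = netdom trust /? 2>&1 | Out-String
if ($help -notmatch 'EnablePIMTrust') {
    throw 'netdom on this DC has no /EnablePIMTrust; install the May 2016 (or later) update rollup first'
}

# 2. Trust settings PAM requires on the one-way forest trust (prod trusts bastion)
netdom trust $prod /domain:$bastion /ForestTRANsitive:Yes
netdom trust $prod /domain:$bastion /EnableSIDHistory:Yes    # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
netdom trust $prod /domain:$bastion /EnablePIMTrust:Yes      # TRUST_ATTRIBUTE_PIM_TRUST
netdom trust $prod /domain:$bastion /Quarantine:No           # do not SID-filter the admin forest

# 3. Read the trustAttributes bit mask back from the trusted-domain object
$tdo  = Get-ADObject -Server $prod -Filter "objectClass -eq 'trustedDomain' -and name -eq '$bastion'" `
                     -Properties trustAttributes
$attr = [int]$tdo.trustAttributes
$state = [pscustomobject]@{
    Trust             = $tdo.Name
    ForestTransitive  = [bool]($attr -band 0x8)
    TreatAsExternal   = [bool]($attr -band 0x40)    # SIDHistory honoured
    PIMTrust          = [bool]($attr -band 0x400)
    QuarantinedDomain = [bool]($attr -band 0x4)     # must be False
}
$state
if (-not ($state.ForestTransitive -and $state.TreatAsExternal -and $state.PIMTrust) -or $state.QuarantinedDomain) {
    Write-Warning 'Trust is not yet configured the way PAM requires'
}
```

Disabling SID filtering (/Quarantine:No) is what lets the shadow principal’s SID cross the trust; it is acceptable only because the admin forest is the more trusted side. Never do it in the other direction.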

42
Q

Where are shadow principals stored?

A

They are stored in the admin forest under the “Shadow Principal Configuration” container under the Services container
CN=Shadow Principal Configuration,CN=Services,CN=Configuration,$DomainDN
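The following is an added example (not from the flashcards) that lists the shadow principals in that container with the production SID each one carries and its current (time-limited) members, and then confirms the matching production group is empty, which is the condition card 39 depends on. It assumes the ActiveDirectory module on a Server 2016 bastion-forest host; the DC and domain names are placeholders. The schema names used (msDS-ShadowPrincipal, msDS-ShadowPrincipalSid) are those of the Server 2016 PAM optional feature.

```powershell
# Added example, not part of the flashcards. Host and domain names are assumed.
Import-Module ActiveDirectory

$bastionDC  = 'privdc.priv.contoso.local'   # a DC in the admin forest
$prodDomain = 'contoso.local'               # production domain

$cfg    = (Get-ADRootDSE -Server $bastionDC).configurationNamingContext
$spBase = "CN=Shadow Principal Configuration,CN=Services,$cfg"

# Each shadow principal stores the SID of a production group in msDS-ShadowPrincipalSid.
# -ShowMemberTimeToLive returns time-limited members as "<TTL=seconds,DN>"; a bare DN is permanent.
$shadow = Get-ADObject -Server $bastionDC -SearchBase $spBase `
            -Filter "objectClass -eq 'msDS-ShadowPrincipal'" `
            -Properties msDS-ShadowPrincipalSid, member -ShowMemberTimeToLive

foreach ($sp in $shadow) {
    $raw = $sp.'msDS-ShadowPrincipalSid'
    $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
           else { [System.Security.Principal.SecurityIdentifier]$raw }
    "{0}  ->  {1}" -f $sp.Name, $sid.Value
    foreach ($m in $sp.member) {
        if ($m -match '^<TTL=(\d+),(.+)>$') { "    member (expires in $($Matches[1]) s): $($Matches[2])" }
        else                                { "    member (PERMANENT, review!): $m" }
    }
}

# The production group must stay empty: rights flow only through the shadow principal's SID
$prodDA = Get-ADGroup -Server $prodDomain -Identity 'Domain Admins' -Properties member
if ($prodDA.member.Count -gt 0) {
    Write-Warning "Production Domain Admins still has $($prodDA.member.Count) direct member(s): $($prodDA.member -join '; ')"
}
```

A permanent member of a shadow principal defeats the JIT model just as a permanent member of the production group would; the warning lines are the ones to act on.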

43
Q

What is the PAM Monitoring Service?

A

The PAM monitoring service mirrors the ACCOUNTDISABLE flag of the userAccountControl attribute from the source production accounts to their corresponding admin-forest accounts, so disabling a user in production also disables their privileged account.

44
Q

When utilizing PAM you realize you are unable to effectively manage the well-known SID groups in the production forest. What could be the cause?

A

If the production forest DCs are Server 2012 R2, they are probably missing the May 2016 update rollup that adds support for the PIM trust attribute (netdom /EnablePIMTrust); without it the well-known SIDs from the admin forest are not honoured.

45
Q

Can you have multiple approvers in PAM?

A

No. PAM only supports single approvers.

46
Q

What all information is replicated between the two forests using the PAM Monitoring Service?

A

Only the account enabled/disabled flag. All other information is not replicated.

47
Q

You receive an error when you attempt to run New-PAMGroup. What could be the issue?

A
  • Ensure you are logged on to the PAM server, not a corporate workstation.
  • Ensure the MIMPAM PowerShell module is installed and imported in your session (Import-Module MIMPAM).
48
Q

When running the New-PAMGroup cmdlet you receive an error “requestor’s identity is not found”. What do you do?

A

Ensure you are signed in as someone who has an account in MIM.

49
Q

What are the goals of Privileged Access Management?

A

Re-establish control over a compromised AD by maintaining a separate bastion forest that is known to be unaffected by the malicious attacks.

Isolate use of privileged accounts to reduce the risk of credentials being stolen.

50
Q

What different kinds of attacks can PAM help protect against?

A
  • Vulnerabilities
  • Unauthorized Privilege escalations
  • Pass-the-Hash
  • Pass-the-Ticket
  • Spear Phishing
  • Kerberos compromises
51
Q

What are the four steps of PAM setup and operation?

A
  1. Prepare - Identify which groups hold privileges. Recreate these groups in the bastion forest.
  2. Protect - Set up lifecycle and authentication protection for when users require JIT administration.
  3. Operate - After request and approval, accounts are added temporarily to privileged groups in the bastion forest. They hold these rights for a preset amount of time and are then removed.
  4. Monitor - Auditing, alerts and reports of privileged access requests.
52
Q

How does Multi-Factor Authentication (MFA) play into PAM?

A

MFA helps prevent programmatic attacks from malicious software or following credential theft.

53
Q

How does the bastion forest limit the amount of time a user has permissions?

A

PAM relies on time-limited group memberships (each membership carries a TTL). When the KDC issues a TGT it caps the ticket lifetime at the shortest remaining TTL among the user’s memberships, so the privileged SID disappears from the user’s tickets when the membership expires.

54
Q

Which accounts need moved to the new secure forest?

A

Only privileged accounts. Regular user accounts, machine accounts, etc. do not need to be moved.

55
Q

What are some advantages of using Privileged Access Management?

A
  • Isolation/scoping of privileges - Users do not hold privileges on the accounts that are also used for non-privileged tasks. Privileges need requesting.
  • Setup and proof-up
  • Additional Logging
  • Customizable Workflows
56
Q

What different methods can users use to request access via Privileged Access Management?

A
  • MIM Service web service API
  • A REST endpoint
  • Windows PowerShell (New-PAMRequest)
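The following is an added example (not from the flashcards) of the PowerShell request path: look up the roles the current user may request, request one, watch it move out of the pending state, and then refresh the Kerberos ticket so the time-limited SID from card 53 is actually carried. It assumes the MIMPAM module on a bastion-forest host and a role named CorpAdmins; that role name is a placeholder, and the request object is printed in full rather than by assumed property names.

```powershell
# Added example, not part of the flashcards. Run as the bastion-forest user who holds the role.
Import-Module MIMPAM

$roleName = 'CorpAdmins'   # assumed PAM role that maps to a production privileged group
$role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) { throw "No PAM role named '$roleName' is available to this user" }

# Submit the request; depending on the role it is auto-approved or waits for an approver
New-PAMRequest -Role $role | Out-Null

# Show the request(s) for this role; repeat until the approval state changes
Get-PAMRequest | Format-List *

# A fresh TGT is needed for the time-limited membership to appear in tickets: purge the cache and
# let Kerberos re-acquire one on next use, then read its end time (bounded by the membership TTL)
klist purge | Out-Null
klist tgt
```

If the end time shown by `klist tgt` is earlier than the normal 10-hour lifetime, that is the TTL at work; when the membership expires the next TGT will no longer carry the group SID.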
57
Q

What is the best way to ensure a bastion forest is logically separated from the prod forest?

A
  • Servers should not be joined to the domain or leverage settings distribution from the existing prod environment.
  • Bastion forest should contain its own AD DS and the essential functions of that service itself (Kerb, LDAP, DNS, Time, etc.)
  • MIM should not use an existing SQL DB from production
  • Bastion forest requires Server 2016 or newer
  • Backups and media for bastion must be kept separate from backups and media of existing forests - prevents subversion of the bastion.
  • Management of bastion should take place from workstations not otherwise exposed to production.
58
Q

How should accounts be setup for the bastion forest?

A
  • Least privilege should be used where ever possible
  • Accounts in the admin forest that are used to administer production should not have permissions to the admin forest
  • Admin privileges over the admin forest should be controlled by an offline process
  • Admin forest should follow MS Security Compliance Manager configurations for the domain, including strong configurations for authentication protocols
59
Q

What are break glass accounts and how are they secured?

A

Break glass accounts are emergency accounts that can bypass many security restrictions in case of an outage or incident in order to regain access to an environment. These accounts should be limited to logging on only to the systems they are configured for, nothing more, and every use should be alerted on.

60
Q

What are “Red Card Administrators” and how should they be secured?

A

Red Card Administrators provision other accounts and perform unscheduled maintenance. They should have no access to existing, non-admin forest systems outside the bastion environment. Their credentials, ideally a smart card, should be physically secured and use of the account logged and audited.

61
Q

What systems qualify as administrative hosts?

A
  • Desktops which the credentials of administrative accounts are typed or entered.
  • Administrative “jump” servers on which administrative sessions/tools are run.
  • All hosts where administrative actions are performed, including standard user desktops running RDP
  • Servers hosting apps that need to be administered and are not accessed via RDP with Restricted Admin mode or PS Remoting
62
Q

What considerations are needed when considering deploying administrative workstations (PAWs) for a bastion forest?

A
  • Verify the media build is clean
  • Use security baselines (Microsoft Security Compliance Manager)
  • Enable SecureBoot
  • Enable AppLocker (software restrictions)
  • Enable Full Volume Encryption (BitLocker)
  • Restrict USB
  • Network Isolation via Windows Firewall
  • Configure EMET (Exploit Mitigations)
  • Perform attack surface analysis
  • Administrative privileges should not be given to users on the systems.
  • RestrictedAdmin should be used for outgoing RDP sessions
63
Q

What cmdlets can be used to update trust relationships with the PAM forest in the event the AD topology changes?

A
  • Test-PAMTrust
  • Test-PAMDomainConfiguration
  • Remove-PAMTrust
  • Remove-PAMDomainConfiguration
64
Q

How do you enable RPC over TCP/IP for the Local Security Authority in the Bastion Forest?

A

Use Group Policy on current Windows versions.

On older versions set the registry value directly:
HKLM:\System\CurrentControlSet\Control\LSA
- Name: TcpipClientSupport
- Type: REG_DWORD
- Value: 1
65
Q

What are the three levels of the AD Administrative Tier Model?

A
  • Tier 0 - Servers and resources that have direct control over enterprise identities in the environment. Includes groups, accounts, or assets with direct control of AD.
  • Tier 1 - Control over enterprise servers and applications. Includes other server OSes, Cloud, and enterprise applications. Admins with T1 will have control over a large segment of the business
  • Tier 2 - Control of user workstations and devices
66
Q

How does the tier model help reduce chances of privilege escalation?

A

Tier model prevents privilege escalation by restricting what administrators can control and where they can log in.

67
Q

What kind of control restrictions are incorporated into the Tier Model?

A
  • Control is the same throughout the tier
  • Control to lower tiers is possible but only as needed
  • Control to higher tiers is restricted and blocked
68
Q

What are the responsibilities/restrictions of a T0 Admin?

A
  • Manage the identity store and small number of systems responsible for the identity store.
  • Manage and control assets at any level as required
  • Can logon interactively or access assets trusted at the T0 Level.
69
Q

What are the responsibilities/restrictions of a T1 Admin?

A
  • Manage enterprise servers, services, and apps.
  • Manage and control assets in T1 and T2
  • Can only access assets (via network logon) trusted at T1 or T0 levels
  • Can only interactively logon to T1 assets.
70
Q

What are the responsibilities/restrictions of a T2 Admin?

A
  • Manage enterprise end-user systems (desktops, laptops, printers, etc.).
  • Can only manage and control assets at T2 level
  • Can access any assets (via network logon) at any level
  • Can only interactively logon to assets trusted at T2 level.
71
Q

What are the logon restrictions of the Tier Model?

A
  • T0 users must not log on to devices at lower tiers (their credentials would be exposed to a less trusted host)
  • T1 users must not log on interactively to lower-tier (T2) devices; network logons to higher-tier assets are allowed where needed
  • T2 users may log on interactively to T2 devices and may use network logons to T1 assets if needed
72
Q

What is the clean source principle?

A

Clean source requires all security dependencies to be as trustworthy as the object being secured.

73
Q

How does the Clean Source principle protect the environment?

A

Control is transitive. If I control asset C with asset B, then anything that has control over asset B has indirect control over asset C.

By ensuring the entire control chain is secured, I can ensure that I maintain the integrity of Asset C.

74
Q

How does the clean source principle apply to installation media?

A

To ensure that installation media is secured, you must ensure it has not been tampered with since it was released by the manufacturer. You should validate the software integrity of the install media throughout the cycle in which it is possessed.

75
Q

What are the methods of validating software as it applies to the Clean Source principle?

A
  • Software obtained on physical media that is known to come from the manufacturer or a reputable source is considered valid.
  • Software obtained from the internet and validated against vendor-provided hashes is considered valid.
  • Software obtained from the internet and validated by downloading and comparing two independent copies is considered valid:
    • Download on two hosts with no security relationship (not in the same domain or managed by the same tools), preferably over separate internet connections.
    • Compare the downloaded files with a hashing utility.
76
Q

What are tools that can be used to generate hashes to ensure their integrity?

A
  • certutil -hashfile $FileName SHA256
  • Get-FileHash $FileName
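The following is an added example (not from the flashcards) that turns cards 75 and 76 into one check: it hashes a downloaded installer with SHA-256, compares it with the vendor-published hash and with an independently downloaded second copy, and also inspects the Authenticode signature where the vendor signs binaries. The paths and the vendor hash are placeholders.

```powershell
# Added example, not part of the flashcards. Paths and the vendor hash are assumed placeholders.
function Test-FileIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$VendorSha256,      # hash published by the vendor (copied from their download page)
        [string]$IndependentCopy    # same file fetched on an unrelated host / internet connection
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result = [ordered]@{ File = $Path; SHA256 = $actual; VendorMatch = $null; CopyMatch = $null }

    if ($VendorSha256) {
        # -eq is case-insensitive in PowerShell; strip whitespace copied from a web page
        $result.VendorMatch = ($actual -eq ($VendorSha256 -replace '\s', ''))
    }
    if ($IndependentCopy) {
        $other = (Get-FileHash -Path $IndependentCopy -Algorithm SHA256).Hash
        $result.CopyMatch = ($actual -eq $other)
    }

    # Authenticode: a valid signature from the expected publisher is a third, independent check
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signature = $sig.Status
    $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]$result
}

# certutil gives the same digest outside PowerShell:  certutil -hashfile C:\Staging\install.exe SHA256
$check = Test-FileIntegrity -Path 'C:\Staging\install.exe' `
                            -VendorSha256 '<sha256 from vendor download page>' `
                            -IndependentCopy 'D:\IndependentDownload\install.exe'
$check

if ($check.VendorMatch -eq $false -or $check.CopyMatch -eq $false) {
    throw "Integrity check failed for $($check.File); do not use this media"
}
if ($check.Signature -ne 'Valid') {
    Write-Warning "No valid Authenticode signature on $($check.File) (status: $($check.Signature))"
}
```

Only a failed comparison is a hard stop; an unsigned file is common for non-Microsoft installers, so that is reported as a warning and the hash checks carry the decision.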

77
Q

How does the clean source principle apply to architecture and design?

A

You should ensure that a system is not dependent on lower trust systems.

78
Q

What different architectural control relationships manifest in an enterprise?

A
  • ACLs
  • Group Memberships
  • Agents
  • Logon
79
Q

Why are logons a control relationship?

A

When a user logs into a system, they expose their credentials to that system thus putting any resources managed by that system under the account with logon rights.

80
Q

What are some of the operational standards that can be applied to an organization?

A
  • Servers and workstations should be joined to AD
  • All servers and workstations should use a current OS
  • All servers should have RDP RestrictedAdmin enabled
  • Smart cards should be used and issued to all administrators
  • The Builtin\Administrator account in each domain is considered an emergency access account.
  • An enterprise identity management solution should be implemented
  • LAPS should be deployed to servers and workstations
  • A privileged access management solution should be in place or being deployed.
  • Personnel should be assigned to monitor security alerts and respond to them.
  • The ability to rapidly apply Microsoft Update should be available.
  • Baseboard management controllers on servers will not be used, or will adhere to strict security controls.
  • Administrator’s accounts for servers and workstations will be managed by Domain Admins
  • A CAB or another security authority is in place for approving AD changes.
81
Q

What are some operational standards that can be applied to Administrator enablement and accountability?

A
  • Administrators must be vetted via a background check and a skill check prior to assigning privileges
  • Administrative privileges should be reviewed periodically (quarterly) to determine which personnel have a legitimate need for administrative access.
  • Administrators should receive regular training on their role, the risks and vulnerabilities affecting their systems, and other practices specific to the organization.
82
Q

How should administrator accounts be provisioned and deprovisioned?

A

Administrative accounts must be approved by an approving authority

  • Admins should only gain access based on legitimate business need
  • Approval for privileges should not exceed six months

Administrative accounts should be deprovisioned if the following conditions apply

  • If there is a personnel change
  • If there is a role change

Disabled accounts should be deleted within 6 months and record of their deletion documented

All privileged account memberships should be reviewed monthly to ensure no unauthorized permissions have been granted.

83
Q

How should accounts be separated to manage the risk of credential exposure?

A

All personnel should have separate accounts for administrative functions that are distinct from user functions

84
Q

How often should Administrative Permissions be reviewed?

A

At least quarterly

85
Q

In general what guidelines should an administrator follow before logging into a system?

A
  • Primary support option should be used if possible
  • Secondary should only be used if primary is unavailable
  • Forbidden support methods should never be used.
  • No internet browsing or email from the administrative account, ever.
86
Q

What guidelines should a T0 Administrator follow when logging into a system?

A

Remote Server Support

  • Primary - Remote tools that use network logons (type 3)
  • Primary Interactive - Use RDP RestrictedAdmin or Standard RDP from a secure workstation

Physical Server Support
- When at the console, the accounts do not have any tool restrictions beyond forbidden tools.

87
Q

Why is protecting T0 critical?

A

T0 assets already have direct or indirect control over all assets. If an attack were to compromise a DC, for example, there is not a need for lateral movement or privilege escalation, they have access to the credential store (database) and can compromise from there.

88
Q

What guidelines should a T1 Admin use when logging into T1 systems?

A

Remote Server Support

  • Primary - Remote tools using network logons (type 3)
  • Primary interactive - RDP Restricted admin from an admin workstation with an account that uses JIT
  • Secondary - Logon using local admin (LAPS)
  • Forbidden - Standard RDP
  • Forbidden - Using credentials while in session (Runas/share authentication) - This exposes credentials

Physical Server Support

  • Primary - Retrieve local admin password while using admin workstation
  • Forbidden - Using domain account via console
  • Forbidden - Using domain credentials while in session (RunAs)
89
Q

What guidelines should a T2 Admin use when logging into T2 systems?

A

Desk Side Support

  • Primary - Over-the-shoulder support is provided with no tools
  • Forbidden - Logging on with domain accounts is not allowed. Switch to a desk-side workstation if admin privileges are required

Remote User Support

  • Primary - Remote assist, screen share, etc.
  • Forbidden - Logging in with domain account administrative credentials is not allowed. Switch to workstation support if admin privileges are needed.

Workstation Support

  • Desk-Side
    • Primary - Retrieve LAPS password and use local admin
    • Forbidden - Logging in with domain accounts is not allowed
  • Remote
    • Primary - Use RDP Restricted Admin with JIT
    • Secondary - Use LAPS
    • Forbidden - Standard RDP
90
Q

What activities should never be performed from an admin workstation?

A

Internet browsing

Email Access

91
Q

How should service account and application passwords be protected?

A
  • Lock service account passwords in a physical safe
  • Ensure that only personnel trusted a tier above the account have access to the password.
  • Limit number of people with access to the passwords to a minimum to ensure accountability
  • Ensure all access is logged, tracked, and monitored by a disinterested party
92
Q

What kinds of authentication should be used with privileged accounts?

A

Administrative users should use smart cards for logins. Not passwords, except with break-glass accounts.

MFA should be used with all Cloud Admin Accounts.

93
Q

What is the main idea behind an Enhanced Security Administrative Environment (ESAE)?

A

Security controls that aren’t available to traditional flat forests are available to ESAE.

Accounts can be provisioned that are standard users in the ESAE forest but also privileged in the down-stream forests.

94
Q

What is the major draw back of ESAE forests?

A

Some applications are not compatible with being administered from a separate forest or over an external trust with selective authentication.

95
Q

What are the overall design considerations associated with ESAE forests?

A
  • Limited Scope
  • One-way Trusts with Select Authentication
  • Privileges and Hardening - Least Privilege
  • Workstation Hardening - PAWs
  • Server and DC Hardening - Clean source, last OS, Updates
  • Account Hardening - MFA, No NTLM
  • Detective Controls
96
Q

When discussing ESAE, what is meant by limited scope?

A

ESAE gains its power from limited access and a small attack surface. Any additional management functions and applications introduced to an ESAE forest increase the attack surface and limit the effectiveness of the forest.

97
Q

What kind of inter-forest trust model should be used with an ESAE Forest?

A

One-way trusts should be used between the production forest and the ESAE forest.

  • Trust can be either a domain or a forest trust
  • Some apps require a two-way trust, but generally the admin forest doesn’t need to trust the production forest.

Selective Authentication should be enabled for all trusts between the ESAE and production forests

  • Selective Auth restricts accounts that can login to production hosts
  • Selective Auth requires accounts be granted the “Allowed to Logon” right in the production forest.
98
Q

What steps can be taken with an ESAE forest to ensure privileges are secure and the domain is hardened?

A
  • Only admin-forest accounts in Builtin\Administrators should be able to administer the domain controllers and add users to Builtin\Administrators
  • Alter the default permissions in the schema so that Builtin\Administrators holds the GPO rights
  • Accounts in the admin forest should only be able to manage the production forest, not the admin forest.
  • Any admin rights to the admin forest should be tightly locked down.
  • Admin forest should follow Security Compliance Baselines
  • Admin forest should use the SCB strong recommendations for authentication
  • Admin forest should automatically be updated with security updates
  • Only PAWs should be used as workstations in the Admin forest and should only be joined to the admin forest.
  • Detective controls should be designed to alert on anomalies.
99
Q

What steps should be taken for hardening servers in the ESAE forest?

A
  • Media should be validated via the clean source principle
  • Only the latest operating systems should be used
  • Hosts in admin forest should automatically update
  • Security Baselines should be used as starting configurations
  • Secure Boot should be enabled
  • Full Volume encryption should be used to protect against physical attacks.
  • USB restrictions should be in place in the Admin Forest
  • Network Isolation should be incorporated into the design of the admin forest, with firewalls set to block incoming connections
  • Antimalware should be configured
  • Run the Attack Surface Analyzer to determine which configurations may be at risk.

100
Q

What steps should be taken to harden accounts in an ESAE forest?

A
  • MFA should be used for all accounts in the Admin forest except the Builtin\Administrator
  • MFA protected accounts should be set to rotate their NTLM hash periodically.
101
Q

What groups are considered T0 Groups by default?

A
Enterprise Admins
Domain Admins
Schema Admins
Builtin Admins
Account Operators
Backup Operators
Server Operators
Print Operators
Domain Controllers
Read-Only Domain Controllers
Group Policy Creator Owners
Cryptographic Owners
Distributed COM Users
Any other groups delegated access similar to the functions or greater than the functions of any of these groups
102
Q

What different types of logons expose credentials?

A

Interactive Logons (Console, RunAs, etc.)

Remote Interactive (RDP) - Failures do not transmit

NetworkClearText (New-PSSession -Authentication CredSSP / New-PSSession -Credential $cred)

Network+Interactive (PsExec with explicit credentials)

Batch / Service

103
Q

What are the different logon types that show up in Windows logs?

A
Interactive - Logon Type 2
Network - Logon Type 3
Batch - Logon Type 4
Service - Logon Type 5
NetworkClearText - Logon Type 8
NewCredentials - Logon Type 9
RemoteInteractive - Logon Type 10
104
Q

How is selective authentication used in a Bastion/ESAE forest?

A

Selective authentication allows for restricting logons (thus credential exposure) to only authorized hosts.

105
Q

How is it that dedicated administrative forests can be more secure than traditional forest architectures?

A

Dedicated administrative forests are allowed to have a wider breadth of security measures due to their limited use case.

Furthermore, compromise of a down-level forest limits the compromise of the administrative forest.

106
Q

For an administrative forest to be most secure, how should the trust be set up between it, PRIV, and a production forest, CORP?

A

The CORP forest should trust the PRIV forest.

This trust is one-way with selective authentication. Two-way could be used, but it's not necessary in this scenario.

107
Q

Why is having a separate account for administering the domain and one for day-to-day work still not effective at preventing credential theft if you are an admin on the workstation?

A

If malware ends up on that system inadvertently, keystroke loggers and other malicious vectors may be used to capture credentials as they are put into the system.

108
Q

What are the different components of Privileged Access Management?

A
  • AD Management Forest
  • DNS
  • MIM Service
  • MIM Management Policy Rule (MPR)
  • MIM Portal
  • MIM Service Database
  • PAM Monitoring Service
  • PAM Component Service
  • PAM REST API
109
Q

Are there any restrictions or challenges to deploying PAM with Server 2012 R2?

A

PAM cannot be used for well-known SID Groups (DA, EA, etc.) across a Server 2012 R2 trust.

PAM requires Kerberos aware applications

PAM only supports a single approver, not multiple approvers.

The PAM monitoring service synchronizes whether the corp AD account is enabled or disabled out to the privileged AD. The sAMAccountName, UPN, description, and other UAC flags are not synced.

110
Q

What can be done to lock down the MIMMonitor account?

A

“Log on as a service” on the PAM Server
“Deny access to this computer from the network” on the PAM server
“Deny Logon Locally” on the PAM server
“Deny Logon as Batch Job” on the PAM server
“Deny Logon through RDP” on the PAM server

111
Q

What can be done to secure the MIMService account?

A

“Logon as a Service” on the PAM Server
“Deny access to this computer from the network” on the PAM Server
“Deny Logon Locally” on the PAM Server
“Deny Logon as a Batch Job” on the PAM Server
“Deny Logon through RDP” on the PAM Server

112
Q

What can be done to lock down the MIM SharePoint Account?

A

“Logon as Service” on the PAM Server

113
Q

What can be done to lock down the MIMComponent account?

A

“Logon as Service” on the PAM Server
“Deny Access to this computer from the network” on the PAM Server
“Deny Logon Locally” on the PAM Server
“Deny Logon as Batch Job” on the PAM Server
“Deny Logon through RDP” on the PAM Server

114
Q

What can be done to lock down the MIM SQLServer Account?

A

“Logon as Service” on the PAM Server

115
Q

Which product does Microsoft Identity Manager replace?

A

MIM replaces Forefront Identity Manager (FIM)

116
Q

What is Microsoft Identity Manager (MIM) used for?

A

MIM is used to manage users, credentials, policies, and access within an organization.

MIM also adds hybrid experience, PAM capabilities, and support for new platforms.

117
Q

What are some common MIM scenarios?

A

Automatic identity and group provisioning based on business policy and workflow-driven provisioning

Integration of the contents of directories with HR systems and other sources of authority.

Syncing identities between directories, databases, and on-premises applications through common APIs and protocols, MS-delivered connectors, and partner-delivered connectors.