Hi everyone !
Today I will spotlight a very good article from Ahmed Malek; How to Provide Temporary and Secure Administrative Access to Critical Systems and Applications
This is an article that go very far in the subject to secure any system(s). As a system admin myselft, at some point in your career, it's the kind of question you come to ask yourself on the how to do.
It's very detailed, and very informative. Really good article !!
Active Directory provides an easy way to centrally manage accounts within an organization. It also provides an efficient way to delegate the administration and manage the accesses on AD-integrated Windows systems.
For critical systems and applications, some companies would like to restrict the accesses for changes as much as possible. This is feasible by creating AD groups to grant administrative access and then managing the users’ accesses by adding then when a change is required and then removing them once the change is completed. However, it might become a complicated and time consuming task if this is done manually.
This article shares a way that can be used to provide a temporary and secure administrative access to AD-integrated Critical Systems and Applications by combining the use of AD DS Fine-Grained Password Policies and Orchestrator . This is explained through a scenario detailed below.
CONTOSO is a company that provides services to their customers through SharePoint Web portals hosted on-premise. As these portals are Business-Critical for CONTOSO, the company decided to restrict the access to these servers by providing temporary and secure accesses to administrators when changes are required. The administrators should provide the reason for the access when they request for it and CONTOSO IT Governance team should be informed when an access is granted in order to keep a track of what is getting done.
CONTOSO have the following technical implementation to meet their requirements:
- An AD group named “Sharepoint_Admins” was created. Members of this group have Full Control access to the Sharepoint servers.
- All administrative accesses that were granted directly to the Sharepoint administrators were revoked
- A specific IT team was identified as eligible to have administrative access to Sharepoint servers. These team members need to contact AD administrators to provide them administrative access when required
- The AD administrators add the requestor AD account to “Sharepoint_Admins” group when an administrative access should be granted. The access is revoked once the changes are complete
- An AD DS Fine-Grained Password Policy was applied on an AD group that contains the members of the IT team that was identified as eligible to have administrative access in order to require a complex password and periodic password changes.
CONTOSO was able to provide a temporary and secure administrative access to their Sharepoint servers. However, the new process resulted in having a lot of interaction between the teams and delays when making changes. CONTOSO requested the assistance of a Microsoft Partner to support them in improving their implementation.
To improve the implementation of CONTOSO, an automation should be added to support the process. The temporary and secure administrative access could be granted by using the following:
- An AD generic account will be created and will be added as member of “Sharepoint_Admins” group
- An AD DS Fine-Grained Password Policy will be created (It will require a complex password that is periodically changed as required by CONTOSO) and will be applied on “Sharepoint_Admins” group
- Orchestrator will be used to send administrative access requests, validate the identity of the requestor and grant the required temporary access. A two Factor authentication will be implemented to enhance the security of the implementation
Below is the workflow for granting or rejecting an administrative access: