INF220x Security Practical Exercises Overview

This course comes with a virtual lab environment where you can practice what you learn. In most cases, the userid is Adatum\Administrator and the password is Pa55w.rd, but read the instructions carefully.

Remember in the lab environment you can copy information to the virtual machines by using the Actions > Paste Content window. Before you paste the content, be sure your cursor is where you want the copied data. And, be sure to check the hyphens (dashes) in PowerShell code. Those characters may not copy correctly.

NOTE: These practical exercises are designed to provide you experience as a working System Administrator. The lab steps are not written to be prescriptive, because as part of your day-to-day tasks you will need to troubleshoot and test different configurations. No one set of steps will be applicable in all cases; you will need to adjust for your situation. These steps were tested when the course was released. You may find changes to the interface as well as changes in how procedures are implemented.
3 Configure Privileged Access Management

This is a very important lab for understanding how PAM and MIM work together. Review the tasks that are completed in the different forests on the different servers.

Production Forest

MEL-DC1 (Domain Controller)
- Delegate control to the bastion forest
- Create a new AD Group (ProdAdmins)
- Add a new user (Chuck) to ProdAdmins
- Holds the privileged PAM Objects

MEL-SVR1 (PAM Client)
- Install the PAM client
- Login to SYD-MIM and request privileges

Bastion Forest

SYD-MIM (MIM Server)
- Has MIM installed
- Create the PAM trust
- Create the PAM domain configuration
- Create a privileged user (Chuck)
- Create a privileged group (ProdAdmins)
- Create a privileged role (ProdAdmins)
- Hosts the MIM Portal

SYD-DC1 (Domain Controller)
- Holds the privileged PAM Objects
Configure PAM trust and shadow principals

In this exercise, you will configure a PAM trust between the production and bastion forests, create the privileged accounts in the production forest, and finally create the shadow principals in the bastion forest.

Create PAM trust

1. Sign in to SYD-MIM by using the account Adatumadmin\MIMAdmin with the password Pa$$w0rd.
2. Open a Windows PowerShell window.
3. In the Windows PowerShell window, execute the following command:

   $cred = Get-Credential -UserName Adatum\Administrator -Message "Production forest Administrator credentials"

4. At the prompt, sign in by using Pa$$w0rd as the password, and then click OK.
5. In the Windows PowerShell window, execute the following commands:

   New-PAMTrust -SourceForest "adatum.com" -Credentials $cred
   New-PAMDomainConfiguration -SourceDomain "adatum" -Credentials $cred
   Test-PAMTrust -SourceForest "adatum.com" -CorpCredentials $cred
   Test-PAMDomainConfiguration -SourceDomain "adatum" -Credentials $cred

6. Sign in to MEL-DC1 by using the account Adatum\Administrator with the password Pa$$w0rd.
7. Open Active Directory Users and Computers.
8. In Active Directory Users and Computers, right-click Adatum.com, and then click Delegate Control.
9. On the Welcome to the Delegation of Control Wizard page of the Delegation of Control Wizard, click Next.
10. On the Users or Groups page, click Add.
11. On the Select Users, Computers, or Groups page, click Locations.
12. In the Locations dialog box, click ADATUMADMIN.COM, and then click OK.
13. In the Select Users, Computers, or Groups dialog box, type Domain Admins, and then click Check Names.
14. On the Enter Network Credentials dialog box, provide the following credentials, and then click OK:
    Username: adatumadmin\administrator
    Password: Pa$$w0rd
15. In the Select Users, Computers, or Groups dialog box, after Domain Admins; type Mimmonitor, click Check Names, and then click OK.
16. On the Users or Groups page, click Next.
17. On the Tasks to Delegate page, select Read All User Information, click Next, and then click Finish.

Create privileged accounts and shadow principals

1. Open Windows PowerShell.
2. In the Windows PowerShell window, execute the following commands:

   New-ADGroup -Name ProdAdmins -GroupCategory Security -GroupScope Global -SamAccountName ProdAdmins
   New-ADUser -SamAccountName Chuck -Name Chuck
   $Pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
   Set-ADAccountPassword -Identity Chuck -NewPassword $Pwd
   Set-ADUser -Identity Chuck -Enabled 1 -DisplayName "Chuck"

3. Switch to SYD-MIM.
4. In the Windows PowerShell window, execute the following commands:

   $PrivUser = New-PAMUser -SourceDomain adatum.com -SourceAccountName Chuck
   $Pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
   Set-ADAccountPassword -Identity priv.chuck -NewPassword $Pwd
   Set-ADUser -Identity priv.chuck -Enabled 1
   $cred = Get-Credential -UserName Adatum\Administrator -Message "Production forest Administrator credentials"

5. In the dialog box, sign in by using Pa$$w0rd as the password, and then click OK.
6. In the Windows PowerShell window, execute the following commands:

   $PamGroup = New-PAMGroup -SourceGroupName "ProdAdmins" -SourceDomain adatum.com -SourceDC mel-dc1.adatum.com -Credentials $cred
   $PamRole = New-PAMRole -DisplayName "ProdAdmins" -Privileges $PamGroup -Candidates $PrivUser

7. Sign in to SYD-DC1 by using the account Adatumadmin\Administrator with the password Pa$$w0rd.
8. Open Active Directory Users and Computers.
9. In Active Directory Users and Computers, expand Adatumadmin.com, and then click PAM Objects.
10. Verify that the shadow principals Adatum.ProdAdmins group and PRIV.Chuck user are present.
11. Open Windows PowerShell.
12. In the Windows PowerShell window, execute the following commands:

   Get-ADGroup -Identity Adatum.ProdAdmins -Properties SIDHistory
   Get-ADGroup -Server mel-dc1.adatum.com -Identity ProdAdmins

13. Verify that the SID History value of the Adatum.ProdAdmins group and the SID value of the ProdAdmins group are the same.
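The SID comparison in steps 12 and 13 can be scripted so that a mismatch is reported instead of eyeballed. This is an added example, not part of the lab; it assumes the RSAT ActiveDirectory module is available on SYD-DC1 and uses the group names and domain controller from this exercise as defaults.

```powershell
# Added example (not from the lab): confirm that the bastion-forest shadow
# group carries the production group's SID in its SIDHistory. That SID is
# what lets a PAM request grant access on production servers, so a missing
# or wrong value means New-PAMGroup did not do what was expected.
function Test-PamShadowGroup {
    param(
        [string]$ShadowGroup  = 'Adatum.ProdAdmins',      # bastion forest (adatumadmin.com)
        [string]$SourceGroup  = 'ProdAdmins',             # production forest (adatum.com)
        [string]$SourceServer = 'mel-dc1.adatum.com'      # production DC to query
    )
    Import-Module ActiveDirectory

    $shadow = Get-ADGroup -Identity $ShadowGroup -Properties SIDHistory
    $source = Get-ADGroup -Server $SourceServer -Identity $SourceGroup

    # SIDHistory is multi-valued; normalise every entry to its string form
    # so the comparison works whether entries come back as SecurityIdentifier
    # objects or plain strings.
    $history   = @($shadow.SIDHistory | ForEach-Object { [string]$_ })
    $sourceSid = [string]$source.SID

    [pscustomobject]@{
        ShadowGroup = $shadow.SamAccountName
        SourceGroup = $source.SamAccountName
        SourceSID   = $sourceSid
        SIDHistory  = ($history -join ', ')
        Matches     = ($history -contains $sourceSid)
    }
}

$result = Test-PamShadowGroup
$result | Format-List
if (-not $result.Matches) {
    Write-Warning "Shadow principal does not carry the production group SID; review the New-PAMGroup step."
}
```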
Request Privileged Access

In this exercise, you install the PAM client on a server in the production forest, and let the PAM user request and use privileged access on the server.

Install PAM client

1. Sign in to MEL-SVR1 by using the account Adatum\Administrator with the password Pa$$w0rd.
2. Open File Explorer and navigate to the D: drive.
3. If Internet Explorer does not open, double-click FIMSplash.htm.
4. In the Internet Explorer dialog box, click Yes.
5. On the Microsoft Identity Manager page, click Install Add-ins and Extensions, 64-bit.
6. In the Do you want to run or save setup.exe? dialog box, click Run.
7. On the Welcome to the Microsoft Identity Manager Add-ins and Extensions Setup Wizard page, click Next.
8. On the End-User License Agreement page, click I accept the terms in the License Agreement, and then click Next.
9. On the MIM Customer Experience Improvement Program page, ensure that I don't want to join the program at this time is selected, and then click Next.
10. On the Custom Setup page, click MIM Add-in for Outlook, and then click Entire feature will be unavailable.
11. On the Custom Setup page, click MIM Password and Authentication, and then click Entire feature will be unavailable.
12. On the Custom Setup page, click PAM Client, then click Entire feature will be installed on local hard drive, and then click Next.
13. On the Configure MIM PAM Service Address page, configure the following settings, and then click Next:
    PAM Server Address: syd-mim.adatumadmin.com
    Port: 5725
14. Click Install, and when the installation finishes, click Finish.
15. Open Computer Management.
16. In the Computer Management console, expand Local Users and Groups, click Groups, and then double-click the Administrators group.
17. In the Administrators Properties dialog box, click Add.
18. In the Select Users, Computers, Service Accounts, or Groups dialog box, type adatumadmin\adatum.prodadmins and click Check Names.
19. In the Windows Security dialog box, enter the credentials adatumadmin\administrator and the password Pa$$w0rd.
20. Click OK three times.
21. Restart MEL-SVR1.

Request privileged access

1. Sign in to MEL-SVR1 by using the account Adatum\Chuck with the password Pa$$w0rd.
2. Open Windows PowerShell.
3. In the Windows PowerShell window, execute the following command:

   whoami /groups

4. Verify that Chuck is not a member of the ProdAdmins group.
5. In the Windows PowerShell window, execute the following command:

   Install-WindowsFeature WINS

6. Review the error message that informs you that you do not have adequate user rights to make changes to the target computer.
7. Sign out.
8. Sign in to MEL-SVR1 by using the account Adatumadmin\priv.Chuck with the password Pa$$w0rd.
9. In the Windows PowerShell window, execute the following command:

   whoami /groups

10. Verify that Chuck is not a member of the ProdAdmins group.
11. In the Windows PowerShell window, execute the following command:

   Install-WindowsFeature WINS

12. Review the error message that informs you that you do not have adequate user rights to make changes to the target computer.
13. In the Windows PowerShell window, execute the following command. If you receive a permission error, open PowerShell again without elevated access.

   Get-PAMRoleForRequest

14. This will show the available PAM roles to which priv.chuck can request access.
15. In the Windows PowerShell window, execute the following command:

   New-PAMRequest -RoleDisplayName ProdAdmins

16. Sign out.
17. Sign in to MEL-SVR1 by using the account Adatumadmin\priv.Chuck with the password Pa$$w0rd.
18. Open Windows PowerShell as an administrator.
19. In the Windows PowerShell window, execute the following command:

   whoami /groups

20. Verify that Chuck now is a member of the ProdAdmins group.
21. In the Windows PowerShell window, execute the following command. If you receive an error, open an elevated PowerShell prompt.

   Install-WindowsFeature WINS

22. Verify that the WINS feature installs correctly.
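The check-then-request sequence in steps 9 through 20 can be wrapped in a script that inspects the logon token first and only submits a PAM request when the privileged group is absent. This is an added example, not part of the lab; it assumes the MIM PAM client cmdlets from this exercise (Get-PAMRoleForRequest, New-PAMRequest) are installed on MEL-SVR1, that it is run as Adatumadmin\priv.Chuck in a non-elevated window, and that the objects returned by Get-PAMRoleForRequest expose a DisplayName property.

```powershell
# Added example (not from the lab): request the ProdAdmins role only when the
# current token does not already contain the privileged group.
function Test-GroupInToken {
    param([string]$GroupName)
    # whoami reads the token of the current logon session. With PAM the group
    # appears as ADATUMADMIN\Adatum.ProdAdmins and, via SIDHistory, resolves
    # to the production ProdAdmins group, so match on the trailing name only.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.'Group Name' -like "*$GroupName" })
}

function Request-PamRoleIfNeeded {
    param(
        [string]$RoleDisplayName = 'ProdAdmins',   # PAM role created on SYD-MIM
        [string]$GroupName       = 'ProdAdmins'    # group name to look for in the token
    )
    if (Test-GroupInToken -GroupName $GroupName) {
        Write-Output "Token already contains $GroupName; no request needed."
        return
    }

    # Only roles for which this priv.* account is a candidate are listed.
    $role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) {
        Write-Warning "This account is not a candidate for role '$RoleDisplayName'."
        return
    }

    $request = New-PAMRequest -RoleDisplayName $RoleDisplayName
    # The membership is added in the bastion forest; the local token is only
    # rebuilt at logon, which is why the lab signs out and back in before
    # re-running whoami /groups.
    Write-Output "Request submitted for '$RoleDisplayName'. Sign out and sign in again before checking the token."
    $request
}

Request-PamRoleIfNeeded
```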
Manage PAM

In this exercise, you will create an additional PAM user, modify a PAM role and view PAM requests.

Create a new user

1. Switch to MEL-DC1.
2. In the Windows PowerShell window, execute the following commands:

   New-ADUser -SamAccountName Melvin -Name Melvin
   $Pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
   Set-ADAccountPassword -Identity Melvin -NewPassword $Pwd
   Set-ADUser -Identity Melvin -Enabled 1 -DisplayName "Melvin"

Create a new PAM user

1. Switch to SYD-MIM.
2. In the Windows PowerShell window, execute the following commands:

   $PrivUser = New-PAMUser -SourceDomain adatum.com -SourceAccountName Melvin
   $Pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
   Set-ADAccountPassword -Identity priv.melvin -NewPassword $Pwd
   Set-ADUser -Identity priv.melvin -Enabled 1

Modify PAM role

1. On SYD-MIM, open Internet Explorer, and browse to http://sydmim.adatumadmin.com:82/identitymanagement/default.aspx.
2. If prompted, sign in as ADATUMADMIN\Mimadmin by using Pa$$w0rd as the password.
3. In the Microsoft Identity Manager console, in the navigation pane, under Privileged Access Management, click PAM Roles.
4. On the Privileged Access Management Roles page, click ProdAdmins.
5. In the Prodadmins dialog box, on the General tab, modify the PAM Role TTL(sec) to 600, click OK, and then click Submit.
6. In the list of Privileged Access Management roles, click Prodadmins.
7. In the Prodadmins dialog box, click the Candidates tab.
8. On the Candidates tab, click the Browse icon.
9. In the Select Users dialog box, click the magnifying glass icon next to Search. Chuck and Adatum.Chuck should already be selected. Select ADATUM.Melvin and Melvin, and then click OK twice.
10. Verify the changes listed, and then click Submit to close the ProdAdmins dialog box.

View PAM requests

1. On the Microsoft Identity Manager page, in the navigation pane, under Privileged Access Management, click PAM Requests.
2. Click PRIV.Chuck and review the details of when the request was made, when the request expires, and the role requested.