How a bastion forest limits exposure of admin privileges


A bastion forest, built on Active Directory features introduced in Windows Server 2016, is the centerpiece of Microsoft's privileged access management model, which limits how far admin rights are exposed.


Administrative accounts are necessary for IT workers, but they also pose a significant risk to an organization if they fall into the wrong hands. One way to tighten security is to deploy a bastion forest.

When it comes to IT security, the bastion concept is not new. A bastion host, for example, is a hardened server that sits in front of a back-end resource and proxies requests to it; because nothing reaches the back end directly, the back-end servers are shielded from a range of threats. A bastion forest works in a similar fashion, but the sensitive resource it shields is the set of Active Directory administrative accounts.

Moderating privileged credentials access

Bastion forests are a part of a layered privileged access management (PAM) architecture. The overarching idea behind PAM is to give IT workers narrow administrative privileges with a limited life span.


How to tighten controls on privileged access

Administrative activities typically require one or more very specific privileges. Creating an Active Directory user account does not require the same permissions as other administrative tasks, such as managing a group policy setting.

Also, IT workers do not require administrative privileges at all times. When an administrator has no management task to perform, PAM leaves the privileged access withheld, so there is nothing for an attacker to steal from a logged-on session.

How bastion forests restrict admin access

Bastion forests, which debuted with Windows Server 2016, are a key component in the PAM architecture. A bastion forest is a separate Active Directory forest that holds the privileged accounts and is connected to the existing production forest by a one-way trust: the production forest trusts the bastion forest, but the bastion forest does not trust the production forest. An attacker who compromises the production forest therefore gains no foothold in the forest where the privileged accounts live, which makes those accounts much more difficult to compromise.
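The trust direction is the property a practitioner should verify, because a bidirectional or reversed trust silently undoes the isolation. The following PowerShell check is an added example, not code from the article or from Microsoft; the forest names, the `Test-BastionTrust` function and the constructed trust objects are assumptions. Seen from the production forest with `Get-ADTrust`, the trust to the bastion forest should report `Direction = Outbound` (production trusts the bastion forest); `Inbound` or `BiDirectional` would mean the bastion forest trusts production.

```powershell
# Added example, not from the article. Run from the PRODUCTION forest.
# Forest names are hypothetical. Seen from production, the bastion trust must be
# Outbound (production trusts the bastion forest). Inbound or BiDirectional would
# let a compromised production forest be used against the bastion forest.
function Test-BastionTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$BastionForest,
        # Objects shaped like Get-ADTrust output (Name, Direction, ForestTransitive)
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Trust
    )
    process {
        if ($Trust.Name -ne $BastionForest) { return }
        $oneWay = ($Trust.Direction -eq 'Outbound')
        if ($oneWay) {
            $verdict = 'OK: production trusts the bastion forest only'
        } else {
            $verdict = "FAIL: direction is $($Trust.Direction); the bastion forest must not trust production"
        }
        [pscustomobject]@{
            Trust            = $Trust.Name
            Direction        = $Trust.Direction
            ForestTransitive = $Trust.ForestTransitive
            OneWay           = $oneWay
            Verdict          = $verdict
        }
    }
}

# Constructed sample shaped like Get-ADTrust output, so the check runs without a domain.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'priv.example.test';    Direction = 'Outbound';      ForestTransitive = $true }
    [pscustomobject]@{ Name = 'partner.example.test'; Direction = 'BiDirectional'; ForestTransitive = $true }
)
$sampleTrusts | Test-BastionTrust -BastionForest 'priv.example.test'

# Against a live forest (ActiveDirectory module). Repeat from the bastion side,
# where the same trust must show Direction = Inbound:
# Get-ADTrust -Filter * | Test-BastionTrust -BastionForest 'priv.example.test'
```

On the constructed sample the bastion trust passes as one-way and the unrelated partner trust is ignored. The function takes trust objects from the pipeline rather than calling `Get-ADTrust` itself so the same logic can be run against exported trust data during an assessment.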

A bastion forest is different from a trusted forest that contains privileged accounts because an administrator does not log into a privileged account to manage Active Directory resources in the usual way. Instead, PAM only issues the permissions required for a specific administrative task for a limited time.


In a PAM configuration, when administrators need to create an Active Directory user account, they must request privileged access in one of three ways: through the PAM REST endpoint, via the New-PAMRequest PowerShell cmdlet or through the Microsoft Identity Manager web service API. After the request has been approved, the administrator's account in the bastion forest is added to a group there (a foreign principal group) that carries the SID of the corresponding production group, so the resulting Kerberos ticket is honored across the trust and grants exactly the requested permission in the production forest.

The interesting aspect of this security setup is the administrator’s account derives its privileges from a group membership in the bastion forest. The account does not hold any native elevated privileges in the organization’s primary forest.

Also, when an administrative account is added to the privileged group in the bastion forest, the group membership expires automatically. The time limit is set by specifying a time-to-live value on the membership link: with the Windows Server 2016 Active Directory PowerShell module this is the -MemberTimeToLive parameter of Add-ADGroupMember, and for a MIM PAM role it is the TTL configured on the role. When the TTL runs out, Active Directory removes the membership on its own, and Kerberos tickets issued to the account are limited to the remaining TTL, so the privilege cannot outlive the approved window.
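The request-and-approve workflow above and the expiring group membership are, at the Active Directory level, an optional feature plus a membership link with a TTL. The following PowerShell is an added example of that mechanism, not code from the article or from Microsoft's PAM deployment; the forest name `priv.example.test`, the group `PRIV-CORP-DomainAdmins`, the account `jdoe.admin`, the helper functions and the constructed member strings are all assumptions. It enables the feature, grants a two-hour membership the way MIM PAM would after approval, and then audits the group for members that have no TTL at all.

```powershell
# Added example, not from the article. Names are hypothetical: priv.example.test is the
# bastion forest, PRIV-CORP-DomainAdmins is the bastion-forest group whose SID maps to
# the production Domain Admins group, and jdoe.admin is the administrator's account in
# the bastion forest. Run in the bastion forest with the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Expiring links (group memberships with a TTL) need the optional PAM feature,
#    which requires a Windows Server 2016 forest functional level and cannot be disabled.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'priv.example.test'

# 2. Grant the privilege for a bounded window. This is what MIM PAM does on the
#    administrator's behalf once a New-PAMRequest is approved (MIM's own cmdlet
#    parameters are not shown here). AD removes the link when the TTL runs out,
#    and the Kerberos TGT issued to the account is capped at the remaining TTL.
Add-ADGroupMember -Identity 'PRIV-CORP-DomainAdmins' -Members 'jdoe.admin' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# 3. Audit the group. With -ShowMemberTimeToLive each expiring member DN is returned
#    as '<TTL=seconds>,DN'; a DN without the prefix is a permanent member, which in a
#    bastion-forest admin group is a finding.
function ConvertFrom-MemberTtl {
    param([Parameter(Mandatory, ValueFromPipeline)] [string]$MemberDn)
    process {
        if ($MemberDn -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Permanent = $false }
        } else {
            [pscustomobject]@{ Member = $MemberDn;   SecondsLeft = $null;           Permanent = $true }
        }
    }
}

function Get-PermanentMember {
    param([Parameter(Mandatory)] [string]$Group)
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        ConvertFrom-MemberTtl | Where-Object Permanent
}

# Constructed sample of what the member attribute looks like, so the parser runs offline.
$sampleMembers = @(
    '<TTL=7188>,CN=jdoe.admin,OU=PAM Users,DC=priv,DC=example,DC=test'
    'CN=svc-legacy,OU=Service Accounts,DC=priv,DC=example,DC=test'
)
$sampleMembers | ConvertFrom-MemberTtl

# Live audit of the real group:
# Get-PermanentMember -Group 'PRIV-CORP-DomainAdmins'
```

Enabling the optional feature is a one-way change, so it belongs in the bastion forest only. The audit step matters because nothing stops an administrator from adding a member without `-MemberTimeToLive`; a periodic check that every member of a privileged bastion group carries a TTL is how the "limited life span" promise is actually enforced.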
