This is the second part of the series. In the previous post we prepared the test environment for the PAM deployment. Now we have two forests, prod.contoso.com and priv.contoso.com. In PROD we have set up Certificate Services, an Exchange server and ADFS, and configured two test applications: one uses Windows Integrated Authentication and the other claims-based authentication.
Series:
- Part 1 – Preparing test environment
- Part 2 – PAM prerequisites
- Part 3 – Installing PAM Server
- Part 4 – Installing PAM Example portal
- Part 5 – MFA configuration
- Part 6 – Evaluation
Installing PAM prerequisites
- Preparing PROD Forest
Log on to PROD-DC as an Administrator.
- Create OU for Exchange Linked Mailbox accounts
New-ADOrganizationalUnit -Name 'Linked accounts' -Path "DC=prod,DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $true
- Create Auditing Group
In PowerShell execute the following command:
New-ADGroup -Name "PROD`$`$`$" -Path "OU=SystemAccounts,DC=prod,DC=contoso,DC=com" -GroupScope DomainLocal -GroupCategory Security -Description "Supports PAM Auditing"
- Configure Audit policies
Open an Admin Command Prompt and execute the following commands:
Auditpol.exe /Set /Category:"Account Management","DS Access" /Failure:Enable /Success:Enable
gpupdate /force /target:Computer
- Configure registry settings for SID History migration
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name TcpipClientSupport -PropertyType DWORD -Value 1
Restart-Computer
- Preparing PRIV Forest
Log on to PRIV-DC as an Administrator.
- Create Organizational Units
New-ADOrganizationalUnit -Name 'Service Identities' -Path "DC=priv,DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Service accounts' -Path "OU=Service Identities,DC=priv,DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'PAM Objects' -Path "DC=priv,DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Service groups' -Path "OU=Service Identities,DC=priv,DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $true
- Prepare Domain for gMSA
Backdating the effective time by ten hours makes the KDS root key usable immediately. That is fine in a test lab; in production you would let the key replicate for the full ten hours instead.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
New-ADGroup -Name 'Grp-gMSA' -Path "OU=Service groups,OU=Service Identities,DC=priv,DC=contoso,DC=com" -GroupScope Global -Description 'This Group contains Principals allowed to retrieve Managed Password'
- Create Accounts
| Username | Description |
|---|---|
| PAMAdmin | Used to install and administer MIM. Needs Log on locally and access over the network |
| svc_PAMAppPool | This domain account will run the SharePoint App Pool for the PAM Portal (needs Log on as a batch job) |
| svc_PAMFarmWSS | This domain account will run the WSS farm |
| svc_PAMWs | This domain account runs the MIM Service. If you are running Exchange Server 2007 or later give this account a mailbox. In any event make it mail enabled |
| svc_PAMMonitor | This domain account runs the PAM Monitor Service |
| svc_PAMComponent | This domain account runs the PAM Component Service |
| svc_MIMMA | Needed for MIM Portal installation – NOT IN USE |
In PowerShell execute the following commands:
$svcAccounts = "OU=Service accounts,OU=Service Identities,DC=priv,DC=contoso,DC=com"
$secPwd = ConvertTo-SecureString 'P@$$w0rd' -AsPlainText -Force
New-ADUser -Name PAMAdmin -DisplayName "PAM Administrator" -Enabled $true -Path $svcAccounts -SamAccountName PAMAdmin -AccountPassword $secPwd -UserPrincipalName "PAMAdmin@priv.contoso.com" -Description "Used to install and Administer MIM. Needs Logon Locally and access over the network"
New-ADUser -Name svc_PAMAppPool -DisplayName "PAM AppPool" -Enabled $true -Path $svcAccounts -SamAccountName svc_PAMAppPool -AccountPassword $secPwd -UserPrincipalName "svc_PAMAppPool@priv.contoso.com" -Description "This Domain Account will run the SharePoint App Pool for PAM Portal (needs logon as a batch job)"
New-ADUser -Name svc_PAMFarmWSS -DisplayName "PAM FarmWSS" -Enabled $true -Path $svcAccounts -SamAccountName svc_PAMFarmWSS -AccountPassword $secPwd -UserPrincipalName "svc_PAMFarmWSS@priv.contoso.com" -Description "This Domain Account will run WSS farm."
New-ADUser -Name svc_PAMWs -DisplayName "PAM Service" -Enabled $true -Path $svcAccounts -SamAccountName svc_PAMWs -AccountPassword $secPwd -UserPrincipalName "svc_PAMWs@priv.contoso.com" -Description "This Domain Account runs MIM Service (Put this into MIMSyncAdmins and MIMSyncPasswordSet groups). If you are running Exchange Server 2007 or later give this account a mailbox. In any event make it mail enabled"
New-ADUser -Name svc_PAMMonitor -DisplayName "PAM Monitor" -Enabled $true -Path $svcAccounts -SamAccountName svc_PAMMonitor -AccountPassword $secPwd -UserPrincipalName "svc_PAMMonitor@priv.contoso.com" -Description "This Domain Account runs PAM Monitor Service"
New-ADUser -Name svc_PAMComponent -DisplayName "PAM Component" -Enabled $true -Path $svcAccounts -SamAccountName svc_PAMComponent -AccountPassword $secPwd -UserPrincipalName "svc_PAMComponent@priv.contoso.com" -Description "This Domain Account runs PAM Component Service"
New-ADUser -Name svc_MIMMA -DisplayName "MIM Management Agent" -Enabled $false -Path $svcAccounts -SamAccountName svc_MIMMA -AccountPassword $secPwd -UserPrincipalName "svc_MIMMA@priv.contoso.com" -Description "Needed for MIM Portal installation – NOT IN USE"
- Add the PRIV-PAM computer account to the Grp-gMSA group so that it can retrieve Group Managed Service Account passwords:
Add-ADGroupMember -Identity "CN=Grp-gMSA,OU=Service groups,OU=Service Identities,DC=priv,DC=contoso,DC=com" -Members PRIV-PAM$
- Create Group Managed Service Accounts for SQL
New-ADServiceAccount -Name svc_SQLService -DNSHostName 'priv-pam.priv.contoso.com' -PrincipalsAllowedToRetrieveManagedPassword 'Grp-gMSA' -Description 'This Domain Account runs SQL Service'
New-ADServiceAccount -Name svc_SQLAgent -DNSHostName 'priv-pam.priv.contoso.com' -PrincipalsAllowedToRetrieveManagedPassword 'Grp-gMSA' -Description 'This Domain Account runs SQL Agent'
- Add SPNs
On PRIV-DC in PowerShell execute the following commands:
setspn -S http/pamportal.contoso.com svc_PAMAppPool
setspn -S http/pamapi.contoso.com svc_PAMAppPool
setspn -S FIMService/pamsvc.contoso.com svc_PAMWs
setspn -S http/pamportal svc_PAMAppPool
setspn -S http/pamapi svc_PAMAppPool
setspn -S FIMService/pamsvc svc_PAMWs
- Set Kerberos Constrained Delegation
On PRIV-DC open Active Directory Users and Computers, in the menu select View/Advanced Features, go to the Service Identities/Service accounts OU and double-click the svc_PAMWs account.
Select the “Delegation” tab, select “Trust this user for delegation to specified services only” and select “Use Kerberos only”.
Select Add and in the new window select the same user (svc_PAMWs). Select FIMService, click OK and OK again.
Double-click the svc_PAMAppPool account.
Select the “Delegation” tab, select “Trust this user for delegation to specified services only” and select “Use Kerberos only”.
Select Add and in the new window select the svc_PAMWs user.
Select FIMService, click OK and OK again.
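The SPN registration and the delegation settings from the two steps above can also be scripted and, more importantly, verified from PowerShell. The block below is an added example and not code from the original post; it assumes the ActiveDirectory module on PRIV-DC and the account and SPN names used in this part, and the Get-PamDelegationState function name is my own.

```powershell
# Added example (not from the original post): register the SPNs and configure
# Kerberos-only constrained delegation with the ActiveDirectory module, then verify.
# Assumes: run on PRIV-DC as a domain admin, accounts and SPNs as in this part.
Import-Module ActiveDirectory

$spns = @{
    'svc_PAMAppPool' = @('http/pamportal.contoso.com', 'http/pamapi.contoso.com', 'http/pamportal', 'http/pamapi')
    'svc_PAMWs'      = @('FIMService/pamsvc.contoso.com', 'FIMService/pamsvc')
}

# 1. SPNs. setspn -S refuses to add a duplicate; a duplicate SPN breaks Kerberos for
#    both owners, so a domain-wide duplicate scan afterwards is cheap insurance.
foreach ($account in $spns.Keys) {
    foreach ($spn in $spns[$account]) { setspn -S $spn $account }
}
setspn -X

# 2. Constrained delegation, "Use Kerberos only": msDS-AllowedToDelegateTo lists the
#    FIMService SPNs, and neither unconstrained delegation (TrustedForDelegation) nor
#    protocol transition (TrustedToAuthForDelegation) is enabled on the account.
#    -Replace overwrites any existing target list on the account.
$fimServiceSpns = $spns['svc_PAMWs']
foreach ($account in 'svc_PAMWs', 'svc_PAMAppPool') {
    Set-ADUser -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = $fimServiceSpns }
    Set-ADAccountControl -Identity $account -TrustedForDelegation $false -TrustedToAuthForDelegation $false
}

# 3. Verify. Both boolean columns must be False for a Kerberos-only constrained setup.
function Get-PamDelegationState {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Account                 = $u.SamAccountName
        SPNs                    = ($u.servicePrincipalName -join '; ')
        AllowedToDelegateTo     = ($u.'msDS-AllowedToDelegateTo' -join '; ')
        UnconstrainedDelegation = $u.TrustedForDelegation        # must be False
        ProtocolTransition      = $u.TrustedToAuthForDelegation  # must be False ("Use Kerberos only")
    }
}

'svc_PAMWs', 'svc_PAMAppPool' | ForEach-Object { Get-PamDelegationState -Identity $_ } | Format-List
```

If AllowedToDelegateTo is empty or either boolean is True after the GUI steps, the delegation tab was not saved the way the text describes; the script output is the quickest way to spot that before the PAM Service installation in Part 3.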
- To be able to configure the MFA Server we will temporarily establish a two-way trust between the PROD domain and the PRIV domain.
netdom trust prod.contoso.com /domain:priv.contoso.com /usero:prod\Administrator /passwordo:"<Administrator Password>" /Twoway /ForestTRANsitive:Yes /add
- Configure the trust to enable SIDHistory
netdom trust prod.contoso.com /domain:priv.contoso.com /EnableSIDHistory:Yes /usero:prod\Administrator /passwordo:"<Administrator Password>"
netdom trust prod.contoso.com /domain:priv.contoso.com /Quarantine:No /usero:prod\Administrator /passwordo:"<Administrator Password>"
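Once the netdom commands have run, the trust attributes can be read back so that the state of SID filtering on this temporary trust is verified rather than assumed. This is an added check and not part of the original post; it assumes the ActiveDirectory module, that the trust between the two forests exists, that the PROD domain controller is reachable as prod-dc.prod.contoso.com (my assumption, the post only names it PROD-DC), and the function name is my own.

```powershell
# Added example (not from the original post): read back the trust attributes changed by
# the netdom commands. netdom writes /Quarantine and /EnableSIDHistory on the trust
# object of the trusting domain (prod.contoso.com in the commands above), so that side
# is the one to check; the PRIV side is listed for comparison.
# Assumption: PROD-DC is reachable as prod-dc.prod.contoso.com.
Import-Module ActiveDirectory

function Get-PamTrustState {
    param(
        [Parameter(Mandatory)][string]$Partner,   # name of the trusted domain on this trust object
        [Parameter(Mandatory)][string]$Server     # a DC of the domain that owns the trust object
    )
    # -Properties * is needed: the SID filtering flags are not in the default property set.
    $t = Get-ADTrust -Identity $Partner -Server $Server -Properties *
    [pscustomobject]@{
        ReadFrom                = $Server
        Partner                 = $t.Target
        Direction               = $t.Direction                 # expect BiDirectional after /Twoway
        ForestTransitive        = $t.ForestTransitive          # expect True after /ForestTRANsitive:Yes
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined   # expect False after /Quarantine:No
        SIDFilteringForestAware = $t.SIDFilteringForestAware   # toggled by /EnableSIDHistory on a forest trust
        TrustAttributes         = $t.TrustAttributes           # raw flag value, useful to compare over time
    }
}

$prodSide = Get-PamTrustState -Partner 'priv.contoso.com' -Server 'prod-dc.prod.contoso.com'
$privSide = Get-PamTrustState -Partner 'prod.contoso.com' -Server 'priv-dc.priv.contoso.com'
$prodSide, $privSide | Format-List

if ($prodSide.SIDFilteringQuarantined) {
    Write-Warning 'SID filtering is still quarantined on the PROD trust object; SID History migration will not work until /Quarantine:No has taken effect.'
}
```

Because the post describes this trust as temporary, the same function is worth running again later to confirm that the attributes still match what this part intended.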
- Configure Audit policies
On PRIV-DC open an Admin Command Prompt and execute the following commands:
Auditpol.exe /Set /Category:"Account Management","DS Access" /Failure:Enable /Success:Enable
gpupdate /force /target:Computer
- Configure access rights for PAMAdmin in AD
Log on to PRIV-DC as an Enterprise Administrator, open a command prompt (Admin) and execute the following commands:
dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=priv,DC=contoso,DC=com" /g PAMAdmin:RPWPRCWD;;msDS-AuthNPolicy /i:s
dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=PRIV,DC=contoso,DC=com" /g PAMAdmin:CCDC;msDS-AuthNPolicy
dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=PRIV,DC=contoso,DC=com" /g PAMAdmin:RPWPRCWD;;msDS-AuthNPolicySilo /i:s
dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=PRIV,DC=contoso,DC=com" /g PAMAdmin:CCDC;msDS-AuthNPolicySilo
- Create Mailbox for svc_PAMWs account
Log on to PROD-EX as a Domain Administrator.
- Open PowerShell and execute the following commands:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
New-Mailbox -Name "PAM Service" -LinkedDomainController "priv-dc.priv.contoso.com" -LinkedMasterAccount "svc_PAMWs@priv.contoso.com" -OrganizationalUnit 'Linked accounts' -UserPrincipalName svc_PAMWs@prod.contoso.com -LinkedCredential:(Get-Credential PRIV.contoso.com\administrator)
- Prepare for SQL Server Installation
Log on to PRIV-PAM as a Domain Administrator.
- Install Windows .NET 4.6 and 3.5
Install-WindowsFeature NET-Framework-45-Core
Install-WindowsFeature NET-Framework-Core -Source "<Windows OS Drive>\sources\sxs"
Install-WindowsFeature RSAT-AD-PowerShell
- Harden accounts
On the PRIV-PAM server open Server Manager and from the Tools menu select “Local Security Policy”.
Navigate to “Local Policies\User Rights Assignment”.
Add the specified users to the appropriate policies:
- Access this computer from the network – PAMAdmin, svc_SQLService
- Adjust memory quotas for a process - svc_SQLService
- Allow log on locally – PAMAdmin
- Allow log on through Remote Desktop Services – PAMAdmin
- Bypass traverse checking - svc_SQLService
- Deny Log on as a batch job – PAMAdmin
- Deny Log on as a service – PAMAdmin
- Deny Log on Locally - svc_SQLService
- Deny Log on through Remote Desktop Service - svc_SQLService
- Log on as a Batch Job - svc_SQLService
- Log on as a service – svc_SQLService
- Restart PRIV-PAM server
Restart-Computer
- Install Service Accounts
Log on to PRIV-PAM as a Domain Administrator.
On the PRIV-PAM server open PowerShell as an Admin and execute the following commands:
Install-AdServiceAccount svc_SQLService
Install-AdServiceAccount svc_SQLAgent
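Before SQL Setup depends on the two gMSAs, it is worth confirming that PRIV-PAM can really retrieve their managed passwords. The following is an added example and not code from the original post; it assumes the RSAT-AD-PowerShell module installed above, the account and group names from this part, and a function name of my own.

```powershell
# Added example (not from the original post): confirm that this host can retrieve the
# gMSA passwords that SQL Setup will rely on. Assumes RSAT-AD-PowerShell on PRIV-PAM
# and the gMSA / group names from this part.
Import-Module ActiveDirectory

function Test-PamGmsa {
    param(
        [string[]]$Accounts = @('svc_SQLService', 'svc_SQLAgent'),
        [string]$HostName   = $env:COMPUTERNAME,
        [string]$Group      = 'Grp-gMSA'
    )
    # Computer accounts appear in group membership with a trailing $ (PRIV-PAM$).
    $members = (Get-ADGroupMember -Identity $Group).SamAccountName
    foreach ($name in $Accounts) {
        $gmsa = Get-ADServiceAccount -Identity $name -Properties PrincipalsAllowedToRetrieveManagedPassword, DNSHostName
        [pscustomobject]@{
            Account           = $name
            DNSHostName       = $gmsa.DNSHostName
            AllowedPrincipals = ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
            HostInGroup       = ($members -contains "$HostName`$")
            # Test-ADServiceAccount returns True only if this host can actually fetch the password.
            Retrievable       = (Test-ADServiceAccount -Identity $name)
        }
    }
}

Test-PamGmsa | Format-Table -AutoSize
```

If HostInGroup is True but Retrievable is False, the usual cause is that the computer's Kerberos ticket was issued before PRIV-PAM was added to Grp-gMSA, so the group is not yet in its token; the restart in the hardening step above takes care of that, after which Install-ADServiceAccount and this check succeed.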
- Add PAMAdmin account to Local Administrators Group
$group = [ADSI]"WinNT://PRIV-PAM/Administrators,group"
$group.psbase.Invoke("Add", ([ADSI]"WinNT://PRIV/PAMAdmin").path)
- Install SQL Server 2016
Log on to PRIV-PAM as PRIV\PAMAdmin.
- Create Answer file
Open Notepad and paste the following:
[OPTIONS]
ACTION="Install"
SUPPRESSPRIVACYSTATEMENTNOTICE="True"
IACCEPTSQLSERVERLICENSETERMS="True"
ENU="True"
QUIET="False"
QUIETSIMPLE="True"
FEATURES=SQLENGINE,FULLTEXT
INSTANCENAME="PAM"
INSTANCEID="PAM"
SQLCOLLATION="SQL_LATIN1_General_CP1_CI_AS"
; Accounts
SQLSVCACCOUNT="PRIV\svc_SQLService$"
AGTSVCACCOUNT="PRIV\svc_SQLAgent$"
SQLSYSADMINACCOUNTS="PRIV\PAMAdmin"
INDICATEPROGRESS="1"
AGTSVCSTARTUPTYPE="Automatic"
SQLSVCSTARTUPTYPE="Automatic"
SQLTEMPDBFILECOUNT="4"
TCPENABLED="1"
NPENABLED="1"
This will install SQL Server in Evaluation mode. You may want to add a SQL Server license key; just add this line at the end of the above (naturally replace the Xes with your license key):
PID="XXXX-XXXXX-XXXX-XXXX"
- Save the answer file to disk as PAM.inf
- Open PowerShell and change to the folder where the answer file is saved
- Run the following command (replace the path to the SQL distribution with yours)
C:\SetupSoftware\SQL2016\setup.exe /ConfigurationFile=PAM.inf
This will install SQL server on PRIV-PAM machine.
- Configure SQL Server Networking
From PowerShell run the following commands:
$env:PSModulePath = $env:PSModulePath + ";C:\Program Files (x86)\Microsoft SQL Server\130\Tools\PowerShell\Modules"
Import-Module SQLPS
$wmi = New-Object 'Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer'
$Tcp = $wmi.GetSmoObject("ManagedComputer[@Name='PRIV-PAM']/ServerInstance[@Name='PAM']/ServerProtocol[@Name='Tcp']")
$Tcp.IsEnabled = $true
$ipAll = $wmi.GetSmoObject("ManagedComputer[@Name='PRIV-PAM']/ServerInstance[@Name='PAM']/ServerProtocol[@Name='Tcp']/IPAddress[@Name='IPAll']")
$ipAll.IPAddressProperties['TcpPort'].Value = '1433'
$ipAll.IPAddressProperties['TcpDynamicPorts'].Value = ''
$Tcp.Alter()
$np = $wmi.GetSmoObject("ManagedComputer[@Name='PRIV-PAM']/ServerInstance[@Name='PAM']/ServerProtocol[@Name='np']")
$np.IsEnabled = $true
$np.Alter()
- Restart SQL Server Service
- Create Firewall rule to allow access to SQL Service
New-NetFirewallRule -Description 'Enables connection to SQL Server' -Enabled True -Name 'AllowSQL' -DisplayName 'Allow SQL' -Protocol Tcp -LocalAddress Any -LocalPort '1433' -RemoteAddress Any -RemotePort Any
- SQL Server Management Studio is no longer part of the SQL Server distribution and needs to be downloaded and installed separately.
- Download SQL Server Management Studio from
- From PowerShell run the following command (replace the path with yours)
& 'C:\SetupSoftware\Microsoft SQL Server Management Studio - 18.0 Preview 4\SSMS-Setup-ENU.exe' /install /passive
- Prepare PAM Server for Installation
- Install Windows features
On the PRIV-PAM server from PowerShell (Admin) run the following commands:
Install-WindowsFeature Web-Common-Http
Install-WindowsFeature Web-Static-Content
Install-WindowsFeature Web-Default-Doc
Install-WindowsFeature Web-Dir-Browsing
Install-WindowsFeature Web-Http-Errors
Install-WindowsFeature Web-Http-Redirect
Install-WindowsFeature Web-Asp-Net
Install-WindowsFeature Web-Net-Ext
Install-WindowsFeature Web-ISAPI-Filter
Install-WindowsFeature Web-Http-Logging
Install-WindowsFeature Web-Request-Monitor
Install-WindowsFeature Web-Http-Tracing
Install-WindowsFeature Web-Stat-Compression
Install-WindowsFeature Web-Dyn-Compression
Install-WindowsFeature Web-Basic-Auth
Install-WindowsFeature Web-Windows-Auth
Install-WindowsFeature Web-Digest-Auth
Install-WindowsFeature Web-Filtering
Install-WindowsFeature Web-Mgmt-Console
Install-WindowsFeature Web-Scripting-Tools
Install-WindowsFeature Web-Mgmt-Compat
Install-WindowsFeature Net-Framework-Features
Install-WindowsFeature Web-Server
Install-WindowsFeature Web-WebServer
Install-WindowsFeature Web-App-Dev
Install-WindowsFeature Web-Health
Install-WindowsFeature Web-Security
Install-WindowsFeature Web-Performance
Install-WindowsFeature Web-Mgmt-Tools
Install-WindowsFeature Web-Metabase
Install-WindowsFeature NET-HTTP-Activation
Install-WindowsFeature NET-Non-HTTP-Activ
Install-WindowsFeature NET-WCF-Pipe-Activation45
Install-WindowsFeature NET-WCF-HTTP-Activation45
Install-WindowsFeature Web-Asp-Net45
Install-WindowsFeature Web-Net-Ext45
- Set Local Policies – harden accounts
On the PRIV-PAM server open Server Manager and from the Tools menu select “Local Security Policy”.
Navigate to “Local Policies\User Rights Assignment”.
Add the specified users to the appropriate policies:
- Deny access to this computer from the network - svc_PAMMonitor, svc_PAMComponent
- Deny Log on as a batch job – svc_PAMMonitor, svc_PAMComponent, svc_PAMWs
- Deny Log on Locally - svc_PAMMonitor, svc_PAMComponent, svc_PAMWs
- Deny Log on through Remote Desktop Service - svc_PAMMonitor, svc_PAMComponent, svc_PAMWs
- Log on as a service – svc_PAMMonitor, svc_PAMComponent, svc_PAMWs
- Reapply Policies
From PowerShell run the following command:
gpupdate /force /target:Computer
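Both User Rights Assignment steps on PRIV-PAM (the SQL accounts in the "Harden accounts" step earlier in this part and the PAM service accounts in the list just above) can be applied with secedit instead of the Local Security Policy console, which also makes the hardening repeatable and reviewable. The script below is an added example and not part of the original post; it assumes an elevated PowerShell on PRIV-PAM, the PRIV accounts created in this part, and that the gMSAs are referenced with their trailing $.

```powershell
# Added example (not from the original post): apply the User Rights Assignment entries
# from both hardening steps with secedit. Assumes elevated PowerShell on PRIV-PAM and
# the PRIV accounts from this part; gMSAs are named with their trailing $.
# Keys are the constant names secedit uses for the policies listed in the post.
$additions = @{
    # Prepare for SQL Server installation
    'SeNetworkLogonRight'               = @('PRIV\PAMAdmin', 'PRIV\svc_SQLService$')   # Access this computer from the network
    'SeIncreaseQuotaPrivilege'          = @('PRIV\svc_SQLService$')                    # Adjust memory quotas for a process
    'SeInteractiveLogonRight'           = @('PRIV\PAMAdmin')                           # Allow log on locally
    'SeRemoteInteractiveLogonRight'     = @('PRIV\PAMAdmin')                           # Allow log on through Remote Desktop Services
    'SeChangeNotifyPrivilege'           = @('PRIV\svc_SQLService$')                    # Bypass traverse checking
    'SeDenyServiceLogonRight'           = @('PRIV\PAMAdmin')                           # Deny log on as a service
    'SeBatchLogonRight'                 = @('PRIV\svc_SQLService$')                    # Log on as a batch job
    # Entries from both steps
    'SeDenyBatchLogonRight'             = @('PRIV\PAMAdmin', 'PRIV\svc_PAMMonitor', 'PRIV\svc_PAMComponent', 'PRIV\svc_PAMWs')
    'SeDenyInteractiveLogonRight'       = @('PRIV\svc_SQLService$', 'PRIV\svc_PAMMonitor', 'PRIV\svc_PAMComponent', 'PRIV\svc_PAMWs')
    'SeDenyRemoteInteractiveLogonRight' = @('PRIV\svc_SQLService$', 'PRIV\svc_PAMMonitor', 'PRIV\svc_PAMComponent', 'PRIV\svc_PAMWs')
    'SeServiceLogonRight'               = @('PRIV\svc_SQLService$', 'PRIV\svc_PAMMonitor', 'PRIV\svc_PAMComponent', 'PRIV\svc_PAMWs')
    # Prepare PAM Server for installation
    'SeDenyNetworkLogonRight'           = @('PRIV\svc_PAMMonitor', 'PRIV\svc_PAMComponent')  # Deny access to this computer from the network
}

$work = Join-Path $env:TEMP 'pam-user-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exported = Join-Path $work 'current.inf'
$merged   = Join-Path $work 'merged.inf'

# 1. Export the current assignments. A [Privilege Rights] line replaces the whole list for
#    that right, so the existing principals (SYSTEM, Administrators, service SIDs...) must
#    be merged in, not overwritten.
secedit /export /cfg $exported /areas USER_RIGHTS | Out-Null
$current = @{}
$inSection = $false
foreach ($line in Get-Content $exported) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
        $current[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

# 2. Merge: keep what is there (exported as *SID) and append the new names once.
$rights = @{}
foreach ($key in ((@($current.Keys) + @($additions.Keys)) | Select-Object -Unique)) {
    $values = @()
    if ($current.ContainsKey($key))   { $values += $current[$key] }
    if ($additions.ContainsKey($key)) { $values += $additions[$key] }
    $rights[$key] = @($values | Select-Object -Unique)
}

# 3. Write a minimal security template and apply only the USER_RIGHTS area.
$template = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($key in ($rights.Keys | Sort-Object)) { $template += ('{0} = {1}' -f $key, ($rights[$key] -join ',')) }
Set-Content -Path $merged -Value $template -Encoding Unicode

secedit /configure /db (Join-Path $work 'pam-rights.sdb') /cfg $merged /areas USER_RIGHTS /quiet
gpupdate /force /target:Computer

# 4. Verify: re-export and show only the rights this script touched.
$after = Join-Path $work 'after.inf'
secedit /export /cfg $after /areas USER_RIGHTS | Out-Null
Get-Content $after | Where-Object { $_ -match '^(Se\w+)\s*=' -and $additions.ContainsKey($Matches[1]) }
```

Two things to keep in mind: the merge step is what keeps the built-in principals on each right, so do not shortcut it by writing only the additions; and a domain GPO that sets the same user rights wins over the local policy, in which case the verification output will show the GPO's list rather than this one.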
- Configure IIS
From PowerShell run the following commands:
iisreset /STOP
C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost
iisreset /START
- Create SQL Aliases
Now we will create two SQL aliases, one for SharePoint and one for the PAM Service. Using SQL aliases is recommended because it makes a later move to a different SQL Server easier.
New-Item "HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo"
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo" -Name SPSSQL -PropertyType String -Value "DBMSSOCN,PRIV-PAM\PAM"
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo" -Name SVCSQL -PropertyType String -Value "DBMSSOCN,PRIV-PAM\PAM"
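The two aliases can also be created in an idempotent way that covers both registry views and reads the result back. The block below is an added example and not code from the original post; the Wow6432Node key is my addition (the post only writes the 64-bit key, which is what SharePoint and the PAM services use, while 32-bit client tools resolve aliases from the Wow6432Node view), and the function names are my own.

```powershell
# Added example (not from the original post): create the SQL aliases in both the 64-bit
# and the 32-bit (Wow6432Node) client registry views and read them back.
# The Wow6432Node path is an addition to the post's single 64-bit key.
$aliasPaths = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)

function Set-PamSqlAlias {
    param(
        [Parameter(Mandatory)][string]$Alias,
        [string]$Target = 'PRIV-PAM\PAM'     # server\instance, exactly as in the post
    )
    # DBMSSOCN selects the TCP/IP Net-Library, so the alias never silently falls back to named pipes.
    $value = 'DBMSSOCN,{0}' -f $Target
    foreach ($path in $aliasPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # -Force makes the call idempotent: an existing alias is overwritten, not duplicated.
        New-ItemProperty -Path $path -Name $Alias -PropertyType String -Value $value -Force | Out-Null
    }
}

function Get-PamSqlAlias {
    param([Parameter(Mandatory)][string]$Alias)
    foreach ($path in $aliasPaths) {
        $item = Get-ItemProperty -Path $path -Name $Alias -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Alias = $Alias
            View  = if ($path -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
            Value = $item.$Alias    # $null if the alias is missing in this view
        }
    }
}

'SPSSQL', 'SVCSQL' | ForEach-Object { Set-PamSqlAlias -Alias $_ }
'SPSSQL', 'SVCSQL' | ForEach-Object { Get-PamSqlAlias -Alias $_ } | Format-Table -AutoSize

# An alias only renames the target; the listener still has to be reachable on the port
# fixed in the networking step and opened by the firewall rule above.
Test-NetConnection -ComputerName 'PRIV-PAM' -Port 1433 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

When the SQL Server is moved later, changing the Value in both views is all that the SharePoint and PAM Service connection strings need, which is the reason the post recommends aliases in the first place.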
- Configure registry settings for SID History migration
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name TcpipClientSupport -PropertyType DWORD -Value 1
Restart-Computer
- Test Connectivity to SQL Server
Log on to PRIV-PAM as PRIV\PAMAdmin.
Open PowerShell and run the following code:
[System.Data.SqlClient.SqlConnection]$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
$SqlConnection.ConnectionString = "Server = SPSSQL; Database = Master; Integrated Security = True;"
$SqlConnection.Open()
Write-Host ("Connection state to SPSSQL is {0}" -f $SqlConnection.State)
$SqlConnection.Close()
$SqlConnection.ConnectionString = "Server = SVCSQL; Database = Master; Integrated Security = True;"
$SqlConnection.Open()
Write-Host ("Connection state to SVCSQL is {0}" -f $SqlConnection.State)
$SqlConnection.Close()
At the end of the output you should see the following messages:
Connection state to SPSSQL is Open
Connection state to SVCSQL is Open
Conclusion of Part 2
Now we are ready for Part 3 - Installing PAM Server.
In this exercise we went step by step through the PAM Service prerequisites setup.
In Part 3 we will set up SharePoint 2016, the PAM Service, the Portal and PAM.
Until then,
Have a great week.
Disclaimer – All scripts and reports are provided ‘AS IS’
This sample script is not supported under any Microsoft standard support program or service. This sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of this sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of this script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use this sample script or documentation, even if Microsoft has been advised of the possibility of such damages.