Symantec Privileged Access Management

  • 1.  HOW TO: Use Windows Remote Accounts to Manage Active Directory Credentials

    Posted May 22, 2020 12:39 PM
    Edited by Sebastiano Alighieri May 22, 2020 02:34 PM
    We are working on a project in which the client wishes to implement an RBAC model using shared AD privileged credentials with PAM 3.3.2.

    Given: 

    1. AD Connectors are the preferred mechanism for AD Credential Management;
    2. LDAPS must be enabled (it is not by default);
    3. DCs must have a valid Server Certificate for Secure LDAP communications, requiring both a PKI Infrastructure (or 3rd party subscription) and recurring, periodic certificate renewals.
    4. Credential Manager does not synchronize AD target accounts using unencrypted LDAP (via AD Connector or Windows Proxy).

    If a client is unable to meet all of the above requirements, are Windows Proxy and Windows Remote a viable alternative?

    The default port documentation would lead us to believe that the Windows Proxy, much like the AD Connector, requires 636 (LDAPS) to communicate with domain controllers, which in turn suggests that it too wouldn't be able to manage AD accounts in a non-LDAPS-enabled environment. But that is NOT the case. It behaves similarly to the Windows Remote Connector: it doesn't appear to require LDAPS.

    The Windows Remote documentation states that SMB (445) and WMI (135) plus additional high ports are required. However, there's no clear indication of whether or not it requires LDAPS for secure AD credential management.

    Are there any KB articles that document, in detail, how the Windows Proxy and Windows Remote connectors manage AD account passwords?
    What is the process flow and what protocols are used to rotate / validate AD credentials?
    Does Windows Remote/Proxy require LDAPS to be enabled in order to manage AD credentials?
    How does Windows Remote/Proxy encrypt / secure communications with the DCs?

    Assume the following setup:
    We on-board a device having both name and address set to the FQDN of the domain, i.e. 'my.domain.int'; a DNS lookup of the address returns all of the Domain Controllers (IPs) in that domain.
    We add all Windows member servers in the domain to a device group and set the authentication source to the domain FQDN device.

    Next we have a Windows Remote application configured with the "Domain Account (Lookup DCs in DNS Servers)" type, specifying the domain FQDN 'my.domain.int' in the Domain name field.

    Then two Active Directory privileged credentials are vaulted in PAM as Windows Remote, linked to the appropriate application (as above); one is a master account for the other. The managed account has PVPs that enforce change on view/autoconnect and reasons for view/autoconnect.

    Finally, a policy that allows RDP access to a group of devices configured with the 'domain device' as the authentication source. 

    This all works well until the managed account is locked out. 

    The same is true if we use the Windows Proxy Connector, configured the same way as the Windows Remote Connector. Password rotation is OK until an account gets locked out.

    What are our options here, as neither the Windows Remote nor the Windows Proxy connector appears to be able to unlock the managed account?

    thanks in advance


    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------


  • 2.  RE: HOW TO: Use Windows Remote Accounts to Manage Active Directory Credentials

    Broadcom Employee
    Posted May 26, 2020 09:58 AM
    Windows Remote and the Windows Proxy do not use LDAP to manage account credentials.  Both of them involve the installation of a native windows application (Windows Remote does it on-demand), and that application uses Microsoft native methods to manipulate accounts/passwords via RPC.

    I am not sure why Windows Remote/Proxy will not unlock an account.  Perhaps that would require an extra call to AD that they are not making?  Or perhaps it's simply a permissions issue on your master account.  Hopefully someone has an answer for that.


  • 3.  RE: HOW TO: Use Windows Remote Accounts to Manage Active Directory Credentials

    Posted May 26, 2020 10:57 AM
    Edited by Sebastiano Alighieri May 26, 2020 10:59 AM
    Thanks Joseph.

    I've tested the setup with AD connectors and the unlock works - there's nothing wrong with the master account.

    Are there any KB articles that discuss, in details, the methods & protocols used by Windows remote / proxy connectors when it comes to managing AD Accounts?

    Indeed, it does appear as though unlocking of AD accounts with Windows Remote/Proxy connectors was not included in their design, or perhaps there isn't a native RPC call or method that allows those connectors to unlock AD accounts; it may be a limitation of the native Windows application and/or RPC stack.

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------



  • 4.  RE: HOW TO: Use Windows Remote Accounts to Manage Active Directory Credentials
    Best Answer

    Broadcom Employee
    Posted May 26, 2020 01:24 PM
    I have never seen anything that describes how Windows Remote or the Proxy actually does what they do.  I know they use native Windows APIs... probably functions in lmaccess (likely NetUserSetInfo).

    I believe that the unlocking was simply a side effect of using LDAP to change passwords and it was never the intent for PAM to be in the business of unlocking accounts; so no additional code was added to do so.

    Again, this is just speculation.  Without looking at the code, I cannot know for sure how Windows Remote/Proxy work.
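The reply above names lmaccess / NetUserSetInfo as the likely mechanism. The following is an added example, not code from this thread and not Broadcom PAM's own implementation, showing why a password reset through that API does not by itself clear a lockout: the reset is a level-1003 NetUserSetInfo call, while the unlock is a separate level-1008 call that rewrites the account flags with UF_LOCKOUT cleared. Both calls reach the DC over SAMR RPC (SMB 445 / RPC 135 plus dynamic ports) and use no LDAP. The DC name 'dc01.my.domain.int', the account 'svc-managed' and the generated password are placeholders; the caller needs reset-password and unlock rights on the target account (the "master account" in the thread's terms).

```powershell
# Added example (not from the thread or from Broadcom PAM): password reset and
# lockout clearing as two distinct NetUserSetInfo calls against a DC over SAMR.
# Placeholders: DC 'dc01.my.domain.int', account 'svc-managed', the new password.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NetUser
{
    // Account flag from lmaccess.h; NetUserSetInfo may clear it but never set it.
    public const uint UF_LOCKOUT = 0x0010;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_1
    {
        public string usri1_name;
        public string usri1_password;
        public uint   usri1_password_age;
        public uint   usri1_priv;
        public string usri1_home_dir;
        public string usri1_comment;
        public uint   usri1_flags;
        public string usri1_script_path;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_1003 { public string usri1003_password; }

    [StructLayout(LayoutKind.Sequential)]
    public struct USER_INFO_1008 { public uint usri1008_flags; }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserGetInfo(string servername, string username,
                                            int level, out IntPtr bufptr);

    // One export, two typed wrappers so PowerShell passes the right struct.
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, EntryPoint = "NetUserSetInfo")]
    public static extern int NetUserSetPassword(string servername, string username,
                                                int level, ref USER_INFO_1003 buf, out int parmErr);

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, EntryPoint = "NetUserSetInfo")]
    public static extern int NetUserSetFlags(string servername, string username,
                                             int level, ref USER_INFO_1008 buf, out int parmErr);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@

function Get-AccountFlags {
    # Read the account's flags (USER_INFO_1.usri1_flags) from the DC.
    param([string]$Server, [string]$User)
    $buf = [IntPtr]::Zero
    $rc = [NetUser]::NetUserGetInfo($Server, $User, 1, [ref]$buf)
    if ($rc -ne 0) { throw "NetUserGetInfo($User) failed, NET_API_STATUS $rc" }
    try {
        $info = [System.Runtime.InteropServices.Marshal]::PtrToStructure($buf, [NetUser+USER_INFO_1])
        return [uint32]$info.usri1_flags
    } finally {
        [void][NetUser]::NetApiBufferFree($buf)
    }
}

function Reset-AccountPassword {
    # Level 1003: administrative reset, no old password required. This alone
    # leaves UF_LOCKOUT untouched, which is the behaviour the thread observed.
    param([string]$Server, [string]$User, [string]$NewPassword)
    $buf = New-Object NetUser+USER_INFO_1003
    $buf.usri1003_password = $NewPassword
    $parmErr = 0
    $rc = [NetUser]::NetUserSetPassword($Server, $User, 1003, [ref]$buf, [ref]$parmErr)
    if ($rc -ne 0) { throw "NetUserSetInfo(1003) failed, NET_API_STATUS $rc" }
}

function Unlock-Account {
    # Level 1008: rewrite the flags with UF_LOCKOUT cleared, preserving the rest.
    param([string]$Server, [string]$User)
    $flags = Get-AccountFlags -Server $Server -User $User
    if (($flags -band [NetUser]::UF_LOCKOUT) -eq 0) { return $false }   # not locked out
    $buf = New-Object NetUser+USER_INFO_1008
    $buf.usri1008_flags = [uint32]($flags -band (-bnot [NetUser]::UF_LOCKOUT))
    $parmErr = 0
    $rc = [NetUser]::NetUserSetFlags($Server, $User, 1008, [ref]$buf, [ref]$parmErr)
    if ($rc -ne 0) { throw "NetUserSetInfo(1008) failed, NET_API_STATUS $rc" }
    return $true
}

# Rotation flow: reset first, then check for and clear a lockout explicitly.
$dc    = 'dc01.my.domain.int'   # placeholder: a DC name, not the domain FQDN
$acct  = 'svc-managed'          # placeholder managed account
$newPw = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Reset-AccountPassword -Server $dc -User $acct -NewPassword $newPw
if (Unlock-Account -Server $dc -User $acct) { "$acct was locked out and has been unlocked" }
else { "$acct is not locked out" }
```

Run it from a domain-joined host as an account that holds the reset-password and unlock permissions on the target. The server argument must be a domain controller for the account's domain: the thread's setup resolves the domain FQDN to the DC list via DNS, and any one of those names will do, but a member server will not. A non-zero NET_API_STATUS of 5 (access denied) points at the caller's rights, 2221 (NERR_UserNotFound) at the wrong server or account name.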


  • 5.  RE: HOW TO: Use Windows Remote Accounts to Manage Active Directory Credentials

    Posted May 26, 2020 01:29 PM
    Thanks again for the input

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------