
I am planning implementation of Microsoft's Active Directory tier administrative model, and I was wondering how to overcome the problem of system administration over VPN. One of the security principles is to have all admin accounts in the Protected Users group, and the other is to use privileged access workstations. Using this in combination with working from home creates a problem. How do you log in with a Protected Users group member account when a domain controller is not available? I am not an expert on VPN, and I need to know whether Always On VPN enables a computer to connect to the VPN and gain access to the corporate network and domain controllers before any user logs in. Or is there some other way to solve the problem of using Protected Users logging in outside the company network?

To overcome this problem I have also considered an additional user account for the laptop PAW that is not a member of the Protected Users group and is used only to log on to the PAW. From there you can access a local VM for common user purposes that has internet and mail access, and access the system administration tools with different credentials for the administration of the various tiers of security.

Zoran Jankov
  • What about not logging in under privileged users *at all*? Login as unprivileged and run desired administrative applications using RunAs. – Nikita Kipriyanov Mar 26 '22 at 09:44
  • @NikitaKipriyanov Yes I have considered that as it is written in the second section of my question. – Zoran Jankov Mar 26 '22 at 09:47
  • I had a feeling you are about using some other system to connect through it, like a "proxy", and then connect with an administrative account to the target system. I meant you connect directly to the target system (no PAW) with an unprivileged account, and then do administrative tasks with RunAs. – Nikita Kipriyanov Mar 26 '22 at 10:29
  • @NikitaKipriyanov If you are suggesting to perform system administration from a user workstation, the workstation that is used for internet browsing and for the external mail client, but with a different account, a privileged account, you are making a big mistake. No privileged account should be used on an unsecure workstation that is open to the internet. It is a security violation because some malware that could potentially be downloaded from the internet could capture and compromise privileged credentials. – Zoran Jankov Mar 26 '22 at 10:42
  • Members of Protected Users must not be an account used to authenticate on a VPN. Use another non-privileged account. – Greg Askew Mar 26 '22 at 11:08
  • @GregAskew Can you explain why a Protected Users member must not be an account used to authenticate on a VPN? I mean, I must understand why that is the case... – Zoran Jankov Mar 26 '22 at 11:12
  • @ZoranJankov: These are the most critical accounts. You cannot provide an assurance that the credentials are protected over VPN because you don't know where they are. Further, these accounts are typically configured to only authenticate using a smart card. What you are doing would not pass an audit so I don't know what you are attempting to accomplish unless it's "we have to use this Protected Users group so how to make everything work the way it did before". Every person with a privileged account should have a non-privileged account for activities such as this. – Greg Askew Mar 26 '22 at 11:28
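The pre-logon tunnel the question asks about, together with the membership check Greg Askew's comment implies, as an added example that is not part of the original post or its comments. An Always On VPN device tunnel is provisioned as ProfileXML through the VPNv2 CSP (the MDM_VPNv2_01 WMI class) and authenticates with a machine certificate, so it is established in the SYSTEM context before any user logs on; the gateway name vpn.corp.example, the domain controller subnet 10.0.10.0/24, the DNS server addresses and the DNS suffix corp.example are placeholders I chose, and the profile name Corp-DeviceTunnel is likewise an assumption. The second function lists Protected Users members whose account carries an explicit dial-in permission (msNPAllowDialin), i.e. accounts that could be presented to a user tunnel; it needs the ActiveDirectory module and reachability to a domain controller, while the install function must run as SYSTEM.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original page. Hostnames, subnets and DNS
# addresses below are assumed placeholders; replace them with your own.

# 1. ProfileXML for an Always On VPN *device* tunnel: IKEv2 with machine-certificate
#    authentication, so the tunnel comes up under SYSTEM before any user logs on.
#    Split tunnel, and only the subnet holding the domain controllers is routed.
$ProfileName = 'Corp-DeviceTunnel'
$ProfileXml = @"
<VPNProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.corp.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.10.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
  <DomainNameInformation>
    <DomainName>.corp.example</DomainName>
    <DnsServers>10.0.10.10,10.0.10.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>
"@

function Install-DeviceTunnelProfile {
    # Device tunnel profiles are provisioned through the VPNv2 CSP. This must run
    # as SYSTEM (for example via psexec -s or a scheduled task), not as a user.
    param([string]$Name, [string]$Xml)
    $ns  = 'root\cimv2\mdm\dmmap'
    $cls = 'MDM_VPNv2_01'
    $id  = [uri]::EscapeDataString($Name)
    # Remove a stale copy first so re-running the script is idempotent.
    Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
        Where-Object InstanceID -eq $id | Remove-CimInstance
    # The CSP expects the XML as an escaped string value.
    New-CimInstance -Namespace $ns -ClassName $cls -Property @{
        ParentID   = './Vendor/MSFT/VPNv2'
        InstanceID = $id
        ProfileXML = [System.Security.SecurityElement]::Escape($Xml)
    } | Out-Null
}

function Get-ProtectedUsersVpnRisk {
    # Protected Users members with an explicit "allow dial-in" permission: those
    # are credentials that could be used to authenticate a user VPN tunnel.
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties msNPAllowDialin |
        Select-Object SamAccountName,
            @{ n = 'DialInAllowed'; e = { $_.msNPAllowDialin -eq $true } }
}

# Usage (run the first line as SYSTEM on the PAW, the second from an admin host):
Install-DeviceTunnelProfile -Name $ProfileName -Xml $ProfileXml
Get-ProtectedUsersVpnRisk | Where-Object DialInAllowed | Format-Table -AutoSize
```

Because the device tunnel authenticates the computer, not a user, it does not require, and should not be given, a Protected Users credential; the user who then logs on with a Protected Users account reaches the domain controllers over the already-established tunnel and can obtain a Kerberos TGT normally. The membership check is a quick way to confirm that no such account is also eligible for a user tunnel; accounts whose dial-in setting is left to NPS policy will not appear, so review the NPS network policies separately.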
