Forum Discussion

TomWechsler
Jun 17, 2022

A sample deployment of Authentication Policies and Authentication Policy Silos in Active Directory!

Dear Microsoft and Active Directory Friends,

Active Directory is a central element of an IT infrastructure. With intensive use and constant expansion, it can happen over time that the overview is lost. What exactly do I mean by this? Imagine you suddenly have 10 backup admins: do you still need them all? If so, should they be allowed unrestricted access to all systems? Questions upon questions.

In this article I will show you how to use Authentication Policies and Authentication Policy Silos to restrict the access of a specific person (a domain admin) to a specific system. You don't necessarily need both Authentication Policies and Authentication Policy Silos, but in my opinion the policies and silos go hand in hand. Multiple policies can also be used in one silo, but that would go too far here.

In this example, "Tina Bridge" should no longer have access to the FS01 system. Let's start right away. First, I'll show you that Tina can still log on to the FS01 system at the moment.

Also, in the next screenshot, we see that Tina is a member of the Domain Admins group.

So that would be the current situation.

IMPORTANT: I am absolutely aware that Tina could undo everything (since she is a domain administrator). My point in this example is the principle/function of Authentication Policies and Authentication Policy Silos; of course, everything has to be adapted to the respective situation.

Now let's start with the actual configuration. In order to work with Authentication Policies and Authentication Policy Silos, we need to enable support for this feature. For this we use Group Policy to enable the following setting: "KDC support for claims, compound authentication and Kerberos armoring" (Computer Configuration > Administrative Templates > System > KDC). Since these settings are of a special type, I will use the Default Domain Policy and the Default Domain Controllers Policy.

Please make sure that all systems pick up the new settings from the two GPOs, for example with "gpupdate /force". Now we need to set up the authentication policy using the Active Directory Administrative Center.

We start with setting up an authentication policy.

We continue with an Authentication Policy Silo. Make sure that you select both the user account and the computer account under "Permitted Accounts". In addition, we set the silo's mode to Enforce.

Now we need to assign the Authentication Policy Silo to Tina (the user account) and to FS01 (the server).

We now go back to our Authentication Policy and create a condition. If you want, you can also configure the TGT for a specific validity period.

For some reason (I couldn't figure out why yet), the "Mode" of our Authentication Policy Silo is reset to "Audit". We need to adjust that again accordingly.

So now let's test the whole thing. At the very beginning of the article, Tina was still able to log on to the FS01 system; how does it look now?

BINGO! Tina can no longer log on to the FS01 system.
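As an added example (my own script, not code from the post or from the author's GitHub repository), here is the same deployment done in PowerShell on a domain controller with the ActiveDirectory and GroupPolicy modules. The names fs01-policy, fs01-silo, tina and FS01 are assumptions. The policy condition is the one the replies below describe (the device must be a member of fs01-silo), and the script also enables the client-side Kerberos setting that geakin's reply below reports as the missing piece; with both settings in place the replies describe the expected result as Tina signing in on FS01, a silo member, and nowhere else. The checks at the end cover the silo mode reverting to Audit that the post mentions. The registry value names are the ones written by the KDC.admx and Kerberos.admx templates; confirm them in the Group Policy editor if your templates differ.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example (not from the post): Authentication Policy + Silo for Tina/FS01.
# Policy, silo and account names below are assumptions; adjust them to your domain.
$policyName = 'fs01-policy'
$siloName   = 'fs01-silo'
$user       = Get-ADUser     -Identity 'tina'
$computer   = Get-ADComputer -Identity 'FS01'

# 1. Claims, compound authentication and Kerberos armoring: the KDC side on the
#    domain controllers and the client side on every member (the client setting
#    is the one the thread's replies found to be missing). Value names are those
#    written by KDC.admx / Kerberos.admx; verify in the Group Policy editor.
$kdcKey    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC'
$clientKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1 | Out-Null   # 1 = "Supported"
Set-GPRegistryValue -Name 'Default Domain Policy' -Key $clientKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
# Members pick these up after gpupdate /force (FS01 additionally needs a reboot).

# 2. Authentication policy. The SDDL is the device condition
#    "AuthenticationSilo equals fs01-silo": a user under this policy only gets a
#    TGT when the requesting device is a silo member, which is why the client
#    has to present its identity through armoring. TGT lifetime: 120 minutes.
$fromSilo = "O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"
$policy = @{
    Name                            = $policyName
    Description                     = 'Tina may only sign in from FS01'
    UserTGTLifetimeMins             = 120
    UserAllowedToAuthenticateFrom   = $fromSilo
    Enforce                         = $true
    ProtectedFromAccidentalDeletion = $true
}
New-ADAuthenticationPolicy @policy

# 3. Silo, created directly in Enforce mode, with the policy for every account type.
$silo = @{
    Name                            = $siloName
    UserAuthenticationPolicy        = $policyName
    ComputerAuthenticationPolicy    = $policyName
    ServiceAuthenticationPolicy     = $policyName
    Enforce                         = $true
    ProtectedFromAccidentalDeletion = $true
}
New-ADAuthenticationPolicySilo @silo

# 4. "Permitted Accounts" on the silo AND the silo assignment on each account;
#    both are required, one without the other does nothing.
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $user
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $computer
Set-ADUser     -Identity $user     -AuthenticationPolicySilo $siloName
Set-ADComputer -Identity $computer -AuthenticationPolicySilo $siloName

# 5. Checks. Re-read the silo after any edit in ADAC: if Enforce has reverted
#    to $false the silo is back in Audit mode and nothing is blocked.
$state = Get-ADAuthenticationPolicySilo -Identity $siloName -Properties *
if (-not $state.Enforce) { throw "Silo '$siloName' is in Audit mode, not enforced" }
$missing = @($user, $computer) | Where-Object { $state.Members -notcontains $_.DistinguishedName }
if ($missing) { throw "Not a permitted account in the silo: $($missing.Name -join ', ')" }
Get-ADUser     -Identity $user     -Properties AuthenticationPolicySilo | Select-Object Name, AuthenticationPolicySilo
Get-ADComputer -Identity $computer -Properties AuthenticationPolicySilo | Select-Object Name, AuthenticationPolicySilo

# 6. Refused TGT requests appear in the DC's Security log as event 4820 ("TGT was
#    denied because the device does not meet the access control restrictions"),
#    provided Kerberos authentication auditing is enabled on the DC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4820 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it in an elevated session as a domain admin. Step 5 is the one to repeat after every change made in the Administrative Center, since a silo that has silently dropped back to Audit logs the 4820 events but does not refuse anything.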


This was one of many examples of how you can use Authentication Policies and Authentication Policy Silos. I hope this article was useful. Thank you for taking the time to read it.


Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

6 Replies

  • Alban1998
    Iron Contributor

    Hello TomWechsler

    I tried to reproduce those steps and ended up with the same result as you; however, I do not understand why Tina is denied access to FS01.

    We define a policy restricting access to FS01 to users and computers belonging to "fs01-silo", and Tina belongs to this silo.

    What did I miss?

    Regards,

    • geakin
      Microsoft

      Here's what's missing, and it changes the entire premise of the conclusion (sorry TomWechsler):
      we also need to enable "Kerberos client support for claims, compound authentication, and Kerberos armoring" on the clients.

      The policy setting is under:

      Computer Configuration > Administrative Templates > System > Kerberos - "Kerberos client support for claims, compound authentication, and Kerberos armoring"

      When this is applied and the client host is rebooted, the Auth Policy / Policy Silo setup works as expected: the specified user logs on to the host successfully, while any other user receives the "protected by an authentication firewall" message, even if that user has group/explicit permissions in the local Remote Desktop Users group.

      (credit to thesleepyadmins.com for pointing that out!)

    • Derfel74
      Copper Contributor

      Alban1998, you are right: the purpose of the Authentication Silo is to PERMIT logon for the accounts to the computer specified in the silo itself (authentication policy condition).

      What we have in this article is a demonstration that the Silo is NOT working as expected, since Tina should be able to log on to FS01 and nothing else (due to the condition applied).

  • Alban1999
    Iron Contributor
    Hello,

    Thank you for this awesome post. For those who do not know this feature: managing Active Directory/filer delegations through Authentication Policies/Authentication Policy Silos/Claims was meant to replace the good old AGDLP/GPO delegation model (which suffered from token bloat issues, among other things).
    This was back in 2013.
    Sadly, I have never seen it in production since; even Microsoft PFEs still relied on the AGDLP/GPO model for Active Directory delegation the last time I checked.
      • Alban1999
        Iron Contributor
        You're welcome, Tom! Any feedback about putting this into production? Did it really improve security/quality of life for customers' IT teams?
