Authentication Policy Silos. What's the situation here? Well, I like to look at authentication policy silos in some ways as an extension of the Protected Users group. Remember, with Protected Users there is this collection of preconfigured, non-configurable security protections. One I forgot to mention is that you can, well, you can't configure it, but there is a reduced Kerberos ticket lifetime if you're in the Protected Users group. The silos, the authentication policies and their silos, allow you to configure your own timeouts for Kerberos, and you can adjust protocols, authentication protocols, and most particularly, you can control access between domain users and groups, computer accounts, service accounts, and machines.

So let me explain. First of all, the relationship is one-to-many; that is, you have individual authentication policies, and notice that you can group these policies together into what are called silos. And then in turn, you can associate a silo with a user account, a group account, a computer account, a service account. What's in the policies?

Well, first of all, I just want to call out the fact here that you may have different silos that group different collections of identities and have different types of access and configuration and so on. I want you to see here that single policies can belong to more than one silo, and different policies can contain different groupings of users, groups, managed service accounts, and computers. So there is this parent/child relationship between the silo and the policy. You can deploy policies individually, but Microsoft's proven practice is, similarly to how it's easier to manage a group rather than control or give access to individual user accounts, that it's going to be easier for you to give and restrict access at the silo level by just modularly patching in and removing policy references, instead of trying to directly attach policies. Alright?

Now, if we look over on the right-hand side, I've given an example of an authentication policy silo in action. For example, we may have a policy in a silo that says that only members of a particular Active Directory group are allowed to sign in to either the secure1 server or the paw1 workstation. PAW stands for privileged access workstation.

So these are higher-security machines where you really need to control who can sign in to them. You know, you might be accustomed to that concept of, if you're a domain administrator, you normally can sign in to any domain system, whether it's a server or a workstation. Well, authentication policy silos allow you to put in a greater degree of control, such that even if you're a domain administrator, in this case, if you're not part of that silo that grants you access to secure1 and paw1, you're not going to be able to sign in. So it's quite powerful indeed, particularly for security compliance where you have machines that really have especially strict security and access requirements. So in this example, notice that a user account may be blocked when they try to sign in to either secure1 or paw1 because they're not a member of the group that is attached to a particular silo. Okay?

So this same pattern applies not only to Active Directory users and groups, but also to your group managed service accounts. In this way, using silos, you can very granularly specify which systems a particular gMSA can use, and everywhere else it would not be allowed to be used.

Again, this would be nice from a containment standpoint if a malicious user, process, or entity were to compromise a gMSA.