1
00:00:01,040 --> 00:00:04,560
Next let's switch over to dc1, my domain controller,

2
00:00:04,560 --> 00:00:08,080
and if I bring up Active Directory Users and Computers,

3
00:00:08,080 --> 00:00:11,530
we can see in the Users container some new Domain

4
00:00:11,530 --> 00:00:13,250
Local built‑in security groups.

5
00:00:13,250 --> 00:00:17,920
There's our Allowed RODC Password Replication group and here's

6
00:00:17,920 --> 00:00:21,840
our Denied RODC Password Replication group.

7
00:00:21,840 --> 00:00:25,110
And then if we go over to Domain Controllers,

8
00:00:25,110 --> 00:00:30,570
we have a new entry for RODC, which is a read‑only domain controller,

9
00:00:30,570 --> 00:00:32,640
as we've already talked about.

10
00:00:32,640 --> 00:00:36,900
Alright, the other part of this demo is on authentication policy silos,

11
00:00:36,900 --> 00:00:38,270
and let's take a look here.

12
00:00:38,270 --> 00:00:41,930
So what we've got going on is first of all I've got a

13
00:00:41,930 --> 00:00:44,380
couple members of the Domain Admins group.

14
00:00:44,380 --> 00:00:47,240
Let's go to Domain Admins, take a look at its membership,

15
00:00:47,240 --> 00:00:50,790
and besides my own account, we've got Taylor and Karl.

16
00:00:50,790 --> 00:00:54,680
Let's focus in on both of those, and we'll use Karl in our example.

17
00:00:54,680 --> 00:00:57,570
So, these folks are domain admins,

18
00:00:57,570 --> 00:01:02,110
but let's say that we have security such that if we go to Computers,

19
00:01:02,110 --> 00:01:08,130
MEM1, let's say, contains particularly sensitive information and only I,

20
00:01:08,130 --> 00:01:11,980
Tim, should be allowed to sign into that domain member server,

21
00:01:11,980 --> 00:01:13,760
even though Karl, for example,

22
00:01:13,760 --> 00:01:16,640
is a domain admin and normally he would be allowed

23
00:01:16,640 --> 00:01:20,840
to sign into any domain member, whether a server or a client.

24
00:01:20,840 --> 00:01:24,910
We can use authentication policy silos to prevent that sign‑in.

25
00:01:24,910 --> 00:01:28,740
This is one of the value propositions of those silos.

26
00:01:28,740 --> 00:01:32,400
And just like we saw earlier with fine‑grained password policy,

27
00:01:32,400 --> 00:01:35,530
this is something that we have to do with Active

28
00:01:35,530 --> 00:01:37,690
Directory Administrative Center, or ADAC.

29
00:01:37,690 --> 00:01:41,940
You can see right here we have an Authentication node that consists of

30
00:01:41,940 --> 00:01:46,610
Authentication Policies and Authentication Policy Silos.

31
00:01:46,610 --> 00:01:48,640
Now you can just use policies,

32
00:01:48,640 --> 00:01:52,370
but it's best practice to do your granular work at the

33
00:01:52,370 --> 00:01:56,050
policy level and then patch them into silos,

34
00:01:56,050 --> 00:01:59,620
and then you can join your accounts, your user accounts,

35
00:01:59,620 --> 00:02:02,440
your service accounts, your computer accounts,

36
00:02:02,440 --> 00:02:03,850
to a particular silo.

37
00:02:03,850 --> 00:02:05,650
I'll show you how all that works.

38
00:02:05,650 --> 00:02:07,970
So let's go into Policies first.

39
00:02:07,970 --> 00:02:11,840
Let me right‑click and create a New, Authentication Policy.

40
00:02:11,840 --> 00:02:14,160
I'm going to give this a really imaginative name,

41
00:02:14,160 --> 00:02:19,900
how about tim‑mem1‑policy, and I want to make sure,

42
00:02:19,900 --> 00:02:21,470
you can do audit or enforce.

43
00:02:21,470 --> 00:02:23,480
I want to be really sure that I do enforce.

44
00:02:23,480 --> 00:02:25,410
In the past when I've tested this,

45
00:02:25,410 --> 00:02:29,840
I've had problems thinking why isn't the silo actually applying?

46
00:02:29,840 --> 00:02:32,900
And then it turns out I had either a policy or a silo

47
00:02:32,900 --> 00:02:36,640
set to audit instead of enforce, so make sure that you're doing that.

48
00:02:36,640 --> 00:02:39,540
Alright, so if we come down here,

49
00:02:39,540 --> 00:02:43,370
we've got settings depending upon what principal we're talking about,

50
00:02:43,370 --> 00:02:47,540
whether it's a User, a Service account or a Computer account,

51
00:02:47,540 --> 00:02:49,810
you've got some configurable protections.

52
00:02:49,810 --> 00:02:50,560
And, again,

53
00:02:50,560 --> 00:02:54,480
this goes above and beyond the Protected Users global group that

54
00:02:54,480 --> 00:02:57,450
contains just a canned set of protections.

55
00:02:57,450 --> 00:02:59,520
So for User sign‑on, for instance,

56
00:02:59,520 --> 00:03:04,860
we can limit the Ticket‑Granting‑Ticket Lifetime way down to 60 minutes,

57
00:03:04,860 --> 00:03:08,740
as opposed to, I think the default is something like 8 hours.

58
00:03:08,740 --> 00:03:11,940
I mean that's pretty impressive right off the top, wouldn't you agree?

59
00:03:11,940 --> 00:03:14,150
Okay, so let's click OK for now.

60
00:03:14,150 --> 00:03:16,460
We've got our tim‑mem1‑policy.

61
00:03:16,460 --> 00:03:19,220
Now let's go to Authentication Policy Silos.

62
00:03:19,220 --> 00:03:23,530
Again, I'll right‑click and we'll create a new silo using the same pattern,

63
00:03:23,530 --> 00:03:26,340
tim‑mem1, this time it's silo.

64
00:03:26,340 --> 00:03:30,540
Now, again, I want to make sure to choose enforce here before I forget.

65
00:03:30,540 --> 00:03:32,450
And there are two important principles here.

66
00:03:32,450 --> 00:03:33,500
One is,

67
00:03:33,500 --> 00:03:37,120
notice that for Authentication Policy you can patch in different

68
00:03:37,120 --> 00:03:39,730
policies based on what kind of principal it is,

69
00:03:39,730 --> 00:03:42,440
whether it's an interactive User,

70
00:03:42,440 --> 00:03:45,600
a group Managed Service Account or a Computer account.

71
00:03:45,600 --> 00:03:48,180
Now I'm going to use a single monolithic policy

72
00:03:48,180 --> 00:03:51,540
that applies to all of them there, so that's one.

73
00:03:51,540 --> 00:03:54,060
The other aspect of the silo is membership,

74
00:03:54,060 --> 00:03:58,540
or the permitted accounts, the ones that will be associated with this silo.

75
00:03:58,540 --> 00:04:00,140
So let's click Add,

76
00:04:00,140 --> 00:04:02,990
make sure that my Object Type filter has all three

77
00:04:02,990 --> 00:04:06,360
of those principals connected, and let's bring in MEM1.

78
00:04:06,360 --> 00:04:10,450
And now let's do another Add operation and let me bring in my own account,

79
00:04:10,450 --> 00:04:13,040
my tim account, good deal.

80
00:04:13,040 --> 00:04:17,150
We're going to have to make sure that we don't forget to add those users.

81
00:04:17,150 --> 00:04:19,580
See how this has an Assigned field?

82
00:04:19,580 --> 00:04:21,110
Right now they're not assigned.

83
00:04:21,110 --> 00:04:25,190
So actually right now, before I forget, let me head on over to Users,

84
00:04:25,190 --> 00:04:28,650
tim, and we can do all this directly within ADAC,

85
00:04:28,650 --> 00:04:29,800
we don't have to leave it.

86
00:04:29,800 --> 00:04:32,040
We can come down to Silo,

87
00:04:32,040 --> 00:04:35,600
and then we're going to assign an Authentication Policy Silo,

88
00:04:35,600 --> 00:04:39,050
tim‑mem1‑silo, click OK.

89
00:04:39,050 --> 00:04:44,790
And now let me do the same thing, let me go back to domain, Computers, MEM1.

90
00:04:44,790 --> 00:04:47,940
I'll double left‑click it, come down to Silo,

91
00:04:47,940 --> 00:04:52,740
and we're going to assign the tim‑mem1‑silo to the MEM1 server,

92
00:04:52,740 --> 00:04:56,340
good deal, so they should both be assigned.

93
00:04:56,340 --> 00:04:59,940
Alright, so to finish this out, let's go back to our original policy,

94
00:04:59,940 --> 00:05:02,840
tim‑mem1‑policy,

95
00:05:02,840 --> 00:05:06,280
and I want you to see here that tim‑mem1‑silo is

96
00:05:06,280 --> 00:05:08,980
associated for all three types of policy.

97
00:05:08,980 --> 00:05:12,140
We're going to add a condition for User Sign On that in

98
00:05:12,140 --> 00:05:15,930
order for this policy to kick in, we're going to do Edit,

99
00:05:15,930 --> 00:05:17,800
and we're going to make sure in our condition,

100
00:05:17,800 --> 00:05:20,350
Add a condition, that the User,

101
00:05:20,350 --> 00:05:23,090
notice that we can create our conditions based on

102
00:05:23,090 --> 00:05:25,540
Active Directory Group or Silo,

103
00:05:25,540 --> 00:05:30,290
the User AuthenticationSilo Equals the Value. Unfortunately there's

104
00:05:30,290 --> 00:05:33,180
no browse so you have to know what the name is,

105
00:05:33,180 --> 00:05:38,640
User AuthenticationSilo Equals tim‑mem1‑silo.

106
00:05:38,640 --> 00:05:40,570
I think that's looking pretty good so far.

107
00:05:40,570 --> 00:05:42,000
But wait, there's more.

108
00:05:42,000 --> 00:05:43,290
There's one more step.

109
00:05:43,290 --> 00:05:45,190
It seems like there's always one more step,

110
00:05:45,190 --> 00:05:50,650
and that is we need to make sure to enable this technology in Group Policy,

111
00:05:50,650 --> 00:05:53,570
and we need to do that both for our domain controllers,

112
00:05:53,570 --> 00:05:55,500
as well as for our client systems,

113
00:05:55,500 --> 00:05:59,040
and that would include servers and desktop clients.

114
00:05:59,040 --> 00:06:00,590
So let me show you those policies,

115
00:06:00,590 --> 00:06:04,340
because it may in fact come up on your AZ‑801 exam.

116
00:06:04,340 --> 00:06:05,940
So for your Domain Controllers,

117
00:06:05,940 --> 00:06:09,750
notice that I'm going to edit the Default Domain Controllers policy.

118
00:06:09,750 --> 00:06:14,810
And if I walk the tree down, Computer Configuration,

119
00:06:14,810 --> 00:06:19,140
Policies, Administrative Template, System,

120
00:06:19,140 --> 00:06:20,540
KDC.

121
00:06:20,540 --> 00:06:22,200
And for your domain controllers,

122
00:06:22,200 --> 00:06:26,390
the policy in question is called KDC support for claims,

123
00:06:26,390 --> 00:06:29,110
compound authentication and Kerberos armoring.

124
00:06:29,110 --> 00:06:33,440
All we want to do there is do Enabled, Supported.

125
00:06:33,440 --> 00:06:36,530
That also enables Dynamic Access Control by the way,

126
00:06:36,530 --> 00:06:39,580
and that's going to be what we need for our domain controllers.

127
00:06:39,580 --> 00:06:42,810
Then for our member servers and workstations,

128
00:06:42,810 --> 00:06:45,960
I'm going to do this change in the Default Domain Policy.

129
00:06:45,960 --> 00:06:48,010
It's the same path.

130
00:06:48,010 --> 00:06:51,580
So if I go to Policies, Administrative Template,

131
00:06:51,580 --> 00:06:56,440
System, instead of KDC, we go to Kerberos,

132
00:06:56,440 --> 00:07:01,440
and here the policy is called Kerberos client support for claims,

133
00:07:01,440 --> 00:07:04,620
compound authentication and Kerberos armoring.

134
00:07:04,620 --> 00:07:06,740
We just want that Enabled.

135
00:07:06,740 --> 00:07:07,440
And then, of course,

136
00:07:07,440 --> 00:07:11,220
you're going to want to do an Invoke‑GPUpdate to make sure

137
00:07:11,220 --> 00:07:13,780
that all of your machines are on board.

138
00:07:13,780 --> 00:07:16,290
I actually have already done the policy,

139
00:07:16,290 --> 00:07:19,880
as you see, and I've already rebooted the necessary machines.

140
00:07:19,880 --> 00:07:25,840
So to test this out, let me from my current server open up mstsc,

141
00:07:25,840 --> 00:07:27,590
the Remote Desktop Connection,

142
00:07:27,590 --> 00:07:33,640
and let's attempt a connection as Karl to the mem1 server.

143
00:07:33,640 --> 00:07:35,660
Okay, it looks like we've got some issues.

144
00:07:35,660 --> 00:07:39,330
Probably my Remote Desktop is not enabled on MEM1.

145
00:07:39,330 --> 00:07:42,740
Well, we can always go to phase 2, can't we?

146
00:07:42,740 --> 00:07:47,820
And that phase 2 is to connect to MEM1 on a separate RDP,

147
00:07:47,820 --> 00:07:50,790
in other words, interactively sign in.

148
00:07:50,790 --> 00:07:57,900
So I'm going to do a karl@timw.info, supply his password, and he's being let in.

149
00:07:57,900 --> 00:08:00,610
Okay, I think I understand what's going on here.

150
00:08:00,610 --> 00:08:04,340
I'm going to have to reboot again, so hold tight for a moment.

151
00:08:04,340 --> 00:08:09,590
Okay, back from a reboot here on mem1.timw.info.

152
00:08:09,590 --> 00:08:12,230
So remember, Karl is a domain administrator,

153
00:08:12,230 --> 00:08:16,150
and his credentials are correct, but notice that he receives the error,

154
00:08:16,150 --> 00:08:21,040
The computer you're signing into is protected by an authentication firewall.

155
00:08:21,040 --> 00:08:32,000
The specified account is not allowed to authenticate to the computer, hence the use case, or one of the big use cases of authentication policy silos.