What’s new in Active Directory in Windows Server 2016!
Recently there has been a lot of talk about the innovations in Windows Server 2016 related to virtualization, storage and Remote Desktop Services. However, these are not the only components of Microsoft's server operating system that have received extensive upgrades. In my opinion, Active Directory has been the most undeservedly overlooked. Therefore, I present below a translation of Joseph Moody's article dedicated to this service.
With the release of Windows Server 2016, Active Directory received three significant new features. In this article we will discuss:
- Privileged Access Management;
- Azure AD Join;
- Microsoft Passport.
The focus of most of the innovations in Windows Server 2016 is security. You can see this across all the roles and services: Shielded VMs in Hyper-V, Code Integrity on application servers, and Privileged Access Management in Active Directory Domain Services.
However, not all of the new Active Directory features are security related. The first of these is Azure AD Join, which you will hear a lot about in the coming months (especially if you are a small or medium-sized organization). The second important feature we will mention is Microsoft Passport. Although it is too early to say for certain, Microsoft Passport could potentially free users from the headaches (and IT staff from the problems) associated with passwords. Enough introduction; let us get to the point!
Privileged Access Management
Privileged Access Management (PAM) is the Active Directory equivalent of the Privileged Access Workstation (PAW). While a PAW is used for workstations and servers, PAM is designed to control the forest, security groups, and group membership.
At its core, PAM uses Microsoft Identity Manager (MIM) and requires that the functional level of your forest be no lower than Windows Server 2012 R2. Microsoft assumes that if PAM is needed, the existing Active Directory forest is already compromised. Therefore, configuring PAM creates a new AD forest. It is isolated for working with privileged accounts and, because it has just been created by MIM, is clean of any third-party activity.
Using this protected forest, MIM can manage requests for access rights. Like other permission-management applications, such as AGPM, MIM implements management of administrative privileges through the approval of requests. When a user is granted a new administrative right, he or she becomes a member of a shadow security group in the new, trusted forest.
By using expiring links, membership in these groups is limited in time. If a user's request for additional access rights is approved for one hour, then an hour later those rights are automatically removed.
All of this is completely transparent to the user. Through the use of trusts between the forests and additional secure accounts in the new forest, users can obtain elevated access rights without needing to log out. The Key Distribution Center (KDC) takes these temporary memberships into account: a user account that is a member of several shadow groups receives a Kerberos ticket with a lifetime corresponding to the shortest of their time limits.
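The expiring-links mechanism that PAM relies on can be seen directly with the RSAT ActiveDirectory module on a Windows Server 2016 forest, as in the following added example (not code from Moody's article or from MIM); the forest name, group and user are placeholders, and the script assumes it runs with rights to enable the optional feature and modify the group.

```powershell
# Added example (not from the original article). Shows the native
# "Privileged Access Management Feature" of Windows Server 2016 AD, the
# expiring-links mechanism used for time-limited shadow-group membership.
# Forest, group and account names below are placeholders.
Import-Module ActiveDirectory

$Forest = 'corp.example.com'   # placeholder (bastion) forest
$Group  = 'Domain Admins'      # placeholder privileged group
$User   = 'jdoe'               # placeholder requesting account

# 1. Enable the optional feature once per forest. It needs forest functional
#    level Windows Server 2016 and cannot be disabled again afterwards.
$feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# 2. Grant membership that AD removes automatically after one hour.
#    No scheduled cleanup job is involved; the link simply expires.
Add-ADGroupMember -Identity $Group -Members $User `
    -MemberTimeToLive (New-TimeSpan -Hours 1)

# 3. Audit helper: list members of a group together with their remaining TTL.
#    Expiring entries come back as '<TTL=seconds,DN>'; permanent members
#    have no TTL prefix and are filtered out here.
function Get-ExpiringMembers {
    param([string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    $g.member |
        Where-Object { $_ -like '<TTL=*' } |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{
                    Member      = $Matches[2]
                    SecondsLeft = [int]$Matches[1]
                }
            }
        }
}

Get-ExpiringMembers -GroupName $Group | Format-Table -AutoSize
```

A Kerberos TGT issued to the user after step 2 has its end time capped at the remaining TTL, which `klist` in the user's session shows as the ticket's End Time; running the audit helper periodically is a simple way to confirm that no expiring membership has been silently replaced by a permanent one.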
Azure AD Join
Azure AD Join plays the same role for AD Domain Services that Intune plays for SCCM: it is mainly designed for smaller organizations that do not have an Active Directory infrastructure. Microsoft calls these cloud-first or cloud-only organizations.
The primary purpose of Azure AD Join is to provide the benefits of an on-premises Active Directory environment without the accompanying complexity of ownership and management. Devices shipped with Windows 10 can be joined to Azure AD, which allows companies without a full IT department to manage their enterprise resources.
Companies that already use Office 365 stand to gain the most from Azure AD Join.
From a device with Windows 10 installed, the user can:
- Log in to Windows 10;
- Check email;
- Synchronize settings between Windows devices.
IT support staff can configure policy, the Windows Store and MDM for their company, all without a locally deployed AD domain.
One important potential market for Azure AD Join is education. Today the dominant product in this market is Google's Chrome. Although a mobile device joined to an AD domain offers more customization possibilities than Chrome, the price and performance of Windows devices have counted against them. Now a very cheap device joined to Azure AD, with access to a custom application store and Office 365, can significantly strengthen Microsoft's position and allow it to catch up with its competitors.
Microsoft Passport can help solve problems with passwords
Password changes are one of the major security issues that arise when working with users. I think every admin knows users who use the same password for multiple services. When they also use the same username, such as their email address, exploiting this becomes quite simple: once an attacker has obtained the credentials for one account, he has them all.
Microsoft Passport should change all of this. Using two-factor authentication, Passport can offer stronger security than ordinary passwords, without the complexity of traditional solutions such as smart cards. It is designed for use with Windows Hello (the biometric authentication system integrated into Windows 10 Pro/Enterprise).
Two-factor authentication with Microsoft Passport consists of a user account and a credential for the user's device (which is associated with the user). Each user of the device has a unique authenticator (also called a Hello) or PIN. This makes it possible to ensure that the person entering the credentials is their owner.
This technology works both in a traditional on-premises Active Directory environment and in Azure AD. In some installation variants you will need a domain controller running Windows Server 2016. When Microsoft Passport is used, an IT administrator no longer needs to worry about changing user passwords, because a second authentication method is still required. You will be able to relax strict password policies (which require long passwords or short expiry periods), since Microsoft Passport now provides additional protection. A simpler authentication process can significantly improve user satisfaction with corporate IT.
Each of these innovations in Active Directory is aimed at the ever-growing audience of Windows Server. PAM helps protect user accounts. Azure AD Join gives small companies that have neither the money nor the infrastructure for a complete on-premises solution the opportunity to take advantage of AD. Finally, Microsoft Passport should change how authentication happens. Thanks to Microsoft's work with the FIDO Alliance, Microsoft Passport can be used on many different devices and platforms (and may become more widespread).