How to Use CyberArk PAM Effectively for the Domain Admin Password and AD Tasks: Option 1 vs Option 2

Question:

I am looking for some guidance on how to best use CyberArk PAM to secure the domain admin password and perform daily AD tasks such as GPO, DNS, AD, and LAPS. I have two options in mind:

  • Option 1: Use PAM to manage and monitor the domain admin password and access to domain controllers. However, I am concerned about the security risks of using the domain admin for routine tasks.
  • Option 2: Use a non-domain joined VM as a PAW with no internet access, and manage a local admin account on it with PAM. However, I encountered some problems with this option, such as not being able to open the LAPS UI or manage GPO on the domain controller, even with the proper permissions.

Which option is more secure and efficient? How can I overcome the challenges I faced with option 2? I appreciate any feedback or suggestions from the experts. Thank you.

Answer:

How to Use CyberArk PAM for Domain Admin and AD Tasks

CyberArk PAM is a powerful tool for managing privileged accounts and access, but it can also pose some challenges when it comes to securing the domain admin password and performing daily AD tasks such as GPO, DNS, AD, and LAPS. In this article, we will explore two options for using CyberArk PAM in this scenario, and discuss their pros and cons, as well as some tips to overcome the difficulties.

Option 1: Use PAM to Manage and Monitor the Domain Admin Password and Access to Domain Controllers

The first option is to use PAM to manage and monitor the domain admin password and access to domain controllers. This means that the domain admin password is stored in a secure vault, and can only be retrieved by authorized users through PAM. The access to domain controllers is also done through PAM, so that every session is recorded and audited.

The main advantage of this option is that it provides a high level of visibility and control over the domain admin account and the domain controllers. It also simplifies the management of the domain admin password, as it eliminates the need to manually change it or rotate it. Furthermore, it reduces the risk of the domain admin password being compromised by phishing, malware, or other attacks.

However, this option also has some drawbacks. The most obvious one is that it relies on the domain admin account for daily AD tasks, which is not a good security practice. The domain admin account is the most powerful account in the domain, and should only be used for critical tasks that require its privileges. Using it for routine tasks increases the exposure and the potential damage in case of a breach. Moreover, it can cause performance issues, as every access to the domain controllers has to go through PAM, which adds latency and overhead.

Option 2: Use a Non-Domain Joined VM as a PAW with No Internet Access, and Manage a Local Admin Account on it with PAM

The second option is to use a non-domain joined VM as a PAW (Privileged Access Workstation) with no internet access, and manage a local admin account on it with PAM. This means that the PAW is isolated from the rest of the network, and can only communicate with the domain controllers. The local admin account on the PAW is also managed by PAM, and can be used to access the domain controllers and perform AD tasks.

The main advantage of this option is that it provides a higher level of security and efficiency for the domain admin account and the AD tasks. It minimizes the use of the domain admin account, as it is only needed to delegate permissions to the local admin account on the PAW. It also reduces the attack surface, as the PAW is not exposed to the internet or the rest of the network. Furthermore, it improves the performance, as the access to the domain controllers is done directly from the PAW, without going through PAM.

However, this option also has some challenges. The most common one is that some AD tasks may not work properly on a non-domain joined VM, such as opening the LAPS UI or managing GPO. This is because some AD tools require authentication or authorization from the domain controller, which is not possible on a non-domain joined VM. To overcome this, there are some possible solutions:

  • Use the command-line interface (CLI) instead of the graphical user interface (GUI) for some AD tasks, such as LAPS. The CLI can be run with the local admin account on the PAW, and can connect to the domain controller with the domain admin credentials. For example, to view the LAPS password for a computer, you can use the following command:

    ```powershell
    # Set $ComputerName to the target computer's name; Get-Credential prompts for the domain admin account checked out from PAM
    Get-AdmPwdPassword -ComputerName $ComputerName -Credential (Get-Credential)
    ```

  • Use the Remote Server Administration Tools (RSAT) instead of the native AD tools for some AD tasks, such as GPO. The RSAT can be installed on the PAW, and can connect to the domain controller with the domain admin credentials. For example, to open the Group Policy Management Console (GPMC), you can use the following command:

    ```powershell
    # Replace DOMAIN\user with the domain admin account; /netonly applies the credentials to network access only
    # gpmc.msc is the GPMC snap-in (gpedit.msc would only open the local policy editor)
    runas /netonly /user:DOMAIN\user "mmc gpmc.msc"
    ```
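The two workarounds above share one idea: from a non-domain-joined PAW every RSAT call has to name the domain controller explicitly and get its network credentials from a /netonly token (the GroupPolicy module has no -Credential parameter, the ActiveDirectory module does). The script below is an added example, not part of the original answer, that applies this to the DNS, GPO and LAPS tasks from the question; the DC and domain names, the computer name and the script file name are placeholders, and it assumes the RSAT ActiveDirectory, GroupPolicy and DnsServer modules are installed on the PAW.

```powershell
# Added example (not from the original post). Launch from a /netonly context
# created with the domain admin account checked out from PAM, for example:
#   runas /netonly /user:CORP\da-account "powershell.exe -File .\Paw-AdTasks.ps1"
param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder DC FQDN
    [string]$Domain           = 'corp.example',        # placeholder AD domain
    [string]$ComputerName     = 'WKS-0001'             # placeholder computer
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module GroupPolicy     -ErrorAction Stop
Import-Module DnsServer       -ErrorAction Stop

# A non-domain-joined host cannot find a DC through the DC locator, so every
# call names the DC. Network credentials come from the /netonly token; if the
# script is run without runas, the AD cmdlets also accept an explicit -Credential.
$domainInfo = Get-ADDomain -Server $DomainController
"Connected to {0} (PDC emulator: {1})" -f $domainInfo.DNSRoot, $domainInfo.PDCEmulator

# DNS task: list A records of the domain zone via the DNS role on the DC.
Get-DnsServerResourceRecord -ComputerName $DomainController -ZoneName $Domain -RRType A |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } } |
    Format-Table -AutoSize

# GPO task: GroupPolicy cmdlets cannot take -Credential, which is why the
# /netonly context is required; -Domain and -Server keep them off the DC locator.
Get-GPO -All -Domain $Domain -Server $DomainController |
    Select-Object DisplayName, GpoStatus, ModificationTime |
    Sort-Object ModificationTime -Descending |
    Format-Table -AutoSize

# LAPS task: report when the computer's local admin password expires, without
# pulling the secret itself into the console transcript.
$expiryAttr = 'ms-Mcs-AdmPwdExpirationTime'   # legacy LAPS schema attribute
Get-ADComputer -Identity $ComputerName -Server $DomainController -Properties $expiryAttr |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Expires  = [datetime]::FromFileTime([int64]$_.$expiryAttr)
        }
    }
```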

Conclusion

In summary, both options have their advantages and disadvantages, and the best choice depends on your specific needs and preferences. Option 1 is more convenient and transparent, but less secure and efficient. Option 2 is more secure and efficient, but less convenient and compatible. In either case, you can use some tips and tricks to overcome the challenges and optimize the use of CyberArk PAM for the domain admin password and the AD tasks.

I hope this article was helpful for you. If you have any questions or feedback, please let me know. Thank you for reading. 😊
