Securing Privileged Access - SecureWorld


Transcript of Securing Privileged Access - SecureWorld

Page 1: Securing Privileged Access - SecureWorld
Page 2

Diagram labels:
• Securing Privileged Access
• Information Protection
• Datacenter Security
• Securing High Value Assets
• Information Worker and Device Protection

Page 3

Diagram labels:
• Admin Environment
• On-Premises Datacenters
• 3rd Party SaaS
• Customer and Partner Access
• Branch Office
• Intranet and Remote PCs
• High Value Assets
• 3rd Party IaaS
• Mobile Devices
• Microsoft Azure
• Office 365
• Azure Active Directory
• Rights Management Services
• Key Management Services
• IaaS
• PaaS

Page 4

Attack timeline (diagram labels, in order):
• Research & Preparation
• First Host Compromised
• 24-48 Hours
• Domain Admin Compromised
• Attacker Undetected (Data Exfiltration): more than 200 days (varies by industry)
• Attack Discovered

Page 5

Active Directory and Administrators control all the assets

Page 6

under attack

One small mistake can lead to attacker control

Attackers can:
• Steal any data
• Modify documents
• Impersonate users
• Disrupt business operations

Active Directory and Administrators control all the assets

Page 7

Administrative tiers:
• Tier 0: Domain & Enterprise Admins
• Tier 1: Server Admins
• Tier 2: Workstation & Device Admins

Attack progression (24-48 Hours):
1. Beachhead (Phishing Attack, etc.)
2. Lateral Movement
   a. Steal Credentials
   b. Compromise more hosts & credentials
3. Privilege Escalation
   a. Compromise unpatched servers
   b. Get Domain Admin credentials
4. Execute Attacker Mission
   a. Steal data, destroy systems, etc.
   b. Persist Presence

Page 8

Demo diagram labels (http://aka.ms/pthdemo): DC, Client, Domain.Local, Attack Operator, DomainAdmin

Page 9

How to protect your privileges against these attacks

Three Stage Mitigation Plan (Attack / Defense timeline): 2-4 weeks, 1-3 months, 6+ months
http://aka.ms/privsec

Page 10

These practices are still important: part of a complete long term security strategy

• Domain Controller Security Updates: target full deployment within 7 days
• Remove Users from Local Administrators: manage exceptions down to near-zero; ensure only admin of one workstation
• Baseline Security Policies: apply standard configurations; manage exceptions down to near-zero
• Anti-Malware: detect and clean known threats
• Log Auditing and Analysis: centralize logs to enable investigations and analysis
• Software Inventory and Deployment: ensure visibility and control of endpoints to enable security operations
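As an added example (not from the deck and not a Microsoft tool), the following Python runs two checks that follow from the tier model on page 7 and from the page 10 practices of centralizing logs and keeping each user local admin on at most one workstation. Every host name, account name, logon record and group membership in it is constructed sample data, and the tier assignments are assumptions made for the sample. The logon-type filter is a design choice: only logon types that leave reusable credentials on the host (interactive, remote interactive, cached interactive) are treated as exposing a higher-tier credential, so a network logon by a higher-tier account is deliberately not flagged.

```python
"""Two defender-side checks over centralized inventory and logon data.

Check 1 (tier model): a Tier 0 or Tier 1 account logging on interactively to a
lower-tier host leaves its credential where a lower-tier compromise can steal it.
Check 2 (local admins): a user who is local Administrator on more than one
workstation widens lateral movement; the target is one workstation at most.

All data below is constructed sample data, not output from a real environment.
"""
from collections import defaultdict

# Constructed host-to-tier map (hypothetical host names).
# Tier 0 = domain controllers, Tier 1 = servers, Tier 2 = workstations.
HOST_TIER = {
    "DC01": 0, "DC02": 0,
    "SQL01": 1, "FILE01": 1,
    "WS-ALICE": 2, "WS-BOB": 2, "WS-CAROL": 2,
}

# Constructed account-to-tier map, following the deck's tiers:
# Tier 0 Domain & Enterprise Admins, Tier 1 Server Admins,
# Tier 2 Workstation & Device Admins.
ACCOUNT_TIER = {
    "CORP\\da-alice": 0,
    "CORP\\srv-bob": 1,
    "CORP\\ws-carol": 2,
}

# Windows logon types that leave reusable credentials on the target host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# A network logon (type 3) does not, so it is deliberately not checked.
CRED_EXPOSING_LOGON_TYPES = {2, 10, 11}

# Constructed, simplified logon records: the fields a central log pipeline
# would carry from Windows Security event 4624 (time, account, host, logon type).
SAMPLE_LOGONS = [
    ("2016-03-01T08:01:00", "CORP\\da-alice", "DC01", 2),
    ("2016-03-01T09:15:00", "CORP\\da-alice", "WS-ALICE", 2),  # Tier 0 on a Tier 2 host
    ("2016-03-01T10:30:00", "CORP\\srv-bob", "SQL01", 10),
    ("2016-03-01T11:45:00", "CORP\\srv-bob", "WS-BOB", 3),      # network logon: not flagged
    ("2016-03-01T12:00:00", "CORP\\ws-carol", "WS-CAROL", 2),
]

# Constructed local Administrators membership per host. The built-in local
# Administrator is host-qualified, so it never counts across hosts.
SAMPLE_LOCAL_ADMINS = {
    "WS-ALICE": ["WS-ALICE\\Administrator", "CORP\\alice"],
    "WS-BOB": ["WS-BOB\\Administrator", "CORP\\alice", "CORP\\bob"],
    "WS-CAROL": ["WS-CAROL\\Administrator", "CORP\\carol"],
    "FILE01": ["FILE01\\Administrator", "CORP\\srv-bob"],  # a server: out of scope for check 2
}


def tier_violations(logons, account_tier=ACCOUNT_TIER, host_tier=HOST_TIER):
    """Return (time, account, host, account_tier, host_tier) for each credential-exposing
    logon where the account's tier is more privileged (lower number) than the host's."""
    findings = []
    for when, account, host, logon_type in logons:
        if logon_type not in CRED_EXPOSING_LOGON_TYPES:
            continue
        a_tier = account_tier.get(account)
        h_tier = host_tier.get(host)
        if a_tier is None or h_tier is None:
            continue  # unclassified account or host: cannot judge here
        if a_tier < h_tier:
            findings.append((when, account, host, a_tier, h_tier))
    return findings


def multi_workstation_admins(local_admins, host_tier=HOST_TIER, allowed=1):
    """Return {account: sorted workstations} for accounts that are local
    Administrator on more than `allowed` Tier 2 workstations."""
    hosts_by_account = defaultdict(set)
    for host, members in local_admins.items():
        if host_tier.get(host) != 2:
            continue  # only workstations count for this rule
        for member in members:
            hosts_by_account[member].add(host)
    return {acct: sorted(hosts) for acct, hosts in hosts_by_account.items()
            if len(hosts) > allowed}


if __name__ == "__main__":
    for when, account, host, a_tier, h_tier in tier_violations(SAMPLE_LOGONS):
        print(f"{when}: tier {a_tier} account {account} logged on to tier {h_tier} host {host}")
    for account, hosts in multi_workstation_admins(SAMPLE_LOCAL_ADMINS).items():
        print(f"{account} is local admin on {len(hosts)} workstations: {', '.join(hosts)}")
```

Run against the sample data, the first check reports only the interactive logon of the Tier 0 account to a workstation, and the second reports only the user who is local admin on two workstations. Unclassified hosts or accounts are skipped rather than guessed, which in practice is a finding of its own: the tier model only works when every asset and account has a tier.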

Page 11

2-4 Week Plan: first response to the most frequently used attack techniques
1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins http://Aka.ms/CyberPAW
3. Unique Local Admin Passwords for Workstations http://Aka.ms/LAPS
4. Unique Local Admin Passwords for Servers http://Aka.ms/LAPS

Timeline: 2-4 weeks, 1-3 months, 6+ months

Page 12

Top Priority Mitigations (2-4 weeks): first response to the most frequently used attack techniques
Attack / Defense timeline: 2-4 weeks, 1-3 months, 6+ months

Page 13

1-3 Month Plan: build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs) Phases 2 and 3 - All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins) http://aka.ms/PAM http://aka.ms/AzurePIM
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC Maintenance http://aka.ms/JEA
5. Lower attack surface of Domain and DCs http://aka.ms/HardenAD
6. Attack Detection http://aka.ms/ata

Timeline: 2-4 weeks, 1-3 months, 6+ months

Page 14

Attack / Defense timeline: 2-4 weeks, 1-3 months, 6+ months

Page 15

6+ Month Plan: move to proactive security posture
1. Modernize Roles and Delegation Model
2. Smartcard or Passport Authentication for all admins http://aka.ms/Passport
3. Admin Forest for Active Directory administrators http://aka.ms/ESAE
4. Code Integrity Policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) http://aka.ms/shieldedvms

Timeline: 2-4 weeks, 1-3 months, 6+ months

Page 16

Attack / Defense timeline: 2-4 weeks, 1-3 months, 6+ months

Page 17

Securing Privileged Access

Microsoft is committed to mitigating security threats
• Industry Leading Technology
• Integrated Intelligence

Microsoft is bringing the power of cloud to securing your assets, on premises and cloud hosted
Leverage the security capabilities you own

Page 18

How Can Microsoft Services Help?
• Assess your current risk level and build a plan: prioritized, tailored to your needs
• Rapid deployment of proven solutions
• Support and operationalize new technologies

Let’s get this deployed to maximize your defenses!

Page 19
Page 20

Technical Reference (2-4 Week Plan)
Columns: Microsoft Technology; Microsoft Services Solutions; 3rd party Alternate (Examples)

1. Separate Admin account for admin tasks
   Microsoft Technology: N/A
   Microsoft Services Solutions: N/A
   3rd party Alternate: N/A

2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins
   Microsoft Technology: Windows 10 Enterprise
   Microsoft Services Solutions: Privileged Account Workstation (PAW); Enhanced Security Administrative Environment (ESAE)
   3rd party Alternate: N/A

3. Unique Local Admin Passwords for Workstations
4. Unique Local Admin Passwords for Servers
   (one row covering items 3 and 4)
   Microsoft Technology: Local Administrator Password Solution (LAPS) http://aka.ms/LAPS
   Microsoft Services Solutions: Securing Lateral Account Movement (SLAM); Lateral Traversal Mitigation (in pilot)
   3rd party Alternate: Credential Vault Solutions (Lieberman, CyberArk, Thycotic, Dell PPM, etc.)

Page 21

Technical Reference (1-3 Month Plan)
Columns: Microsoft Technology; Microsoft Services Solutions; 3rd party Alternate (Examples)

1. Privileged Access Workstations (PAWs) Phases 2 and 3 - All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.)
   Microsoft Technology: Windows 10 with Device Guard and Credential Guard
   Microsoft Services Solutions: Privileged Account Workstation (PAW); Enhanced Security Administrative Environment (ESAE)
   3rd party Alternate: N/A

2. Time-bound privileges (no permanent administrators)
   Microsoft Technology: Microsoft Identity Manager (MIM) Privileged Access Management (PAM)
3. Multi-factor for time-bound elevation
   Microsoft Technology: MIM PAM + Azure AD Multi-factor Authentication (MFA)
   (cells shared by items 2 and 3)
   Microsoft Services Solutions: Managed Access Request System (MARS)
   3rd party Alternate: Credential Vault Solutions (Lieberman, CyberArk, Thycotic, Dell PPM, etc.)

Page 22

Technical Reference (1-3 Month Plan, continued)
Columns: Microsoft Technology; Microsoft Services Solutions; 3rd party Alternate (Examples)

4. Just Enough Admin (JEA) for DC Maintenance
   Microsoft Technology: PowerShell, Windows Management Framework 5.1 (supported OS from Windows 7 / Windows Server 2008 R2)
   Microsoft Services Solutions: Custom Scoped
   3rd party Alternate: N/A

5. Lower attack surface of Domain and DCs
   Microsoft Services Solutions: Advanced Directory Services Hardening (ADSH)

6. Attack Detection
   Microsoft Technology: Advanced Threat Analytics (ATA) http://aka.ms/ata
   Microsoft Services Solutions: ATA Implementation Services (ATAIS). Strongly recommended services solution to enable the customer to handle events!
   3rd party Alternate: N/A

Page 23

Technical Reference (6+ Month Plan)
Columns: Microsoft Technology; Microsoft Services Solutions; 3rd party Alternate (Examples)

1. Modernize Roles and Delegation Model (Consulting)
   Microsoft Technology: Builds on MIM PAM, JEA, and others to achieve least privilege
   Microsoft Services Solutions: Custom Scoped
   3rd party Alternate: N/A

2. Smartcard or Passport Authentication for all admins
   Microsoft Technology: Microsoft Passport - http://aka.ms/Passport
   Microsoft Services Solutions: Public Key Infrastructure using Microsoft Active Directory Certificate Services
   3rd party Alternate: 3rd Party MFA (RSA SecurID, others)

3. Admin Forest for Active Directory administrators
   Microsoft Technology: MIM PAM with Windows Server 2016
   Microsoft Services Solutions: Enhanced Security Administrative Environment (ESAE)
   3rd party Alternate: N/A

4. Code Integrity for DCs (Server 2016)
   Microsoft Technology: Windows Server 2016
   Microsoft Services Solutions: N/A until Server 2016 release
   3rd party Alternate: N/A

5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric)
   Microsoft Technology: Windows Server 2016
   Microsoft Services Solutions: N/A until Server 2016 release
   3rd party Alternate: N/A