
Measures for Securing Privileged Users in M365&Azure Every Organization Should Take by Eric Woodruff

BSides Tampa · 51:28 · 86 views · Published 2024-05
Speakers: Eric Woodruff
Category: Technical
Style: Talk
About this talk
How privileged is your user account in M365 and Azure? Are your privileged users synchronized from Active Directory? Are they mail enabled? And when is the last time you audited your privileges to see what you use versus what you are assigned? According to the Microsoft Digital Defense Report, weak identity controls were the number one factor for incident response engagements, with 84% of administrators in organizations not using proper privileged identity controls. Threat actors are turning their eyes towards the cloud; business email compromise, easy data exfiltration and tenants being ransomwared are a reality we now live with. For some organizations it's a matter of time or money or knowledge, or a combination of all three, to understand what privileged identity means in the world of M365 and Azure. In this conversation we'll discuss the key privileged identity controls every organization should employ for privileged users, whether you are using Azure, or M365, or both. We'll look at the Microsoft RAMP model for securing privilege, clarify commonly confusing topics around privileged security, and answer the questions as to why these controls are important, and how identity security requires layered, complementary controls to ensure that we protect our privilege and, in turn, protect our organization.
Transcript [en]

Thank you everybody for coming. We're having a great time at BSides Tampa and we're going to go ahead and get over to our next speaker. With us today we have Mr. Eric Woodruff. Throughout his 23-year career in IT, Eric has sought out and held a diverse range of roles, including technical manager in the public sector, Senior Premier Field Engineer at Microsoft, and security and identity architect in the Microsoft partner ecosystem. Currently he is the product technical specialist at Semperis, focusing on ITDR and cloud identity resilience. Eric is a Microsoft MVP for Security, recognized for his expertise in the Microsoft identity ecosystem. Outside of work, Eric supports the professional community, providing his insights and expertise at conferences,

participating in the IDPro Body of Knowledge committee, and blogging about Entra and related cloud security topics. Without further ado, Eric Woodruff. Oh, there we go. All right. I always feel like I sound more full of myself when I hear that read out. So yep, Eric Woodruff, I'm Eric on Identity; it's easy to remember, ericonidentity. Social media handles: I have a lot of content within here, and blue-fence stuff can get very dry and heavy, and I'm going to try to keep it light, along with leaving some time for Q&A. If you want the slides, just find me on one of these socials and I'll

share this stuff out afterwards. Yeah, so let's get into it. As for the agenda today: we're going to talk about the mindset of securing privileged users in the Microsoft ecosystem of things, talk about why we need to do this stuff and why it's important, and then the things we need to do. So, trying to keep it pretty straightforward here. We'll have a little story first as we talk about the mindset. So I live in New York, the Northeast. I love going up to Maine, love hiking, up in Acadia National Park, so if you're ever up there

I would suggest you check out Acadia. There's Precipice Trail, and it's hard to see here, but to the right of the gray rock is basically falling to your death. So at the foot of the trail there's this sign, and we have things like: make sure you don't bring your dog, stay on the trail, don't hike in the dark or the rain or if it's snowing out, wear hiking shoes, and don't do silly things like throw rocks. And if you do these things, you'll probably make it to the top of the

mountain and you'll be alive and able to come speak in warmer places like Tampa. But even if you don't do all these things, like if I decide to wear my sneakers, it's very likely that I'll still make it to the top of the mountain. And so I kind of look at it as defense in depth. When we talk about securing identities and systems like M365 and Azure, zero trust is the big thing that gets thrown out a lot, but honestly, I like to look at it from a defense-in-depth model. And so when we talk about defense in depth,

again, it's effectively an onion, or it's layers of an onion, if we try to think about defense in depth. Usually if you look at that defense-in-depth model there's physical, perimeter and network layers, identity and access, and it's data in the middle. But you can really apply this to anything, so in this case it's going to be Entra ID in the middle. And I'll just highlight here, for many folks this may be something you already know, but for those that don't: if you live in the Microsoft ecosystem, whether you love it or hate it, if you have Office

365 or Microsoft 365 or Azure, the identity piece is Entra ID under the covers. So when we talk about securing privileged users like your Global Administrators, it's Entra there. I've encountered customers who weren't necessarily aware that they have Entra; they just think they have Microsoft services. So when we talk about securing privilege in these systems, it's all one and the same when we're talking about that highly privileged user. Also, just to level set things here, let's talk about what a privileged role is. Now Microsoft has 21 roles that they've defined as privileged, and again there's a lot on

this slide, and you don't need to really remember all this stuff. Primarily we want to focus on securing your Global Administrators, and your Global Administrators are like the Domain Admin of the cloud. Domain Admins, in Active Directory language, is the thing that gets popped and then everyone has a bad day because nothing works anymore. Global Admin is that Domain Admin in the cloud. And I would say I have a very informed opinion that it's only going to get worse before it gets better out in the cloud, because the speed that attackers can start to move through cloud systems is much

quicker than they can move through on-prem systems, and the ways that we can infiltrate cloud are easier, and we'll dive into that. So Global Admin, it's like Domain Admin but worse. And then from an iterative perspective, once we secure our Global Admins we can go back and secure some of these other roles that we could essentially call tier zero, those highly privileged users, because they may not be the keys to the kingdom but they can either directly or indirectly give themselves or gain access to the keys of the kingdom. But I think one other thing, from a proactive

perspective: I spent some time working at Microsoft and I ran Azure AD, which is now Entra ID, security assessments for organizations. And one of the mindsets and the shifts where I think we need to change things is, it's always like trying to boil the ocean. Everyone wants to focus on, well, we can't do all the security things and it's all very difficult. But if we just focus, especially on Global Admin, hopefully it's not too many users that we're impacting. Another term in the Microsoft world is dogfooding, eating your own dog food, testing your own stuff out.

So I've managed teams before where we implemented some of this stuff, and they may have hated me for it, but we're in control of our own destiny here when it comes to privilege, if you manage privileged systems. So a lot of this stuff, implement against yourself. You can tune it, see what works, see what doesn't, and then start to talk about other roles. And again, if it's Office 365 you might have Exchange admins, SharePoint admins, other people, but you can figure out what works. And it's tough because it can turn into an

"it depends". I consulted for a while; it's one of my favorite things to say, as far as what is privileged. So again, why is this our problem? A lot of times we have this security versus usability struggle, where if we want things to be usable then they're not very secure. And a lot of people would probably argue that Microsoft services are more usable because they want all your money, and so they want to make things easy out of the box. But also we've seen organizations that will turn all the dials up to 11, and then effectively if everything

is too secure, that's when we get shadow IT. Our users are like our biggest enemy at this point, because they will find ways to work around things. So from a user perspective we want to find that middle ground, but here we're really focusing again on those privileged users. If we just focus on Global Admins, those highly privileged users, that's where we really do want to try to turn the knobs and dials up to 11. But there are some things within here where it doesn't have to mean that we all hate our life every morning that we go to work. And also, relative to why it's

our problem, is the shared responsibility model. So if we take Entra ID, an identity-as-a-service platform, which is effectively a SaaS system here: every shared responsibility model is a little different depending on the cloud provider, but if we look at Microsoft here, accounts and identities, they're the customer's problem. Only you know who your employees are, you know who's supposed to have access to what; Microsoft does not. And the identity and directory infrastructure is split, where, aside from the whole Storm-0558 incident, generally it's Microsoft's problem to protect the back end of things. But

again, we're the only ones that know that Tony in HR should have different Conditional Access policies for getting to Workday because Tony's got access to PII or something. And so a lot of the infrastructure, as you might call it, for a SaaS platform is still really up to us. Microsoft doesn't know your business; you know your business, and it's our job to apply the security controls that are made available to our end users and our privileged users. So why is this important? Going back to what I was saying about the ease of access and the ability for attackers to

hit the cloud. We basically have the management plane out here, so this is all the portals: admin.microsoft.com, portal.azure.com, entra.microsoft.com, all our APIs, our PowerShell modules, all these things. And then you have the control plane, which again is Entra ID. And there's this symbiotic relationship here, because we have our users and our privileged users in Entra ID, and you have to use the same management plane that anyone can go to. Anyone can go to portal.azure.com and type in any username they want; nothing's going to stop them. And if they have credentials for a privileged user, depending on how things are configured,

nothing's going to stop them, and then they get into your control plane. And the control plane is what dictates who can get to the management plane. A lot of times the focus is on the control plane, but when you look at the management plane, it also expands out to all these other things that we likely have within our estate. So again, speaking about a Global Admin here, if our Global Admin gets popped, then an attacker can move into the management plane. And if we talk about our SaaS applications, everything's SaaS: your Workday, your Salesforce, all these things.

We talk about going back to on-prem; well, there's no on-prem Salesforce, there's no on-prem Workday, so SaaS applications are a fact of life. And if you have access in Entra, it's relatively easy to spoof users through SAML claims, and SAML primarily is still the way a lot of these things are integrated, to move into these SaaS applications and impersonate users, and it can be very difficult to track this stuff down. Same with multicloud: a lot of organizations may use Entra for their AWS and GCP and all these things, and again the same techniques used to move into SaaS

applications you can use to move into other multicloud, federated management planes and have privileges there. So this is one of the things where, in the management plane, we can go into Azure Key Vault or App Services or whatever it is, and in the management plane there in the portal you can say, hey, now I want to have access to whatever is in the data plane; I want to grant myself access to whatever this juicy stuff is in Key Vault, and again move laterally. And also your IaaS stuff: through portal.azure.com, if you have a Windows VM or VMs that are, say, domain

controllers running out there, you can run a one-liner through the Run Command and essentially give yourself access to that VM, and if it's a DC you can give yourself a Domain Admin account. And if you look at things like Arc, which is popular for extending the management plane of Azure to other IaaS systems, whether it's on-prem or in AWS, you can run commands in Arc to basically grant yourself local access to those systems, and again if it's a domain controller in particular you can give yourself creds there. So the ability to spread into all the

things, and honestly most organizations are not mature enough to detect these things at the speed that someone that was skilled could move through this stuff. So nobody's probably able to read this even if you were sitting in the front, but this is from the Microsoft Digital Defense Report from 2023, and so we'll just zoom in on things. This page I pulled from it is talking about the common findings that they have within their incident response team. Microsoft DART, and now I think it's just Microsoft Incident Response, is, if you're a Microsoft customer and you have some

sort of incident and you call them in, a lot of that data rolls into their Digital Defense Report. And so some of the common findings that they have are: insecure configuration of identity platform. It's a bit wordy here, but we're talking about misconfiguration and exposure of identity platforms, so they're covering both Entra and Active Directory here, and their components are common vectors for attackers to gain unauthorized high-privilege access. So they're not making statements; this is rolling in from them going in and responding to incidents. They're not theorizing, I guess I should say. Insufficient privileged access and lateral

movement controls: again, in here this is really focused on our privileged users. Excessive permissions across the digital environment, all that stuff we just talked about, and often exposed administrative credentials on workstations subject to internet and productivity tasks. The TL;DR on this is people are not separating privilege, people have too much privilege, we're not using dedicated workstations, things like that. And then no multifactor, or lack of modern MFA mechanisms, and, very cliché here, today's attackers don't break in, they log in. So this does move into phishing-resistant authentication, or the lack thereof. And unfortunately my lab is in

a state of disarray, so we'll have to just have a pre-recorded video here. But what I wanted to show folks is, has anyone here played with Evilginx? Okay. So if you haven't, for those that haven't, I'm just going to walk through and basically show you how easy it is to get credentials even using Authenticator app push notifications. Over the past few years there's been a move to passwordless, and you get the push and you do the number matching and all that stuff on your phone, but it's not actually phishing resistant. We're all waiting for passkeys; there's FIDO2 keys, Hello

for Business, all these things. But for a lot of orgs that are just going passwordless, it's not good enough. I'll get this started here. So on our right we've got the attacker view, and this is after the person's already fallen for the link here; we're just speeding things up. On our left is the target, so they've got this phishing link, and we've got Evilginx running here on our right. I probably could have cut some of the time out of the video here, but we're going to

authenticate here, and this could be a privileged user who also, unfortunately, is not using privilege separation. And these systems, as this goes through, are pretty slick, because these proxies will mirror any customization you have in the sign-in page for Office 365. And so we can see here that on the left the user signed in; they don't know anything's happened. On the right, Evilginx essentially has their credentials, where we've got their session here, and we're going to look at their session cookie and then we just replay this in a browser. Now again, in a real phishing scenario

it's usually a bit more complicated in how they pass those credentials along to a different system to use them, but here we're just using Cookie-Editor. We're just going to drop that cookie that we captured in Evilginx into our browser session here,

and so for people that have not seen this before, this should be scary, because my kid could probably do this; he probably could do it better than I am. So we've got the cookie in there, we hit refresh, and now we're essentially in there as this user. So if you think of that as your Global Administrator or privileged user, and we all like to think, I just came from the session about phishing, that we're not going to fall for it, but realistically everyone at some point is going to fall for some sort of phish. And we

want to make sure that that's not happening to our privileged users here. So let me... all right, so let's talk about what we need to do here to secure our privileged access. So we've got our privileged user up here, and the first thing we want to talk about is those strong credentials in Entra ID, so the strong credentials assigned to the user that we're going to use on our devices. I don't know how washed out it is if you're looking straight on to this, but it's a cat in front of a laptop late at night here. So as we go through, and this is where it starts to

get a bit dry, but just hang in here with me. Again, if we focus on our Global Administrators, the quadrant in the upper right here is effectively the time and effort that it should take organizations to implement this, and again I'm talking about just your Global Admins at first. If we were to extend this out to all the things and we try to boil the ocean, that probably will move up to more time and effort, but it goes back to thinking of this from an iterative approach: start small and then gain speed and acceleration here. So for

these strong credentials, again we want to have those dedicated privileged creds. We want to configure them to not have mail enabled or have mail forwarding, because we don't want the administrator to be reading their work email or whatnot and click on some phishing link and something bad happens. And again, we can say, well, we've got all the things, we've got the EDRs and the XDRs and all that great stuff, and it's great, but you still see phishing links slip through the cracks, you still see malware slip through the cracks. And again, from a defense-in-depth perspective, having two sets of creds

isn't necessarily the end of the world to have to deal with, especially when you hold high privileges. We also want these to be cloud-native and sourced from Entra ID, because there are too many known attack paths to move from Active Directory into Entra ID. So if you're hybrid identity, where you have AD, whether it's abusing systems within Entra Connect, or some abuses out there for pass-through authentication, or just your privileged users, depending on how your Active Directory is structured, may not actually be privileged in AD. And so you can see all these crazy attack paths where people can own a credential in Active

Directory and then use it to move into Entra. This is where we want to get into using phishing-resistant authentication whenever we can. Unfortunately, it's on the cusp of public preview with passkey support in Entra ID; Microsoft's been pushing it off every month here. I'm hoping to see this soon. Once passkeys come out, again, another tool for organizations. Oh, yeah, if there's any questions as I go through this, feel free to just raise your hand. But so when I say passkeys: passkeys, for those that do not know, are FIDO2. It's essentially a FIDO2 security key,

but on a device, so being able to use a mobile device and actually have that be phishing-resistant authentication. It's not a Microsoft-specific thing; the FIDO Alliance has been working on passkeys now for the past couple of years. And also use Entra ID Premium P2 for privileged users. This isn't always easy to obtain necessarily, depending on how you buy your Microsoft licensing, but remember that you don't have to go buy 50,000 M365 or P2 licenses. You've got 10 highly privileged users, 20 privileged users, whatever that number may be; you can mix and match things here. So we can go get P2 licensing

for your Global Admins; it's only going to run you a couple hundred bucks a month, not whatever it would take to buy E5 for 100,000 users. So now we're going to go access the management plane here, and we do want to introduce PIM. And again, some folks may mention PAM at this point, and I have nothing against the CyberArks and BeyondTrusts or anything here; just the world I come from is living within the Microsoft ecosystem, so we're trying to not incur additional costs, and this is very cloud-centric. So we're

primarily talking about PIM here, which again would be a P2 license thing. So with these privileged roles, and if we're talking about our Global Administrators, we want to make sure that we require PIM for those users, but we want to actually limit the activation duration to one to two hours. Out of the box this is eight hours; I've seen organizations turn the dial up on this to 24. While PIM is great, if I've activated my role, at that point if someone steals my creds they also are me with those credentials activated. And if at 9:00 in the morning I roll into

work and just activate my privilege regardless of what I plan on doing that day, and then just spend the entire day working as a Global Admin even if I don't need Global Admin, I leave and PIM knocks it back down. I might as well just not even use PIM, because that's still a huge window of time where you have standing privileges, if you have Global Admin 40 hours a week activated on your account. So we want to try to tune that down. This could turn into a whole sprawl of a conversation, but try to limit the activation duration for something like Global Administrator. Also, a lot of orgs may

work with consultants or vendors or MSPs or CSPs or whatever, where it's always been an issue as well to tune these things with PIM. Say we want to maybe have approvals required for a consultant to elevate to Global Admin, where someone has to approve that, but we don't want them to have to approve employees activating the Global Admin access. So we can use PIM-enabled groups, where effectively we assign groups to the role of Global Admin, but then to elevate into those groups we can be granular and say, if it's contractors or vendors, they have to go through some approval

workflow, versus if it's employees maybe they don't. And there's other things, because this increases the surface area, that we need to make sure that those groups aren't something that then can be abused to move up into Global Admin. But it does provide some flexibility that was missing for many years here. And also, we want to require authentication context over MFA for role activation. This is something that's been out for a couple of years, but it isn't heavily used. So again, with PIM we could say, hey, when you're going to elevate your role, you

have to multifactor. If you already have multifactor and it's within your claims, you're going to see that you're not asked to MFA again. Authentication context allows us to do things like say, hey, if you want to elevate your privilege you need to be coming from a compliant device. I kind of like to think of it almost as a loopback to Conditional Access for PIM. So authentication context gives you a lot of that granularity of Conditional Access, saying, hey, you need to meet these conditions in order to elevate your privilege. Also, enforce and audit your least-privilege roles, and I know this

can be tough for some orgs. I worked at a place where our CTO was a Global Admin because he was the CTO. I've worked with companies where they're like, we're in the same scenario and we need you to come in and be the bad guy and say, take the CTO out of Global Admin. But you do see these things where people will have standing privilege because they're important in the company, or you don't want to hurt people's feelings on teams. I worked in public sector, so half the stuff you deal with is politics and all that sort of stuff. But it's easy: if

you have a SIEM, or even if you don't, depending on your licensing, you can at least look at the last month's worth of activity in Entra and see who's really been actually using these privileges. And this also gets into, there's a whole ball within this that I'll spare you folks from, but it's really identity governance for privileged users. Again, a very common thing you see is someone changes their role in an organization, or they leave or retire or are fired or whatnot, but they have that separate account and it's not managed by HR or other processes, and it still persists. So we want to make sure

that we have a lifecycle around these privileged user accounts. All right, so we are going to introduce MDR, XDR, EDR, all these things against our devices here, and we want to have these hardened and dedicated workstations. But I will say, especially as we get into this, because what I'm going to talk about is one of everyone's, well, people I work with, least favorite things, privileged access workstations. Basically everyone hates these. It does require a lot of time and effort, but if you were to look at some of these components, even if it's just getting another asset from IT and just having a separate

device that you're working from, even if you don't do all the hardening things with Intune and all the stuff out there, something is better than nothing when we're talking about privileged access workstations. And this really gets into the clean source principle, which is a big Microsoft thing, and I'll have a diagram here in a second that helps illustrate this, but it's essentially saying that if you're accessing highly privileged systems, and this throws back to the Active Directory days, if you're accessing tier zero systems, the system you're coming from needs to be on the same tier. So if you're on

your desktop, that's likely not tier zero; you don't want to be RDPing into a domain controller. Similarly, if you're doing Global Admin stuff, you don't want to be coming in from the shared family computer or something like that, where your kid was just doing who knows what, playing Roblox or Minecraft, all sorts of scenarios that really lend to why privileged access workstations work. So there's a lot of guidance from Microsoft that I'm not going to dive into here, but I would say that the user is not a local administrator on these devices. To do privileged stuff

in the cloud you don't need to have local admin on the device. You want to install Azure CLI or whatever the latest PowerShell modules are; there's ways to do this stuff and orchestrate that where you don't need local admin. But there is a trade-off here, especially again if we're sticking in the Microsoft world and we've got the Intune team: they now are effectively also indirectly Global Admins. Even if you're not using PAWs but you have Intune, they also are effectively Global Admins, because they have a lot of influence over the devices you

use. So this is the old model; if you've been around the block for a while and you've managed or worked with Active Directory you may have seen this. Effectively, that top horizontal is: the device you're coming from needs to always remain within the same tier as whatever you're managing. And now Microsoft has come out with a lot of new fancy guidance, but essentially it's just that but flipped. So now it's a vertical, where for privileged security, for our Global Admins, we want to be using PAWs for accessing all the management plane, control plane stuff. And so lastly here, we want

to make sure that we're using Identity Protection, which again is a P2 thing, and Conditional Access, which is P1. So if you cannot get P2 but you have P1 licensing, you can use Conditional Access. We want to build Conditional Access policies that are targeting our privileged users. I've seen a lot of orgs where there's too much sprawl here with Conditional Access policies; we don't need to over-engineer and over-orchestrate this. You can get by with some Conditional Access policies that are minimal for your privileged users, but we do want to target them with robust Conditional Access policies that are

leveraging device compliance right like don't let them come in from a personal device again I've worked with some very large organizations where you'd see some of the craziest stuff that they would allow where effectively they were coming in from like personal devices to manage their estate and you're asking them like what would happen right if this all sort of went away or was ransomed or you know a thread actor did something and they're sort of like Well we'd be out of business and you're like okay well implementing a conditional access policy against these 10 users would take us like 15 minutes to apply right uh we also can use device filtering so beyond just um having

device compliance you can build filters so if you deploy PA right you can make sure that they're coming from a privileged access workstation again the identity Protection One is is Big here right and while you know we are sort of going password list and one of the big things with identity protection that I've always thought is slick was the whole leak credential thing right where it sort of crawls the web or Microsoft crawls the web right looking for you know username and password in a sandbox it tries to authenticate um effectively as you right and if the hash is matched and they know they found leak creds um and right there's the whole big AI

co-pilot all that sort of nonsense stuff that is uh newer but identity protection has been like ml for six something years um that they've been using this right so uh I I think has a pretty proven track record it can be difficult to sort of understand what some of the detections in it mean at times right but um for your you know anomalous travel sort of odd signals from authentication all these things right so protecting against people coming through tour and and all these other things right VPN anonymizers it works quite well those strong authentication requirements so now again right we can say uh we're earlier we're looking at making sure that we're using like PH2 Keys pass keys right these

sorts of things to authenticate our Global admins we can again require that now it's not just the MFA onoff switch there's authentication strengths that we can Define out there in uh inra um and one of the things now generally I find sign in frequency uh is very hurtful to our end users right but again from a defense and depth perspective you know a lot of folks argue that having a sign in frequency right of you know somewhere between 4 to 8 hours against your Global admins uh right I I it's it's one of those things where it's time based and these days time based security stuff is sort of not always the greatest right but um

essentially sign in frequency would say right if we have it set to eight hours that if you're in the portal and you're doing things um that after eight hours you're basically going to get right forced to have to reauthenticate um if you start to do things like if you have a PA that you're using like say hello for business and this is like a a cloudon PA right um there's ways that that can sort of mitigate uh some of the um interference this would have with a uh a privileged user though um because things like hello for business will actually um push back the uh it will renew your your primary refresh token and your signin frequency will be um

Extended out so I'm getting in the weed so I'll slash that rant there because again you could easily talk about any of these things for like hours on end and you know getting all the minu of it um so one last thing I just want to leave off here though with uh our privileged users right is making sure that we have break last accounts right and we want to make sure that we have two break last accounts so there was a issue this past March where there was some problem um a lot of organiz ations had conditional access policies and this isn't even from like a security perspective um it's as much of like a

sort of operational resilience thing where um all of a sudden a lot of people in certain parts of the world all started coming from like the same location uh and it's because there was some you know dun goof that happened with like the database that Microsoft uses to correlate IP ranges with you know GE locations right and a lot of organizations had policies that are like if you're not in whatever country we in Block access which is in itself again something that you will see some organizations use and and can be useful however now all of a sudden the entire org was locked out of right their estate because all their users appear to be

coming from someplace else in the world if you had your break L us account right at least for is it eight hours however long it took Microsoft to fix it right you could have sort of back door it in adjusted your conditional access policies for the day and sort of let everyone get back to back to business here so it's not just a security thing it's it's also uh you know provides operational resilience um we do want to exclude one from conditional access policies though right because everything breaks um and we don't want conditional access to be a thing that's going to get in the way of uh you know one of these accounts right so it's almost like

tiered where we have the break last and then we have like the the really break last account and we're also one as permanent assignment in pin so if you're using Pim right it's not eligible for a role it's active uh again you can sort of go out there every few months and see um Twitter or I guess X right complaining about some sort of problem with Pim you know it works great but there are times again where something gets hung up and it takes forever to elevate your privileges right and if you've got something you got to get done now because there's some sort of fire right um have that one permanently assigned so you're not not waiting to El

uh Elevate privilege and also again write most of these things if it's requiring MFA and the whole team quits right you you have some way to um everyone wins Lottery and everyone walks off right that you have an account to sort of get back into things with but these account should be highly monitored right so you see any authentication activity coming from your break glass like all the alarms all the bells and whistles and all your Sims and all these things should be going off uh and those passwords should be securely managed right and there's a lot of different strategies for that however again if it's like using key VA or keeping it in some other right system like a password

management just realize that that's also now tier zero and you could easily get into sort of um long rants about how the more things you do right you're you're increasing that attack surface area and the accounts that manage like right your cyber Arc now also are indirectly Global administrators um but using again PH2 security Keys uh can be an alternative for this right again you'd want to have uh n plus one you can register up to 10 on an account right now right um Microsoft is actually very surprised for the longest time they would never sort of admit in their documentation to using PH2 security Keys mostly because it's creating a dependency right on something

that they don't control because it's relying on vendors um but it is actually out there in the the docs now but in again earlier when I was talking about defense and depth right in the the sort of classic defense and depth model here right and this is where when we're talking about securing privilege right we can apply all these things right to protect our our privileged users uh sort of there on the the inside so questions oh okay does it does it make sense to have service accounts in your environment with global admin rights from a security stance to secure keep the environment secure um no I mean I would I would say that I mean it it's going to be it

depends I don't know what all the use cases are for 99.99 whatever percent of them like no right and so I didn't actually cover service principles in here sort of in an effort uh from a Time perspective um if you have service accounts they should actually be service principles whenever they can they should not be users um and quite honestly they should not hold Global admin like almost everything that you could think of what you'd want them to do shouldn't need GA um right I know some vendors again May argue otherwise uh many times it's just because the vendor doesn't know what they're doing no offense to vendors because I work for one but um uh yeah I know that's sort of

like a non-answer answer but yeah that's what I was thinking my use case was backup solution yeah where they needed full access to everything yeah and I mean I will say it gets sort of Muddy right at times because um I'll say so I'm at s pris we make software for doing entra things and it can get real complex with permissions because unfortunately there are some things in the ga role that you can't easily do with other things and so I don't know is it also backing up like uh your Office 365 and all that stuff yeah yeah um no I'll I'll it can be tough I would push back on them somewhat at least to

sort of explain right like why you need these permissions or have them at least say right like well we want to do this thing and if you look at like right the roles here we can only do it with like GA right and you can sort of weigh the risk there so so yeah regarding the conditional access the P1 right yeah you said you can do the device um conditional access with devices right yeah so um and actually because now what device compliance I think that's what it said yeah so I'm actually trying to think from a to keep me honest perspective if E3 comes with all the in tuny things or not uh it does okay okay then then yeah

you could do device compliance with with P1 uh and that's with in tunes and all that stuff yeah I mean if you have uh you know there's vendors that work with Microsoft um what's the VMware one I can't think of that does MDM and there's a few others uh as well that if you're not using in tune right but they sort of cooperate with the Microsoft ecosystem and they can sort of like inform uh cuz it's identity based even though it says device compliance well no so it is based on the device so the device's compliance is actually reported through the MDM platform into you know in tune and then that informs um you know entra of whether the

devices compliance so you do have to have in tune or or something like that yes you need to have some you need to have some sort of MDM solution that can sort of measure whether the device is compliant or not so we use connectwise um to those remote um devices here's my question right so if I use that let's say it does integrate with it and and it works right yeah my question is could we do something in regards to um let's say we have remote users that don't always use a certain laptop and their patches they haven't turned it on in three months so obviously they're not patch compliant y as soon as they turn

it on is there a policy or a setting that can say okay you can't connect to your you know your your tenant until this is patched yeah so that would exactly be so I don't know how connectwise if it does sort of work in the Microsoft ecosystem if it could if it can report device compliance in to whatever the InTune connector is then you could build a CA policy that said like don't let the user access certain things uh if their devices not compliant so yep you could you could do that I think there was uh

this is more maybe of a personal opinion from you you find it more of a higher barrier to entry to understand entra Azure and all of that or do you find it's easy to maintain the knowledge once you reach a certain level of understanding with uh I don't know I think identity is is tough in general um I mean I like identity but it's it's like um I don't know I'd say almost all the above I think I think it's difficult right I think for a lot of active directory people can be difficult for a lot of security people identity can be difficult um if you're passion driven by identity I think you know it's sort of like with

most stuff right if you invest sort of the time and energy into learning it um yeah I know that's like an non-answer answer but I any other questions oh

yeah privilege which um yeah uh was it this one the secure and privileged access uh I don't I well which uh what it's it's the password uh guidelines on hardening passwords me see if this is yeah and I think there was another question while this

one okay you I think you had yeah I ask yeah I mean I think that's sort of philosophical debate almost um right I mean there's a lot of things you can do in a Pam solution that you can't do with Pim um right like Pim still isn't for active directory uh even with some of the the right back stuff they're developing right your uh you know your keros tickets can hold group membership and other things where I'd say it'd be like iffy to use Pim for like 80 security um right and then it all gets into sort of like what your organization looks like there's some things right where some orgs like cyber Arc because it sort of

like the big brother right that watches everything you're doing and Records all the stuff you do right um so some of the decisions about using a pamm solution are you know based on your organization's interpretation of like what you need right to sort of meet whatever regulatory requirements or your own um you know other people will say that Pam uh can be a substitute for using like privilege access workstations I tend to argue more right that it will increase your surface area with a Pam solution and also can you guarantee right that the Pam solution will you know ensure that if someone's like running mimic hats on your desktop right pretend it's popped that like they're

still not going to get creds to go off and do whatever they want within um uh you know entra and again right it can all sort of snowball because You' be like well my EDR my xdr would pick that sort of stuff up but um you know there's a lot of vendors who are like very much like right we're going to do the things to just like 100% stop any sort of attack right and I mean again I work for a vendor I know what marketing's like right where it's always sort of like thinking nobody really can claim like they they stop 100% of the things when some sort of zero day comes out I'm

sorry I'm getting a bit soap oxy but uh um oh sorry have you ever seen a userfriendly implementation of a privileged access workstation well I think that's a a culture thing right um I mean again so when I was at the State uh so my my public uh uh sector role um about well almost a decade ago I had us Implement privilege acts as workstations against active directory and all the people that worked for me hated it um but right I think some of it's just a culture change thing um but I think also if they didn't really understand like why right they're just looking at it from like I just want them to hate coming to work um versus

you know seeing then when we had some red team come in and that like uh they got domain admin and like 10 minutes or whatever right and they're like oh like right that could be an attacker um no I mean I I think it could easily sprawl that if you use something like hello for business and it's Cloud only right so if we're just focus on like a ga paw and and really GA is like the only thing I would for most ORS would recommend like a paw for um I even if you don't do all the InTune stuff right just having a separate device and having them enroll and something like hello for business uh

a lot of the sort of headaches of sort of dealing in that life right can can go away I mean there's still things where um right you got to watch what you're doing with web browsing and all that and but um but I'll just yeah okay uh I mean uh would you I can uh if you have any additional questions can we please as Eric at the back of the room uh can we give another round of applause for Eric Woodruff in his presentation today thank you [Music]
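The Global Admin controls the talk walks through (PAW-only access via a device filter, Intune device compliance, a phishing-resistant authentication strength, an 8-hour sign-in frequency, and both break glass accounts excluded from Conditional Access) expressed as two Microsoft Graph PowerShell policies. This is an added example, not the speaker's code or a Microsoft sample; the break glass object IDs are placeholders and the `extensionAttribute1 -eq "PAW"` tagging convention is an assumption.

```powershell
# Added example, not from the talk: Conditional Access for Global Admins via Microsoft Graph PowerShell.
# Needs the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$gaRoleTemplateId  = '62e90394-69f5-4237-9190-012177145e10'  # built-in Global Administrator role template
$phishResistantMfa = '00000000-0000-0000-0000-000000000004'  # built-in 'Phishing-resistant MFA' authentication strength
$breakGlassIds     = @('<break-glass-1-object-id>', '<break-glass-2-object-id>')  # placeholders: both break glass accounts
$pawRule           = 'device.extensionAttribute1 -eq "PAW"'  # assumed convention: PAWs are tagged in extensionAttribute1

# Common scope: anyone holding GA (PIM-eligible or active), every app, break glass accounts left out
$gaScope = @{
    users          = @{ includeRoles = @($gaRoleTemplateId); excludeUsers = $breakGlassIds }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

$policies = @(
    @{  # 1) Block GA sign-ins from any device that is not a tagged PAW (unregistered devices do not match, so they are blocked too)
        displayName   = 'PRIV-01 GA: block non-PAW devices'
        state         = 'enabledForReportingButNotEnforced'  # start in report-only, review sign-in logs, then set 'enabled'
        conditions    = $gaScope + @{ devices = @{ deviceFilter = @{ mode = 'exclude'; rule = $pawRule } } }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # 2) On a PAW, still require Intune compliance, phishing-resistant auth, and re-authentication every 8 hours
        displayName   = 'PRIV-02 GA: compliant PAW + phishing-resistant MFA + 8h sign-in frequency'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $gaScope
        grantControls = @{
            operator               = 'AND'
            builtInControls        = @('compliantDevice')        # compliance is reported by Intune or a partner MDM
            authenticationStrength = @{ id = $phishResistantMfa } # FIDO2 keys / passkeys, not just the MFA on/off switch
        }
        sessionControls = @{
            signInFrequency = @{
                isEnabled = $true; type = 'hours'; value = 8
                frequencyInterval = 'timeBased'; authenticationType = 'primaryAndSecondaryAuthentication'
            }
        }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Both policies are created in report-only mode so the sign-in logs show who would have been blocked before enforcement; sign-ins by the excluded break glass accounts should be alerted on separately, as the talk recommends.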
