Overview

Solution overview

This chapter summarizes:

  • requirements for solution
  • solution architecture
  • implementation of requirements

Requirements

Business Requirements Summary

The solution has the following business requirements:

[B01] The solution must resist tampering by the user of the computer it runs on, even when that user is a member of the local Administrators group

[B02] The solution must be centrally manageable. This includes:

  • Ability to learn the password of a given computer without touching that computer, either locally or remotely
  • Ability to install, update and uninstall the solution unattended and on many computers at the same time

[B03] The solution must be able to manage the password of either the built-in local administrator account or a custom (non-built-in) local administrator account

[B04] The solution must handle a renamed built-in Administrator account without knowing the new name

[B05] The solution must correctly handle a computer that is disconnected from the corporate network, i.e. it must not change the password when it cannot report the new password to the password repository

[B06] The solution must support Windows XP/2003 and later

[B07] The solution must support the x86 and amd64 hardware platforms

[B08] The solution must support encryption of stored data using an industry-standard asymmetric algorithm

[B09] The solution must maintain a history of passwords, together with the period during which each password was valid

[B10] The solution must support deployment in environments with RODCs:

  • Sensitive data must not replicate to an RODC
  • The solution must work in sites where an RODC is installed

[B11] The solution must detect and fix the case where the password of the managed local administrator account was changed manually, so that the password stored in the repository is outdated

[B12] The solution must support retrieval of the managed local administrator password from deleted computer objects.

User Requirements Summary

The end-user experience has the following requirements:

[U01] The solution must include a simple tool for retrieving the password of the managed local administrator account on a given computer

[U02] In the default configuration the solution must not show any trace of its activity on the computer it is installed on; it must be hidden from the user as much as possible

[U03] When configured by an administrator, the solution must log its activity on the managed machine

[U04] The solution must offer easy-to-use configuration tools integrated with the PowerShell configuration framework

[U05] The solution must offer password retrieval and reset from a single place across multiple AD forests, provided AD trust relationships exist between the forests

Security Requirements Summary

The solution has the following security requirements:

[S01] The solution must generate a unique random password for the managed local administrator account of every managed computer

[S02] Generated passwords must meet the following complexity requirements:

  • Password length must be configurable by the administrator of the solution, with a default of 12 characters
  • Password complexity must be configurable. At the most complex setting, a password must contain at least one character from each of the following groups:
    • Capital letters
    • Small letters
    • Numbers
    • Special characters

The characters belonging to each category are listed in the table below:

Category            Characters
Capital letters     ABCDEFGHIJKLMNOPQRSTUVWXYZ
Small letters       abcdefghijklmnopqrstuvwxyz
Numbers             0123456789
Special characters  ,.-+;!#&@{}[]+$/()%

[S03] The maximum password age must be configurable, with a default of 30 days. After this time the solution must automatically change the password to a new value

  • The configuration value must have a granularity of 1 hour

[S04] The solution must allow only authorized personnel to retrieve the password of the managed administrator account of a particular computer

[S05] The solution must support changing the password of the managed local administrator account on demand, without touching the workstation either locally or remotely, so that a password change can be forced when necessary, before the password is changed automatically because of its age

  • It must be possible to schedule password expiration per workstation, to support scenarios such as “the password expires tomorrow at midnight”

[S06] The solution must allow auditing of password reads from the password repository and of password resets

[S07] Encryption of passwords at rest must use asymmetric encryption with a key at least 1024 bits long

[S08] The solution must allow rotation of encryption keys during normal operation, without impacting service availability

[S09] The solution must be able to generate and maintain the key pairs used for encryption and decryption

Installation requirements

The requirements for the installer are:

[I01] The installer must support unattended installation

[I02] The installer is expected to be a single file that performs all installation tasks

[I03] The installer must run on Windows XP/2003 and later

[I04] The installer on managed machines must support creation of a custom admin account during installation

  • The password of this custom account must be complex and random once the installer has created it
  • This password need not be logged or reported anywhere: regular password management is expected to change it shortly after installation and report the new password to AD
  • The newly created custom admin account must be made a member of the local Administrators group as part of its creation

[I05] The installer on managed machines must be able to set a random complex password on the existing built-in Administrator account.

  • This password need not be logged or reported anywhere: regular password management is expected to change it shortly after installation and report the new password to AD

[I06] The client-side footprint shall be as small as possible

Solution architecture

The solution architecture is depicted in the schema below:

(Figure: solution topology)

The roles of the individual solution components are described below.

CSE on managed machines

The core of the solution is implemented as a Client Side Group Policy Extension (CSE) installed on every managed machine. The CSE runs as part of the Group Policy framework and is responsible for maintaining the password of the managed local admin account according to the parameters specified in a GPO. It also processes password reset requests. This implementation model brings the following benefits:

  • Resistance to tampering by the user of the computer: the CSE is protected to essentially the same degree as the Group Policy framework itself
  • Privileged security context for local execution: all local operations run as LOCAL SYSTEM, which provides sufficient privileges for local operations (in particular resetting the password of the managed admin account)
  • Security context for network operations: network operations (in particular interaction with the password repository) use the identity of the managed computer's computer account
  • Automatic timing of operations: password management (checking the password age and changing the password if necessary) runs every time a GPO refresh occurs on the computer
  • Automatic detection of the offline state: when the managed workstation is offline, no GPO refresh occurs and the CSE is not triggered
  • Scalability: a locally installed agent is more independent, reliable and scalable than any central solution that has to reach every managed computer across the network

Active Directory

Another important component of the solution is Active Directory. Active Directory (AD) is the authentication and authorization provider for the solution, and is also the repository for:

  • passwords of managed admin accounts
  • password reset requests

The password repository is implemented with newly defined attributes in the AD schema, added to the mayContain list of the computer class.

Using AD as the repository brings the following benefits:

  • Availability: the design goal is to manage passwords on domain-joined computers, so for every managed computer the AD infrastructure is reachable by design
  • Security: AD offers the tools needed to implement the security model of the solution, namely per-attribute access control lists (ACLs) and confidential attributes for password storage
  • Independence: the solution is highly self-contained. It depends almost exclusively on the AD infrastructure, which makes it more secure and robust and makes the desired security model easier to implement. Management is also easier because the set of components to maintain is minimal.
  • Simple transport encryption: passwords transferred from managed workstations to AD, and from AD to the users requesting them, must be protected from eavesdropping on the wire. The AD client on a managed workstation supports Kerberos-based encryption (SASL sign and seal) of LDAP operations. This relies only on the Kerberos authentication protocol, which every domain-joined workstation has by default, so there is no need to deploy other encryption such as TLS (LDAPS) or IPsec, which require additional planning and prerequisites (such as server certificates on domain controllers and a PKI in place).
  • Scalability: using AD as the password repository lets a workstation report its password to any writable DC, typically the closest one; the repository is therefore not a single point of failure and the solution scales to the same extent as AD itself
  • Firewall friendliness: storing password reset requests in AD removes the need to touch a managed machine when a reset is requested, so no inbound firewall openings are needed. Managed machines also communicate only over protocols that every AD-joined machine already uses, which makes deployment in environments with hardened network security straightforward
  • Protection against attacks: the AD database is one of the most important assets of any company, as it holds user identities including their password hashes, and it is usually protected accordingly, including its backup media. The solution reuses that protection for its own sensitive data, the passwords of the managed administrator accounts.
    Additionally, AD supports Read-Only Domain Controllers (RODCs), designed for locations with insufficient physical security. The solution does not block RODC deployment: passwords of managed admin accounts are by default prevented from replicating to RODCs.

Group Policy

Group Policy is the configuration repository and the transport mechanism that delivers the chosen configuration to managed machines. The solution contains an ADMX template that defines the configuration values and allows them to be managed in the GPO Editor.
Using GPOs allows the configuration of the solution to be integrated easily into existing configuration management processes.

Password Decryption Service

The PDS is responsible for the following tasks:

  • Creation and maintenance of the key pairs used for password encryption and decryption
  • Processing password read and reset requests and authorizing them according to the security model implemented in AD
  • Communication with Active Directory: password reads and decryption, password resets
  • Auditing of users' password read and reset requests
  • Registration and maintenance of the DNS SRV record used by clients to discover the service

The PDS uses its own security context when communicating with AD; it does not delegate the caller's identity. By default the PDS runs as NETWORK SERVICE, so it authenticates to AD as the computer account of the machine it runs on.

Note: When the PDS is hosted on a DC and runs under the default NETWORK SERVICE account, it accesses that DC as NETWORK SERVICE rather than as the computer account. Running the PDS under a domain account is fully supported.
The PDS registers and maintains an SRV record in DNS, _admpwd._tcp.<domain>, so clients can find the service without any specific configuration.
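The client-side discovery this record enables, as an added example that is not AdmPwd.E code: resolve _admpwd._tcp.<domain> and choose a target the way RFC 2782 prescribes (lowest priority first, weighted random among records of equal priority). Resolve-DnsName requires Windows 8/2012 or later, and the protocol the client then speaks to the returned host and port is not described on this page.

```powershell
# Added example, not AdmPwd.E code: locate a PDS instance via the _admpwd._tcp SRV record.
# Selection follows RFC 2782: lowest priority value first, then weighted random selection
# among the records that share it.
function Find-PdsEndpoint([string]$Domain = $env:USERDNSDOMAIN) {
    $records = @(Resolve-DnsName -Name "_admpwd._tcp.$Domain" -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    if ($records.Count -eq 0) { throw "No _admpwd._tcp SRV record found in $Domain" }

    # Keep only the records sharing the lowest priority value.
    $lowest     = ($records | Measure-Object -Property Priority -Minimum).Minimum
    $candidates = @($records | Where-Object { $_.Priority -eq $lowest })

    # Weighted random selection; a weight-0 record is only chosen when all weights are 0.
    $total = ($candidates | Measure-Object -Property Weight -Sum).Sum
    if ($total -le 0) {
        $pick = $candidates | Get-Random
    } else {
        $r = Get-Random -Minimum 0 -Maximum $total   # number in [0, total)
        foreach ($c in $candidates) {
            $r -= $c.Weight
            if ($r -lt 0) { $pick = $c; break }
        }
    }
    [pscustomobject]@{ Host = $pick.NameTarget; Port = $pick.Port }
}

Find-PdsEndpoint
```

Running several PDS instances with equal priority and non-zero weights spreads client load across them; giving a standby instance a higher priority value keeps it unused until the primary records disappear from DNS.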

The PDS supports more than one encryption key pair in use at the same time, so different managed machines can encrypt the password they report to AD with different keys. Key rollover is fully supported, so the encryption key can be changed without disrupting the service.
The PDS protects the transport channel when reading data from AD and when sending data to clients using Kerberos encryption, which is available to all domain-joined machines out of the box, so the clear-text password is never revealed on the wire.

Client UI

Solution comes with the following client UIs:

  • Fat client
  • PowerShell module
  • Web UI

Fat client

Allows easy access to the password read and reset functionality for a computer. It can also be run from a network share (so it need not be installed on every machine that uses it), and it can be registered as a context menu extension of the Active Directory Users and Computers tool

PowerShell module

The cmdlets in the PowerShell module cover the complete use and configuration of the solution. The module can:

  • Read and reset the local admin password of a given computer
  • Prepare the AD schema for the solution
  • Implement the security model of the solution
  • Manage key pairs in the PDS
  • Retrieve various information about the solution

Web UI

The Web UI offers the following functionality:

  • Read and reset the local admin password of a given computer
  • Manage key pairs in the PDS

The Web UI calls into the PDS and uses Kerberos Constrained Delegation (KCD) to pass the caller's identity to the PDS, so that requests are authorized as the caller. During solution configuration, KCD must therefore be configured so that the identity of the Web UI can impersonate the caller when calling the PDS interface.
Note: The Web UI is not installed with the solution. It is offered as an open source project, ready to be configured and modified to match the look and feel requirements of the customer's environment.

Implementation of requirements

The following chapters summarize how the requirements above are implemented by the solution architecture.

Business requirements

[B01] The client side of the solution is implemented as a Group Policy extension. Its protection level is therefore the same as that of the built-in Group Policy framework used for configuration management of other components on the machine.

[B02] The solution stores its data in Active Directory. Both password reads and password resets are performed against AD, without the need to reach the managed workstation.
The solution contains an MSI installer that supports unattended installation with the configuration management solution of choice (such as SCCM). The solution also comes with an ADMX template that defines the parameters configurable via GPO; configuration of managed computers is performed entirely via GPO.

[B03] The solution automatically detects the built-in admin account, even when renamed. A custom admin account is supported via GPO: the name of the custom admin account to manage is configured there.

[B04] The solution identifies the built-in admin account by its well-known SID (relative identifier 500), so it does not depend on any specific name for that account.
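The lookup described in [B04], as an added example that is not AdmPwd.E code: find the built-in Administrator by the RID 500 at the end of its SID instead of by name, then reset its password through the WinNT ADSI provider, which is what a local agent running as LOCAL SYSTEM can do on every OS the solution supports. Get-CimInstance needs PowerShell 3.0; on older systems Get-WmiObject takes the same class and filter.

```powershell
# Added example, not AdmPwd.E code: identify the built-in Administrator account by its
# well-known SID (S-1-5-21-<machine>-500) rather than by name, then reset its password
# via the WinNT ADSI provider (available since Windows XP/2003).
function Get-BuiltInAdministrator {
    # Local accounts only; the Name property is whatever the account was renamed to.
    $local = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE'
    $admin = $local | Where-Object { $_.SID -like 'S-1-5-21-*-500' } | Select-Object -First 1
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found' }
    return $admin
}

function Set-ManagedAccountPassword([string]$AccountName, [string]$NewPassword) {
    # SetPassword is an administrative reset: it does not need the old password,
    # which is the situation of an agent that runs as LOCAL SYSTEM.
    $user = [ADSI]"WinNT://./$AccountName,user"
    $user.SetPassword($NewPassword)
}

# Usage: resolve the account by SID, never by the literal name 'Administrator'.
$admin = Get-BuiltInAdministrator
"Built-in administrator is currently named '$($admin.Name)' (SID $($admin.SID))"
# Set-ManagedAccountPassword -AccountName $admin.Name -NewPassword $freshRandomPassword
```

The same SID test also protects against a decoy: an account merely named "Administrator" that was created by a local user does not carry RID 500 and is therefore not touched.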

[B05] Solution activity on the client is triggered by regular GPO refresh events. When the computer is disconnected from the domain, no GPO refresh occurs, so no password change occurs either.
In addition, the solution requires connectivity to the AD infrastructure in order to reset the local admin password, so when the managed machine is offline there is no AD connectivity and thus no password management event.

[B06] The solution is developed with APIs that are available on Windows XP/2003 and later. The development roadmap takes the OS lifecycle into account, so the solution is supported on all supported Windows versions.

[B07] The delivery contains installers for the x86 and amd64 hardware platforms

[B08] The solution supports encryption of the password stored in AD with an RSA public key; the password is decrypted with the corresponding RSA private key. Key pairs are maintained by the PDS service, and the PDS is the only holder of the private key.
Note: Password encryption is optional; whether to encrypt and which public key to use are configured via GPO. The solution is fully interoperable with the Microsoft LAPS solution.

[B09] The solution supports maintenance of password history. Each history entry records the period during which the password was valid. Passwords in the history support encryption in the same way as the current password.

[B10] The default AD schema definition prevents replication of the password and password history to RODCs, so sensitive data never reaches an RODC.
Both managed clients and management tools avoid connecting to an RODC and always connect to a writable domain controller, so that the password can be reported to AD and read from AD in all scenarios.

[B11] The CSE remembers the timestamp of its own last change of the managed local administrator password and compares it with the password age reported by the OS. When the password age differs from the expected value, the password is considered to have been changed outside the solution and is reset immediately.
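The [B11] check in miniature, as an added example that is not AdmPwd.E code. Where the CSE keeps its own record of the last reset is not documented here, so the example assumes a timestamp file under ProgramData; the OS-side evidence is the PasswordAge property of the WinNT ADSI provider (seconds since the last change), which every OS the solution supports exposes.

```powershell
# Added example, not AdmPwd.E code: detect a password changed outside the solution by
# comparing the agent's own record of its last reset with the change time the OS reports.
$StateFile = Join-Path $env:ProgramData 'AdmPwdExample\last-reset.txt'   # assumption

function Get-LocalPasswordLastSet([string]$AccountName) {
    # PasswordAge is the number of seconds since the password was last set.
    $user = [ADSI]"WinNT://./$AccountName,user"
    $ageSeconds = [int]$user.InvokeGet('PasswordAge')
    return (Get-Date).ToUniversalTime().AddSeconds(-$ageSeconds)
}

function Save-ResetTimestamp {
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    (Get-Date).ToUniversalTime().ToString('o') | Set-Content -Path $StateFile
}

function Test-PasswordTampered([string]$AccountName, [int]$ToleranceSeconds = 300) {
    # No record at all: the agent cannot vouch for the password, so treat it as unknown.
    if (-not (Test-Path $StateFile)) { return $true }
    $recorded = [DateTime]::Parse((Get-Content -Path $StateFile -Raw).Trim()).ToUniversalTime()
    $actual   = Get-LocalPasswordLastSet $AccountName
    # If the OS-reported change time does not match the time the agent itself changed the
    # password (allowing for clock drift and the one-second resolution of PasswordAge),
    # somebody changed it outside the solution and it must be reset now.
    return ([Math]::Abs(($actual - $recorded).TotalSeconds) -gt $ToleranceSeconds)
}

# Agent cycle: reset when tampering is detected, then record the time of our own reset.
$managedAccount = 'Administrator'   # in practice resolved by SID, see [B04]
if (Test-PasswordTampered -AccountName $managedAccount) {
    # ... reset the password here and report it to AD, then:
    Save-ResetTimestamp
}
```

Treating a missing record as "tampered" is the safe default: a fresh install or a wiped state file leads to one extra reset rather than to a period during which an unknown password stays in place.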

[B12] The solution can search the Deleted Objects container and retrieve the password from a deleted computer account.
Note: When multiple deleted computers with the same name are found, the password is retrieved from the most recently deleted one.

User requirements

[U01] The solution contains a simple fat client application that lets the user enter a computer name and:

  • Retrieve the current local admin password
  • Optionally retrieve the complete password history
  • Request a local admin password reset (either immediate or scheduled)

The fat client application can be registered as a context menu extension of the Active Directory Users and Computers tool and can be run from a network location, for easier integration with existing support processes.
In addition, a Web UI is available that offers the same functionality as the fat client application, plus the ability to manage encryption keys.

[U02] By default the solution logs only error messages on managed machines. Warning and informational messages are logged only when requested by an administrator.

[U03] The solution provides the following logging capabilities:

  • On managed machines: operational logging into the Application log
  • On the PDS: operational and audit logging into a dedicated log

[U04] The solution comes with a PowerShell module that implements the cmdlets needed to configure the solution.

[U05] The solution supports cross-forest delegation of permissions, and the management tools allow the user to specify the DNS name of the AD forest in which to look for the computer account when reading or resetting a password.

Security requirements

[S01] The solution generates a cryptographically random password: the RSA CSP is used as the source of the random numbers from which the password is constructed.

[S02] The generated password has the parameters specified by the requirements; the password parameters are configurable via GPO.
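A generator that satisfies [S01] and [S02] together with the character table from the requirements, as an added example that is not AdmPwd.E code. It draws from the CSP-backed RNG, rejects random values that would bias the modulo, guarantees one character from every required group, and shuffles so the guaranteed characters do not sit at predictable positions; the group names Upper/Lower/Digit/Special are the example's own.

```powershell
# Added example, not AdmPwd.E code: a password generator meeting [S01]/[S02].
# Character groups are copied from the requirements table; randomness comes from the
# CSP-backed System.Security.Cryptography.RNGCryptoServiceProvider.
$Groups = @{
    Upper   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    Lower   = 'abcdefghijklmnopqrstuvwxyz'
    Digit   = '0123456789'
    Special = ',.-+;!#&@{}[]+$/()%'
}
$Rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

# Uniform random index in [0, Max). Values at or above the largest multiple of Max are
# rejected so that the modulo does not favour the low indexes.
function Get-RandomIndex([int]$Max) {
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $Rng.GetBytes($buf)
        $v = [BitConverter]::ToUInt32($buf, 0)
    } while ($v -ge $limit)
    return [int]($v % [uint32]$Max)
}

function New-ManagedPassword {
    param(
        [int]$Length = 12,                                                  # [S02] default
        [string[]]$RequiredGroups = @('Upper', 'Lower', 'Digit', 'Special') # most complex setting
    )
    if ($Length -lt $RequiredGroups.Count) { throw 'Length is shorter than the number of required groups' }
    $alphabet = -join ($RequiredGroups | ForEach-Object { $Groups[$_] })
    $chars = New-Object System.Collections.Generic.List[char]
    # One character from each required group guarantees the complexity rule ...
    foreach ($g in $RequiredGroups) {
        $set = $Groups[$g]
        $chars.Add($set[(Get-RandomIndex $set.Length)])
    }
    # ... the remaining positions come from the union of the allowed groups.
    while ($chars.Count -lt $Length) {
        $chars.Add($alphabet[(Get-RandomIndex $alphabet.Length)])
    }
    # Fisher-Yates shuffle so the group-guaranteed characters do not sit at fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

# Check of the rule the generator must satisfy, useful as a deployment self-test.
function Test-PasswordComplexity([string]$Password, [string[]]$RequiredGroups = @('Upper', 'Lower', 'Digit', 'Special')) {
    foreach ($g in $RequiredGroups) {
        $hit = $Password.ToCharArray() | Where-Object { $Groups[$g].IndexOf($_) -ge 0 }
        if (-not $hit) { return $false }
    }
    return $true
}

$generated = New-ManagedPassword -Length 12
'{0}  complexity ok: {1}' -f $generated, (Test-PasswordComplexity $generated)
```

Lowering the complexity setting in this model means passing fewer group names in RequiredGroups, which shrinks the alphabet as well; the length default of 12 and the 1:1 mapping of groups to the requirements table are what make the output directly comparable with [S02].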

[S03] A password change is triggered by the GPO refresh event on managed machines. By default this occurs roughly every 90 minutes (the interval can be shortened if needed), so, combined with the 1-hour granularity of the password age setting, a password can be changed about every hour if needed.
The password age is configurable via GPO; the default is 720 hours (30 days).

[S04] The solution relies on the AD security model and allows the permission to read or reset the password of a computer account to be granted per computer, or delegated at container level.

[S05] The solution relies on the AD security model to grant permission to reset the local admin password per computer. A password reset request is written to the computer account object in AD, and the computer processes the request at its next GPO refresh. A reset request can be immediate or scheduled.
Using AD as the store for password reset requests allows a workstation to be managed without touching it directly, which increases the scalability of the solution.

[S06] Password reads and resets are handled by the PDS acting as a trusted subsystem. The PDS audits all operations into its own log, so the audit events are easy to collect for further analysis with the tool of choice.
In addition, auditing can be configured at AD level to record actions performed by the PDS and by administrators of the AD service.

[S07] Password encryption is implemented with the RSA CSP, which is available as a Windows component out of the box. The key length is configurable up to 16384 bits, so the solution administrator can choose a length that matches company standards. Note that 1024-bit RSA, the minimum [S07] allows, is deprecated by current guidance (NIST SP 800-131A); 2048 bits should be treated as the practical minimum.

[S08] Re-keying is a native function of the solution. The new key is distributed via GPO, and managed machines start using it at the next change of the managed account's password.
The PDS maintains all keys ever issued as well as those currently in use; the data format of the encrypted password lets the PDS determine which key to use for decryption. Multiple keys can therefore be in use in the environment at the same time.
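What [B08], [S07] and [S08] require of the encrypted-password format, as an added example that is not AdmPwd.E code: each blob carries an identifier of the key it was encrypted with, so a service holding several private keys can decrypt blobs written before and after a rollover. The blob layout (key id, colon, base64 ciphertext) and the short random key id are this example's assumptions; the product's own format is not documented on this page.

```powershell
# Added example, not AdmPwd.E code: RSA-encrypted password tagged with a key identifier,
# so that the decrypting side can pick the right private key after a key rollover.
function New-EncryptionKeyPair([int]$KeyLength = 2048) {
    # RSACryptoServiceProvider is the "RSA CSP" this page refers to. 2048 bits is the
    # practical minimum even though the requirement permits 1024.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($KeyLength)
    [pscustomobject]@{
        KeyId      = [guid]::NewGuid().ToString('N').Substring(0, 8)   # assumption: opaque short id
        PublicXml  = $rsa.ToXmlString($false)   # published to clients (e.g. via GPO)
        PrivateXml = $rsa.ToXmlString($true)    # held only by the decryption service
    }
}

# Client side: encrypt with the public key and prefix the blob with the key id.
function Protect-Password([string]$Password, [string]$KeyId, [string]$PublicXml) {
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($PublicXml)
    $cipher = $rsa.Encrypt([Text.Encoding]::UTF8.GetBytes($Password), $true)   # $true = OAEP padding
    return "${KeyId}:" + [Convert]::ToBase64String($cipher)
}

# Service side: select the private key named in the blob; fail closed if it is unknown.
function Unprotect-Password([string]$Blob, [hashtable]$PrivateKeysById) {
    $keyId, $b64 = $Blob.Split([char]':', 2)
    if (-not $PrivateKeysById.ContainsKey($keyId)) { throw "No private key for key id '$keyId'" }
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($PrivateKeysById[$keyId])
    $plain = $rsa.Decrypt([Convert]::FromBase64String($b64), $true)
    return [Text.Encoding]::UTF8.GetString($plain)
}

# Rollover: the old and the new key are live at the same time. Blobs written under either
# still decrypt, and clients move to the new key at their next password change.
$old = New-EncryptionKeyPair
$new = New-EncryptionKeyPair
$serviceKeys = @{}
$serviceKeys[$old.KeyId] = $old.PrivateXml
$serviceKeys[$new.KeyId] = $new.PrivateXml
$blobOld = Protect-Password -Password 'example-old' -KeyId $old.KeyId -PublicXml $old.PublicXml
$blobNew = Protect-Password -Password 'example-new' -KeyId $new.KeyId -PublicXml $new.PublicXml
Unprotect-Password -Blob $blobOld -PrivateKeysById $serviceKeys
Unprotect-Password -Blob $blobNew -PrivateKeysById $serviceKeys
```

Because the service keeps every key it ever issued, retiring a key is a matter of no longer publishing its public half to clients; the private half must stay available until the last blob and the last history entry encrypted with it have aged out.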

[S09] The PDS can generate new key pairs. This function is restricted to a dedicated role (PDS Key admins), and the key creation operation is audited.

Installation requirements

[I01] The delivery includes an MSI installer that supports unattended installation via the /q switch. Running the installer silently without parameters installs just the CSE, the only component of the solution intended for bulk installation.

[I02] All components of the solution (except the Web UI) are contained in the MSI installer package. The Web UI is installed separately because it is expected to be customized to the look and feel requirements of the environment where it is deployed.

[I03] The MSI can be installed on all supported versions of Windows

[I04] The installer supports creation of a custom local admin account during installation of the CSE. The account name is specified via the installer property CUSTOMADMINNAME, which can be set on the command line or via an MST transform.

[I05] The installer supports protecting the built-in local admin account with a complex random password during installation of the CSE. This protection is turned on via the installer property PROTECTBUILTINADMIN, which can be set on the command line or via an MST transform.
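A deployment wrapper combining [I01], [I04] and [I05], as an added example that is not AdmPwd.E code. CUSTOMADMINNAME and PROTECTBUILTINADMIN are the property names this page documents; the MSI file name, the value 1 for PROTECTBUILTINADMIN and the log location are the example's assumptions.

```powershell
# Added example, not AdmPwd.E code: unattended CSE rollout with verbose logging and
# exit-code handling, suitable for a configuration management tool or a startup script.
param(
    [string]$MsiPath = 'AdmPwd.E.CSE.msi',   # assumption: actual file name may differ
    [string]$CustomAdminName,                 # leave empty to manage only the built-in account
    [switch]$ProtectBuiltInAdmin
)
$logPath = Join-Path $env:TEMP 'admpwd-cse-install.log'
$msiArgs = @('/i', ('"{0}"' -f $MsiPath), '/q', '/norestart', '/l*v', ('"{0}"' -f $logPath))
if ($CustomAdminName)     { $msiArgs += "CUSTOMADMINNAME=$CustomAdminName" }
if ($ProtectBuiltInAdmin) { $msiArgs += 'PROTECTBUILTINADMIN=1' }   # assumption: value format

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'CSE installed' }
    3010    { 'CSE installed; a reboot is required' }
    default { throw "msiexec exited with $($proc.ExitCode); see $logPath" }
}
```

The verbose log is the place to confirm that the custom account was created and added to Administrators; the random initial password it receives is, by [I04]/[I05], not written anywhere, so a failed first GPO refresh leaves the account unusable until the CSE reports its first managed password to AD.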

[I06] The delivery contains 2 .msi packages:

  • CSE package: installs only the CSE, a single DLL with the registry data needed for integration with the OS
  • PDS and administrative tools package: installs the fat client UI, PowerShell module, GPO templates and PDS

For management of Windows Server 2016 Nano Server, an AppX package containing the client-side components is delivered, together with a PowerShell DSC configuration that delivers the configuration data to the Nano Server.