🔐 Secure Bits 💡
Do You Use Kerberos Authentication Policies?
Honestly… I won't blame you if you don't.
They're powerful—but rarely used.
🔧 With Authentication Policies, you can apply granular protection to Kerberos authentication. Think of it as advanced control for how TGTs and TGS tickets are issued.
Here's what you can do with them:
✔️ Set ticket lifetimes per-entity (not just globally)
✔️ Restrict where an account can request a TGT
✔️ Restrict who can request a TGS for a service
⚠️ But let me be clear—this isn't a level 1 control.
To implement it properly, you should already have a Tiering Model and access restrictions between tiers.
Example:
🧑‍💼 T0-Dave (a Tier 0 admin) is only allowed to request a TGT from T0-Assets—thanks to the policy.
Try it from anywhere else? Error.
✅
This controls TGT issuance.
Another case:
You restrict access to a file server (share) with TGS to only specific users.
If a Tier 0 admin tries to get a TGS for it?
❌ Access denied.
The configuration is done through the Active Directory Administrative Center.
You might ask:
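The same two cases can be set up from the ActiveDirectory PowerShell module instead of the ADAC GUI. This is an added example, not the post author's code or material from the WIS course; T0-Dave and T0-Assets come from the post, while the file server name T0-FS01, the group FS-Users, the policy names, the 240-minute TGT lifetime and the SDDL condition strings are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): Authentication Policies via PowerShell.
# Assumed objects (placeholders): group "T0-Assets" = Tier 0 admin workstations,
# user "T0-Dave", file server computer account "T0-FS01", group "FS-Users" = accounts
# that may obtain service tickets for the file server.
Import-Module ActiveDirectory

# Resolve the group SIDs referenced in the conditional ACEs below.
$t0AssetsSid = (Get-ADGroup -Identity 'T0-Assets').SID.Value
$fsUsersSid  = (Get-ADGroup -Identity 'FS-Users').SID.Value

# Case 1: T0-Dave may only obtain a TGT from a device that is a member of T0-Assets.
# The conditional ACE (XA) in the "AllowedToAuthenticateFrom" descriptor is evaluated
# against the requesting device. Without -Enforce the policy is created in audit mode:
# nothing is blocked yet, the DC only logs what would have been denied.
$tgtSddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID($t0AssetsSid)}))"
New-ADAuthenticationPolicy -Name 'T0-Admins-TGT' `
    -Description 'Tier 0 admins may only obtain a TGT from Tier 0 assets' `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $tgtSddl `
    -ProtectedFromAccidentalDeletion $true

Set-ADUser -Identity 'T0-Dave' -AuthenticationPolicy 'T0-Admins-TGT'

# Case 2: only members of FS-Users may obtain a TGS for the file server.
# This policy is assigned to the computer account hosting the service and uses the
# "AllowedToAuthenticateTo" direction, evaluated against the requesting user.
$tgsSddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID($fsUsersSid)}))"
New-ADAuthenticationPolicy -Name 'T0-FS01-TGS' `
    -Description 'Only FS-Users may obtain service tickets for T0-FS01' `
    -ComputerAllowedToAuthenticateTo $tgsSddl

Set-ADComputer -Identity 'T0-FS01' -AuthenticationPolicy 'T0-FS01-TGS'

# Review (on the domain controller) what the policies would have denied while still
# in audit mode. Security log: 4820 = TGT denied by device restriction,
# 4821 = service ticket denied by user/device restriction.
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4820 or EventID=4821)]]" -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message

# Only after the audit results look clean: switch both policies to enforcement.
Set-ADAuthenticationPolicy -Identity 'T0-Admins-TGT' -Enforce $true
Set-ADAuthenticationPolicy -Identity 'T0-FS01-TGS'  -Enforce $true
```

The device condition in case 1 only evaluates if the domain can issue device claims and compound authentication (Windows Server 2012 domain functional level, with KDC and Kerberos client support for claims and compound authentication enabled by policy); where that is missing, leaving the policy in audit mode first shows you whether the condition is being evaluated at all.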
โBut donโt I get similar results from just using access restrictions in a Tiering Model?โ
Kind of. But hereโs the difference:
👉 Tiering restrictions stop you from using the ticket.
👉 Authentication Policies stop you from even getting the ticket.
See the distinction?
Make sure to use the audit feature; you can easily lock yourself out.
🎓 I go through this in my full flagship course: Windows Infrastructure Security (WIS).
There are also Authentication Policy Silos, but we will discover them another day.
But I'm curious…
Have you ever used Authentication Policies in production?
How did it go?
