[MUSIC PLAYING] So welcome back for those who attended the last session, and welcome to the others who are new to the session. My name is Reto Bachmann. I'm a senior solution architect, for those who are new in the room. In the next couple of minutes, I want to show you the integration of Active Roles and Safeguard for just-in-time provisioning. I will go through how to prepare Active Roles as well as how to prepare Safeguard, and show you how it works in the end-- so the combination of the two products.
So what is the idea of just-in-time provisioning? The idea, in the end, is that we can integrate Active Roles and Safeguard to have real just-in-time provisioning for accounts in Active Directory. So you see Active Directory today; by the way, this is also possible with Identity Manager, for example. So you can do this with other products as well.
And to add, in the end, accounts into a temporary group. Temporary group is a key functionality of Active Roles where you can put users into the group for a dedicated period, and they will be automatically managed and automatically removed. So you don't have to take care that the user still resides in this group, and that an auditor has a finding on this group, for example, that the user was never removed. So this should be a real zero trust model.
I told this in the previous session. So Active Roles has been doing all this zero trust for over 20 years. We never used the word zero trust, but in the end, it's real zero trust that Active Roles has been doing against AD and Azure Active Directory for more than 20 years.
So that's the idea of what I want to present with this just-in-time provisioning. Technically, in the end, how it works is we have Active Directory with Active Roles. So Active Roles, for those who don't know Active Roles, is a kind of proxy in front of Active Directory and Azure Active Directory.
So the difference to Identity Manager is we are not synchronizing data. It's real time against Active Directory. So we are caching it. It's a proxy solution against Active Directory and Active Roles.
And Active Roles, in the end, manages all the objects in Active Directory, like groups, like users, and this is what we manage in the end with Safeguard, so that Safeguard can manage these accounts directly. And in between is a service, and this service, in the end, is listening to Safeguard and then doing the provisioning or the action in the end in Active Directory via Active Roles, of course.
So everything is also documented. So all the actions in the end will also be tracked by Active Roles. All events, everything done in the end, auditors can also see. And of course, Safeguard is reading all the information from Active Directory, like the accounts, the groups, the systems. So everything is managed by Safeguard.
So what are the prerequisites? As you can see here, of course, you need the latest version of Active Roles. So this is a main requirement to manage Active Directory in the end. Then, of course, we need the Safeguard password appliance to manage the passwords of the users. We need the PowerShell module, which is used in the end also for the communication and the actions, and the just-in-time executables, which in the end you can find on GitHub.
So there, you can download all the executables and the scripts. So everything I will show you in this presentation is available on GitHub, including the documentation. There, you can find all the information, including the source code, by the way, for the just-in-time agent we are using for Active Roles. So if you want to build something else, you have the source code there as well.
So prepare AD and Active Roles. The first step is we need a service account. So it's a standard service account without any permissions, no group memberships. And we need to create a certificate for this user because this certificate, in the end, is also used in Safeguard to make the connection between them. That's why we need a certificate as well.
There is a PowerShell script on GitHub, so you can use this instead of doing all these steps manually. So you can do it manually, or you can download the PowerShell script directly from GitHub. And this will do all the required things in the end.
So how does this look? So first of all, after you have downloaded the scripts and everything, we have to start PowerShell as an administrator and execute this file. Then, you have to add the domain.
Then the username you want to create, so you can type in any kind of username. And also the password, in the end, you want to use for the private key, which we need afterwards for the Safeguard appliance. And then the script will make the connection to the Safeguard appliance and Active Roles. First, it will connect to Active Roles, so you have to-- also, that's the credential for Safeguard. Because the script also checks if this account already exists.
It goes to the domain. It searches for the user. If it exists, it will skip this step.
So it creates the user. It also creates the account in Safeguard as well for this domain. Then, this is the certificate, which will be created automatically as well. So we don't have to do it ourselves.
Then just copy the thumbprint away. If everything works well, you don't need it, but just in case. And store it somewhere where you can use it afterwards.
So that's the first step. And now, if you go to your Active Directory, you see there is an account without any membership. And if we log on to Safeguard and go under User Management, we now also have a user. Same name, and you see it has a certificate. And if you go under Authentication, the certificate thumbprint is there as well.
So this also shows how you can automate all the actions in Safeguard through PowerShell. So there are a lot of possibilities to manage Safeguard from outside as well. Also under Asset Management, under Accounts, you see the service account is there. And what's important, it is also managed by Safeguard.
So Safeguard is also managing this service account. So I have no clue what this password is. So it's completely managed by Safeguard in the end. So that's the first step to start with, to have the connection done. You have the service account user, because we use this user afterwards also for the service itself, which is doing the connection against Active Directory.
So in Active Roles, we also need an OU. We need groups and users, which we have to control afterwards. Then also, we have to create some virtual attributes we need for the configuration as well.
We need an access template. We have to assign the access template. For those who are not familiar with Active Roles, Active Roles has a very nice feature called virtual attributes. Virtual attributes are a virtual extension of Active Directory, which means you can have additional attributes together with Active Directory without extending Active Directory in the end.
So these virtual attributes are only available if you use Active Roles against Active Directory. You will not see these virtual attributes in Active Directory without Active Roles.
The second thing is access templates. These access templates contain the delegation in Active Directory. So this is one of the main features of Active Roles, to have the delegation to users without them being part of admin groups. This is the security part, that you can get rid of all the group memberships. So administrators are not part of groups anymore in Active Directory. They only get the access templates, which contain all the delegations.
And these delegations in these access templates you can keep in Active Roles. So there is no need, no requirement, to delegate or to replicate this in Active Directory, and to have all these delegations in Active Directory. So if someone is logging on without Active Roles, they have no permission in Active Directory. This is also the zero trust approach we have had since Active Roles exists, in the end. And the last step, we have to install the Active Roles just-in-time service, which, in the end, is doing the listening against Safeguard.
So next step, going to Active Roles. So you see, I have here my Active Directory. I have more. I have two Active Directories, so you can also manage several domains, forests, whatever.
These are my users, in the end, which are managed by Safeguard. And as you can see, they are disabled. So Safeguard will also automatically enable and disable these accounts. So if they are not used, then they are not enabled. So even if I know the password, I can't use it because it's disabled.
So I create here another user. Going to the auto script, which creates, in the end, the virtual attribute as well as the access templates. So for those who joined before, this is another way you can deploy from one Active Roles to the other.
There is a deployment manager where you can deploy it via the XML file. The other option is you can create such scripts which, in the end, create the virtual attributes and the access templates in any Active Roles environment. So as you can see here, it will create this virtual attribute. This virtual attribute, in the end, controls who can request those accounts.
If I go back to Active Roles, there, on the server configuration, we have these virtual attributes. I need to reconnect because I have to reload the schema.
And now if I go to Virtual Attributes, you can see there are these virtual attributes. And you can have as many virtual attributes as you like. So there is no limitation if you want to do something else.
The second step is creating these access templates, which give the account, in the end, the permissions the account needs-- all the permissions it needs to do its work in Active Directory. So this will create the access template. And if I go to Active Roles again, to Access Templates, you will see there is a new entry with this access template. And this access template has just the permissions in the end which are required for the service account. So it will not get any additional rights or permissions in the end.
So I need to delegate this for the service account. I have here my firefighter accounts which I want to control. So I do the delegation, and the delegation is for a dedicated group, or in this case, user. So it's for my service account, which was created.
And the next step is I have to pick my access template, which has only the permissions required for this service account. And you see here Propagate into Active Directory. So I have the possibility to replicate this in Active Directory, but normally, you will not do this because you want to have your AD clean and not filled up with other information. And this green arrow means that Active Roles is now also controlling this one here.
Now I want to have a group, and this group, in the end, should be controlled by Active Roles as well. So these are my temporary domain admins. And on this group, in the end, I can add any permission I want to give this group for all the work I have to do in the end.
I don't add any members to it. And the next step is I convert it to a dynamic group. This is also a main feature of Active Roles.
So you can control any group, not just distribution lists, but security groups in Active Directory as well, and you can pick any attribute value. In this case, I look for the virtual attribute I created. So this just-in-time one. And if this is set to true, this means if there is any user which has this value set to true, this user will be automatically added to this group.
And I also have the possibility to add much more, so you can really control which accounts should be part of this group and which not. So now I have my dynamic group. You see here, it gets another icon, which is controlled in the end by Safeguard.
And now the last part is I have to create or install the agent on the system. I can also configure how you want to authenticate, the attribute which should be controlled, the appliance. And here, I can add my thumbprint again. So this is why I need it here. It makes it a bit easier instead of going to the certificate directly.
So that's it. So the service is now installed, and all the preparation in the end is done for this just-in-time provisioning. Just checking the service.
Now we have the service here. The service is not running because I don't know the password. And for this, I go to Safeguard because the password is controlled by Safeguard, of course. So I log on with a user which has permission for it. Create a new password request for my account.
And it's auto approval for this request policy, so I should be able to get it immediately. So I have now the password. Copy the password, and now I'm able to enter the password and start the service.
And the service is fully controlled by Safeguard as well. So Safeguard is also managing the password. I don't have to take care of this service account. It's fully managed by Safeguard as well. It rotates the password every 30 days or whatever policy you have, and now, in the end, that's all you have to do for the configuration.
So then on the Safeguard side, that's all done in the end in the script. Again, you can do this manually. If you download the script, then you have it all done directly by the script. So you don't need to do anything.
The other thing is you have to import the AD accounts to be managed. You have to create an access request policy for all the people to whom you want to give the possibility to request those users. So we have to log on to Safeguard for this. Of course, with a user which has permission.
And the first is we have to go to Asset Management, going to my discovered accounts. For those who have not seen Safeguard, you can have discovery jobs for assets. So this means for all the systems, directories, as well as for accounts. So you can create auto-discovery functionality for accounts in this way, that the system goes periodically, every 15 minutes, and searches for my accounts, as well as to discover service accounts, as you have seen before.
So I can create a discovery rule. In my case, I want to search for all my firefighter accounts. And these should be automatically managed in the end by Safeguard together with Active Roles.
So this happens if you have a Swiss-German keyboard and are working on an English system. And the next one is you have to create conditions. So you have different types of conditions, like LDAP filters or searching directly in Active Directory via prefix, suffix, or whatever.
So I searched for all the sAMAccountNames which start with this firefighter prefix. Then you have to select where, in my Active Directory or in any directory. It could also be an LDAP directory, if you have this configured, including sub-containers.
And now, this is a preview. So these are all the accounts which are found in this discovery. Then I also have to configure that it's automatically managed. So this means as soon as Safeguard finds these accounts, Safeguard will start managing these accounts as well.
Then, of course, I need a password profile. So there, you can define all the fancy things: when to check the password, when to change the password. So all this information you can configure in here, including, if you want to, on a change, there is this nice functionality, Suspend Account When Checked In. And with this, you can automatically lock the account when the request is finished or checked in again. Then it will also directly suspend the account after this request. Save this.
So that's it. And then you can run this either manually, or you can start this via a schedule so that it runs every 15 minutes, for example. I also have, of course, to add an asset, on which asset you want to manage this. This is my Active Directory.
So that's all. Yeah, so you see, there is the asset and the schedule. So we have all these options for how often you want to run this schedule in the end, including time windows.
So this will now add all the accounts, in the end, into Safeguard if I start this. And Safeguard will manage these accounts. You can see here, it starts now.
And if I go to Accounts, I now have all my firefighter accounts in it, which are now completely managed by Safeguard. I also have the possibility to create account groups. So I can group these dynamically as well, so I don't have to do it statically. It's similar to what I showed you before.
So I can create a group. And with account rules, I can define, by a rule, which accounts I want to contain in this. For me, it's now all the firefighter accounts. So you see, it's very simple. You can make much more complex queries if you wish, and this is now my dynamic group.
And on this group, as I said now, you can see. So for my accounts, I now have to create an entitlement. Also here, you can set time windows. So you can define that only during non-office hours someone can request users. So this can all be configured.
So this now creates the access request policy for my firefighter accounts. Also, that the password has to be changed. Then I need the scope. So add the group. This is my firefighters group I want to control with this request policy.
And now, I also have to define the workflow. So you can define if a comment, for example, is required, how long they can use it, if it's auto-approved or not. You can change this as well.
If it should be reviewed after the request, for auditors, for example. And this is now my request policy, which gives me the possibility to request these accounts. And of course, I now have to tell the system which users can request this in the end. So these are the users from Active Directory in this group.
So that's it. That's how to configure, in the end, Active Roles and Safeguard so that you can request these firefighter accounts. So it's not a big thing in the end to do. It's very simple.
And now, I want to show you how this works, in the end, in real time-- in real life. Not real time, in real life. How a user, an administrator, can request such accounts through Safeguard. So the administrator can log on to Safeguard. And based on his AD group membership, he gets access to this request policy, which, in the end, allows him to request the account.
And during this request, in the end, Active Roles will put him in the right group. It will enable the account, of course. And afterwards, it will disable the account again and remove the user from this group directly.
So we are logging on to the system with a normal user, which has just a few permissions. So he goes to request. And based on his policy, he only has access to these accounts. So he can't request anything else. So the comment is mandatory. He needs to enter something, and you can see he is also not able to change the hours here. But he can request it for later, for example.
And now, the system starts changing the password. So that's the new password. And if he goes to Active Roles, to my firefighter account, just refresh it. You see, the user is enabled. And the user should be part of this temporary, or this dynamic, group for two hours. So if I go now to Members, he is part of this dynamic group.
And now, I can work with this user with all the permissions the user has. And if I'm finished, I can check in the account. And now, the system goes and removes-- or first of all, it disables the user.
Resets the password, of course. So the user now has a new password. In Safeguard, the user is disabled, and the user should be gone from this membership list.
So that's, in the end, the idea of just-in-time provisioning and how it works. So it's not really a huge thing. And as I said, you can do this with, in the end, any system.
So this just-in-time provisioning service account, you can use this for anything else. It's available on GitHub. This is just an example together with Active Roles, also showing the capabilities of Active Roles, having this dynamic group functionality, and with these virtual attributes that you can very easily control such users in Active Directory to make your Active Directory much more secure and have a real zero trust environment in the end. And I can just say thank you.
[APPLAUSE]
And enjoy the rest of the day.
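Editor's note, added after the talk: the example below is not from the presentation and not code from the One Identity GitHub project the speaker refers to. It drives the requester-side flow of the demo (request the firefighter account, check out the password, do the work, check in) through the safeguard-ps PowerShell module instead of the web UI, and reads back from Active Directory what the Active Roles just-in-time service is expected to have done at each step (account enabled and pulled into the dynamic group after check-out; disabled and removed after check-in). The cmdlet and parameter names (Connect-Safeguard, New-SafeguardAccessRequest, Get-SafeguardAccessRequest, Get-SafeguardAccessRequestPassword, Close-SafeguardAccessRequest, Disconnect-Safeguard), the request state string 'RequestAvailable', and every appliance, identity provider, asset, account, group and host name are assumptions to adjust for your own environment.

```powershell
# Added example, not code from the talk or from the One Identity GitHub project.
# Requester-side just-in-time flow via safeguard-ps, with AD read-back checks.
# ASSUMPTIONS: cmdlet/parameter names as I know the safeguard-ps module, the
# request state string 'RequestAvailable', and every name below is a placeholder.
param(
    [string]$Appliance        = 'safeguard.example.local',  # placeholder appliance FQDN
    [string]$IdentityProvider = 'example.local',             # placeholder: AD provider name configured in Safeguard
    [string]$Asset            = 'example.local',             # placeholder: AD asset name in Safeguard
    [string]$Account          = 'firefighter01',             # placeholder: one of the discovered firefighter* accounts
    [string]$JitGroup         = 'Temporary Domain Admins',   # placeholder: the Active Roles dynamic group
    [string]$TargetHost       = 'dc01.example.local',        # placeholder: where the privileged work happens
    [int]   $DurationHours    = 2                            # the policy in the demo fixes this to 2 hours
)

Import-Module safeguard-ps     -ErrorAction Stop
Import-Module ActiveDirectory  -ErrorAction Stop

# What the JIT service should have done to the account, read back from AD
# (the dynamic group membership is written to AD by Active Roles, so a plain
# AD read is enough to verify it).
function Get-JitAccountState {
    param([string]$SamAccountName, [string]$GroupName)
    $user    = Get-ADUser -Identity $SamAccountName -Properties Enabled
    $members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        Account = $SamAccountName
        Enabled = [bool]$user.Enabled
        InGroup = ($members -contains $SamAccountName)
    }
}

# Poll the request until it reaches the expected state or the deadline passes.
function Wait-SafeguardRequestState {
    param([int]$RequestId, [string]$State, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $req = Get-SafeguardAccessRequest -RequestId $RequestId
        if ($req.State -eq $State) { return $req }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "Request $RequestId is still in state '$($req.State)', expected '$State'"
}

# 1. Log on as the requesting administrator. Which entitlement he sees is
#    decided by his AD group membership, exactly as in the UI demo.
Connect-Safeguard -Appliance $Appliance -IdentityProvider $IdentityProvider `
                  -Credential (Get-Credential -Message 'Safeguard requester')

# 2. Raise the password request. The policy makes the comment mandatory and
#    fixes the duration, so a longer duration would be rejected.
$req = New-SafeguardAccessRequest -AssetToUse $Asset -AccountToUse $Account `
           -AccessRequestType Password `
           -RequestedDurationHours $DurationHours `
           -ReasonComment 'Firefighter access for incident INC-0000 (constructed example)'

try {
    # 3. With auto-approval the request becomes available almost immediately.
    $req = Wait-SafeguardRequestState -RequestId $req.Id -State 'RequestAvailable'

    # 4. Check out the password. Safeguard rotates it, and the JIT service
    #    enables the account and sets the virtual attribute, which pulls the
    #    account into the dynamic group. Give Active Roles a moment to refresh.
    $plain = Get-SafeguardAccessRequestPassword -RequestId $req.Id
    Start-Sleep -Seconds 10
    $before = Get-JitAccountState -SamAccountName $Account -GroupName $JitGroup
    if (-not ($before.Enabled -and $before.InGroup)) {
        throw "Account not provisioned as expected: $($before | Out-String)"
    }

    # 5. Do the privileged work with the checked-out credential (placeholder task).
    $cred = New-Object pscredential ($Account, (ConvertTo-SecureString $plain -AsPlainText -Force))
    Invoke-Command -ComputerName $TargetHost -Credential $cred -ScriptBlock { hostname }
}
finally {
    # 6. Always check in: check-in is what triggers the disable, the password
    #    reset and the removal from the group. Without it the firefighter stays
    #    live until the requested duration expires.
    Close-SafeguardAccessRequest -RequestId $req.Id
    Start-Sleep -Seconds 10
    $after = Get-JitAccountState -SamAccountName $Account -GroupName $JitGroup
    Write-Host "After check-in: enabled=$($after.Enabled) inGroup=$($after.InGroup)"
    Disconnect-Safeguard
}
```

The try/finally is the practitioner's point here: the demo shows that the disable, password reset and group removal happen on check-in, so a script that fails halfway and never checks in leaves a live domain admin for the rest of the requested window. The two Start-Sleep calls exist because the group membership is written by the Active Roles service on its own refresh cycle, so an immediate AD read after check-out or check-in can still show the previous state. The checked-out password is held only as a string in this session and is never written to disk.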