August 2019
Intermediate to advanced
786 pages
20h 22m
English
AD DS 2016 now allows time-based group membership, which makes this whole process possible. A user is added to a group with a time-to-live (TTL) value and, once it expires, the user is removed from the group automatically. For example, let's assume your CRM application has administrator rights assigned to the CRMAdmin security group. The users in this group log in to the system only once a month to do some maintenance. But the admin rights for the members of that group remain in place for the remaining 29 days, 24/7. This gives attackers plenty of opportunity to try to gain access to privileged accounts. So, if it's possible to grant access privileges for a shorter time period, isn't that more ...
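The TTL-based membership described above, as an added PowerShell example that is not taken from the book. It assumes the ActiveDirectory module, a Windows Server 2016 forest functional level and rights to modify the group; `CRMAdmin` comes from the text, while the account name `jsmith` and the two-hour window are hypothetical.

```powershell
# Added example. 'jsmith' and the 2-hour window are hypothetical values.
Import-Module ActiveDirectory

$group  = 'CRMAdmin'
$user   = 'jsmith'                   # hypothetical account
$window = New-TimeSpan -Hours 2      # assumed maintenance window

# Time-based membership depends on the Privileged Access Management optional
# feature. Enabling it is a one-way forest change, so this script only checks.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    throw 'Privileged Access Management Feature is not enabled in this forest.'
}

# Add the user with a TTL; AD DS drops the membership when the TTL expires.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $window

# Read the group back with remaining TTLs in seconds.
# Temporary entries are returned as "<TTL=7190>,CN=...".
$members = (Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member

# Report each member as temporary or permanent, so standing admin rights
# (entries with no TTL prefix) are easy to spot and review.
foreach ($m in $members) {
    if ($m -match '^<TTL=(\d+)>,(.+)$') {
        [pscustomobject]@{
            Member    = $Matches[2]
            Type      = 'Temporary'
            ExpiresIn = [timespan]::FromSeconds([int]$Matches[1])
        }
    } else {
        [pscustomobject]@{
            Member    = $m
            Type      = 'Permanent'
            ExpiresIn = $null
        }
    }
}
```

Any row reported as `Permanent` is a membership that keeps its admin rights for the full month rather than only for the maintenance window.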