
No direct or indirect guarantee is given, and this cannot be considered official documentation. It is up to you to integrate this work into your security posture and evaluate the impact. I am not here to discuss whether every part of this document adheres to all the principles and best practices of a secure administration environment; I just want to show a feature as a proof of concept.

Many customers asked me, after having used Azure/Office 365 MFA: is it possible to use something like that to log on to the domain and to on-prem resources? The solution exists today: a security key (FIDO2): Passwordless security key sign-in to on-premises resources - Azure Active Directory | Microsoft Docs. Please have a look also at Plan a passwordless authentication deployment with Azure AD | Microsoft Docs. I wanted to demonstrate that this solution can also protect members of the Domain Admins group and other high-privilege accounts (an important notice about this is present in FAQs for hybrid FIDO2 security key deployment - Azure Active Directory | Microsoft Docs: "FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts"). After having replaced the password with one MFA credential (private key + a primary factor; more information here: Azure Active Directory passwordless sign-in | Microsoft Docs), we can make the password unnecessary for domain administration, then very long and complex, and finally disabled: Passwordless Strategy - Microsoft 365 Security | Microsoft Docs.

With Windows Hello for Business, if we want to use different PAWs (secured workstations from which the administrator connects with privileged accounts; see Why are privileged access devices important | Microsoft Docs), we need to configure and enroll the solution machine by machine (a different private key is created for every Windows desktop). With the solution described below, enrollment happens only once: there is a single private key per identity, it exists only inside the USB FIDO2 key, it is portable, and it is potentially usable on every secure desktop/PAW in the domain.

What I wanted to obtain:
- Eradicate the password from the domain for those privileged accounts (make it impossible to use a password to log on to the domain, to prevent some kinds of password attacks).
- Have the ability to use multiple PAWs (privileged access workstations) with the same MFA credential.
- Have only one identity with one strong credential.
- Use the same credential on-prem and in the cloud (if needed).
- Connect to a Domain Controller through RDP from the PAW using SSO (Single Sign-On).
- Obtain all of the above with relative simplicity and cost control.
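The last step of the passwordless strategy mentioned above (password made unnecessary, then random and long, then unusable for interactive logon) can be applied to a privileged account from any admin workstation with RSAT. The script below is an added example and not part of the original post; it follows the "smart card required for interactive logon" (SCRIL) approach described in the linked Passwordless Strategy document. The account name is a placeholder, and it assumes the FIDO2 sign-in for that account has already been tested, otherwise you lock yourself out of it.

```powershell
# Added example (not from the original post): remove the password from play for one
# privileged AD account after FIDO2 sign-in has been verified for it.
# Assumptions: RSAT ActiveDirectory module installed, rights to reset the account,
# and a hypothetical account name 'pawadmin01'.
Import-Module ActiveDirectory

$Account = 'pawadmin01'   # hypothetical privileged account, replace with your own

# 1. Replace the current password with a random 128-character value nobody knows.
#    96 random bytes -> 128 Base64 characters (upper, lower, digits, '+', '/').
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 96
$rng.GetBytes($bytes)
$randomPassword = [Convert]::ToBase64String($bytes)
Set-ADAccountPassword -Identity $Account -Reset `
    -NewPassword (ConvertTo-SecureString $randomPassword -AsPlainText -Force)
# Drop the plaintext from the session as soon as it has been used.
Remove-Variable randomPassword, bytes

# 2. Set "Smart card is required for interactive logon" on the account.
#    Interactive password logon is now refused; the FIDO2 key still works.
Set-ADUser -Identity $Account -SmartcardLogonRequired $true

# 3. Verify the resulting state of the account.
Get-ADUser -Identity $Account -Properties SmartcardLogonRequired, PasswordLastSet |
    Select-Object SamAccountName, SmartcardLogonRequired, PasswordLastSet
```

Two caveats a practitioner should keep in mind: SCRIL only blocks interactive password logon, the account still has an NT hash that can be used for NTLM network logons, so it must be protected (and rolled) like any other credential; and the reset is done explicitly here so that the intended state does not depend on domain-controller behaviour around the SCRIL flag.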


