
Logging on Windows with user accounts in Protected Users group over VPN


I am planning the implementation of Microsoft's Active Directory tiered administrative model, and I was wondering how to overcome the problem of system administration over VPN. One of the security principles is to have all admin accounts in the Protected Users group, and the other is to use privileged access workstations. Using this in combination with working from home creates a problem. How do I log in with a Protected Users group member account when a domain controller is not available? I am not an expert on VPN, and I need to know whether Always On VPN enables a computer to connect to the VPN and gain access to the corporate network and domain controllers before any user logs in. Or is there some other way to solve the problem of logging in with protected users outside the company network?

To overcome this problem I have also considered an additional user account for the laptop PAW that is not a member of the Protected Users group and is used only to log on to the PAW. From there you can access a local VM for common user purposes that has internet and mail access, and access the system administration with different credentials for administering the various security tiers.

Nikita Kipriyanov:
What about not logging in under privileged users *at all*? Log in as an unprivileged user and run the desired administrative applications using RunAs.
Zoran Jankov:
@NikitaKipriyanov Yes, I have considered that, as written in the second section of my question.
Nikita Kipriyanov:
I had a feeling you were talking about using some other system to connect through it, like a "proxy", and then connecting with an administrative account to the target system. I meant that you connect directly to the target system (no PAW) with an unprivileged account, and then do administrative tasks with RunAs.
Zoran Jankov:
@NikitaKipriyanov If you are suggesting performing system administration from a user workstation, the workstation that is used for internet browsing and for the external mail client, but with a different account, a privileged account, you are making a big mistake. No privileged account should be used on an unsecured workstation that is open to the internet. It is a security violation because malware that could potentially be downloaded from the internet could capture and compromise privileged credentials.
Greg Askew:
A member of Protected Users must not be the account used to authenticate on a VPN. Use another, non-privileged account.
Zoran Jankov:
@GregAskew Can you explain why a Protected Users member must not be the account used to authenticate on a VPN? I mean, I must understand why that is the case...
Greg Askew:
@ZoranJankov: These are the most critical accounts. You cannot provide an assurance that the credentials are protected over VPN because you don't know where they are. Further, these accounts are typically configured to only authenticate using a smart card. What you are doing would not pass an audit so I don't know what you are attempting to accomplish unless it's "we have to use this Protected Users group so how to make everything work the way it did before". Every person with a privileged account should have a non-privileged account for activities such as this.
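The separation described in the comments above (privileged accounts in Protected Users, a separate non-privileged account for VPN and daily work) can be verified rather than assumed. The following PowerShell audit script is an added example and is not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed and that VPN access is granted through an AD group whose name is a placeholder (`VPN-Users`); adjust it to your environment. It lists every user in Protected Users and reports the ones that also sit in the VPN access group, have the legacy dial-in permission allowed, or are not required to log on with a smart card, which are the conditions the comments say a Protected Users account should not have.

```powershell
# Added example (not from the original thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# ASSUMPTION: the group that grants VPN access in your environment. Placeholder name.
$VpnAccessGroup = 'VPN-Users'

function Get-ProtectedUsersVpnFindings {
    param([string]$VpnGroup = $VpnAccessGroup)

    # Resolve user members of the well-known Protected Users group (nested groups included).
    $protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    # Resolve user members of the VPN access group once, for fast lookup below.
    $vpnMembers = Get-ADGroupMember -Identity $VpnGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName

    foreach ($member in $protectedUsers) {
        # msNPAllowDialin is the "Network Access Permission: Allow access" setting on the Dial-in tab.
        # SmartcardLogonRequired reflects the "Smart card is required for interactive logon" flag.
        $user = Get-ADUser -Identity $member.SamAccountName `
            -Properties msNPAllowDialin, SmartcardLogonRequired, Enabled

        $findings = @()
        if ($vpnMembers -contains $user.SamAccountName) { $findings += "Member of $VpnGroup" }
        if ($user.msNPAllowDialin -eq $true)           { $findings += 'Dial-in permission allowed' }
        if (-not $user.SmartcardLogonRequired)         { $findings += 'Smart card logon not required' }

        # Emit one row per account that violates the separation; clean accounts produce no output.
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Account  = $user.SamAccountName
                Enabled  = $user.Enabled
                Findings = ($findings -join '; ')
            }
        }
    }
}

# Usage: run as an account that can read group membership and the listed attributes.
Get-ProtectedUsersVpnFindings | Format-Table -AutoSize
```

An empty result means no Protected Users member can reach the VPN through the checked paths. If your VPN authorizes users through NPS network policies or a third-party appliance rather than an AD group, add that source to the check; the script only sees what is visible in Active Directory.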