Lithnet Access Manager

Setting up JIT for computers

Last updated 2 years ago
Lithnet Access Manager supports granting administrative access to computers using a simple just-in-time access model. Rather than having administrators permanently being a member of each computer's local administrator group, they can use Access Manager to grant themselves administrative access on a temporary as-needed basis.

By removing all permanent administrators from your computers, you increase the difficulty of a successful lateral-movement based attack.

At a high level, the following tasks need to be completed in order to enable just-in-time access:

  1. An empty AD group is created for each computer. This is the group used to grant JIT access.

  2. Each of those groups is added to the local administrators group of its corresponding computer.

  3. All members except the built-in administrator account and the JIT group are removed from the local administrators group.

  4. The members who were removed are then granted access through an Access Manager authorization rule.

Step 1: Prepare the Active Directory

Access Manager's JIT functionality works with any version of Active Directory from Windows Server 2003 and above, but the underlying mechanism used depends on the forest functional level.

Windows Server 2016 forest functional level and above where PAM feature is enabled

Active Directory forests with a Windows Server 2016 or higher forest functional level can take advantage of a newer feature called time-based membership. This has several advantages over the dynamic group model. In this model, when a user is granted JIT access to a role, Access Manager adds the user directly to the JIT group, but tells Active Directory that the group membership itself is time-limited. The user is added to the group with a time-to-live value, and after that time the user is automatically removed from the group by Active Directory.

Time-based membership is part of the Privileged Access Management optional forest feature and must be explicitly enabled.

You can use the Enable PAM feature in forest script, available on the `Directory configuration/Active Directory/Just-in-time access` page, to enable this feature in your forest.

Other domains

If the Active Directory PAM forest feature is not enabled or not available, Access Manager will add the user to the JIT group, and use its internal scheduler to remove the user from the group when the time has expired.
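The following is an added example, not a script from the Lithnet documentation or from Access Manager itself. It reports which of the two mechanisms described above Access Manager will be able to use in a forest: it reads the forest functional level and the enabled state of the Privileged Access Management optional feature. It assumes the ActiveDirectory RSAT module is installed and that the caller can read forest configuration; the call to enable the feature is left commented out because enabling it cannot be undone, and it is an assumption that this is what the AMS "Enable PAM feature in forest" script does.

```powershell
# Added example (not Lithnet's code): which JIT mechanism can this forest support?
# Assumes the ActiveDirectory module is available and the caller can read forest config.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Time-based (TTL) membership needs BOTH a Windows Server 2016+ forest functional
# level AND the optional PAM feature enabled. The feature object does not exist at
# all in forests whose schema predates Server 2016, so guard against $null.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
$pamEnabled = ($null -ne $pam) -and ($pam.EnabledScopes.Count -gt 0)

if ($pamEnabled) {
    $mechanism = 'AD time-based membership: AD removes the member when the TTL expires'
} else {
    $mechanism = 'AMS internal scheduler: Access Manager removes the member itself'
}

[pscustomobject]@{
    Forest            = $forest.Name
    ForestMode        = $forest.ForestMode
    PamFeatureEnabled = $pamEnabled
    JitMechanism      = $mechanism
}

# Enabling the feature is irreversible, so it is shown rather than run.
# Assumption: this is the operation the AMS 'Enable PAM feature in forest' script performs.
# -Target must be the forest root domain.
# Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target $forest.RootDomain
```

Run it once per forest before deciding on the JIT model: a forest that reports a 2016 functional level but `PamFeatureEnabled = False` will fall back to the scheduler model until the feature is enabled.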

Step 2: Creating the JIT groups

Best practice for JIT is that each computer you want to enable JIT for has a dedicated JIT group created for it in AD. The Access Manager Service contains a feature that allows you to automatically create a JIT group for each computer.

From the Directory Configuration/Active Directory/Just-in-time access page, you can enable automatic JIT group creation. Click Add to create a new mapping.

Select the OU that contains the computers you want to create JIT groups for and select a different OU where the JIT groups should be created.

It is recommended that the JIT group OU be dedicated to Access Manager JIT groups only. If the OU contains other groups, and the "delete groups in this OU that do not have matching computers" option is selected, those other groups will be deleted by Access Manager.

WARNING Given that anyone with access to modify group membership in this OU can effectively become an admin of any computer managed by JIT, you must take care to secure the OU and ensure only Access Manager has access to the objects within it.

Select a group name template, making sure to include the %computerName% variable. For each computer found in the specified OU, AMS will use this template to create the group. For a computer called PC1, a template of JIT-%computerName% will result in the group being called JIT-PC1. You'll need to use this same name template when creating the authorization rule that grants users access to these computers.

Once you have saved the mapping, use the Delegate permission script on the JIT Access page to ensure AMS can manage group objects in the specified container.

Note, using AMS specifically to create JIT groups is not required for JIT to work. If you have an existing group management tool you'd prefer to use, you can use that instead. Just ensure AMS has access to modify the group membership for those groups.
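As an added example (this is not Access Manager's own group-creation feature and not code from the documentation), the script below does what step 2 describes with plain ActiveDirectory cmdlets: it creates one empty group per computer from a `JIT-%computerName%` template, then runs the two checks the warnings above call for. It reports groups in the JIT OU that have no matching computer (the ones the "delete groups" option would remove) and lists every principal whose ACE on the OU lets it write group membership, which is the access that makes someone an admin of every JIT-managed computer. The OU paths and the choice of a Global security group are assumptions; the member attribute GUID is the schema GUID of the `member` attribute.

```powershell
# Added example (not Lithnet's code). OU paths and group scope are assumptions.
Import-Module ActiveDirectory

$computerOu = 'OU=Workstations,DC=contoso,DC=com'   # assumption: OU holding the computers
$jitGroupOu = 'OU=JIT Groups,DC=contoso,DC=com'     # assumption: OU dedicated to JIT groups
$template   = 'JIT-%computerName%'                  # same template style as the documentation

function Get-JitGroupName([string]$ComputerName) {
    # -replace is case-insensitive, so %computerName% and %computername% both match.
    return $template -replace '%computerName%', $ComputerName   # PC1 -> JIT-PC1
}

# 1. Create a missing, empty group for each computer in scope.
$computers = Get-ADComputer -Filter * -SearchBase $computerOu
foreach ($c in $computers) {
    $name = Get-JitGroupName $c.Name
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $jitGroupOu)) {
        # Global scope is an assumption; any scope a local group can contain works.
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security `
            -Path $jitGroupOu -Description "JIT admin group for $($c.Name), managed by Access Manager"
    }
}

# 2. Groups in the JIT OU with no matching computer. These are exactly what the
#    'delete groups in this OU that do not have matching computers' option removes.
$expected = $computers | ForEach-Object { Get-JitGroupName $_.Name }
Get-ADGroup -Filter * -SearchBase $jitGroupOu |
    Where-Object { $expected -notcontains $_.Name } |
    Select-Object @{n='OrphanedOrForeignGroup';e={$_.Name}}, DistinguishedName

# 3. Who can write group membership in this OU? Write on the 'member' attribute
#    (GUID bf9679c0-0de6-11d0-a285-00aa003049e2) or on all properties (empty GUID),
#    or broader rights such as GenericAll/WriteDacl that imply it. This list should
#    contain little beyond the Access Manager service account and domain admins.
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$allAttrsGuid   = [guid]::Empty
(Get-Acl -Path "AD:\$jitGroupOu").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' -or
            ($_.ActiveDirectoryRights -match 'WriteProperty' -and
             ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq $allAttrsGuid))
        )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The third check reads only the OU's own ACL; if groups were created elsewhere and moved in, or inheritance is blocked on individual group objects, repeat it against each group's distinguished name.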

Step 3: Add the JIT group via group policy

Using the group policy editor, create a new group policy object and link it to the OU containing your computer objects. Open the policy and navigate to Computer Configuration, Preferences, Control Panel Settings, Local Users and Groups.

Right-click the Local users and groups node, and select New, Local group. Click the drop-down arrow on the Group name field, and select Administrators (built-in).

Click the Add button and, for the group name, specify the templated name of the group from step 2, using the %computername% variable.

Add the built-in admin account, by creating a new member entry for Administrator.

If you are ready to enforce JIT access, select the Delete all member users tick box, as well as the Delete all member groups tick box. This will ensure that only the built-in administrator, the JIT group and any members specified in this policy are in the local administrators group.

It is recommended that you only turn this on after appropriate testing, and once all existing administrators have been granted access through an AMS authorization rule.

If you have additional users or groups that should also be in the local administrators group, then you can add those to the list. Remember, in order to prevent lateral movement with administrator rights, no accounts should have permanent administrative rights. Use this feature temporarily, to assist in an orderly transition to removing permanent admin rights, or in very limited circumstances.

Note, if you are currently using the older Windows Restricted groups policies, you'll need to convert that membership to use the new group-policy preferences style. The restricted groups policy does not allow use of the %computername% variable. The functionality provided by restricted groups is available in group policy preferences.
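Whether the policy actually produced the intended membership is best confirmed on the computers themselves rather than from the policy editor. The script below is an added example, not part of the documentation: from a management host it queries the local Administrators group on each computer in scope over WinRM and reports anything other than the built-in Administrator, the computer's own templated JIT group, and an explicit allowlist of transitional extras. It assumes WinRM is enabled, the caller is an administrator on the targets, the built-in account has not been renamed, and the NetBIOS domain name and OU path shown are placeholders.

```powershell
# Added example (not Lithnet's code). Domain, OU and allowlist are assumptions.
Import-Module ActiveDirectory

$domainNetbios  = 'CONTOSO'                          # assumption: NetBIOS name of the domain
$template       = 'JIT-%computerName%'
$permittedExtra = @()                                # e.g. 'CONTOSO\Break-Glass' during transition only
$computers = Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=contoso,DC=com'

# Runs on each target: read the real membership instead of trusting the policy report.
$results = Invoke-Command -ComputerName $computers.Name -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, Name, ObjectClass, PrincipalSource
}

foreach ($group in ($results | Group-Object Computer)) {
    $computer = $group.Name
    $jitGroup = "$domainNetbios\" + ($template -replace '%computerName%', $computer)
    # Get-LocalGroupMember reports names as MACHINE\account or DOMAIN\account.
    $allowed  = @("$computer\Administrator", $jitGroup) + $permittedExtra

    $unexpected = $group.Group | Where-Object { $allowed -notcontains $_.Name }
    [pscustomobject]@{
        Computer          = $computer
        MemberCount       = $group.Count
        JitGroupPresent   = ($group.Group.Name -contains $jitGroup)
        UnexpectedMembers = ($unexpected.Name -join ', ')
    }
}

# Computers that gave no result never answered WinRM; surface them rather than skipping silently.
$computers.Name | Where-Object { $_ -notin $results.Computer } |
    ForEach-Object { Write-Warning "No result from $_" }
```

A row with `JitGroupPresent = False` means the policy has not applied on that computer yet, so a JIT grant would put the user into a group that has no local rights there; a non-empty `UnexpectedMembers` column on a computer where the "Delete all member" options are enabled means some other policy or local process is adding members back.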

Step 4: Assign access

Once the policy is configured, you can assign access to individual users and groups using the AMS configuration tool.

From the Authorization rules/Computers page, select Add... to create a new authorization rule. Select the OU containing the computers enabled for JIT and provide a friendly description for this rule. This will appear in audit logs if a user is granted access.

Select Edit Permissions... to open the ACL editor. Assign the appropriate users and groups permission to allow JIT access.

You must provide the group name or template in the Just-in-time access settings area, as well as the length of time until the access expires.

If you'd like to be notified when someone requests JIT access, select the notification channels you'd like to send to for success and failure events.

Step 5: Validate access

Log in to the Access Manager web app as an authorized user, and request JIT access to a computer. If you have performed the steps correctly, you should be able to log on to that computer with local administrator rights.
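Logging on is the user-facing check; the directory-side check is to look at what Access Manager actually wrote to the JIT group. The following added example (not from the documentation) reads the group for PC1 with the AD module's `-ShowMemberTimeToLive` switch, which returns time-based members in the form `<TTL=<seconds>,<DN>>`, and prints each member with its remaining lifetime and which mechanism from step 1 governs it. The group name is a placeholder built from the `JIT-%computerName%` template.

```powershell
# Added example (not Lithnet's code). Group name is a placeholder.
Import-Module ActiveDirectory

$jitGroup = 'JIT-PC1'   # template JIT-%computerName% applied to computer PC1

# With -ShowMemberTimeToLive, members added with a TTL are returned as
# '<TTL=3600,CN=Jane Doe,OU=Users,DC=contoso,DC=com>' instead of a bare DN.
$group = Get-ADGroup -Identity $jitGroup -Properties member -ShowMemberTimeToLive

$group.member | ForEach-Object {
    if ($_ -match '^<TTL=(\d+),(.+)>$') {
        [pscustomobject]@{
            Member    = $Matches[2]
            ExpiresIn = [timespan]::FromSeconds([int]$Matches[1])
            Mechanism = 'AD time-based membership'
        }
    } else {
        # A plain DN is either a scheduler-managed member (non-PAM forest) or a
        # permanent member, which should not exist in a JIT group.
        [pscustomobject]@{
            Member    = $_
            ExpiresIn = $null
            Mechanism = 'AMS scheduler or permanent (verify)'
        }
    }
}
```

In a forest without the PAM feature every entry shows as a plain DN, so an entry that is still present after the rule's expiry time is the condition to investigate. Note that removing the group membership only affects new logons: a session established while the user was in the group keeps that group SID in its access token until the user logs off, which is why validation of expiry should be done with a fresh logon.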
