What is Bastion Forest?
Windows Server 2016 comes with numerous features. Putting aside very cool virtualization features, new Active Directory capabilities have attracted network administrators’ attentions all around the world. As technical team in Microsoft has mentioned many times, security is one the most concerns that forced developers to put so much effort on. Novel features, such as Privileged Access Management (PAM), Just-in-Time access (JIT), Microsoft Identity Management (MIM), etc., dramatically can improve Active Directory security.
If you read a few articles or blogs about new features in Windows Server Active Directory 2016, you have probably stumbled upon bastion forest or bastion environment already. Although the term has not been officially defined at the time this article was written and it may change to another term later to refer to a general concept, I will explain what is bastion forest in this article.
New Security Principle
One of the most troubling issues in today’s networks is securing Active Directory access. Now days, it became very easy for intruders to comprise the security of not-being-well-configured Active Directory. Following an IT news, you will hear a lot about unauthorized privileged escalation, spear phishing, AD security vulnerabilities, etc. The thing is that it is very hard to find the comprised Domain Admin account. It is sometimes extremely difficult to stop the attacker in time when such access is granted.
To solve these problems, Windows Server 2016 provides several features and concepts. One of these important concepts, or somehow security principle, recommends creation of a duplicate domain which is responsible for authorization of privileged user accounts, such as Domain Admins, etc. This new concept, or new domain, the name of which is not agreed upon yet, is sometimes called bastion domain (probably similar to contoso which is Microsoft-made name for its documentation) and sometimes referred to as PRIV domain controller.
Anyhow, to reach the goal, the following changes should be conducted:
1. A new Active Directory forest (bastion forest) will be created
2. Privileged accounts will be created in the new forest. It is not necessary for other account such as domain users.
3. A trust will be stablished between these two domains, referred to as PAM trust.
4. New types of groups (unique to Windows Server 2016), called shadow groups, will be created in the bastion forest.
Read this Microsoft document to understand the steps required for planning bastion environment. By doing this, privileged accounts are being separated from the original Active Directory environment. As a result, all authentications and authorizations are handled by Privileged Identity Management (PIM) feature with the following steps:
1. When a user account needs privileged access, it requests privileged access from PAM, which is an instance of PIM.
2. Based on the policy, the request is approved or denied. Moreover, these requests as well as all activities are logged in Even Viewer, and alerts and reports can be generated as well.
3. If the request is approved, the user will be temporarily added to the shadow principle (group) in the bastion forest. Now, the user account can access the original domain as before since the shadow principle refers to the same group in the original domain. However, the membership now is time-bound (Read more about temporary group membership feature). In fact, this kind of membership has a time-to-live after which the privilege is automatically taken away.
The simplified version of this process is depicted in the above figure. Note that you don’t have to upgrade your current domain or forest functional level to Window Server 2016 since only the bastion forest need such features. Also it is worth noting that the process of requesting a privilege (which is a kind of workflow) is only required for administrative accounts. Additionally, all changes and requests are logged in Event Viewer that can be simply used in monitoring solutions.