[00:00:06] Secure accounts achieve a secure AD DS forest and domain infrastructure. By default, every account that signs into a domain-joined client or server is cached locally on that computer. The computer maintains by default the last 10 user profiles and their associated credentials. This is a risk, for example, in the following situations. Consider an administrative account that is used for troubleshooting or supporting users. By signing in locally to regular users' devices, the user account profile and its credentials are stored on the system. If the owner of the system has higher local rights, he or she can use tools to retrieve the administrative credentials and then use them to access other information on the network. Another situation is that certain user accounts and computers contain highly critical information. Therefore, ensure that only authorized users can sign into their workstations, and make sure that other users cannot access the same computers. You should configure a highly trusted service account for authorization only on a certain set of computers. To provide administrators with the ability to address these risks and requirements, Windows Server 2016 and later versions include new functionalities for credential protection and management. The functionalities are Protected Users, authentication policies, and authentication policy silos. Let's review each of these functionalities in more detail.
[00:02:03] The Protected Users security group prevents highly sensitive accounts from being locally cached on domain member computers. It requires domain controller authentication for those accounts for every sign-in that occurs. Protected Users is a new group that you can use to configure highly sensitive accounts, and you can find it in the Users container in Active Directory. To enable Protected Users, an administrator simply adds the highly trusted accounts to the Protected Users security group. The Protected Users feature does not require Windows Server 2012 R2 domain controllers. However, this group is created only when a Windows Server 2012 R2 or newer domain controller receives the PDC emulator operations master role. For future use of this feature, it is not necessary that the PDC emulator operations master remain on the Windows Server 2012 R2 domain controller, and it is not necessary to maintain the domain controller. However, because the domain controller can only be promoted when the schema has been extended, the schema extension for Windows Server 2012 R2 or newer needs to be in place even if the feature does not require it. The Protected Users feature is a client-side feature that protects domain accounts on domain member computers. Protected Users depends on the domain member's operating system and is available on the following operating systems.
[00:03:58] Windows 8.1 or newer and Windows Server 2012 R2 or newer. Older operating systems will not support this feature and will not prevent the accounts in the Protected Users group from being cached locally. To ensure that accounts within the Protected Users group are not compromised on older operating systems, use other methods, such as the Deny log on locally security setting, where appropriate. Protected Users who sign into a domain member computer that has a supported operating system will be prevented from using the following protocols: default credential delegation, or Credential Security Support Provider, which is CredSSP; Digest authentication; and NTLM. When all domain controllers of a sign-in domain are based on Windows Server 2012 R2 and the domain functional level is raised to Windows Server 2012 R2, additional security is provided. Because of this additional security, users cannot use DES or RC4 for encryption in Kerberos pre-authentication. They cannot be delegated with unconstrained or constrained delegation, and they cannot renew their Kerberos TGT without contact with the domain controller. The following applies when a user is a member of the Protected Users security group. The user must be able to use authentication based on AES encryption.
[00:05:53] Therefore, all domain controllers must be at a Windows Server 2008 level or newer. The password of any account in the Protected Users group must have been changed against a Windows Server 2008 or newer domain controller to ensure that the password was encrypted by using AES. On supported domain controllers, domain members, sorry, such as Windows 10 and Windows Server 2016, the credentials of the user will not be cached. The user will only be able to sign in to domain members that are able to authenticate against their domain controller. Offline sign-in will not work for these accounts. The startup of services that use an account that is a member of the Protected Users group will fail when the domain member is offline, and the maximum lifetime of the issued Kerberos TGT and the maximum lifetime for ticket renewal are limited to 240 minutes, or four hours, while administrators configure all other accounts by using the domain policy settings, which are 10 hours by default for the ticket and seven days for renewal. Four hours are hard-coded for Protected Users. Protected Users is a security setting that is global within the domain. This setting does not allow you to protect certain users only on certain devices. Therefore, use Protected Users carefully and test it before relying on the Protected Users feature.
[00:07:47] Now let's talk about another functionality for credential protection and management, which is authentication policies. With authentication policies, you can configure more restrictive Kerberos settings for a specific user or service account. Additionally, you can use DAC claims to define conditions that need to be met by users or service accounts and/or devices during sign-in. Authentication policies are implemented by using a new object class with the name authentication policy in AD DS. To implement authentication policies, you need to ensure that you meet the following prerequisites, including that all domain controllers in the domain must be based on Windows Server 2012 R2 or newer; the domain functional level must be Windows Server 2016 or 2012 R2; domain controllers must be configured to support DAC; and Windows 10, Windows 8.1, Windows Server 2016, 2012 R2, and 2012 domain members must be configured to support DAC, including Kerberos compound claims or device claims. When configuring an authentication policy in the Active Directory Administrative Center, you can configure the following settings: the display name of the authentication policy; a description; whether the policy should be enforced, which is the default, or whether you want to validate the policy by audit policy restrictions only; and the accounts to which the policy should apply. Accounts are in the authentication policy's settings.
[00:09:50] However, be aware that you configure this on the account, unlike authentication policy silos, where the accounts are configured within the silo. For user, service, and computer accounts, you can define the following settings: namely, the TGT lifetime of the account, and access control conditions used in DAC claims that define which users or services are able to run on which devices. You can configure these settings for user accounts either within the user properties window in the Active Directory Administrative Center or by configuring them in the authentication policy properties window. Regardless of where you configure these settings, they are written to the authentication policy. After you configure these settings, you will sign in to the device, or you will receive the message that your account is configured to prevent you from using this PC. In either case, an event is logged. Please note that while older operating systems have options to restrict users from signing into specific devices, they are easier to circumvent. Authentication policies and authentication policy silos, which are built on Kerberos instead of names only, and DAC claims provide a secure method to ensure that only certain users can sign into certain devices. Also, please note that authentication policies do not prevent users from signing in by using NTLM.
[00:11:43] When a domain member is fully able to communicate by using Kerberos, it is likely that the rules configured in the authentication policy work as expected. However, there might be scenarios where NTLM is used. To prevent this, consider combining Protected Users and account policies. And now let's talk about another functionality for credential protection and management, which is authentication policy silos. Authentication policy silos enable administrators to configure users, service accounts, and computers within the same security scope to apply the same authentication policy. Authentication policies enable administrators to select a separate authentication policy for each security principal type: user, service, or computer accounts.
[00:12:43] The system then adds an additional claim to silo principals, which enables file server administrators to restrict access to certain files for security principals of specific authentication policy silos. The prerequisites of authentication policy silos are the same as the prerequisites of authentication policies. You should use them as an alternative means to assign user, service, or computer accounts to use certain authentication policies. By using Active Directory delegation, you are able to assign different roles to create authentication policies and then assign those policies to security principals by using authentication policy silos. Like authentication policies, you can configure authentication policy silos to be enforced or in auditing mode. Authentication policies are enforced by default, while authentication policy silos are configured in audit mode. Additionally, authentication policy silos have a higher precedence than authentication policies. Furthermore, authentication policy silos do provide a claim, and an administrator can use it to ensure that certain files or certain file structures can only be accessed when users or computers have been validated by an authentication policy silo. Next up, we'll be talking about configuring user account policies. I'll see you there.