feat: Add management overlay pattern (Nebula T0 / Tailscale T1) and cloud admin VM guidance
@@ -96,7 +96,18 @@ Nothing here replaces the governing question from Book I:
|
||||
- `[LOOK AT]` How many Domain Admins and Enterprise Admins exist, and are they all justified with named owners?
|
||||
- `[ASK]` When was the privileged account list last reviewed, and by whom?
|
||||
|
||||
### B2. PIM / JIT
|
||||
### B2. Admin workstations and management plane
|
||||
|
||||
- `[ASK]` What do admins use to reach a domain controller remotely? Is that path independent of the AD it manages, or does it depend on AD for authentication?
|
||||
- `[LOOK AT]` Do admins use the same device for privileged work (DC management, PIM activation) and daily tasks (email, browsing)?
|
||||
- `[ASK]` Is there a dedicated admin workstation — physical PAW or cloud admin VM (Windows 365 / AVD) — that is used only for privileged tasks?
|
||||
- `[LOOK AT]` If a cloud admin VM exists: is it enrolled in Intune with a hardened profile? Is it excluded from email and general browsing? Is it the device scoped in the CA policy restricting privileged role access?
|
||||
- `[LOOK AT]` Is there a management overlay (Nebula, Tailscale, Headscale) providing the admin access path to on-prem Tier 0 systems?
|
||||
- `[ASK]` If a Nebula T0 overlay exists: where is the CA key stored? Who can sign new node certificates? When was the last signing ceremony?
|
||||
- `[ASK]` If a Tailscale T1 overlay exists: is key expiry configured? Does re-authentication require phishing-resistant MFA via Entra?
|
||||
- `[LOOK AT]` For multi-cloud clients without a physical data centre: is the management plane explicitly designed, or is access to cloud management consoles and on-prem servers done ad hoc (VPN, direct RDP, per-cloud bastion, no unified plane)?
|
||||
|
||||
### B3. PIM / JIT
|
||||
|
||||
- `[LOOK AT]` Is Entra PIM deployed and enforced for Entra administrative roles?
|
||||
- `[LOOK AT]` Are Entra roles set to eligible (not active) by default?
|
||||
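Review bot: `CA` carries two meanings in this hunk: in the cloud admin VM item it is the Conditional Access policy scoping privileged role access, while in the Nebula T0 item it is the certificate authority key. Spell both out ("Conditional Access policy", "Nebula CA key") so a reader scanning the checklist does not conflate them. Also, the Tailscale T1 item asks whether key expiry is configured, but the Nebula T0 item asks only about CA key storage and who signs; adding a question on node certificate lifetime and how a lost or compromised node's certificate is revoked would bring the two overlay items to parity.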
@@ -106,7 +117,7 @@ Nothing here replaces the governing question from Book I:
|
||||
- `[LOOK AT]` Is PIM alert configuration enabled (Roles activated without MFA, Redundant assignments, etc.)?
|
||||
- `[ASK]` For on-prem DA/EA: is there any JIT or time-limited elevation mechanism in place?
|
||||
|
||||
### B3. Service Accounts (On-Prem)
|
||||
### B4. Service Accounts (On-Prem)
|
||||
|
||||
- `[LOOK AT]` Are there service accounts with SPNs and static passwords older than 12 months? (Kerberoastable)
|
||||
- `[LOOK AT]` Which service accounts are over-permissioned (e.g., Domain Admin, local admin on all servers)?
|
||||
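Review bot: inserting the new B2 shifts every following heading from B3 to B9 by one. Any cross-reference to these section numbers elsewhere in the book (including the Book I governing question referenced in the hunk header) will now point at the wrong section; grep for `B3.` through `B8.` outside this file and update them in the same commit, or consider keeping the old numbers stable by labelling the new section B1a or similar.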
@@ -114,7 +125,7 @@ Nothing here replaces the governing question from Book I:
|
||||
- `[LOOK AT]` Are there service accounts nobody can identify a current owner for?
|
||||
- `[TEST]` Run a Kerberoast simulation: do ticket requests for service account SPNs generate any detection?
|
||||
|
||||
### B4. Service Principals & App Registrations (Cloud)
|
||||
### B5. Service Principals & App Registrations (Cloud)
|
||||
|
||||
- `[LOOK AT]` Which app registrations hold escalation-grade Graph permissions (application permissions): `RoleManagement.ReadWrite.Directory`, `AppRoleAssignment.ReadWrite.All`, `Application.ReadWrite.All`, `Directory.ReadWrite.All`?
|
||||
- `[LOOK AT]` Which app registrations have non-expiring client secrets?
|
||||
@@ -122,14 +133,14 @@ Nothing here replaces the governing question from Book I:
|
||||
- `[LOOK AT]` Which apps have tenant-wide admin consent, and is each justified and reviewed?
|
||||
- `[LOOK AT]` Which Azure workloads use client secrets instead of managed identities where managed identities are available?
|
||||
|
||||
### B5. Tier Model / Clean Source
|
||||
### B6. Tier Model / Clean Source
|
||||
|
||||
- `[LOOK AT]` Do Domain Admins / Enterprise Admins authenticate from standard workstations used for email and browsing?
|
||||
- `[LOOK AT]` Is ADCS (Active Directory Certificate Services) deployed? If so, is it on a Tier 0 or hardened host, or on a standard server?
|
||||
- `[LOOK AT]` Are there shared administrative jump boxes that cross tier boundaries (used for both Tier 0 and Tier 1 work)?
|
||||
- `[LOOK AT]` Do cloud admins use the same device for privileged Entra work as for daily activity?
|
||||
|
||||
### B6. Escalation Paths
|
||||
### B7. Escalation Paths
|
||||
|
||||
- `[LOOK AT]` Are there accounts with `GenericAll`, `WriteDACL`, or `WriteOwner` on high-value AD objects (domain root, DCs, admin groups) that are not themselves Tier 0?
|
||||
- `[LOOK AT]` Are there computers with unconstrained delegation enabled (excluding DCs)?
|
||||
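Review bot: the unchanged B6 Tier Model items in this hunk ("Do Domain Admins / Enterprise Admins authenticate from standard workstations used for email and browsing?" and "Do cloud admins use the same device for privileged Entra work as for daily activity?") now overlap with the new B2 item asking whether admins use the same device for privileged work and daily tasks. Either consolidate them into one place or add a one-line cross-reference so the assessor does not record the same finding twice.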
@@ -137,7 +148,7 @@ Nothing here replaces the governing question from Book I:
|
||||
- `[LOOK AT]` Is LAPS (Windows LAPS preferred) deployed across all workstations and servers? What is the coverage percentage?
|
||||
- `[TEST]` Run BloodHound (or equivalent) and count attack paths to Domain Admin. Note the number as a baseline. Is it going up or down over time?
|
||||
|
||||
### B7. Break-Glass
|
||||
### B8. Break-Glass
|
||||
|
||||
- `[LOOK AT]` Do cloud-only break-glass Global Admin accounts exist?
|
||||
- `[LOOK AT]` Is phishing-resistant authentication (FIDO2 or certificate) configured on break-glass accounts?
|
||||
@@ -146,7 +157,7 @@ Nothing here replaces the governing question from Book I:
|
||||
- `[TEST]` Sign in to the break-glass account in a controlled drill. Does it work? Does the alert fire? Does someone respond?
|
||||
- `[ASK]` Where are the break-glass credentials stored, and can they be retrieved without the systems they recover?
|
||||
|
||||
### B8. Phishing-Resistant MFA for Admins
|
||||
### B9. Phishing-Resistant MFA for Admins
|
||||
|
||||
- `[LOOK AT]` What MFA method is enforced for Global Admins: FIDO2, certificate-based auth, or push/SMS?
|
||||
- `[LOOK AT]` Push-approve and SMS are not acceptable for administrative accounts. If they are in use, that is a P0.
|
||||
|
||||