Just-In-Time (JIT) user management in Active Directory (AD) using Windows Remote Management (WinRM) can be efficiently configured through senhasegura. To do this, it is necessary to create specific templates for creating and deleting users, which facilitate the automated and secure process of managing domain users. Here is the step-by-step guide to configuring these templates and their subsequent use within senhasegura.
Configuring Windows RM Connectivity:
- Connection Ports via WinRM:
  - WinRM uses port 5985 for HTTP connections and port 5986 for HTTPS connections. Make sure these ports are configured and open on the target devices.
- Creating Templates in senhasegura:
  - Access Executions > Settings > Templates in senhasegura.
  - Create a Windows RM executor template with the “New User” type for creating users and another with the “User Delete” type for deleting users.
Execution Templates:
- User Creation Template:
!unsecure
powershell New-ADUser -SamAccountName [#USERNAME#] -Name "[#USERNAME#]" -AccountPassword (ConvertTo-SecureString -AsPlainText "[#NEW_PASSWORD#]" -Force) -Enabled $true -Path 'CN=Users,DC=senhaseguralab,DC=com'
- User Removal Template:
!unsecure
powershell Remove-ADUser -Identity "[#USERNAME#]" -Confirm:$false
JIT Settings Configuration in Credential:
- After creating the templates, edit the desired credential and in the “JIT settings” tab add the creation and deletion templates as needed.
Additional Considerations:
- Customizing the Base CN:
  - Adapt the CN=Users,DC=senhaseguralab,DC=com path in the scripts according to your AD structure to ensure that users are created and removed correctly.
- Verifying Windows RM Connectivity:
  - Make sure that Windows RM connectivity is properly configured and functional on the target device to avoid failures in the execution process.
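The following PowerShell script is an added example, not senhasegura's own template code, that pulls together the two execution templates above and the two additional considerations (the configurable base container and the WinRM connectivity check). It assumes the ActiveDirectory module is installed on the target, that the executing account may create and delete users under the chosen path, and that the target listens on the standard WinRM ports 5985/5986. The function names, the parameter names `$UserName`, `$Password` and `$Path` (which stand in for the `[#USERNAME#]`, `[#NEW_PASSWORD#]` template tokens and the base CN), and the host name in the usage comments are all hypothetical.

```powershell
# Added example; not part of the senhasegura templates above.
# Assumes the ActiveDirectory module is present and the runner may manage users under $Path.
#Requires -Modules ActiveDirectory

function Test-JitWinRm {
    # Checks the WinRM port first (5985 HTTP, 5986 HTTPS), then confirms the
    # WinRM service actually answers, so an execution failure is caught early.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [switch] $UseSsl
    )
    $port = if ($UseSsl) { 5986 } else { 5985 }
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        throw "TCP port $port on $ComputerName is not reachable; open it before running templates."
    }
    if ($UseSsl) { return Test-WSMan -ComputerName $ComputerName -UseSSL -ErrorAction Stop }
    return Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
}

function New-JitAdUser {
    # Equivalent of the "New User" template, with the base container as a parameter.
    param(
        # sAMAccountName is limited to 20 characters; the pattern also keeps the
        # value out of the LDAP filter below as anything other than a plain name.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')] [string] $UserName,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $Path = 'CN=Users,DC=senhaseguralab,DC=com'  # adapt to your AD structure
    )
    if (Get-ADUser -Filter "SamAccountName -eq '$UserName'" -ErrorAction SilentlyContinue) {
        throw "An account named '$UserName' already exists; refusing to overwrite it."
    }
    New-ADUser -SamAccountName $UserName -Name $UserName -AccountPassword $Password `
               -Enabled $true -Path $Path -ErrorAction Stop
    # Confirm the object landed in the expected container before reporting success.
    $created = Get-ADUser -Identity $UserName
    if ($created.DistinguishedName -notlike "*,$Path") {
        throw "User '$UserName' was created outside the expected container: $($created.DistinguishedName)"
    }
    return $created
}

function Remove-JitAdUser {
    # Equivalent of the "User Delete" template; tolerates an already-removed account
    # so a repeated cleanup run does not fail.
    param(
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')] [string] $UserName
    )
    $existing = Get-ADUser -Filter "SamAccountName -eq '$UserName'" -ErrorAction SilentlyContinue
    if (-not $existing) {
        Write-Warning "User '$UserName' not found; nothing to remove."
        return $false
    }
    Remove-ADUser -Identity $existing.DistinguishedName -Confirm:$false -ErrorAction Stop
    return $true
}

# Usage (host name and account name are constructed for illustration):
# Test-JitWinRm -ComputerName 'dc01.senhaseguralab.com'
# $pw = Read-Host -AsSecureString 'Temporary password'
# New-JitAdUser -UserName 'jit-ops-01' -Password $pw
# Remove-JitAdUser -UserName 'jit-ops-01'
```

The password is taken as a SecureString rather than a plain-text literal, which is the counterpart of the ConvertTo-SecureString call in the template; the container check after New-ADUser is what turns a wrong base CN into an immediate, visible error instead of a user silently created in the default container.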
Important:
These settings allow you to manage AD users remotely and automatically, using the senhasegura infrastructure with WinRM support. Remember that these settings apply only to domain credentials, not to local accounts.