This page collects security recommendations for applying the principle of least privilege to the permissions assigned in your environment.
All of these instructions are optional: adopting some, all, or none of the recommendations depends on your sensitivity level and needs.
Hardening CoreView Hybrid Connector service accounts’ permissions (optional)
This is the list of cmdlets used by the management actions executed in your hybrid environment:
Get-ADDomainController
Get-ADForest
Get-ADDomain
Get-Group
Get-ADGroup
New-ADGroup
Remove-ADGroup
Set-ADGroup
Set-ADAccountPassword
Get-DistributionGroup
Add-DistributionGroupMember
New-DistributionGroup
Remove-DistributionGroup
Remove-DistributionGroupMember
Set-DistributionGroup
Get-User
Get-ADUser
New-ADUser
Set-ADUser
Set-User
Get-Recipient
Get-RemoteMailbox
Enable-RemoteMailbox
Set-RemoteMailbox
Get-ADObject
Move-ADObject
Rename-ADObject
Set-ADObject
Unlock-ADAccount
Get-ExchangeServer
Get-ADRootDSE
We recommend making your service accounts members of the Active Directory Domain Admins group, so that they can execute both the “native” management actions available in the CoreView portal and any custom management actions you set up.
If your security policy does not allow you to do that, you can still secure your environment by reducing its attack surface and minimizing the likelihood of a successful exploit, through both Active Directory delegation and the security settings of the PowerShell session configuration, also known as the PowerShell runspace.
More information about Active Directory delegation is available in the Microsoft documentation.
Active Directory Delegation
Active Directory (AD) delegation is the process of giving certain users or groups the ability to manage specific AD objects or attributes, without giving them full access to the entire AD. Delegation allows for more granular control over the management of AD objects, and can be useful in situations where different users or groups need to manage different parts of the AD.
To delegate the needed permissions to your Hybrid Connector service account, open the Active Directory Users and Computers snap-in, right-click each OU you would like to delegate, and assign the following permissions to your service account:
You need to assign the delegated permissions to each Organizational Unit (OU) of your Active Directory environment that you would like to manage through the CoreView portal.
Please make sure to select the same delegated OUs in the Organizational unit tree filter pane, found under the On-Premises section of the My Organization menu of the CoreView portal.
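A practical way to confirm that delegation, and only delegation, is what the service account holds on the managed OUs is to dump the ACEs that apply to it. The script below is an added example and is not part of the CoreView documentation or product; the service account name, the OU distinguished names and the domain are assumptions for illustration. It resolves the account's nested group membership through tokenGroups, warns if the account turns out to be a Domain Admin (in which case OU delegation is not what limits it), and translates attribute and extended-right GUIDs in each ACE into readable names.

```powershell
# Added example, not part of the CoreView documentation: report every ACE on the
# delegated OUs that applies to the Hybrid Connector service account, directly or
# through one of its groups, with attribute/extended-right GUIDs resolved to names.
# Run on a domain-joined admin workstation with RSAT installed.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-coreview'                       # assumed sAMAccountName of the service account
$DelegatedOUs   = @(                                   # assumed OUs, the same ones selected in the portal's OU tree filter
    'OU=Users,OU=Corp,DC=contoso,DC=com',
    'OU=Groups,OU=Corp,DC=contoso,DC=com'
)

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Map an ACE ObjectType/InheritedObjectType GUID to a schema attribute/class name
# or to an extended right (for example a password reset); the empty GUID means "all".
function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return 'All' }
    $hex    = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $schema = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(schemaIDGUID=$hex)" -Properties lDAPDisplayName
    if ($schema) { return $schema.lDAPDisplayName }
    $right  = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(rightsGuid=$($Guid.ToString()))" -Properties displayName
    if ($right) { return $right.displayName }
    return $Guid.ToString()
}

# tokenGroups yields the SIDs of every group the account belongs to, nested groups included.
$user       = Get-ADUser -Identity $ServiceAccount -Properties tokenGroups
$identities = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

$domainAdminsSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value
if ($identities -contains $domainAdminsSid) {
    Write-Warning "$ServiceAccount is a member of Domain Admins; the OU delegation below is not what limits it."
}

foreach ($ou in $DelegatedOUs) {
    $acl = Get-Acl -Path "AD:\$ou"                     # the AD: drive is provided by the ActiveDirectory module
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                           # orphaned/unresolvable SIDs are skipped
        if ($identities -notcontains $sid) { continue }
        [pscustomobject]@{
            OU            = $ou
            Identity      = $ace.IdentityReference.Value
            Type          = $ace.AccessControlType      # a Deny entry overrides Allow, so both are listed
            Rights        = $ace.ActiveDirectoryRights
            AppliesTo     = Resolve-AceGuid $ace.ObjectType
            OnObjectClass = Resolve-AceGuid $ace.InheritedObjectType
            Inherited     = $ace.IsInherited
        }
    }
}
```

Run it after delegating and keep the output with your change record: an entry with GenericAll, or an Allow ACE on an OU you did not select in the portal filter, is a sign the delegation was wider than intended.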
PowerShell remoting connection
CoreView Hybrid Connector uses your service account to run commands and scripts, through PowerShell remoting, on both your configured Active Directory Domain Controller and the Hybrid Exchange PowerShell virtual directory, and to access the PowerShell environment on those computers without having to log on to each one individually.
The remote PowerShell sessions are established with the Invoke-Command cmdlet.
PowerShell remoting is a feature in PowerShell that allows you to run commands on one or more remote computers using the PowerShell command-line interface (CLI). This is made possible through the use of Windows Remote Management (WinRM), Microsoft's implementation of the Web Services-Management (WSMan) protocol. WSMan is an open standard protocol that is built on top of the Common Information Model (CIM) protocol.
To secure your environment, you can modify your session configuration with the “Set-PSSessionConfiguration” cmdlet. This cmdlet is useful when you need to change the security settings of a PowerShell session configuration, such as adding or removing the users or groups that are allowed to connect to the session.
We recommend creating a custom security group in your Active Directory environment and then adding the CoreView Hybrid Connector service account to that group.
Once done, you can run the following PowerShell command to open the security descriptor of the Microsoft.PowerShell session configuration:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI
In the dialog that opens, grant the custom security group the Execute (Invoke) permission, so that your service account can connect remotely to your on-premises Domain Controller.
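The same grant can be made without the dialog, which is useful when the change has to be scripted or repeated on several Domain Controllers. The script below is an added example, not code from CoreView; the group name CoreView-Remoting is an assumption. It parses the current security descriptor of the Microsoft.PowerShell configuration with the .NET CommonSecurityDescriptor class instead of splicing the SDDL string, adds an Allow ACE equivalent to the Execute (Invoke) checkbox, applies it, and then reads the effective permission list back to verify.

```powershell
# Added example, not part of the CoreView documentation: grant a custom AD group the
# Execute (Invoke) permission on the Microsoft.PowerShell session configuration from
# the command line, then verify the result. Run in an elevated session on the DC.
Import-Module ActiveDirectory

$GroupName  = 'CoreView-Remoting'          # assumed custom security group that contains the service account
$ConfigName = 'Microsoft.PowerShell'

$groupSid = (Get-ADGroup -Identity $GroupName).SID
$current  = (Get-PSSessionConfiguration -Name $ConfigName).SecurityDescriptorSddl

# Parse the existing descriptor (DACL and SACL) rather than editing the SDDL text.
$sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $current)

# "Execute (Invoke)" in the UI is GENERIC_EXECUTE | GENERIC_READ (0xA0000000). AddAccess
# takes a signed Int32, so the mask is converted through its byte representation.
$invokeMask = [System.BitConverter]::ToInt32([System.BitConverter]::GetBytes([uint32]0xA0000000), 0)

$alreadyGranted = $sd.DiscretionaryAcl | Where-Object {
    $_.SecurityIdentifier -eq $groupSid -and $_.AceType -eq 'AccessAllowed'
}
if (-not $alreadyGranted) {
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow, $groupSid, $invokeMask,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    # -Force skips the confirmation prompt; the cmdlet restarts WinRM to apply the change.
    Set-PSSessionConfiguration -Name $ConfigName -SecurityDescriptorSddl $newSddl -Force
}

# Verify: the group must now appear as AccessAllowed in the effective permission list,
# and no broader principal (for example Everyone) should have been added by mistake.
$permission = (Get-PSSessionConfiguration -Name $ConfigName).Permission
$permission -split ', ' | Where-Object { $_ -like "*$GroupName*" }
```

The service account itself gets no explicit ACE; it inherits Invoke through the group, so removing it from CoreView-Remoting later revokes remoting without touching the session configuration again.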
Exchange hybrid service account
If your Hybrid Connector will manage your on-premises Exchange Server environment, please add your service account to the Recipient Management role group. Further information can be found in the Microsoft documentation.
Group Managed Service Account
Please note that a group Managed Service Account doesn’t apply to a Multi-Forest environment.
A Group Managed Service Account (gMSA) is a type of managed service account in Windows Active Directory that allows multiple computers to share the same account for running services. It is designed to allow multiple computers to share an identity without needing to know its password. A gMSA is used to provide a unique identity for a service that runs on multiple computers, eliminating the need to manage individual service accounts on each computer.
Since CoreView Hybrid Connector runs inside a Docker instance, which is not a domain-joined host, you can secure its connection through the Kerberos protocol by creating a group Managed Service Account in your Active Directory environment for the CoreView Docker container.
For more information about group Managed Service Account (gMSA) and containers, please refer to the Microsoft documentation.
CoreView Hybrid Connector runs two separate Docker containers: one performs management actions and the other imports objects from your on-premises environment.
The container in charge of importing objects from the on-premises environment starts every 6 hours, imports objects through the steps described in the document “CoreView Hybrid Connector - How On-Premises import process works”, and then stops, independently of the other container, which keeps running to execute CoreView native management actions and custom actions.
You can assign a gMSA configuration to each of the two containers. If you need to assign a gMSA to the container used for importing on-premises data in addition to the first one, we recommend creating two different gMSA accounts in your Active Directory, to avoid Kerberos conflicts when both containers are running and authenticating against your domain.
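The two accounts recommended above can be created and checked with the ActiveDirectory module. The script below is an added example, not code from CoreView: the gMSA names, the agent host name CVAGENT01 and the CoreView-Remoting group are assumptions, and it assumes that the Windows host running the CoreView Agent is domain-joined and is the only principal allowed to retrieve the managed passwords. It also adds each gMSA to the remoting group from the previous section, since a gMSA that replaces the classic service account needs the same delegation and Invoke permission.

```powershell
# Added example, not part of the CoreView documentation: create the two gMSAs
# (one per container), restrict which host may retrieve their passwords, and verify
# retrieval on that host. Run the first part as a domain administrator.
Import-Module ActiveDirectory

$Domain      = Get-ADDomain
$AgentHost   = Get-ADComputer -Identity 'CVAGENT01'      # assumed domain-joined host running the CoreView Agent
$RemotingGrp = 'CoreView-Remoting'                        # assumed group granted Invoke on the session configuration
$Accounts    = [ordered]@{                                # names kept at 15 characters or fewer (sAMAccountName limit)
    'gmsa-cv-actions' = 'CoreView container: management actions'
    'gmsa-cv-import'  = 'CoreView container: on-premises import'
}

# One KDS root key per forest is required before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # Even with -EffectiveImmediately the key needs about 10 hours of replication before every DC can use it.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

foreach ($name in $Accounts.Keys) {
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$name'")) {
        New-ADServiceAccount -Name $name `
            -DNSHostName "$name.$($Domain.DNSRoot)" `
            -Description $Accounts[$name] `
            -PrincipalsAllowedToRetrieveManagedPassword $AgentHost `
            -KerberosEncryptionType AES256 `
            -ManagedPasswordIntervalInDays 30             # rotation is automatic; the password is never known to anyone
    }
    # The gMSA replaces the classic service account, so it needs the same remoting permission.
    $gmsa = Get-ADServiceAccount -Identity $name
    $isMember = Get-ADGroupMember -Identity $RemotingGrp | Where-Object { $_.SID -eq $gmsa.SID }
    if (-not $isMember) { Add-ADGroupMember -Identity $RemotingGrp -Members $gmsa }
}

# --- Run this function on the agent host itself (CVAGENT01) once AD has replicated ---
# Install-ADServiceAccount caches the account locally; Test-ADServiceAccount proves
# that this host is allowed to retrieve the managed password.
function Test-CoreViewGmsa {
    foreach ($name in 'gmsa-cv-actions', 'gmsa-cv-import') {
        Install-ADServiceAccount -Identity $name
        if (Test-ADServiceAccount -Identity $name) {
            "$name OK"
        } else {
            Write-Warning "$name cannot be retrieved on $env:COMPUTERNAME; check PrincipalsAllowedToRetrieveManagedPassword."
        }
    }
}
```

Keeping PrincipalsAllowedToRetrieveManagedPassword limited to the single agent host is the point of the exercise: any other machine that could read the password would be able to act with the container's delegated rights.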
Once you have created your gMSA accounts, configure them in the CoreView Hybrid Connector settings file by adding the following keys to the file
located in the following folder:
C:\Program Files (x86)\CoreView Agent
To configure the Docker container that runs management actions, add and configure the following keys in the “AppSettings” section:
<add key="gMSAEnabled" value="true" />
<add key="gMSAName" value="your_gMSA_accountname" />
To configure gMSA for the container in charge of the object import, add and configure the following keys:
<add key="gMSAImporterEnabled" value="true" />
<add key="gMSAImporterName" value="your_second_gMSA_accountname" />
If no gMSA configuration is needed in your scenario, set the following keys to false or just leave the config file with the standard keys:
<add key="gMSAEnabled" value="false" />
<add key="gMSAImporterEnabled" value="false" />
Please be sure to run at least CoreView Hybrid Connector version 1.0.6 to support gMSA configuration.