Active Directory PAM Compliance (v1)

Enforcing access within an existing Active Directory environment

Written by Craig Medland
Updated over a week ago

When creating and managing a Remote Desktop Services (RDS) deployment, the itopia CAS provisions a set of service accounts within the Active Directory (AD) domain. These accounts are used to support various administrative functions within the Operating System (OS), AD and the RDS environment.

Privileged Access Management (PAM)

CAS supports Privileged Access Management (PAM) for these service accounts in AD. PAM is a solution to help organizations restrict privileged access within an existing AD environment.

PAM reduces opportunities for malicious users to get access to a customer’s AD environment while also increasing your control and awareness of the environment.  To learn more, read this Microsoft article.

CAS Support for PAM

CAS supports PAM in several ways.

The service accounts are programmatically generated for each CAS deployment and only have access to resources inside each specific CAS deployment. The accounts' credentials are encrypted and periodically rotated in accordance with itopia's Key Vault design.

The service accounts are implemented using a ‘least permissions’ model. Each service account has only the limited AD access and permissions required to perform its specific functions.

The service accounts are automatically assigned passwords of at least 8 characters that must include special characters (*, &, etc.), and these passwords are changed every 90 days.

Overview of CAS Service Accounts

CAS automatically creates, manages and uses these service accounts.

  1. Itoadmin01:  used to create and manage the RDS deployment. It requires a minimal set of permissions and is used for virtually all tasks related to the actual RDS environment.

  2. Itoadmin02:  used to perform all administration of domain users and groups, as well as to join member servers to the domain. 

  3. Itoadmin03:  a highly-privileged account used to perform domain-level configurations such as adding domain controllers.

  4. Itoadmin04:  the highest-privileged account, used only for the few actions that require Enterprise Admin membership in the AD forest.

  5. itoadmin-Servers:  used to perform all general administrative tasks on member servers (not domain controllers). It is only granted local Administrator membership on each of the member servers, including RDS servers, file servers, and any APP servers the customer may deploy.
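The policy stated above (90-day rotation, least permissions, and Enterprise Admin membership reserved for itoadmin04, with itoadmin-Servers holding only local Administrator rights on member servers) can be checked from the AD side. The script below is an added example written for this article; it is not itopia's code and is not part of CAS. It assumes the RSAT ActiveDirectory PowerShell module is available on a domain-joined workstation with read access to the domain, that the accounts' sAMAccountNames match the names listed above, and that the set of "tier-0" groups to watch (Enterprise Admins, Domain Admins, Schema Admins, Administrators) is an appropriate choice for the environment.

```powershell
# Added example (not itopia's code): audit the CAS service accounts against the
# policy described in this article. Assumes the RSAT ActiveDirectory module and
# that the sAMAccountNames below match the account names in the article.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90                         # rotation interval stated in the article
$ServiceAccounts    = @('itoadmin01', 'itoadmin02', 'itoadmin03', 'itoadmin04', 'itoadmin-Servers')
# Assumed list of high-privilege ("tier-0") groups to watch; adjust for your forest.
$Tier0Groups        = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators')

function Get-Tier0MemberMap {
    # Returns a hashtable: sAMAccountName -> array of tier-0 groups the user is in.
    # -Recursive resolves nested membership, so indirect membership is caught too.
    $map = @{}
    foreach ($group in $Tier0Groups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if (-not $map.ContainsKey($m.SamAccountName)) { $map[$m.SamAccountName] = @() }
            $map[$m.SamAccountName] += $group
        }
    }
    return $map
}

function Test-CasServiceAccountPolicy {
    # Emits one result object per check so the output can be filtered or exported.
    $tier0 = Get-Tier0MemberMap
    $now   = Get-Date

    $results = foreach ($name in $ServiceAccounts) {
        $user = Get-ADUser -Filter "sAMAccountName -eq '$name'" `
                           -Properties PasswordLastSet, PasswordNeverExpires, Enabled

        if (-not $user) {
            [pscustomobject]@{ Account = $name; Check = 'Exists'; Status = 'FAIL'; Detail = 'account not found' }
            continue
        }

        # Check 1: password rotation. The article states passwords change every 90 days.
        $ageDays = if ($user.PasswordLastSet) { (New-TimeSpan -Start $user.PasswordLastSet -End $now).Days } else { $null }
        [pscustomobject]@{
            Account = $name
            Check   = 'PasswordAge'
            Status  = if ($null -ne $ageDays -and $ageDays -le $MaxPasswordAgeDays) { 'PASS' } else { 'FAIL' }
            Detail  = "PasswordLastSet=$($user.PasswordLastSet); age=$ageDays days; PasswordNeverExpires=$($user.PasswordNeverExpires)"
        }

        # Check 2: privilege tier. Only itoadmin04 is described as needing Enterprise
        # Admin membership; itoadmin-Servers should hold no domain-level admin group
        # at all (it is only a local Administrator on member servers).
        $groups   = if ($tier0.ContainsKey($name)) { $tier0[$name] } else { @() }
        $tierFail = switch ($name) {
            'itoadmin-Servers' { $groups.Count -gt 0 }
            'itoadmin04'       { $false }
            default            { $groups -contains 'Enterprise Admins' }
        }
        [pscustomobject]@{
            Account = $name
            Check   = 'PrivilegeTier'
            Status  = if ($tierFail) { 'FAIL' } else { 'PASS' }
            Detail  = if ($groups.Count -gt 0) { "member of: $($groups -join ', ')" } else { 'no tier-0 group membership' }
        }

        # Check 3: disabled service accounts indicate a broken deployment rather than a
        # security finding, but are worth surfacing alongside the other results.
        [pscustomobject]@{
            Account = $name
            Check   = 'Enabled'
            Status  = if ($user.Enabled) { 'PASS' } else { 'WARN' }
            Detail  = "Enabled=$($user.Enabled)"
        }
    }
    return $results
}

# Usage: list only the failing checks.
Test-CasServiceAccountPolicy | Where-Object { $_.Status -ne 'PASS' } | Format-Table -AutoSize
```

The password-age check relies on the PasswordLastSet attribute, which is updated whatever mechanism rotates the credential, so it reflects the rotation the article describes even when that rotation is driven externally by the Key Vault rather than by a domain password policy. The privilege-tier check is deliberately conservative for itoadmin01 through itoadmin03: the article does not state which domain groups they hold, so the script only reports their tier-0 memberships and fails them solely if they appear in Enterprise Admins.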

