Shadow Principals (PAM)
When a Bastion Forest is compromised, there are multiple ways to obtain persistence on the forest it manages (referred to here as the "Production Forest"):
- Mark a low-privilege user from the Production Forest as a Shadow Security Principal in the Bastion Forest.
- Modify a Shadow Principal Object's DACL: add ACEs over a Shadow Principal Object (at least Read Members and Write Members) allowing a controlled user to add and remove principals at will in the member attribute.
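As an added defensive example (not from the original page), the following PowerShell audits every Shadow Principal object in the Bastion Forest: it lists the current members and the Production Forest SID each one maps to, and flags any Allow ACE that grants write access on the member attribute (or broader rights such as GenericAll or WriteDacl) to a principal outside an expected set. It assumes the ActiveDirectory module run against a Bastion Forest domain controller; the $ExpectedWriters list is an assumption to adjust for your environment.

```powershell
# Added audit example, not code from the original page.
# Assumes the ActiveDirectory module and a Bastion Forest domain controller.
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute, the target of "Read Members" / "Write Members" ACEs
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Principals expected to hold write rights on Shadow Principal objects (assumed; adjust per forest)
$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BASTION\Domain Admins', 'BASTION\Enterprise Admins')

# Rights that would let a principal rewrite the member attribute or the DACL itself
$BroadRights = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner') |
    ForEach-Object { [System.DirectoryServices.ActiveDirectoryRights]$_ }

$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Shadow Principal Configuration,CN=Services,$configNC"

$shadowPrincipals = Get-ADObject -SearchBase $searchBase -LDAPFilter '(objectClass=msDS-ShadowPrincipal)' `
    -Properties member, 'msDS-ShadowPrincipalSid', nTSecurityDescriptor

foreach ($sp in $shadowPrincipals) {
    # The Production Forest SID this shadow principal impersonates (may come back as byte[] or SID)
    $raw = $sp.'msDS-ShadowPrincipalSid'
    $prodSid = if ($raw -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value } else { "$raw" }
    Write-Host "`n[$($sp.Name)] maps to production SID $prodSid"
    Write-Host "  members: $($sp.member -join ', ')"

    foreach ($ace in $sp.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # WriteProperty counts only if it applies to all attributes or specifically to "member"
        $writesMember = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $MemberAttrGuid)
        $broad = $false
        foreach ($r in $BroadRights) { if ($rights.HasFlag($r)) { $broad = $true } }

        if (($writesMember -or $broad) -and ($ExpectedWriters -notcontains $ace.IdentityReference.Value)) {
            Write-Warning "  unexpected ACE on $($sp.Name): $($ace.IdentityReference) has $rights (ObjectType=$($ace.ObjectType))"
        }
    }
}
```

Run it on a schedule and diff the member lists and warnings against a known-good baseline; a new member or an unexpected writer on any Shadow Principal is the signal to investigate.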