Well Managed Active Directory – The Red Forest

Data breaches and other security incidents have caused vulnerabilities such as “Pass the Hash” to resurface. Perimeter security alone is therefore no longer sufficient to secure our highly dynamic, connected and mobile enterprises. Instead, organizations must focus on protecting the enterprise at the identity level. Because 99% of enterprises rely heavily on Active Directory (AD) as their primary user authentication mechanism, AD has remained the most popular target among bad actors and is a critical component to any insider threat program.


The AD Compromise & Privileged Account Abuse

A brief synopsis of how AD becomes a primary focus of nefarious actors is as follows:

  • A user’s workstation is compromised via a phishing attack.
  • The bad actor gains administrative permissions to the user’s workstation and may create a problem that will require someone with elevated permissions to fix it.
  • An administrator logs onto the workstation to remedy the issue, leaving the administrator’s hash stored in memory.
  • The bad actor executes software to extract the hash and makes network connections from the workstation to resources, data stores, databases and more sensitive systems and data as the perceived privileged user.

To provide an additional level of assurance for accounts, passwords and credentials, Microsoft has published the Enhanced Security Administrative Environment (ESAE), also known as the “Red Forest” AD architecture.

Active Directory (AD) is trusted by 90% of businesses around the world for identity management.
- Microsoft

PLANTING THE RED FOREST

An attacker with access to AD may configure insecure domain policies, create hidden backdoors, and access sensitive systems. To eliminate these attacks without third-party tooling, Microsoft has developed and recommended new domain architectures using built-in AD features and Microsoft Identity Manager (MIM). The most well-known of these is the “Red Forest” model. 

Planting the forest with a simple five-step approach

To ensure that administrative systems and user workstations are prepared for a shift to higher security, Microsoft’s Local Administrator Password Solution (LAPS) solves the issue of shared-credential local administrator accounts by providing each local account with a unique, complex password. This password is then stored securely in AD for access by specified administrative accounts on a “need to know” basis.

Isolation of administrative systems is a fundamental principle of the ESAE architecture. The first step to creating this separation is the implementation of Microsoft’s Privileged Access Workstations (PAWs). This architecture eliminates the risks of shared-use workstations by separating an individual’s user and administrative logins into separate contexts, so that user-targeted attacks and unverified software cannot reach the administrative context.

Once local accounts and systems have been prepared, the Privileged Access Management (PAM) feature of Microsoft Identity Manager (MIM) builds out the foundation of the ESAE model. These tools create a fully separate administrative forest with a one-way trust used to manage all production domains, ensuring that a compromise of production administrator credentials does not mean full compromise of the enterprise domain and network.

Just Enough Administration (JEA) adds a granular method of controlling which accounts can request which administrative permissions. Meanwhile, Just In Time Administration (JIT) provides the ability to grant administrators access to these permissions temporarily on a per-request basis. These features provide an easily-auditable framework to make sure accounts only make changes when they’re expected and authorized to do so.

By the final stage of implementation, the majority of requirements to operate a full ESAE domain have been met. The remaining fundamentals of ESAE are achieved through the creation of tiers for device management. Tiers organize systems and accounts by level of risk to create security controls around critical areas of the domain. Low-risk tiers are restricted from accessing those of higher risk, greatly increasing the level of effort required for a privilege escalation attack within the domain.
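The JEA/JIT step above is where the tier model becomes enforceable in code: a constrained endpoint that gives a lower-tier group only the commands its job requires, running as a transient virtual account so no standing administrative credential is left on the server. The following is an added PowerShell example, not code from the article; the group name CONTOSO\Tier1-HelpDesk, the paths, the server name and the Spooler service are assumptions for illustration.

```powershell
# Added example: a JEA endpoint for a Tier-1 help-desk role (illustrative names).
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaHelpDesk'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null

# Role capability: allow-list specific cmdlets and pin their parameter values,
# so the operator can restart the print spooler but no other service.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'HelpDesk.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        'Get-Service',
        'Get-WinEvent'
    )

# Session configuration: no general-purpose shell (RestrictedRemoteServer),
# a per-session virtual account instead of a shared admin credential,
# and full transcripts so every action is auditable.
$pssc = Join-Path $modulePath 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\Tier1-HelpDesk' = @{ RoleCapabilities = 'HelpDesk' } }

# Validate the file before exposing the endpoint over WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "JEA session configuration failed validation: $pssc"
}
Register-PSSessionConfiguration -Name 'JEA.HelpDesk' -Path $pssc -Force | Out-Null

# From a PAW, a help-desk operator connects to the constrained endpoint:
#   Enter-PSSession -ComputerName SERVER01 -ConfigurationName 'JEA.HelpDesk'
#   Restart-Service -Name Spooler   # permitted by the role capability
#   Restart-Service -Name W32Time   # rejected: value is outside ValidateSet
```

Because the session runs as a virtual account, the operator's own domain credential is never used on the target server, which removes the cached-hash exposure described in the compromise scenario earlier on this page.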

Contact us today to discuss how Active Directory Security enforces authentication and protects administrative rights and restricted information within an enterprise.