Successfully reported this slideshow.

Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials

6

Share

Jan. 17, 2017
6 likes 7,284 views
Upcoming SlideShare
Guide IT Delivery Design - Security
Guide IT Delivery Design - Security
Loading in …3
×
1 of 49
1 of 49

Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials

Jan. 17, 2017
6 likes 7,284 views

6

Share

Download to read offline

Software

Security expert Randy Franklin Smith will explain the reasons why you might go through the extra trouble of a "red forest" — as well as the limitations of this structure.

Security expert Randy Franklin Smith will explain the reasons why you might go through the extra trouble of a "red forest" — as well as the limitations of this structure.

Software

Recommended

More Related Content

Similar to Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials

Tips to Remediate your Vulnerability Management Program
BeyondTrust
Cloud Migration, Application Modernization and Security for Partners
Amazon Web Services
Security Best Practices: AWS AWSome Day Management Track
Ian Massingham
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
Lisa Niles
W982 05092004
Sumit Tambe
Dell Password Manager Introduction
Aidy Tificate
Journey Through The Cloud - Security Best Practices
Amazon Web Services
Accelerating YourBusiness with Security
Amazon Web Services
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdStrike
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...
CloudIDSummit
Security Best Practices
Amazon Web Services
Network security
Nur Aishah Roslan
From Workstation to Domain Admin: Why Secure Administration isn't Secure and ...
Priyanka Aash
MCSA 70-412 Chapter 04
Computer Networking
10135 a 01
Bố Su
Material modulo01 asf6501(6419-a_01)
JSantanderQ
Securing Windows with Group Policy
Josh Rickard
Cissp Week 23
jemtallon
GDPR Part 4: Better Together Quest & SonicWall
Adrian Dumitrescu
From reactive to automated reducing costs through mature security processes i...
NetIQ

More from Quest

DBA vs Deadlock: How to Out-Index a Deadly Blocking Scenario
Quest
Got Open Source?
Quest
SQL Server 2017 Enhancements You Need To Know
Quest
Quest to the Cloud - Identifying the Barriers to Accelerate Office 365 Adoption
Quest
Top 10 Enterprise Reporter Reports You Didn't Know You Needed
Quest
Migrating to Windows 10: Starting Fast. Finishing Strong
Quest
The Cost of Doing Nothing: A Ransomware Backup Story
Quest
Ensuring Rock-Solid Unified Endpoint Management
Quest
Effective Patch and Software Update Management
Quest
Predicting the Future of Endpoint Management in a Mobile World
Quest
Investigating and Recovering from a Potential Hybrid AD Security Breach
Quest
Who’s Watching the Watchers? Fixing and Preventing Inappropriate Privileged A...
Quest
Sounding the Alarm with Real-Time AD Detection and Alerting
Quest
Identifying Hybrid AD Security Risks with Continuous Assessment
Quest
Reducing the Chance of an Office 365 Security Breach
Quest
Office 365 Best Practices That You Are Not Thinking About
Quest
How to Restructure Active Directory with ZeroIMPACT
Quest
How to Secure Access Control in Office 365 Environments
Quest
Your Biggest Systems Management Challenges – and How to Overcome Them
Quest
Top Five Office 365 Migration Headaches and How to Avoid Them
Quest

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
The Inmates Are Running the Asylum (Review and Analysis of Cooper's Book) BusinessNews Publishing
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Algorithms to Live By: The Computer Science of Human Decisions Brian Christian
(4.5/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
The History of the Future: Oculus, Facebook, and the Revolution That Swept Virtual Reality Blake J. Harris
(4.5/5)
Free
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
The Social Life of Information: Updated, with a New Preface-Revised John Seely Brown
(0/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
Targeted: The Cambridge Analytica Whistleblower's Inside Story of How Big Data, Trump, and Facebook Broke Democracy and How It Can Happen Again Findaway
(4/5)
Free

Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials

  1. 1. Sponsored byUnderstanding“RedForest”:The3-Tier EnhancedSecurityAdminEnvironment (ESAE)andAlternativeWaystoProtect PrivilegedCredentials © 2017 Monterey Technology Group Inc.
  2. 2. Thanks to  Made possible by
  3. 3. Preview of key points  Very important concepts  PtH  Logon types are not created equal  Security dependencies  Clean source  The problem with AD Forests  The 3-tier AD security zone design  DeployingTier 0 in a “red” forest  Completing the Enhanced SecurityAdministrative Environment  Beyond  How far does ESAE get you?  Alternatives and gaps  Privilege management
  4. 4. Pass-the-hash  To view this webcast: https://www.quest.com/webcast- ondemand/understanding-red-forest-the-3tier-enhanced- security-admin-environment8121798/  And related to credential artifact theft  Randy Smith/QuestWebinar: Deep Dive: Understanding Pass- the-Hash Attacks and How to Prevent  https://www.quest.com/webcast-ondemand/-understanding- pass-the-hash-attacks830251
  5. 5. Logon types are not created equal  The difference between interactive and network logons  Same goes for other logon types Interactive logon Network logon hash hash
  6. 6. Security dependencies  Control relationships create security dependencies Subject Controls Object Security dependency
  7. 7. The problem withAD forests  Domains inside a forest are not security boundaries  The forest is the “security boundary”  A lot risks with admin accounts in the same forest they administer  Privilege escalation  Credential theft  Control over each other  No security zones
  8. 8. The 3-tier design Tier 0 – Domain Admins Tier 1 – Server Admins Tier 2 –Workstation Admins
  9. 9. Tier isolation  Accounts  Servers  Workstations  Logon types  Cross-restrictions
  10. 10. DeployingTier 0 in a “red” forest  Tier Zero should be in a different forest  Production forest trusts red forest  No domain admin or similarly privileged accounts in production forest  Except emergency access account – built-in Administrator  Red forest dedicated to simply holdingTier 0 accounts for administering production forest  Tier 0 accounts do not have privileged access to red forest  Accounts needed for that purpose might be considerTier -1
  11. 11. The parts Domain Admins Administrators Administrator
  12. 12. The parts trust Domain Admins Administrators Administrator Delegated Permissions Domain Admins Administrators Administrator
  13. 13. The parts trust Domain Admins Administrators Role B Role A Role C Administrator Domain Admins Administrators Administrator Delegated Permissions
  14. 14. The parts trust Interactive logon Domain controller Network logon
  15. 15. Completing the Enhanced Security Administrative Environment  Identifying who needs what  Classification into tiers  Creating roles  Cleaning up old accounts  Quest Enterprise Reporter  Training  Privileged AdministrativeWorkstations
  16. 16. Beyond  How far does ESAE get you?  Alternatives and gaps  Privilege management
  17. 17. How far does ESAE get you?  Manages risk for  Active Directory  Windows OS  Doesn’t address  Many applications aren't compatible with being administered by accounts from an external forest using a standard trust  UNIX/Linux  Devices
  18. 18. Alternatives and gaps  ESAE doesn’t stop with a red forest  Tier 1 should be secured with a privilege management solution  Check out Quest PAM/PSM solutions  2 factor authentication  MS assumes smart cards  But one time password has significant advantages  Quest Defender  Alternative: proxy technology  Active Roles  GPO Admin
  19. 19. Bottom line  Really need to understand security dependencies  Identify control relationships  Implementing ESAE  Need good reporting  How best to address them  Red forest is one way to address those risks in AD and Windows  Privileged Account and Session Management Solutions  Go beyond AD andWindows  Proxy technologies provide a compelling alternative or compliment to isolated red forest  Understand the limitations of smart cards and the advantages of OTP  Check outQuest © 2017 Monterey Technology Group Inc.
  20. 20. “Red Forest” Bryan Patton, CISSP
  21. 21. Identify who is doing what
  22. 22. Confidential22 Executive Order 13636 issued February 12, 2013 NIST Framework
  23. 23. Confidential23 Identify applications on assets that require administrative rights
  24. 24. Confidential24 What are some privileged accounts in an environment? Identify Privileged Accounts • Domain Admins • Enterprise Admins • Local Administrators • SA • Helpdesk • OU Admins • Service Accounts • Unknown
  25. 25. Confidential25 Identification of known Privileged Accounts
  26. 26. Confidential26 Identification of unknown Privileged Accounts
  27. 27. Confidential27 Identification of Privileges on computer accounts
  28. 28. Confidential28 Identification of third party software on DC’s
  29. 29. Confidential29 Identification of what accounts are doing
  30. 30. Protection
  31. 31. Confidential31 Changes to Active Directory via proxy
  32. 32. Confidential32 Protect Active Directory- Enforce Least Privilege Access
  33. 33. Confidential33 Protect Workstations- Enforce Least Privilege Access
  34. 34. Confidential34 Protect hardware- block USB
  35. 35. Confidential35 Protect- Implement Group Policy
  36. 36. Confidential36 Protect- Workflow Approval Process Request Review Approve Commit Immediate Schedule Email Approve? Approve Deny View Details Rejection Comments Email Approve? Approve Deny View Details Rejection Comments Email
  37. 37. Confidential37 Protect- Prevent “Privileged Users” from performing actions
  38. 38. Detect
  39. 39. Confidential39 Detect- What can we do?
  40. 40. Confidential40 Detect- GPO Changes outside of version control system
  41. 41. Respond
  42. 42. Confidential42 Respond- Quickly search to identify relationships
  43. 43. Confidential43 Respond- Changes through Active Roles
  44. 44. Confidential44 Respond- Changes outside of Active Roles
  45. 45. Confidential45 Pre and post actions enable users to execute custom scripts before or after a GPOADmin action to facilitate integration with internal processes and systems. Respond after making a change to a GPO
  46. 46. Confidential46 Respond- use data to change what accounts are allowed to do
  47. 47. Recover
  48. 48. Confidential48 Recovery Active Directory from attribute to Forest level
  49. 49. Confidential49 Recovery a GPO to a specific version

×