Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials
Security expert Randy Franklin Smith will explain the reasons why you might go through the extra trouble of a "red forest" — as well as the limitations of this structure.
3.
Preview of key points
Very important concepts
PtH (pass-the-hash)
Logon types are not created equal
Security dependencies
Clean source
The problem with AD forests
The 3-tier AD security zone design
Deploying Tier 0 in a “red” forest
Completing the Enhanced Security Administrative Environment
Beyond
How far does ESAE get you?
Alternatives and gaps
Privilege management
4.
Pass-the-hash
To view this webcast: https://www.quest.com/webcast-ondemand/understanding-red-forest-the-3tier-enhanced-security-admin-environment8121798/
And related to credential artifact theft:
Randy Smith/Quest Webinar: Deep Dive: Understanding Pass-the-Hash Attacks and How to Prevent
https://www.quest.com/webcast-ondemand/-understanding-pass-the-hash-attacks830251
5.
Logon types are not created equal
The difference between interactive and network logons: an interactive logon (console, RDP, RunAs) places the account's password hash and Kerberos tickets in LSASS on the target machine, where anyone with local admin can extract and reuse them (pass-the-hash); a network logon (type 3, e.g. SMB access) proves possession of the credential without leaving it on the target
Same goes for other logon types: batch, service, unlock, cached-interactive and RunAs /netonly (NewCredentials) logons also leave reusable credentials on the target; network logon is the one that does not
[Diagram: interactive logon vs. network logon, showing where the hash ends up]
7.
The problem with AD forests
Domains inside a forest are not security boundaries (a Domain Admin in any domain can escalate to control of the whole forest)
The forest is the “security boundary”
Many risks with admin accounts living in the same forest they administer:
Privilege escalation
Credential theft
Control over each other
No security zones
8.
The 3-tier design
Tier 0 – Domain Admins (plus domain controllers, AD itself, and anything with direct or indirect control over them)
Tier 1 – Server Admins
Tier 2 – Workstation Admins
10.
Deploying Tier 0 in a “red” forest
Tier Zero should be in a different forest
Production forest trusts red forest (one-way trust: the red forest does not trust production)
No domain admin or similarly privileged accounts in production forest
Except emergency access account – built-in Administrator
Red forest dedicated to simply holding Tier 0 accounts for administering production forest
Tier 0 accounts do not have privileged access to red forest
Accounts needed for that purpose might be considered Tier -1
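The rules on the last few slides (only the built-in Administrator may hold Domain Admin-equivalent rights in the production forest, Tier 0 accounts hold no privilege in the red forest itself, and a higher-tier account never performs a credential-caching logon onto a lower-tier host) can be turned into an audit. The script below is an added example, not part of the deck or of any Quest product. The forest names, the account and host inventory, the role group names and the one-line 4624 record format are all constructed for the example; in practice you would feed it exports from Get-ADGroupMember and the Security event log.

```python
"""Audit an AD inventory and Security-log logon events against the
deck's 3-tier / red-forest rules.  Added example with constructed data;
the one-line event format is a stand-in for exported 4624 records."""
import re

# Logon types as recorded in event 4624.  Only type 3 (Network) leaves no
# reusable credential material (NT hash, Kerberos TGT) in LSASS on the
# target; every other type does.  (Windows behaviour, not stated on the deck.)
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
                    10: "RemoteInteractive", 11: "CachedInteractive"}
CREDENTIAL_CACHING_TYPES = set(LOGON_TYPE_NAMES) - {3}

# Built-in groups whose membership means Tier 0 control of a forest.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
BUILTIN_ADMIN_RID = 500  # the emergency-access account the deck allows in production

PROD_FOREST, RED_FOREST = "prod.example", "red.example"          # constructed
NETBIOS_TO_FOREST = {"PROD": PROD_FOREST, "RED": RED_FOREST}      # constructed

# Constructed inventory (what Get-ADUser / Get-ADGroupMember exports would give you).
ACCOUNTS = [
    {"sam": "Administrator", "forest": PROD_FOREST, "sid": "S-1-5-21-1-2-3-500",
     "groups": ["Administrators", "Domain Admins"], "tier": 0},
    {"sam": "svc-backup", "forest": PROD_FOREST, "sid": "S-1-5-21-1-2-3-1105",
     "groups": ["Domain Admins"], "tier": 0},           # leftover DA in production
    {"sam": "srv-bob", "forest": PROD_FOREST, "sid": "S-1-5-21-1-2-3-1301",
     "groups": ["Tier1-ServerAdmins"], "tier": 1},
    {"sam": "da-alice", "forest": RED_FOREST, "sid": "S-1-5-21-7-8-9-1201",
     "groups": ["Prod-Tier0-RoleA"], "tier": 0},        # delegated into prod, no red-forest rights
    {"sam": "da-carol", "forest": RED_FOREST, "sid": "S-1-5-21-7-8-9-1202",
     "groups": ["Prod-Tier0-RoleB", "Domain Admins"], "tier": 0},  # also admin of red forest: wrong
    {"sam": "redadmin", "forest": RED_FOREST, "sid": "S-1-5-21-7-8-9-1100",
     "groups": ["Domain Admins"], "tier": -1},          # the deck's "Tier -1"
]
HOST_TIER = {"DC01.prod.example": 0, "SQL07.prod.example": 1,
             "WS-042.prod.example": 2, "PAW-01.red.example": 0}

# Constructed 4624 records flattened to one line each (plus one 4672 to be skipped).
EVENTS = """\
EventID=4624 TargetDomainName=RED TargetUserName=da-alice LogonType=10 Computer=WS-042.prod.example
EventID=4624 TargetDomainName=RED TargetUserName=da-alice LogonType=3 Computer=SQL07.prod.example
EventID=4624 TargetDomainName=RED TargetUserName=da-alice LogonType=2 Computer=PAW-01.red.example
EventID=4624 TargetDomainName=PROD TargetUserName=srv-bob LogonType=10 Computer=SQL07.prod.example
EventID=4624 TargetDomainName=PROD TargetUserName=srv-bob LogonType=2 Computer=WS-042.prod.example
EventID=4672 TargetDomainName=PROD TargetUserName=srv-bob PrivilegeList=SeDebugPrivilege Computer=SQL07.prod.example
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_4624(text):
    """Return one dict per 4624 line; other event IDs are skipped."""
    out = []
    for line in text.splitlines():
        f = dict(_FIELD.findall(line))
        if f.get("EventID") == "4624":
            out.append({"domain": f["TargetDomainName"], "user": f["TargetUserName"],
                        "logon_type": int(f["LogonType"]), "computer": f["Computer"]})
    return out


def rid(sid):
    """Relative ID: the last component of a SID (500 = built-in Administrator)."""
    return int(sid.rsplit("-", 1)[1])


def production_privileged_accounts(accounts, prod_forest=PROD_FOREST):
    """Slide 10: no DA-equivalent in production except the built-in Administrator."""
    return sorted(a["sam"] for a in accounts
                  if a["forest"] == prod_forest
                  and TIER0_GROUPS.intersection(a["groups"])
                  and rid(a["sid"]) != BUILTIN_ADMIN_RID)


def tier0_with_red_forest_privilege(accounts, red_forest=RED_FOREST):
    """Slide 10: Tier 0 accounts must not be privileged in the red forest itself."""
    return sorted(a["sam"] for a in accounts
                  if a["forest"] == red_forest and a["tier"] == 0
                  and TIER0_GROUPS.intersection(a["groups"]))


def logon_violations(events, accounts, host_tier):
    """Flag credential-caching logons from a higher tier onto a lower-tier host.
    Network logons pass: they leave nothing in LSASS on the target to steal."""
    acct_tier = {(a["forest"], a["sam"].lower()): a["tier"] for a in accounts}
    bad = []
    for e in events:
        key = (NETBIOS_TO_FOREST.get(e["domain"]), e["user"].lower())
        if key not in acct_tier or e["computer"] not in host_tier:
            continue  # unknown account or host: report separately in real use
        if (e["logon_type"] in CREDENTIAL_CACHING_TYPES
                and host_tier[e["computer"]] > acct_tier[key]):
            bad.append((e["user"], e["computer"], LOGON_TYPE_NAMES[e["logon_type"]]))
    return bad


if __name__ == "__main__":
    print("DA-equivalents left in production:", production_privileged_accounts(ACCOUNTS))
    print("Tier 0 accounts privileged in red forest:", tier0_with_red_forest_privilege(ACCOUNTS))
    for v in logon_violations(parse_4624(EVENTS), ACCOUNTS, HOST_TIER):
        print("tier violation: %s -> %s via %s logon" % v)
```

Run as a script it reports svc-backup as a Domain Admin left behind in production, da-carol as a Tier 0 account that is also an admin of the red forest, and two tier-crossing logons: da-alice's RDP session on a Tier 2 workstation and srv-bob's console logon on the same machine. Her network logon to the Tier 1 SQL server is not flagged, which is exactly the distinction the "logon types are not created equal" slide draws.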
11.
The parts
[Diagram: the privileged parts of a forest: Domain Admins, Administrators, built-in Administrator account]
12.
The parts: trust
[Diagram: production forest trusts red forest; red-forest accounts receive delegated permissions in production; each forest keeps its own Domain Admins, Administrators and built-in Administrator]
13.
The parts: trust with roles
[Diagram: as on slide 12, with the red-forest accounts grouped into Role A, Role B and Role C, which carry the delegated permissions in production]
14.
The parts: trust
[Diagram: interactive logon vs. network logon against a domain controller]
15.
Completing the Enhanced Security Administrative Environment
Identifying who needs what
Classification into tiers
Creating roles
Cleaning up old accounts
Quest Enterprise Reporter
Training
Privileged Administrative Workstations (PAWs)
16.
Beyond
How far does ESAE get you?
Alternatives and gaps
Privilege management
17.
How far does ESAE get you?
Manages risk for:
Active Directory
Windows OS
Doesn’t address:
Many applications aren't compatible with being administered by accounts from an external forest using a standard trust
UNIX/Linux
Devices
18.
Alternatives and gaps
ESAE doesn’t stop with a red forest
Tier 1 should be secured with a privilege management solution
Check out Quest PAM/PSM solutions
Two-factor authentication
Microsoft's guidance assumes smart cards
But one-time passwords have significant advantages
Quest Defender
Alternative: proxy technology
Active Roles
GPOADmin
22.
Confidential22
Executive Order 13636 issued February 12, 2013
NIST Cybersecurity Framework (developed under that order)
23.
Identify applications on assets that require administrative rights
24.
What are some privileged accounts in an environment?
Identify Privileged Accounts
• Domain Admins
• Enterprise Admins
• Local Administrators
• SA
• Helpdesk
• OU Admins
• Service Accounts
• Unknown
25.
Identification of known Privileged Accounts
26.
Identification of unknown Privileged Accounts
27.
Identification of Privileges on computer accounts
28.
Identification of third-party software on DCs
29.
Identification of what accounts are doing
42.
Respond: quickly search to identify relationships
43.
Respond: changes through Active Roles
44.
Respond: changes outside of Active Roles
45.
Respond after making a change to a GPO
Pre and post actions enable users to execute custom scripts before or after a GPOADmin action to facilitate integration with internal processes and systems.
46.
Respond: use the data to change what accounts are allowed to do