Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Sponsored byUnderstanding“RedForest”:The3-Tier EnhancedSecurityAdminEnvironment (ESAE)andAlternativeWaystoProtect Privileg...
Thanks to  Made possible by
Preview of key points  Very important concepts  PtH  Logon types are not created equal  Security dependencies  Clean ...
Pass-the-hash  To view this webcast: https://www.quest.com/webcast- ondemand/understanding-red-forest-the-3tier-enhanced-...
Logon types are not created equal  The difference between interactive and network logons  Same goes for other logon type...
Security dependencies  Control relationships create security dependencies Subject Controls Object Security dependency
The problem withAD forests  Domains inside a forest are not security boundaries  The forest is the “security boundary” ...
The 3-tier design Tier 0 – Domain Admins Tier 1 – Server Admins Tier 2 –Workstation Admins
Tier isolation  Accounts  Servers  Workstations  Logon types  Cross-restrictions
DeployingTier 0 in a “red” forest  Tier Zero should be in a different forest  Production forest trusts red forest  No d...
The parts Domain Admins Administrators Administrator
The parts trust Domain Admins Administrators Administrator Delegated Permissions Domain Admins Administrators Administrator
The parts trust Domain Admins Administrators Role B Role A Role C Administrator Domain Admins Administrators Administrator...
The parts trust Interactive logon Domain controller Network logon
Completing the Enhanced Security Administrative Environment  Identifying who needs what  Classification into tiers  Cre...
Beyond  How far does ESAE get you?  Alternatives and gaps  Privilege management
How far does ESAE get you?  Manages risk for  Active Directory  Windows OS  Doesn’t address  Many applications aren't...
Alternatives and gaps  ESAE doesn’t stop with a red forest  Tier 1 should be secured with a privilege management solutio...
Bottom line  Really need to understand security dependencies  Identify control relationships  Implementing ESAE  Need ...
“Red Forest” Bryan Patton, CISSP
Identify who is doing what
Confidential22 Executive Order 13636 issued February 12, 2013 NIST Framework
Confidential23 Identify applications on assets that require administrative rights
Confidential24 What are some privileged accounts in an environment? Identify Privileged Accounts • Domain Admins • Enterpr...
Confidential25 Identification of known Privileged Accounts
Confidential26 Identification of unknown Privileged Accounts
Confidential27 Identification of Privileges on computer accounts
Confidential28 Identification of third party software on DC’s
Confidential29 Identification of what accounts are doing
Protection
Confidential31 Changes to Active Directory via proxy
Confidential32 Protect Active Directory- Enforce Least Privilege Access
Confidential33 Protect Workstations- Enforce Least Privilege Access
Confidential34 Protect hardware- block USB
Confidential35 Protect- Implement Group Policy
Confidential36 Protect- Workflow Approval Process Request Review Approve Commit Immediate Schedule Email Approve? Approve ...
Confidential37 Protect- Prevent “Privileged Users” from performing actions
Detect
Confidential39 Detect- What can we do?
Confidential40 Detect- GPO Changes outside of version control system
Respond
Confidential42 Respond- Quickly search to identify relationships
Confidential43 Respond- Changes through Active Roles
Confidential44 Respond- Changes outside of Active Roles
Confidential45 Pre and post actions enable users to execute custom scripts before or after a GPOADmin action to facilitate...
Confidential46 Respond- use data to change what accounts are allowed to do
Recover
Confidential48 Recovery Active Directory from attribute to Forest level
Confidential49 Recovery a GPO to a specific version
Upcoming SlideShare
Loading in …5
×
Software
6,903 views
Jan. 17, 2017

Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials

Security expert Randy Franklin Smith will explain the reasons why you might go through the extra trouble of a "red forest" — as well as the limitations of this structure.

no profile picture user

  • Login to see the comments

Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials

  1. 1. Sponsored byUnderstanding“RedForest”:The3-Tier EnhancedSecurityAdminEnvironment (ESAE)andAlternativeWaystoProtect PrivilegedCredentials © 2017 Monterey Technology Group Inc.
  2. 2. Thanks to  Made possible by
  3. 3. Preview of key points  Very important concepts  PtH  Logon types are not created equal  Security dependencies  Clean source  The problem with AD Forests  The 3-tier AD security zone design  DeployingTier 0 in a “red” forest  Completing the Enhanced SecurityAdministrative Environment  Beyond  How far does ESAE get you?  Alternatives and gaps  Privilege management
  4. 4. Pass-the-hash  To view this webcast: https://www.quest.com/webcast- ondemand/understanding-red-forest-the-3tier-enhanced- security-admin-environment8121798/  And related to credential artifact theft  Randy Smith/QuestWebinar: Deep Dive: Understanding Pass- the-Hash Attacks and How to Prevent  https://www.quest.com/webcast-ondemand/-understanding- pass-the-hash-attacks830251
  5. 5. Logon types are not created equal  The difference between interactive and network logons  Same goes for other logon types Interactive logon Network logon hash hash
  6. 6. Security dependencies  Control relationships create security dependencies Subject Controls Object Security dependency
  7. 7. The problem withAD forests  Domains inside a forest are not security boundaries  The forest is the “security boundary”  A lot risks with admin accounts in the same forest they administer  Privilege escalation  Credential theft  Control over each other  No security zones
  8. 8. The 3-tier design Tier 0 – Domain Admins Tier 1 – Server Admins Tier 2 –Workstation Admins
  9. 9. Tier isolation  Accounts  Servers  Workstations  Logon types  Cross-restrictions
  10. 10. DeployingTier 0 in a “red” forest  Tier Zero should be in a different forest  Production forest trusts red forest  No domain admin or similarly privileged accounts in production forest  Except emergency access account – built-in Administrator  Red forest dedicated to simply holdingTier 0 accounts for administering production forest  Tier 0 accounts do not have privileged access to red forest  Accounts needed for that purpose might be considerTier -1
  11. 11. The parts Domain Admins Administrators Administrator
  12. 12. The parts trust Domain Admins Administrators Administrator Delegated Permissions Domain Admins Administrators Administrator
  13. 13. The parts trust Domain Admins Administrators Role B Role A Role C Administrator Domain Admins Administrators Administrator Delegated Permissions
  14. 14. The parts trust Interactive logon Domain controller Network logon
  15. 15. Completing the Enhanced Security Administrative Environment  Identifying who needs what  Classification into tiers  Creating roles  Cleaning up old accounts  Quest Enterprise Reporter  Training  Privileged AdministrativeWorkstations
  16. 16. Beyond  How far does ESAE get you?  Alternatives and gaps  Privilege management
  17. 17. How far does ESAE get you?  Manages risk for  Active Directory  Windows OS  Doesn’t address  Many applications aren't compatible with being administered by accounts from an external forest using a standard trust  UNIX/Linux  Devices
  18. 18. Alternatives and gaps  ESAE doesn’t stop with a red forest  Tier 1 should be secured with a privilege management solution  Check out Quest PAM/PSM solutions  2 factor authentication  MS assumes smart cards  But one time password has significant advantages  Quest Defender  Alternative: proxy technology  Active Roles  GPO Admin
  19. 19. Bottom line  Really need to understand security dependencies  Identify control relationships  Implementing ESAE  Need good reporting  How best to address them  Red forest is one way to address those risks in AD and Windows  Privileged Account and Session Management Solutions  Go beyond AD andWindows  Proxy technologies provide a compelling alternative or compliment to isolated red forest  Understand the limitations of smart cards and the advantages of OTP  Check outQuest © 2017 Monterey Technology Group Inc.
  20. 20. “Red Forest” Bryan Patton, CISSP
  21. 21. Identify who is doing what
  22. 22. Confidential22 Executive Order 13636 issued February 12, 2013 NIST Framework
  23. 23. Confidential23 Identify applications on assets that require administrative rights
  24. 24. Confidential24 What are some privileged accounts in an environment? Identify Privileged Accounts • Domain Admins • Enterprise Admins • Local Administrators • SA • Helpdesk • OU Admins • Service Accounts • Unknown
  25. 25. Confidential25 Identification of known Privileged Accounts
  26. 26. Confidential26 Identification of unknown Privileged Accounts
  27. 27. Confidential27 Identification of Privileges on computer accounts
  28. 28. Confidential28 Identification of third party software on DC’s
  29. 29. Confidential29 Identification of what accounts are doing
  30. 30. Protection
  31. 31. Confidential31 Changes to Active Directory via proxy
  32. 32. Confidential32 Protect Active Directory- Enforce Least Privilege Access
  33. 33. Confidential33 Protect Workstations- Enforce Least Privilege Access
  34. 34. Confidential34 Protect hardware- block USB
  35. 35. Confidential35 Protect- Implement Group Policy
  36. 36. Confidential36 Protect- Workflow Approval Process Request Review Approve Commit Immediate Schedule Email Approve? Approve Deny View Details Rejection Comments Email Approve? Approve Deny View Details Rejection Comments Email
  37. 37. Confidential37 Protect- Prevent “Privileged Users” from performing actions
  38. 38. Detect
  39. 39. Confidential39 Detect- What can we do?
  40. 40. Confidential40 Detect- GPO Changes outside of version control system
  41. 41. Respond
  42. 42. Confidential42 Respond- Quickly search to identify relationships
  43. 43. Confidential43 Respond- Changes through Active Roles
  44. 44. Confidential44 Respond- Changes outside of Active Roles
  45. 45. Confidential45 Pre and post actions enable users to execute custom scripts before or after a GPOADmin action to facilitate integration with internal processes and systems. Respond after making a change to a GPO
  46. 46. Confidential46 Respond- use data to change what accounts are allowed to do
  47. 47. Recover
  48. 48. Confidential48 Recovery Active Directory from attribute to Forest level
  49. 49. Confidential49 Recovery a GPO to a specific version

×