Red Forest Design (ESAE)

ESAE/Red Forest is based on an Active Directory administrative tier model design.
- The purpose of this tiered model is to protect identity systems (AD, Azure AD) by using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise (Tier 1, Tier 2).
- Access usually cannot and should not extend across tiers. This improves security posture and reduces attack surface.

Tier 0: Domain, Global, and Privileged Admins
Tier 0 includes accounts, groups, services, and other assets that have direct or indirect administrative control of the Active Directory forest, domains, or domain controllers, and its assets. The security sensitivity of all Tier 0 assets is equivalent, as they are all effectively in control of each other.
These accounts should be accessible only when needed and require MFA for checkout.

Tier 1: Server/Resource Admins
Tier 1 assets include server operating systems, cloud services, and enterprise applications. Tier 1 administrator accounts have administrative control of a significant amount of business value that is hosted on these assets. A common example role is server administrators who maintain specific servers and resources.
These accounts provide admin access to specific servers and resources. An example would be someone who only has admin access to DevOps servers and resources.

Tier 2: Helpdesk/Desktop Support
Tier 2 is control of user workstations and devices. Tier 2 administrator accounts have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators, because they can impact the integrity of almost any user data.
Used for small administrative tasks like password resets, group creation, user accounts, and group membership.

[Diagram: example assets by tier. Domain controller, AD Connect Server (Tier 0); Web Server, File Server (Tier 1); Workstation clients (Tier 2); Key Vault.]
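As an added example (not part of the slide deck), a small Python check that applies the two rules stated above, accounts work only within their own tier and Tier 0 credentials require an MFA checkout, to constructed logon records; the account names, host names and tier assignments are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

TIER0, TIER1, TIER2 = 0, 1, 2
# Constructed tier assignments (hypothetical account and host names).
ACCOUNT_TIER = {"CORP\\da-alice": TIER0, "CORP\\srv-bob": TIER1, "CORP\\hd-carol": TIER2}
ASSET_TIER = {"DC01": TIER0, "ADCONNECT01": TIER0, "FS01": TIER1, "WEB01": TIER1, "WS-1042": TIER2}

@dataclass(frozen=True)
class Logon:
    account: str
    asset: str
    kind: str                   # "interactive" or "admin"
    mfa_checkout: bool = False  # credential was checked out with MFA

def check_logon(ev: Logon) -> Optional[str]:
    """Return a finding if the logon breaks the tier model, else None.
    Rules from the slide: an account works only within its own tier, and a
    Tier 0 credential is usable only after an MFA-protected checkout."""
    acct_tier = ACCOUNT_TIER.get(ev.account)
    asset_tier = ASSET_TIER.get(ev.asset)
    if acct_tier is None or asset_tier is None:
        return f"unclassified: {ev.account} -> {ev.asset} (every account and asset needs a tier)"
    if acct_tier == TIER0 and not ev.mfa_checkout:
        return f"no MFA checkout: Tier 0 account {ev.account} used on {ev.asset}"
    if acct_tier == asset_tier:
        return None
    if acct_tier < asset_tier:
        # A higher-tier credential typed into a lower-tier host can be harvested there.
        return (f"credential exposure: Tier {acct_tier} account {ev.account} "
                f"logged on to Tier {asset_tier} asset {ev.asset}")
    # A lower-tier account with rights on a higher-tier asset lets control flow upward.
    return (f"escalation path: Tier {acct_tier} account {ev.account} has {ev.kind} "
            f"access on Tier {asset_tier} asset {ev.asset}")

def audit(events: List[Logon]) -> List[str]:
    """Run every event through check_logon and keep the non-empty findings."""
    return [f for f in (check_logon(e) for e in events) if f]

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    Logon("CORP\\da-alice", "DC01", "interactive", mfa_checkout=True),     # compliant
    Logon("CORP\\da-alice", "WS-1042", "interactive", mfa_checkout=True),  # Tier 0 cred on Tier 2 host
    Logon("CORP\\da-alice", "ADCONNECT01", "admin"),                       # no checkout
    Logon("CORP\\hd-carol", "FS01", "admin"),                              # Tier 2 admin on Tier 1 server
    Logon("CORP\\srv-bob", "WEB01", "admin"),                              # compliant
]
if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

The same check can be fed from a real logon export once every account and host has been assigned a tier; anything unclassified is itself a finding.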