Thank you for your interest in our newsletters. You will receive an email shortly to confirm your subscription.
Katie Knowles
7 min read
An attacker with access to AD may configure insecure domain policies, create hidden backdoors, and access sensitive systems. Preventing these attacks can be difficult, and any hope of easily recovering from an AD compromise can be lost without the right configurations in place. [2]
There have been a number of significant changes in best practice with regards to AD. For your organization to resist current AD attacks, striving towards a modern AD environment is critical. We’ve tested the following recommendations for migrating to a "Red Forest" architecture, with each step making significant improvements to your organization’s security.
When an attacker slips through perimeter defenses using common attack methods – such as phishing or password compromise – an organization's AD systems will quickly be targeted.
Attacks may include:
Additional offensive strategies, such as Attack Path Mapping (APM)[3][4], oraganizational mapping [5] and persistence [6], allow attackers to quickly plot the most direct privilege escalation path to domain compromise, whilst avoiding detection.
To eliminate these attacks without third-party tooling, Microsoft has developed and recommended new domain architectures using built-in AD features and Microsoft Identity Manager (MIM). The most well-known of these is the Enhanced Security Administrative Environment (ESAE)[7], also known as the “Red Forest” model. It was created to dramatically reduce the possibility of a damaging domain compromise by eliminating common AD attack strategies through resilience.
ESAE implementation can be daunting. To be successful, an approach of several steps is recommended to deliver quick, meaningful improvements to the business over time. Each step adds its own improvements — including elimination of Pass the Hash attacks, managed service account passwords, and administration of the domain from a separate forest to prevent a full administrative compromise.
To maximize the benefits this journey has to offer, we recommend the following approach:
Understanding local account credentials is critical to ensuring administrative systems and user workstations are prepared for a shift to higher security. Microsoft’s Local Administrator Password Solution (LAPS) solves the issue of shared-credential local administrator accounts by providing each local account with a unique, complex password.
This password is then stored securely in AD for access by specified administrative accounts on a “need to know” basis. This helps prevent attackers from accessing several systems at once with a Pass-the-Hash style attack or password cracking.
More information: https://technet.microsoft.com/en-us/mt227395.aspx
Isolation of administrative systems is a fundamental principle of ESAE architecture. The first step to creating this separation comes through implementation of Microsoft’s Privileged Access Workstations (PAWs).
This architecture eliminates the risks of shared-use workstations by separating an individual’s user and administrative logins to separate contexts, preventing user-targeted attacks like phishing, drive-by browser exploits, and unverified software. New administrative workstations will later be managed as the highest-security “Tier 0” of devices within the ESAE model.
More information: https://aka.ms/paws
Once preparation of local accounts and systems has taken place, Microsoft Identity Manager (MIM)’s Privileged Access Management (PAM) builds out the foundation of the ESAE model.
These tools create a fully separate forest with a one-way trust for management of all production domains, ensuring a compromise of production administrator credentials doesn’t signal full compromise of the enterprise domain and network. During this stage, all PAWs created for administrative use can be joined to management domain(s) created within this new forest.
More information: https://aka.ms/mim, https://aka.ms/pam
MIM contains tools to manage which permissions administrators have at certain times, limiting the power an attacker with access to these accounts can have. Just Enough Administration (JEA) adds a granular method of controlling which accounts can request which administrative permissions.
Meanwhile, Just In Time Administration (JIT) provides the ability to grant administrators access to these permissions temporarily on a per-request basis. These features provide an easily-auditable framework to make sure accounts only make changes when they’re expected and authorized to do so.
More information: https://aka.ms/pam, https://msdn.microsoft.com/en-us/library/dn896648.aspx
By the final stage of implementation, the majority of requirements to operate a full ESAE domain have been met. The remaining fundamentals of ESAE are achieved through the creation of tiers for device management.
Tiers organize systems and accounts by level of risk to create security controls around critical areas of the domain. Low-risk tiers are restricted from accessing those of higher risk, greatly increasing the level of effort required for a privilege escalation attack within the domain. These tiers also allow for simple, ongoing application of advanced security controls such as application whitelisting, multi-factor authentication, and local firewall rules to specific device groups.
More information: https://aka.ms/esae
[1] “Success with Enterprise Mobility Identity”, https://cloudblogs.microsoft.com/enterprisemobility/2014/10/14/success-with-enterprise-mobility-identity/
[2] “Planning for Compromise”, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise
[3] "Attack Path Mapping" https://www.f-secure.com/en/consulting/our-thinking/what-is-attack-path-mapping
[4] “BloodHound AD”, https://github.com/BloodHoundAD/BloodHound
[5] “Visualising Organisational Charts from Active Directory”, https://labs.mwrinfosecurity.com/blog/visualising-organisational-charts-from-active-directory/
[6] “Sneaky Active Directory Persistence Tricks”, https://adsecurity.org/?p=1929
[7] “Active Directory Red Forest Design aka Enhanced Security Administrative Environment (ESAE)”, https://social.technet.microsoft.com/wiki/contents/articles/37509.active-directory-red-forest-design-aka-enhanced-security-administrative-environment-esae.aspx
F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.