Planting the Red Forest: Improving AD on the Road to ESAE

Katie Knowles

Active Directory (AD) is trusted by 90% of businesses around the world for identity management.[1] This authentication protects administrative rights and restricted information within an enterprise, making AD a common target for attackers.

An attacker with access to AD may configure insecure domain policies, create hidden backdoors, and access sensitive systems. Preventing these attacks can be difficult, and any hope of easily recovering from an AD compromise can be lost without the right configurations in place. [2]

There have been a number of significant changes in best practice with regard to AD. For your organization to resist current AD attacks, striving towards a modern AD environment is critical. We’ve tested the following recommendations for migrating to a "Red Forest" architecture, with each step making significant improvements to your organization’s security.

The forest fire of AD compromise

When an attacker slips through perimeter defenses using common attack methods – such as phishing or password compromise – an organization's AD systems will quickly be targeted.

Attacks may include:

  • “Pass the Hash” to pivot to administrative systems
  • “Kerberoasting” domain service tickets to compromise service/administrative accounts
  • Targeted attack of administrative workstations
  • Abuse of weak service account passwords

Additional offensive strategies, such as Attack Path Mapping (APM)[3][4], organizational mapping [5] and persistence [6], allow attackers to quickly plot the most direct privilege escalation path to domain compromise whilst avoiding detection.

Eliminating attacks with ESAE

To eliminate these attacks without third-party tooling, Microsoft has developed and recommended new domain architectures using built-in AD features and Microsoft Identity Manager (MIM). The most well-known of these is the Enhanced Security Administrative Environment (ESAE)[7], also known as the “Red Forest” model. It was created to dramatically reduce the possibility of a damaging domain compromise by eliminating common AD attack strategies through resilience.

ESAE implementation can be daunting. To be successful, an approach of several steps is recommended to deliver quick, meaningful improvements to the business over time. Each step adds its own improvements — including elimination of Pass the Hash attacks, managed service account passwords, and administration of the domain from a separate forest to prevent a full administrative compromise.

Planting the forest with simple strategies

To maximize the benefits this journey has to offer, we recommend the following approach:

1. Securing local credentials: LAPS

Understanding local account credentials is critical to ensuring administrative systems and user workstations are prepared for a shift to higher security. Microsoft’s Local Administrator Password Solution (LAPS) solves the issue of shared-credential local administrator accounts by providing each local account with a unique, complex password.

This password is then stored securely in AD for access by specified administrative accounts on a “need to know” basis. This helps prevent attackers from accessing several systems at once with a Pass-the-Hash style attack or password cracking.

More information: https://technet.microsoft.com/en-us/mt227395.aspx
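Added example (not code from the article): an audit of a LAPS deployment with the AdmPwd.PS module that ships with LAPS, checking who can read the stored passwords and which machines have never rotated. The OU and group names are assumptions.

```powershell
# Added example, not the article's own code. Requires the AdmPwd.PS module
# (installed with LAPS) and the RSAT ActiveDirectory module.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$workstationOU = "OU=Workstations,DC=corp,DC=example"   # assumed OU
$helpdeskGroup = "CORP\LAPS-Readers"                   # assumed group allowed to read passwords

# 1. Who can read the clear-text password attribute (ms-Mcs-AdmPwd) in this OU?
#    Any holder you did not expect is effectively a "read every local admin" right.
Find-AdmPwdExtendedRights -Identity $workstationOU |
    Select-Object ObjectDN, ExtendedRightHolders

# 2. Grant read rights only to the intended group, and let each computer write
#    its own password and expiry time (rotation does not work without this).
Set-AdmPwdReadPasswordPermission -OrgUnit $workstationOU -AllowedPrincipals $helpdeskGroup
Set-AdmPwdComputerSelfPermission -OrgUnit $workstationOU

# 3. Machines whose password has never been set or is overdue for rotation.
#    ms-Mcs-AdmPwdExpirationTime is a FILETIME; an empty value means the LAPS
#    client has never run on that host, so it still has the shared build password.
$now = [DateTime]::UtcNow.ToFileTimeUtc()
Get-ADComputer -Filter * -SearchBase $workstationOU -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object {
        -not $_.'ms-Mcs-AdmPwdExpirationTime' -or
        [int64]$_.'ms-Mcs-AdmPwdExpirationTime' -lt $now
    } |
    Select-Object Name, @{ n = 'Expiry'; e = {
        if ($_.'ms-Mcs-AdmPwdExpirationTime') {
            [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        } else { 'never set' }
    } }
```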

2. Separating administrative access: PAW

Isolation of administrative systems is a fundamental principle of ESAE architecture. The first step to creating this separation comes through implementation of Microsoft’s Privileged Access Workstations (PAWs).

This architecture eliminates the risks of shared-use workstations by separating an individual’s user and administrative logins into separate contexts, preventing user-targeted attacks like phishing, drive-by browser exploits, and unverified software. New administrative workstations will later be managed as the highest-security “Tier 0” of devices within the ESAE model.

More information: https://aka.ms/paws

3. Isolating administrative permissions: PAM

Once preparation of local accounts and systems has taken place, Microsoft Identity Manager (MIM)’s Privileged Access Management (PAM) builds out the foundation of the ESAE model.

These tools create a fully separate forest with a one-way trust for management of all production domains, ensuring a compromise of production administrator credentials doesn’t signal full compromise of the enterprise domain and network. During this stage, all PAWs created for administrative use can be joined to management domain(s) created within this new forest.

More information: https://aka.ms/mim, https://aka.ms/pam
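Added example (not the article's or Microsoft's own code): the MIM PAM cmdlets that establish the bastion forest described above, a one-way trust from production, shadow principals for a production admin group, and a role with a maximum lifetime. Forest, domain controller, group and account names are assumptions; the cmdlets are run on the PAM server in the bastion forest.

```powershell
# Added example, not the article's own code. Cmdlets come from the MIMPAM module
# installed with the MIM PAM server component in the bastion ("Red") forest.
Import-Module MIMPAM

$prodForest  = "corp.example"        # assumed production forest
$prodNetbios = "CORP"                # assumed NetBIOS name of the production domain
$prodDC      = "dc1.corp.example"    # assumed production domain controller
$prodGroup   = "Tier0-Operators"     # assumed production group to be shadowed
$prodAdmin   = "jsmith"              # assumed production admin who gets a bastion account

# Production admin credential, needed only for this one-time setup.
$ca = Get-Credential -Message "Production domain admin for PAM setup"

# 1. One-way trust: production trusts the bastion forest, never the reverse, so a
#    compromised production administrator cannot reach into the bastion.
New-PAMTrust -SourceForest $prodForest -Credentials $ca
New-PAMDomainConfiguration -SourceDomain $prodNetbios -Credentials $ca

# 2. Shadow principals. The shadow group carries the production group's SID in
#    its SID history, so production ACLs keep working once the real group is
#    emptied of standing members.
$pg = New-PAMGroup -SourceGroupName $prodGroup -SourceDomain $prodForest `
                   -SourceDC $prodDC -Credentials $ca
$pu = New-PAMUser  -SourceDomain $prodForest -SourceAccountName $prodAdmin -Credentials $ca

# 3. A PAM role ties candidates (who may ask) to privileges (what they get), with
#    a maximum lifetime in seconds. Membership granted via the role is time-bound
#    and expires on its own, which is what makes just-in-time access possible.
New-PAMRole -DisplayName "Tier0-Operators-JIT" -Privileges $pg -Candidates $pu -TTL 3600

# 4. Review what the bastion forest now manages.
Get-PAMGroup
Get-PAMRole
```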

4. Limiting administrative availability: JEA and JIT

MIM contains tools to manage which permissions administrators have at certain times, limiting the power an attacker with access to these accounts can have. Just Enough Administration (JEA) adds a granular method of controlling which accounts can request which administrative permissions.

Meanwhile, Just In Time Administration (JIT) provides the ability to grant administrators access to these permissions temporarily on a per-request basis. These features provide an easily-auditable framework to make sure accounts only make changes when they’re expected and authorized to do so.

More information: https://aka.ms/pam, https://msdn.microsoft.com/en-us/library/dn896648.aspx
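Added example (not the article's own code) for the two ideas in this step: a Just Enough Administration endpoint that exposes only an allow-list of commands to one group, and a just-in-time request for a PAM role. Group, server, role and path names are assumptions, and the PAM role is assumed to already exist in the bastion forest.

```powershell
# Added example, not the article's own code.

# --- (a) Just Enough Administration -------------------------------------------
# Role capability file: the allow-list. Restart-Service is exposed only for the
# DNS service; nothing else is visible in the session, not even cmd.exe.
$rcDir = "$env:ProgramFiles\WindowsPowerShell\Modules\Tier1Ops\RoleCapabilities"
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-PSRoleCapabilityFile -Path "$rcDir\DnsOperator.psrc" `
    -ModulesToImport DnsServer `
    -VisibleCmdlets 'Get-DnsServerZone', 'Get-DnsServerResourceRecord', `
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }

# Session configuration: maps the AD group to the role and runs it under a
# virtual account, so no domain admin credential (and no reusable hash) lands on
# the server. Transcripts give the per-session audit trail the text calls for.
$pssc = "$env:ProgramData\JEA\Tier1Ops.pssc"
New-Item -ItemType Directory -Path "$env:ProgramData\JEA\Transcripts" -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$env:ProgramData\JEA\Transcripts" `
    -RoleDefinitions @{ 'CORP\Tier1-DnsOps' = @{ RoleCapabilities = 'DnsOperator' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "invalid session configuration" }
Register-PSSessionConfiguration -Name 'Tier1Ops' -Path $pssc -Force   # restarts WinRM

# A member of CORP\Tier1-DnsOps then connects with
#   Enter-PSSession -ComputerName dns1.corp.example -ConfigurationName Tier1Ops
# and Get-Command inside that session lists only the allow-listed commands.

# --- (b) Just In Time via MIM PAM ---------------------------------------------
# Run as the bastion-forest account. Membership in the shadow group is granted
# for RequestedTTL seconds and removed automatically when it expires.
Import-Module MIMPAM
New-PAMRequest -Role 'Tier0-Operators-JIT' -RequestedTTL 1800
Get-PAMRequest   # lists the request and its expiry for review
```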

5. Reducing breach impact: ESAE

By the final stage of implementation, the majority of requirements to operate a full ESAE domain have been met. The remaining fundamentals of ESAE are achieved through the creation of tiers for device management.

Tiers organize systems and accounts by level of risk to create security controls around critical areas of the domain. Low-risk tiers are restricted from accessing those of higher risk, greatly increasing the level of effort required for a privilege escalation attack within the domain. These tiers also allow for simple, ongoing application of advanced security controls such as application whitelisting, multi-factor authentication, and local firewall rules to specific device groups.

More information: https://aka.ms/esae


[1] “Success with Enterprise Mobility Identity”, https://cloudblogs.microsoft.com/enterprisemobility/2014/10/14/success-with-enterprise-mobility-identity/

[2] “Planning for Compromise”, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise

[3] “Attack Path Mapping”, https://www.f-secure.com/en/consulting/our-thinking/what-is-attack-path-mapping

[4] “BloodHound AD”, https://github.com/BloodHoundAD/BloodHound

[5] “Visualising Organisational Charts from Active Directory”, https://labs.mwrinfosecurity.com/blog/visualising-organisational-charts-from-active-directory/

[6] “Sneaky Active Directory Persistence Tricks”, https://adsecurity.org/?p=1929

[7] “Active Directory Red Forest Design aka Enhanced Security Administrative Environment (ESAE)”, https://social.technet.microsoft.com/wiki/contents/articles/37509.active-directory-red-forest-design-aka-enhanced-security-administrative-environment-esae.aspx
