An attacker with access to AD may configure insecure domain policies, create hidden backdoors, and access sensitive systems. Preventing these attacks can be difficult, and any hope of easily recovering from an AD compromise can be lost without the right configurations in place. 
There have been a number of significant changes in best practice with regards to AD. For your organization to resist current AD attacks, striving towards a modern AD environment is critical. We’ve tested the following recommendations for migrating to a "Red Forest" architecture, with each step making significant improvements to your organization’s security.
Once an attacker has slipped through edge defenses using common techniques such as phishing or password compromise, the business's AD systems are quickly targeted: AD holds the credentials and group memberships that turn one foothold into control of every domain-joined host.
Dangerous AD attacks may include:
These attacks can be difficult to eliminate without the right tools. Recent offensive tradecraft, such as AD attack-path mapping and domain persistence techniques, lets attackers and penetration testers plot the most direct course from a compromised user to domain compromise while avoiding detection on the network.
To counter these attacks with built-in features rather than third-party tooling, Microsoft has proposed new domain architectures that use native AD capabilities together with Microsoft Identity Manager (MIM). The best known of these is the Enhanced Security Administrative Environment (ESAE), also known as the "Red Forest" model. It was designed to dramatically reduce the chance of a damaging domain compromise by building resilience into the forest structure and removing the conditions that common AD attack strategies rely on. (Microsoft has since retired ESAE as its general recommendation in favor of its cloud-centric enterprise access model, but the individual hardening steps below remain current practice.)
ESAE and its accompanying improvements can be daunting to implement. To be successful, a staged approach is recommended, with each stage delivering a quick, meaningful improvement to the business on its own. Each step adds its own gains, including removing shared local administrator credentials (which blunts Pass-the-Hash lateral movement), managing local and service account passwords, and administering the domain from a separate forest so that a production compromise does not become a full administrative compromise.
To maximize the benefits this journey has to offer, we recommend the following approach:
Understanding local account credentials is critical to ensuring administrative systems and user workstations are ready for a shift to higher security. Microsoft's Local Administrator Password Solution (LAPS) solves the problem of a shared local administrator credential reused across many machines by giving each computer's local administrator account a unique, complex password that is rotated automatically.
The password is stored in a confidential attribute on the computer object in AD, readable only by the principals explicitly delegated that right on a "need to know" basis. A single stolen local administrator hash or cracked password therefore no longer opens every workstation, which removes one of the most common lateral-movement paths. Because the stored value is the plaintext password, auditing exactly who can read that attribute is part of the deployment, not an afterthought.
More information: https://technet.microsoft.com/en-us/mt227395.aspx
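As an added example (not code from the original article), the following PowerShell uses the cmdlets that ship with the legacy LAPS module (AdmPwd.PS) to delegate read access to one group and then audit every principal that can actually read the stored passwords under an OU. The OU path, group names and computer name are placeholders, and the module is assumed to be installed on a management host.

```powershell
# Added example: delegate and audit legacy LAPS (AdmPwd.PS) password access.
# Assumes the AdmPwd.PS module is installed; OU, group and host names are placeholders.
Import-Module AdmPwd.PS

$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'            # placeholder OU
$Allowed       = @('NT AUTHORITY\SYSTEM',                        # always present
                   'CORP\Domain Admins',                         # placeholder Tier 0 group
                   'CORP\Tier1-Helpdesk')                        # placeholder delegated readers

# One-time setup (commented so the audit below can run on its own):
#   extend the schema, let each computer write its own password and expiry,
#   and delegate password read to the helpdesk group only.
# Update-AdmPwdADSchema
# Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU
# Set-AdmPwdReadPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals 'CORP\Tier1-Helpdesk'

function Get-UnexpectedLapsReaders {
    param(
        [Parameter(Mandatory)] [string]   $OrgUnit,
        [Parameter(Mandatory)] [string[]] $AllowedPrincipals
    )
    # Find-AdmPwdExtendedRights lists, per OU, every principal holding
    # "All extended rights", which includes read access to the confidential
    # ms-Mcs-AdmPwd attribute. Anyone not on the allow-list is a finding:
    # that principal can harvest every local admin password under the OU.
    Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
        $dn = $_.ObjectDN
        $_.ExtendedRightHolders |
            Where-Object { $AllowedPrincipals -notcontains $_ } |
            ForEach-Object { [pscustomobject]@{ OU = $dn; UnexpectedHolder = $_ } }
    }
}

# Audit: expect no rows. Any row is an over-delegated OU to fix with
# Set-AdmPwdReadPasswordPermission or by removing the inherited ACE.
Get-UnexpectedLapsReaders -OrgUnit $WorkstationOU -AllowedPrincipals $Allowed |
    Format-Table -AutoSize

# Day-to-day use by a delegated reader: fetch the current password and its expiry,
# then force rotation once the helpdesk session is over so the exposed value dies.
$entry = Get-AdmPwdPassword -ComputerName 'WS01'                 # placeholder host
"{0} expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName 'WS01' -WhenEffective (Get-Date)
```

Run the audit function on a schedule and alert on any output; the most common regression is a broad "Full Control" ACE granted to a server-operations group on a parent OU, which silently grants password read on everything beneath it.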
Isolation of administrative systems is a fundamental principle of the ESAE architecture. The first step toward that separation is implementing Microsoft's Privileged Access Workstations (PAWs).
This removes the risk of shared-use workstations by giving each individual separate devices and separate accounts for everyday use and for administration. Attacks that target the user, such as phishing, drive-by browser exploits and untrusted software, land on the everyday workstation and never touch a device where privileged credentials are entered. These new administrative workstations will later be managed as the highest-security "Tier 0" devices within the ESAE model, and the tier controls will enforce that Tier 0 credentials can only be used from them.
More information: https://aka.ms/paws
Once local accounts and administrative systems have been prepared, Microsoft Identity Manager (MIM) and its Privileged Access Management (PAM) component build out the foundation of the ESAE model.
These tools create a fully separate "bastion" forest with a one-way trust: the existing production forest trusts the bastion forest, not the reverse, so a compromise of production administrator credentials does not extend to the accounts that administer production. Recovery remains possible from the untouched forest. During this stage, the PAWs created for administrative use are joined to the management domain(s) in the new forest.
MIM PAM also controls which permissions administrators hold and when, limiting what an attacker who obtains one of these accounts can do. Just In Time (JIT) administration grants membership of a privileged group only on request and only for a defined time-to-live: the bastion forest holds shadow copies of production groups, and the requester's SID is added with an expiring link that the domain controllers remove automatically.
Just Enough Administration (JEA), a Windows PowerShell feature rather than part of MIM, complements this by constraining what a delegated account can run: a constrained remoting endpoint exposes only an allow-list of cmdlets and parameters and executes them under a transient virtual account, so the operator never holds standing administrative credentials. Together these features provide an auditable framework that ensures accounts make changes only when they are expected and authorized to do so.
More information: https://aka.ms/pam, https://msdn.microsoft.com/en-us/library/dn896648.aspx
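As an added example (not code from the original article or from Microsoft's documentation), the PowerShell below pairs the two controls described above: a JEA endpoint that limits what a DNS operator can run, and the MIM PAM cmdlets used to grant and request time-bound (JIT) membership of the production group that is allowed to reach that endpoint. Group, host, OU and role names are placeholders, the JEA part is assumed to run on the managed server, and the PAM part is assumed to run on a PAW joined to the bastion forest with the MIMPAM module installed.

```powershell
# Added example: Just Enough Administration (what) + MIM PAM JIT (when).
# All names are placeholders; see the lead-in for the assumed hosts.

# --- JEA: constrain WHAT a delegated account can run (run on the DNS server) ----------
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaRoles'
New-Item -ItemType Directory -Path (Join-Path $modulePath 'RoleCapabilities') -Force | Out-Null
New-Item -ItemType File      -Path (Join-Path $modulePath 'JeaRoles.psm1')     -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'JeaRoles.psd1') -RootModule 'JeaRoles.psm1'

# Role capability: the operator sees only these cmdlets, and Restart-Service
# accepts only -Name DNS, so the same endpoint cannot restart anything else.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\DnsOperator.psrc') `
    -Description 'Tier 1 DNS operator tasks' `
    -VisibleCmdlets @(
        'Get-DnsServerResourceRecord',
        'Clear-DnsServerCache',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )

# Session configuration: NoLanguage mode, a transient virtual account that is local
# admin only for the life of the session, and a transcript of every command.
$transcripts = 'C:\JEA-Transcripts'          # lock this folder down to Tier 0 readers
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $env:TEMP 'JEA.Dns.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CORP\Tier1-DNS-Operators' = @{ RoleCapabilities = 'DnsOperator' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "invalid session configuration" }
Register-PSSessionConfiguration -Name 'JEA.Dns' -Path $pssc -Force

# Operator side (from a PAW): only the allow-listed commands exist in this session.
#   Enter-PSSession -ComputerName dns01.corp.example -ConfigurationName JEA.Dns

# --- MIM PAM: constrain WHEN the account is in the privileged group -------------------
Import-Module MIMPAM

# Bastion-forest administrator, run once: mirror the production group and the user
# into the bastion forest, then define a role with a one-hour TTL and MFA on request.
# $cred holds production-forest credentials able to read the source objects.
# $grp = New-PAMGroup -SourceGroupName 'Tier1-DNS-Operators' -SourceDomain 'CORP' `
#                     -SourceDC 'dc01.corp.example' -Credentials $cred
# $usr = New-PAMUser  -SourceAccountName 'jdoe' -SourceDomain 'CORP' -Credentials $cred
# New-PAMRole -DisplayName 'DNS Operators' -Privileges $grp -Candidates $usr -TTL 3600 -MFAEnabled

# Operator, on the PAW: request the role for 30 minutes with a justification that
# lands in the MIM audit trail; the expiring link removes the membership by itself.
$role = Get-PAMRoleForRequest | Where-Object DisplayName -eq 'DNS Operators'
$req  = New-PAMRequest -Role $role -RequestedTTL 1800 `
            -Justification 'CHG0001234: clear stale DNS cache on dns01'
Get-PAMRequest                                   # inspect state of outstanding requests
# Close-PAMRequest -Request $req                 # hand the privilege back early
```

The two controls are complementary rather than redundant: JIT bounds the window in which the account is privileged, and JEA bounds the blast radius inside that window, so a stolen operator session yields neither standing group membership nor an unconstrained shell.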
By the final stage of implementation, most of the requirements for operating a full ESAE domain have been met. The remaining fundamentals of ESAE are achieved by organizing devices and accounts into tiers.
Tiers group systems and accounts by the level of risk they represent so that security controls can be placed around the most critical parts of the domain: Tier 0 is the identity infrastructure itself (domain controllers, the PAWs used to administer them, and the accounts that control them), Tier 1 is servers and applications, and Tier 2 is user workstations and their support staff. The rules run in both directions. Lower-tier accounts must never be able to control higher-tier assets, and higher-tier credentials must never be entered on lower-tier systems, since a Tier 0 logon to a Tier 2 workstation leaves credential material where any phishing victim's attacker can harvest it. Enforcing both greatly raises the effort required for privilege escalation within the domain. Tiers also make it straightforward to apply advanced controls such as application whitelisting, multi-factor authentication and local firewall rules to exactly the device group that needs them.
More information: https://aka.ms/esae
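As an added example (not code from the original article), this PowerShell implements the Tier 0 boundary described above and in the PAW step with the Active Directory module's authentication policies and silos: Tier 0 accounts are placed in a silo that only permits them to authenticate from devices in the same silo (the PAWs and domain controllers), and their Kerberos ticket lifetime is shortened. Group names, OU paths and silo names are placeholders. It assumes a Windows Server 2012 R2 or later domain functional level and that claims support has been enabled on the KDCs and clients through Group Policy, which is a prerequisite for the silo claim in the SDDL to be evaluated.

```powershell
# Added example: enforce "Tier 0 credentials only from Tier 0 devices" with an
# authentication policy silo. Names and OUs are placeholders; assumes DFL 2012 R2+
# and claims/compound authentication enabled by GPO on KDCs and clients.
Import-Module ActiveDirectory

$siloName    = 'Tier0-Silo'
$Tier0Admins = Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |           # placeholder group
                   Where-Object objectClass -eq 'user' | ForEach-Object { Get-ADUser $_ }
$Tier0Hosts  = Get-ADComputer -Filter * -SearchBase 'OU=Tier0,OU=Admin,DC=corp,DC=example'  # PAWs
$Tier0Hosts += Get-ADDomainController -Filter * | ForEach-Object { Get-ADComputer $_.Name }  # DCs

# SDDL condition: the user may authenticate only from a device whose own
# AuthenticationSilo claim equals our silo, i.e. a PAW or DC, never a Tier 2 workstation.
$fromTier0Only = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# Policies. Start WITHOUT -Enforce: the DCs then only log would-be failures to the
# AuthenticationPolicyFailures-DomainController channel, which is how you find the
# admin who still RDPs to servers from a laptop before you lock them out.
$userPolicy = New-ADAuthenticationPolicy -Name 'Tier0-UserPolicy' -PassThru `
    -UserTGTLifetimeMins 120 -UserAllowedToAuthenticateFrom $fromTier0Only
$computerPolicy = New-ADAuthenticationPolicy -Name 'Tier0-ComputerPolicy' -PassThru `
    -ComputerTGTLifetimeMins 120
$servicePolicy  = New-ADAuthenticationPolicy -Name 'Tier0-ServicePolicy' -PassThru `
    -ServiceTGTLifetimeMins 120

$silo = New-ADAuthenticationPolicySilo -Name $siloName -PassThru `
    -UserAuthenticationPolicy     $userPolicy `
    -ComputerAuthenticationPolicy $computerPolicy `
    -ServiceAuthenticationPolicy  $servicePolicy

# Membership is two-sided: the silo must permit the account, and the account must
# point at the silo. Both users and the Tier 0 devices go in.
foreach ($acct in @($Tier0Admins) + @($Tier0Hosts)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $acct
    Set-ADAccountAuthenticationPolicySilo  -Identity $acct -AuthenticationPolicySilo $silo
}

# Protected Users adds the rest of the Tier 0 account hygiene: no NTLM, no DES/RC4,
# no delegation, no cached credentials, 4-hour TGT ceiling.
Add-ADGroupMember -Identity 'Protected Users' -Members $Tier0Admins

# After an audit period with no unexpected failures, turn the controls on.
# Set-ADAuthenticationPolicy     -Identity 'Tier0-UserPolicy' -Enforce $true
# Set-ADAuthenticationPolicySilo -Identity $siloName          -Enforce $true

# Verification: every Tier 0 user should report the silo.
Get-ADUser -Filter * -SearchBase 'OU=Tier0,OU=Admin,DC=corp,DC=example' `
    -Properties msDS-AssignedAuthNPolicySilo |
    Select-Object SamAccountName, msDS-AssignedAuthNPolicySilo
```

Keep a break-glass Tier 0 account outside the silo, stored offline, so a misconfigured SDDL or a claims-policy GPO that fails to apply cannot lock every administrator out of the forest at once.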
"Success with Enterprise Mobility Identity", https://cloudblogs.microsoft.com/enterprisemobility/2014/10/14/success-with-enterprise-mobility-identity/
"Planning for Compromise", https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise
"Visualising Organisational Charts from Active Directory", https://labs.mwrinfosecurity.com/blog/visualising-organisational-charts-from-active-directory/
"Securing Privileged Access", https://docs.microsoft.com/en-za/windows-server/identity/securing-privileged-access/securing-privileged-access