Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials

Post on 07-Feb-2017

Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials

© 2017 Monterey Technology Group Inc.

Preview of key points

Very important concepts

• PtH
• Logon types are not created equal
• Security dependencies
• Clean source

The problem with AD Forests

The 3-tier AD security zone design

Deploying Tier 0 in a “red” forest

Completing the Enhanced Security Administrative Environment

Beyond

• How far does ESAE get you?
• Alternatives and gaps
• Privilege management

Pass-the-hash

To view this webcast: https://www.quest.com/webcast-ondemand/understanding-red-forest-the-3tier-enhanced-security-admin-environment8121798/

And related to credential artifact theft

Randy Smith/Quest Webinar: Deep Dive: Understanding Pass-the-Hash Attacks and How to Prevent

https://www.quest.com/webcast-ondemand/-understanding-pass-the-hash-attacks830251

Logon types are not created equal

The difference between interactive and network logons

Same goes for other logon types

(Diagram: interactive logon vs. network logon, labelled with where the hash is present)

Security dependencies

Control relationships create security dependencies

(Diagram: Subject controls Object; the control relationship is the security dependency)

The problem with AD forests

Domains inside a forest are not security boundaries

The forest is the “security boundary”

A lot of risks with admin accounts in the same forest they administer:

• Privilege escalation
• Credential theft
• Control over each other
• No security zones

The 3-tier design

Tier 0 – Domain Admins

Tier 1 – Server Admins

Tier 2 – Workstation Admins

Tier isolation

• Accounts
• Servers
• Workstations
• Logon types
• Cross-restrictions
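As an added example (not material from the webcast), the following Python models the three slide ideas just covered: control relationships create security dependencies, an interactive logon leaves reusable credential material on the host while a network logon does not, and tiered accounts must not create dependencies on lower-tier hosts. Account names, host names, tier assignments and logon records are all constructed; the rule that a Tier N account administers every Tier N host is a simplifying assumption.

```python
"""Tier-model checker (added example; all data below is constructed).
Tiers follow the slide: 0 = Domain Admins, 1 = server admins,
2 = workstation admins. A host that received an interactive logon
holds that account's credential material, so it "controls" the account."""
from collections import defaultdict

# Constructed inventory of account and host tiers.
ACCOUNT_TIER = {"CORP\\da-alice": 0, "CORP\\srv-bob": 1, "CORP\\wks-carol": 2}
HOST_TIER = {"DC01": 0, "SQL01": 1, "WKS-1234": 2}

# Constructed logon records (account, host, Windows logon type). Types 2
# and 10 are interactive / remote interactive; type 3 is a network logon.
INTERACTIVE = {2, 10}
LOGONS = [
    ("CORP\\da-alice", "DC01", 2),
    ("CORP\\da-alice", "WKS-1234", 10),  # Tier 0 admin RDPs to a workstation
    ("CORP\\srv-bob", "SQL01", 2),
    ("CORP\\srv-bob", "WKS-1234", 3),    # network logon leaves no hash behind
    ("CORP\\wks-carol", "WKS-1234", 2),
]

def host_controls(logons):
    """host -> accounts whose credentials that host holds (interactive only)."""
    g = defaultdict(set)
    for account, host, ltype in logons:
        if ltype in INTERACTIVE:
            g[host].add(account)
    return g

def tier_violations(logons):
    """Cross-tier dependencies: a lower tier host (larger number) holding
    credentials of a higher tier account (smaller number)."""
    return sorted((acct, host) for host, accts in host_controls(logons).items()
                  for acct in accts if ACCOUNT_TIER[acct] < HOST_TIER[host])

def blast_radius(start_host, logons):
    """Transitive security dependencies from one compromised host. Assumes
    (simplification) that a Tier N account administers every Tier N host."""
    hc = host_controls(logons)
    hosts, accounts, todo = set(), set(), [start_host]
    while todo:
        h = todo.pop()
        if h in hosts:
            continue
        hosts.add(h)
        for acct in hc.get(h, ()):
            accounts.add(acct)
            todo.extend(x for x, t in HOST_TIER.items() if t == ACCOUNT_TIER[acct])
    return hosts, accounts
```

Running `tier_violations(LOGONS)` flags only the Tier 0 account's remote-interactive logon to the workstation, and `blast_radius("WKS-1234", LOGONS)` shows that the workstation's dependency chain reaches DC01 through that cached credential, while the server admin's network logon adds nothing.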

Deploying Tier 0 in a “red” forest

Tier Zero should be in a different forest

Production forest trusts red forest

No domain admin or similarly privileged accounts in production forest

• Except emergency access account – built-in Administrator

Red forest dedicated to simply holding Tier 0 accounts for administering production forest

Tier 0 accounts do not have privileged access to red forest

Accounts needed for that purpose might be considered Tier -1

The parts

(Diagram series: the production forest and the red forest, each with Domain Admins, Administrators and the built-in Administrator; a trust from the production forest to the red forest; delegated permissions in the production forest granted to red-forest roles A, B and C; interactive logon to the domain controller contrasted with network logon)

Completing the Enhanced Security Administrative Environment

Identifying who needs what

Classification into tiers

Creating roles

Cleaning up old accounts

Quest Enterprise Reporter

Training

Privileged Administrative Workstations

Beyond

• How far does ESAE get you?
• Alternatives and gaps
• Privilege management

How far does ESAE get you?

Manages risk for:

• Active Directory
• Windows OS

Doesn’t address:

• Many applications aren't compatible with being administered by accounts from an external forest using a standard trust
• UNIX/Linux
• Devices

Alternatives and gaps

ESAE doesn’t stop with a red forest

• Tier 1 should be secured with a privilege management solution

Check out Quest PAM/PSM solutions

2 factor authentication

• MS assumes smart cards
• But one time password has significant advantages

Quest Defender

Alternative: proxy technology (Active Roles, GPOADmin)

Bottom line

Really need to understand security dependencies

Identify control relationships

Implementing ESAE

• Need good reporting

How best to address them

• Red forest is one way to address those risks in AD and Windows
• Privileged Account and Session Management Solutions

Go beyond AD and Windows

Proxy technologies provide a compelling alternative or complement to an isolated red forest

Understand the limitations of smart cards and the advantages of OTP

Check out Quest

“Red Forest”

Bryan Patton, CISSP

Identify who is doing what

Executive Order 13636, issued February 12, 2013: NIST Framework

Identify applications on assets that require administrative rights

Identify Privileged Accounts

What are some privileged accounts in an environment?

• Domain Admins
• Enterprise Admins
• Local Administrators
• SA
• Helpdesk
• OU Admins
• Service Accounts
• Unknown

Identification of known Privileged Accounts

Identification of unknown Privileged Accounts

Identification of Privileges on computer accounts

Identification of third party software on DCs

Identification of what accounts are doing

Protection

Changes to Active Directory via proxy

Protect Active Directory – Enforce Least Privilege Access

Protect Workstations – Enforce Least Privilege Access

Protect hardware – block USB

Protect – Implement Group Policy

Protect – Workflow Approval Process

(Workflow diagram: Request → Review → Approve → Commit; the commit runs immediately or on a schedule; the approver is notified by email and can view details, approve or deny, with rejection comments returned by email)

Protect – Prevent “Privileged Users” from performing actions

Detect

Detect – What can we do?

Detect – GPO changes outside of version control system

Respond

Respond – Quickly search to identify relationships

Respond – Changes through Active Roles

Respond – Changes outside of Active Roles

Pre and post actions enable users to execute custom scripts before or after a GPOADmin action to facilitate integration with internal processes and systems.

Respond after making a change to a GPO

Respond – Use data to change what accounts are allowed to do

Recover

Recover Active Directory from attribute to forest level

Recover a GPO to a specific version