Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials
Transcript of Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials
![Page 1: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/1.jpg)
Sponsored by
Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials
© 2017 Monterey Technology Group Inc.
![Page 2: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/2.jpg)
Thanks to
Made possible by
![Page 3: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/3.jpg)
Preview of key points
Very important concepts
- PtH
- Logon types are not created equal
- Security dependencies
- Clean source
The problem with AD Forests
The 3-tier AD security zone design
Deploying Tier 0 in a “red” forest
Completing the Enhanced Security Administrative Environment
Beyond
- How far does ESAE get you?
- Alternatives and gaps
- Privilege management
![Page 4: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/4.jpg)
Pass-the-hash
To view this webcast: https://www.quest.com/webcast-ondemand/understanding-red-forest-the-3tier-enhanced-security-admin-environment8121798/
And related to credential artifact theft
Randy Smith/Quest Webinar: Deep Dive: Understanding Pass-the-Hash Attacks and How to Prevent https://www.quest.com/webcast-ondemand/-understanding-pass-the-hash-attacks830251
![Page 5: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/5.jpg)
Logon types are not created equal
The difference between interactive and network logons
Same goes for other logon types
Diagram: interactive logon vs. network logon (where the credential hash ends up in each case)
![Page 6: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/6.jpg)
Security dependencies
Control relationships create security dependencies
Diagram: Subject controls Object, which creates a security dependency
![Page 7: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/7.jpg)
The problem with AD forests
Domains inside a forest are not security boundaries
The forest is the “security boundary”
A lot of risks with admin accounts in the same forest they administer:
- Privilege escalation
- Credential theft
- Control over each other
- No security zones
![Page 8: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/8.jpg)
The 3-tier design
Tier 0 – Domain Admins
Tier 1 – Server Admins
Tier 2 – Workstation Admins
![Page 9: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/9.jpg)
Tier isolation
- Accounts
- Servers
- Workstations
- Logon types
- Cross-restrictions
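The tier-isolation slide lists the things the model restricts (accounts, hosts, logon types, cross-tier access) without showing how a defender would check them. The following added example (not from the deck or from Quest) evaluates constructed Windows 4624 logon records against a simplified tier policy; the account and host tier tables, the sample events, and the three rules in the docstring are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# 4624 LogonType values that leave credential material on the host:
# 2 Interactive, 10 RemoteInteractive, 11 CachedInteractive.
INTERACTIVE_TYPES = {2, 10, 11}

# Assumed classification tables (constructed for this example).
ACCOUNT_TIER = {"CORP\\da-alice": 0, "CORP\\srvadm-bob": 1, "CORP\\wsadm-carol": 2}
HOST_TIER = {"DC01": 0, "APP07": 1, "WS-1234": 2}

@dataclass
class LogonEvent:
    account: str     # TargetDomainName\TargetUserName from the 4624 event
    host: str        # computer that recorded the event
    logon_type: int  # LogonType field of the event

def violation(ev: LogonEvent) -> Optional[str]:
    """Return why this logon breaks tier isolation, or None if it is allowed.
    Rules (this example's simplification of the tier cross-restrictions):
    a lower-tier account (higher number) never logs on to a higher-tier host;
    a higher-tier account logs on interactively only to hosts of its own tier,
    since an interactive logon leaves reusable credential material behind;
    a network logon from a higher-tier account to a lower-tier host is tolerated.
    """
    acct_tier = ACCOUNT_TIER.get(ev.account)
    host_tier = HOST_TIER.get(ev.host)
    if acct_tier is None or host_tier is None:
        return f"unclassified account or host: {ev.account} -> {ev.host}"
    if acct_tier > host_tier:
        return f"tier {acct_tier} account {ev.account} logged on to tier {host_tier} host {ev.host}"
    if acct_tier < host_tier and ev.logon_type in INTERACTIVE_TYPES:
        return (f"interactive logon (type {ev.logon_type}) exposes tier {acct_tier} "
                f"credential of {ev.account} on tier {host_tier} host {ev.host}")
    return None

def audit(events):
    """Return (event, reason) pairs for every event that violates the policy."""
    return [(e, v) for e in events if (v := violation(e)) is not None]

# Constructed sample events, not real logs.
SAMPLE = [
    LogonEvent("CORP\\da-alice", "DC01", 10),     # allowed: tier 0 RDP to a DC
    LogonEvent("CORP\\da-alice", "WS-1234", 2),   # violation: DA console logon on a workstation
    LogonEvent("CORP\\da-alice", "APP07", 3),     # tolerated: network logon downward
    LogonEvent("CORP\\srvadm-bob", "DC01", 3),    # violation: tier 1 account on a tier 0 host
    LogonEvent("CORP\\svc-unknown", "APP07", 3),  # flagged: unclassified account
]
```

`audit(SAMPLE)` returns the three flagged events; the unclassified one is reported because an account or host with no tier is itself a gap in the model.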
![Page 10: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/10.jpg)
Deploying Tier 0 in a “red” forest
Tier Zero should be in a different forest
Production forest trusts red forest
No domain admin or similarly privileged accounts in production forest
- Except emergency access account – built-in Administrator
Red forest dedicated to simply holding Tier 0 accounts for administering production forest
Tier 0 accounts do not have privileged access to red forest
Accounts needed for that purpose might be considered Tier -1
![Page 11: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/11.jpg)
The parts
Diagram: a forest's built-in privileged principals (Domain Admins, Administrators, Administrator)
![Page 12: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/12.jpg)
The parts – trust
Diagram: two forests joined by a trust, each with its Domain Admins / Administrators / Administrator; delegated permissions granted across the trust
![Page 13: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/13.jpg)
The parts – trust
Diagram: as before, with the red-forest accounts grouped into roles (Role A, Role B, Role C) that receive delegated permissions in the other forest
![Page 14: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/14.jpg)
The parts – trust
Diagram: interactive logon to the domain controller vs. network logon across the trust
![Page 15: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/15.jpg)
Completing the Enhanced Security Administrative Environment
Identifying who needs what
Classification into tiers
Creating roles
Cleaning up old accounts
Quest Enterprise Reporter
Training
Privileged Administrative Workstations
![Page 16: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/16.jpg)
Beyond How far does ESAE get you?
Alternatives and gaps
Privilege management
![Page 17: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/17.jpg)
How far does ESAE get you?
Manages risk for
- Active Directory
- Windows OS
Doesn’t address
- Many applications aren't compatible with being administered by accounts from an external forest using a standard trust
- UNIX/Linux
- Devices
![Page 18: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/18.jpg)
Alternatives and gaps
ESAE doesn’t stop with a red forest
- Tier 1 should be secured with a privilege management solution
- Check out Quest PAM/PSM solutions
2 factor authentication
- MS assumes smart cards
- But one time password has significant advantages
- Quest Defender
Alternative: proxy technology
- Active Roles
- GPO Admin
![Page 19: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/19.jpg)
Bottom line
Really need to understand security dependencies
- Identify control relationships
- How best to address them
Implementing ESAE
- Need good reporting
- Red forest is one way to address those risks in AD and Windows
Privileged Account and Session Management Solutions
- Go beyond AD and Windows
Proxy technologies provide a compelling alternative or complement to an isolated red forest
Understand the limitations of smart cards and the advantages of OTP
Check out Quest
![Page 20: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/20.jpg)
“Red Forest” – Bryan Patton, CISSP
![Page 21: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/21.jpg)
Identify who is doing what
![Page 22: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/22.jpg)
Confidential
Executive Order 13636 issued February 12, 2013
NIST Framework
![Page 23: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/23.jpg)
Identify applications on assets that require administrative rights
![Page 24: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/24.jpg)
Identify Privileged Accounts
What are some privileged accounts in an environment?
- Domain Admins
- Enterprise Admins
- Local Administrators
- SA
- Helpdesk
- OU Admins
- Service Accounts
- Unknown
![Page 25: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/25.jpg)
Identification of known Privileged Accounts
![Page 26: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/26.jpg)
Identification of unknown Privileged Accounts
![Page 27: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/27.jpg)
Identification of Privileges on computer accounts
![Page 28: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/28.jpg)
Identification of third party software on DCs
![Page 29: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/29.jpg)
Identification of what accounts are doing
![Page 30: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/30.jpg)
Protection
![Page 31: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/31.jpg)
Changes to Active Directory via proxy
![Page 32: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/32.jpg)
Protect Active Directory – Enforce Least Privilege Access
![Page 33: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/33.jpg)
Protect Workstations – Enforce Least Privilege Access
![Page 34: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/34.jpg)
Protect hardware – block USB
![Page 35: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/35.jpg)
Protect – Implement Group Policy
![Page 36: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/36.jpg)
Protect – Workflow Approval Process
Workflow diagram: Request → Review → Approve → Commit (immediate or scheduled); the reviewer receives an approval email with Approve / Deny / View Details, and a rejection sends the comments by email
![Page 37: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/37.jpg)
Protect – Prevent “Privileged Users” from performing actions
![Page 38: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/38.jpg)
Detect
![Page 39: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/39.jpg)
Detect – What can we do?
![Page 40: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/40.jpg)
Detect – GPO Changes outside of version control system
![Page 41: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/41.jpg)
Respond
![Page 42: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/42.jpg)
Respond – Quickly search to identify relationships
![Page 43: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/43.jpg)
Respond – Changes through Active Roles
![Page 44: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/44.jpg)
Respond – Changes outside of Active Roles
![Page 45: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/45.jpg)
Pre and post actions enable users to execute custom scripts before or after a GPOADmin action to facilitate integration with internal processes and systems.
Respond after making a change to a GPO
![Page 46: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/46.jpg)
Respond – use data to change what accounts are allowed to do
![Page 47: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/47.jpg)
Recover
![Page 48: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/48.jpg)
Recover Active Directory from attribute to forest level
![Page 49: Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect Privileged Credentials](https://reader034.fdocuments.us/reader034/viewer/2022051300/5899dd231a28ab4a0b8b6fc5/html5/thumbnails/49.jpg)
Recover a GPO to a specific version