Security expert Randy Franklin Smith will explain the reasons why you might go through the extra trouble of a "red forest" — as well as the limitations of this structure.
3. Preview of key points
Very important concepts
• PtH
• Logon types are not created equal
• Security dependencies
• Clean source
The problem with AD forests
The 3-tier AD security zone design
Deploying Tier 0 in a "red" forest
Completing the Enhanced Security Administrative Environment
Beyond
• How far does ESAE get you?
• Alternatives and gaps
• Privilege management
4. Pass-the-hash
To view this webcast: https://www.quest.com/webcast-ondemand/understanding-red-forest-the-3tier-enhanced-security-admin-environment8121798/
And related to credential artifact theft:
Randy Smith/Quest Webinar: Deep Dive: Understanding Pass-the-Hash Attacks and How to Prevent
https://www.quest.com/webcast-ondemand/-understanding-pass-the-hash-attacks830251
5. Logon types are not created equal
The difference between interactive and network logons
Same goes for other logon types
(Diagram: "Interactive logon" and "Network logon", each labelled with where the hash ends up)
7. The problem with AD forests
Domains inside a forest are not security boundaries
The forest is the "security boundary"
A lot of risks with admin accounts in the same forest they administer:
• Privilege escalation
• Credential theft
• Control over each other
• No security zones
10. Deploying Tier 0 in a "red" forest
• Tier Zero should be in a different forest
• Production forest trusts red forest
• No domain admin or similarly privileged accounts in production forest
  Except emergency access account – built-in Administrator
• Red forest dedicated to simply holding Tier 0 accounts for administering production forest
• Tier 0 accounts do not have privileged access to red forest
  Accounts needed for that purpose might be considered Tier -1
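The rules from slides 5, 7 and 10 can be turned into a concrete check: a credential-caching logon (interactive, RDP, batch, service) by a higher-tier account onto a lower-tier host leaves that account's secret on a host it should never touch, while a network logon does not, and any Tier 0 account still homed in the production forest is itself a gap. The following is an added example, not code from the webinar or from Quest; the host inventory, account names, domains (RED as the red forest, PROD as production) and the 4624-style events are all constructed for illustration.

```python
# Added example (not from the webinar): apply the tiering rules from the slides
# to constructed Windows Security event 4624-style logon records.
from dataclasses import dataclass

# Windows logon types whose authentication leaves reusable credential material
# (NT hash and/or Kerberos tickets) in LSASS on the target host. A network
# logon (type 3) authenticates without placing the secret on the target, which
# is the point of "logon types are not created equal".
CREDENTIAL_CACHING_LOGON_TYPES = {
    2: "Interactive",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed inventory (hypothetical names). RED is the red forest holding
# Tier 0 accounts; PROD is the production forest it administers.
RED_FOREST_DOMAIN = "RED"

HOST_TIER = {
    "DC01": 0,     # domain controller
    "ADFS01": 0,
    "FS01": 1,     # member server
    "SQL02": 1,
    "WS-17": 2,    # workstation
}

ACCOUNT_TIER = {
    r"RED\t0-admin": 0,
    r"PROD\da-bob": 0,        # Domain Admins member left behind in production
    r"PROD\srv-admin": 1,
    r"PROD\helpdesk-jo": 2,
}


@dataclass(frozen=True)
class LogonEvent:
    """Fields of interest from a Security event 4624 (constructed, not parsed)."""
    account: str      # TargetDomainName\TargetUserName
    host: str         # computer on which the event was logged
    logon_type: int   # LogonType field


def find_violations(events):
    """Return one finding per event that breaks the tier rules.

    Rule 1: a credential-caching logon by an account of tier T onto a host of
            a lower-trust tier (numerically higher) exposes T-level secrets.
    Rule 2: Tier 0 accounts belong in the red forest; a Tier 0 account whose
            domain is the production forest is a gap in its own right.
    """
    findings = []
    for ev in events:
        acct_tier = ACCOUNT_TIER.get(ev.account)
        host_tier = HOST_TIER.get(ev.host)
        if acct_tier is None or host_tier is None:
            findings.append(f"UNKNOWN: {ev.account} on {ev.host} (not in inventory)")
            continue
        domain = ev.account.split("\\", 1)[0]
        if acct_tier == 0 and domain != RED_FOREST_DOMAIN:
            findings.append(f"TIER0-IN-PROD: {ev.account} is Tier 0 but lives in {domain}")
        name = CREDENTIAL_CACHING_LOGON_TYPES.get(ev.logon_type)
        if name and host_tier > acct_tier:
            findings.append(
                f"CRED-EXPOSURE: {ev.account} (Tier {acct_tier}) {name} logon "
                f"(type {ev.logon_type}) on {ev.host} (Tier {host_tier})"
            )
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    LogonEvent(r"RED\t0-admin", "DC01", 10),       # RDP to a DC from the red forest: fine
    LogonEvent(r"RED\t0-admin", "FS01", 3),        # network logon: no hash left on FS01
    LogonEvent(r"RED\t0-admin", "WS-17", 2),       # Tier 0 secret now cached on a workstation
    LogonEvent(r"PROD\da-bob", "DC01", 2),         # DA account still in the production forest
    LogonEvent(r"PROD\srv-admin", "WS-17", 10),    # Tier 1 secret cached on a workstation
    LogonEvent(r"PROD\helpdesk-jo", "WS-17", 10),  # Tier 2 on Tier 2: fine
    LogonEvent(r"PROD\helpdesk-jo", "SQL02", 3),   # network logon, nothing cached
]

if __name__ == "__main__":
    for line in find_violations(SAMPLE_EVENTS):
        print(line)
```

On the sample data the checker reports three findings: the Tier 0 interactive logon on WS-17, the Domain Admins account homed in PROD, and the Tier 1 RDP session on a workstation; the two network logons produce nothing because they leave no reusable secret behind. In a real deployment the inventory would come from AD group membership and the events from the Security log, and the same rule would also be enforced preventively with "Deny log on" user rights and authentication policy silos rather than detected after the fact.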
16. Beyond
• How far does ESAE get you?
• Alternatives and gaps
• Privilege management
17. How far does ESAE get you?
Manages risk for:
• Active Directory
• Windows OS
Doesn't address:
• Many applications aren't compatible with being administered by accounts from an external forest using a standard trust
• UNIX/Linux
• Devices
18. Alternatives and gaps
ESAE doesn't stop with a red forest
• Tier 1 should be secured with a privilege management solution
  Check out Quest PAM/PSM solutions
• 2-factor authentication
  MS assumes smart cards
  But one-time password has significant advantages
  Quest Defender
• Alternative: proxy technology
  Active Roles
  GPO Admin
24. What are some privileged accounts in an environment?
Identify Privileged Accounts
• Domain Admins
• Enterprise Admins
• Local Administrators
• SA
• Helpdesk
• OU Admins
• Service Accounts
• Unknown
45. Pre and post actions enable users to execute custom scripts before or after a GPOADmin action to facilitate integration with internal processes and systems.
Respond after making a change to a GPO