Security expert Randy Franklin Smith will explain the reasons why you might go through the extra trouble of a "red forest" — as well as the limitations of this structure.

1. Sponsored byUnderstanding“RedForest”:The3-Tier
EnhancedSecurityAdminEnvironment
(ESAE)andAlternativeWaystoProtect
PrivilegedCredentials
© 2017 Monterey Technology Group Inc.

2. Thanks to
 Made possible by

3. Preview of key
points
 Very important concepts
 PtH
 Logon types are not created equal
 Security dependencies
 Clean source
 The problem with AD Forests
 The 3-tier AD security zone design
 DeployingTier 0 in a “red” forest
 Completing the Enhanced SecurityAdministrative Environment
 Beyond
 How far does ESAE get you?
 Alternatives and gaps
 Privilege management

4. Pass-the-hash
 To view this webcast: https://www.quest.com/webcast-
ondemand/understanding-red-forest-the-3tier-enhanced-
security-admin-environment8121798/
 And related to credential artifact theft
 Randy Smith/QuestWebinar: Deep Dive: Understanding Pass-
the-Hash Attacks and How to Prevent
 https://www.quest.com/webcast-ondemand/-understanding-
pass-the-hash-attacks830251

5. Logon types
are not
created equal
 The difference between interactive and network logons
 Same goes for other logon types
Interactive
logon
Network
logon
hash
hash

6. Security
dependencies
 Control relationships create security dependencies
Subject Controls Object
Security dependency

7. The problem
withAD
forests
 Domains inside a forest are not security boundaries
 The forest is the “security boundary”
 A lot risks with admin accounts in the same forest they
administer
 Privilege escalation
 Credential theft
 Control over each other
 No security zones

8. The 3-tier
design
Tier 0 – Domain Admins
Tier 1 – Server Admins
Tier 2 –Workstation
Admins

9. Tier isolation
 Accounts
 Servers
 Workstations
 Logon types
 Cross-restrictions

10. DeployingTier
0 in a “red”
forest
 Tier Zero should be in a different forest
 Production forest trusts red forest
 No domain admin or similarly privileged accounts in production
forest
 Except emergency access account – built-in Administrator
 Red forest dedicated to simply holdingTier 0 accounts for
administering production forest
 Tier 0 accounts do not have privileged access to red forest
 Accounts needed for that purpose might be considerTier -1

11. The parts
Domain Admins
Administrators
Administrator

12. The parts trust
Domain Admins
Administrators
Administrator
Delegated Permissions
Domain Admins
Administrators
Administrator

13. The parts trust
Domain Admins
Administrators
Role B
Role A
Role C
Administrator
Domain Admins
Administrators
Administrator
Delegated Permissions

14. The parts trust
Interactive logon
Domain controller
Network logon

15. Completing
the Enhanced
Security
Administrative
Environment
 Identifying who needs what
 Classification into tiers
 Creating roles
 Cleaning up old accounts
 Quest Enterprise Reporter
 Training
 Privileged AdministrativeWorkstations

16. Beyond  How far does ESAE get you?
 Alternatives and gaps
 Privilege management

17. How far does
ESAE get you?
 Manages risk for
 Active Directory
 Windows OS
 Doesn’t address
 Many applications aren't compatible with being administered
by accounts from an external forest using a standard trust
 UNIX/Linux
 Devices

18. Alternatives
and gaps
 ESAE doesn’t stop with a red forest
 Tier 1 should be secured with a privilege management solution
 Check out Quest PAM/PSM solutions
 2 factor authentication
 MS assumes smart cards
 But one time password has significant advantages
 Quest Defender
 Alternative: proxy technology
 Active Roles
 GPO Admin

19. Bottom line
 Really need to understand security dependencies
 Identify control relationships
 Implementing ESAE
 Need good reporting
 How best to address them
 Red forest is one way to address those risks in AD and Windows
 Privileged Account and Session Management Solutions
 Go beyond AD andWindows
 Proxy technologies provide a compelling alternative or
compliment to isolated red forest
 Understand the limitations of smart cards and the advantages
of OTP
 Check outQuest
© 2017 Monterey Technology Group Inc.

20. “Red Forest”
Bryan Patton, CISSP

21. Identify who is doing
what

22. Confidential22
Executive Order 13636 issued February 12, 2013
NIST Framework

23. Confidential23
Identify applications on assets that require administrative rights

24. Confidential24
What are some privileged accounts in an environment?
Identify Privileged Accounts
• Domain Admins
• Enterprise Admins
• Local Administrators
• SA
• Helpdesk
• OU Admins
• Service Accounts
• Unknown

25. Confidential25
Identification of known Privileged Accounts

26. Confidential26
Identification of unknown Privileged Accounts

27. Confidential27
Identification of Privileges on computer accounts

28. Confidential28
Identification of third party software on DC’s

29. Confidential29
Identification of what accounts are doing

30. Protection

31. Confidential31
Changes to Active Directory via proxy

32. Confidential32
Protect Active Directory- Enforce Least Privilege Access

33. Confidential33
Protect Workstations- Enforce Least Privilege Access

34. Confidential34
Protect hardware- block USB

35. Confidential35
Protect- Implement Group Policy

36. Confidential36
Protect- Workflow Approval Process
Request Review Approve Commit
Immediate
Schedule
Email
Approve?
Approve
Deny
View
Details
Rejection
Comments
Email
Approve?
Approve
Deny
View
Details
Rejection
Comments
Email

37. Confidential37
Protect- Prevent “Privileged Users” from performing actions

38. Detect

39. Confidential39
Detect- What can we do?

40. Confidential40
Detect- GPO Changes outside of version control system

41. Respond

42. Confidential42
Respond- Quickly search to identify relationships

43. Confidential43
Respond- Changes through Active Roles

44. Confidential44
Respond- Changes outside of Active Roles

45. Confidential45
Pre and post actions enable users to execute custom scripts before or after a
GPOADmin action to facilitate integration with internal processes and systems.
Respond after making a change to a GPO

46. Confidential46
Respond- use data to change what accounts are allowed to do

47. Recover

48. Confidential48
Recovery Active Directory from attribute to Forest level

49. Confidential49
Recovery a GPO to a specific version