Red forest is gone, now what?

September 24, 2021

Given that approximately 90% of the world’s enterprises use Active Directory (AD) as their primary authentication and authorization platform for organizations running Windows, it is no surprise that AD is a key target for cybercriminals. Most known attacks targeting AD accounts are conducted by attackers pursuing horizontal kill chains with pass-the-hash, golden-ticket and related techniques that utilize authentication protocols such as NTLM and Kerberos.

To prevent these types of attacks, Microsoft developed a reference architecture designed to isolate privileged credentials in what they called Enhanced Security Administrative Environment (ESAE), or Red Forest. ESAE is a layered security approach that requires creating a special administrative forest to manage all privileged identities in AD by dividing and tiering access of administrator accounts into three levels: Tier 0, Tier 1 and Tier 2. By tiering and controlling where admins can log in, organizations can reduce the risk of privilege escalation by preventing bad guys from accessing privileged credentials or using the credentials if they gain access.

Microsoft recently announced that they’re retiring the 10-year old ESAE/Red Forest model and are replacing it with a modern, cloud-based privileged access strategy that can be implemented using their new guidance — Rapid Modernization Plan (RAMP). This is good news for AD administrators, given that migrating to a Red Forest architecture was never something easy to do. RAMP allows organizations to rapidly deploy security strategies that offer the same level of AD protection, if not more, more efficiently.

Why the Red Forest is Not a Panacea

The Red Forest approach is not practical for most organizations, although great in principle. It requires an extremely complex architecture which can be costly and cumbersome. Implementing ESAE is time-consuming as most organizations don’t want to risk causing downtime due to breaking something in the process. Disabling NTLM Authentication is a challenge, and most businesses can’t do that because they rely on NTLM applications to provide revenue-generating products and services. While you may be more secure without NTLM, it’s not realistic. It also requires additional infrastructure, making it costly and messy, and organizations are already struggling to keep up with basic configurations. ESAE operates on “assume breach” principles. This sometimes requires a full migration of an existing environment to another environment to mitigate risk, which is another costly and time-consuming process.

Is It Really Gone?

Red Forest is going away, but not in its entirety. There are very specific use cases that are still recommended, such as in isolated on-premises environments like SCADA and industrial control systems or highly regulated environments that require an administrative forest configuration. And not everyone will make the shift to the cloud. In these scenarios, ESAE implementation is advisable. For organizations that don’t fall into any of these exceptions, it is recommended that they follow RAMP, which allows you to rapidly deploy privileged identity security strategies in a modern AD environment, including those that run both AD and Azure AD. RAMP is more efficient and effective to implement and provides more protection since AD and Azure AD can now be joined to prevent lateral movement in an attack. The key is to do something now and do it fast, as leaving AD credentials unprotected is not an option.

Speaking of RAPID – the proxy approach

The keyword in RAMP is RAPID. Organizations need to change rapidly, and part of that modernization plan could include the Orange Forest approach, which achieves much of the same functionality but in a faster time. With this approach, Quest has seen customers do ActiveRoles implementation in less than two weeks. It doesn’t require disabling NTLM Authentication but instead requires removing native rights and enabling admins to proxy their access into their directory.

The Orange Forest provides the additional benefit of extra provisioning capabilities for objects and the added ability to have workflow approval for changes in the directory or in Group Policies. The proxy method ensures that nobody has more rights than they need and that no one account has full rights. After all, should any one person really have absolute power?

Bryan Patton, CISSP, is a Principal Strategic Systems Consultant at Quest Software. For nearly 20 years, he has helped customers shape their Microsoft environments. With particular emphasis on Active Directory and Office 365 environments, Patton specializes in Identity and Access Management, Data Governance, Migration and Security.

In this webinar, we review the results of a benchmark study that asked security professionals about their past, present and future outlook on manned guarding. Want to know what your peers are saying about their weekly billed hours? Join us to find out!

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Poll

Comparison Metrics

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Red forest is gone, now what?

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Red forest is gone, now what?

Related Articles

Related Products

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.