Given that approximately 90% of the world's enterprises use Active Directory (AD) as the primary authentication and authorization platform for their Windows estates, it is no surprise that AD is a key target for cybercriminals. Most known attacks against AD accounts are lateral-movement and privilege-escalation chains that abuse the NTLM and Kerberos authentication protocols with pass-the-hash, golden ticket and related techniques.
To prevent these types of attacks, Microsoft developed a reference architecture that isolates privileged credentials, which it called the Enhanced Security Administrative Environment (ESAE), or Red Forest. ESAE is a layered approach: a dedicated administrative forest hosts the most privileged identities, and administrative access is divided into three tiers: Tier 0 (domain controllers and the identity infrastructure itself), Tier 1 (servers and applications) and Tier 2 (workstations and user devices). Each tier's admin accounts may only log on to systems of that tier, so a Tier 0 credential never lands on a Tier 1 or Tier 2 host where it could be harvested. By tiering accounts and controlling where they can log on, organizations reduce the risk of privilege escalation: attackers are prevented from reaching privileged credentials, or from using them if they do obtain them.
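A check that follows from the tiering rule above, added here as an example and not taken from Microsoft's ESAE guidance or from the original post: given a tier for each privileged account and for each host, it flags every credential-exposing logon of a higher-tier account onto a lower-tier host. The tier tables, account and host names, and the sample logon events are all constructed for the demo; in production the tables would be built from group membership (for example, Domain Admins are Tier 0) and OU placement, and the events would come from Security log event 4624 via Get-WinEvent.

```powershell
# Added example: detect logons that violate the tier model.
# Everything below (tiers, names, events) is constructed for the demo.

# Tier of each privileged account (lower number = more privileged).
$AccountTier = @{
    'CORP\da-alice'   = 0   # Domain Admin
    'CORP\srv-bob'    = 1   # server admin
    'CORP\helpdesk-c' = 2   # workstation support
}

# Tier of each host. Anything not listed is treated as Tier 2 (least trusted).
$HostTier = @{
    'DC01'  = 0
    'APP01' = 1
    'WS17'  = 2
}

# Logon types that leave reusable credentials in LSASS on the target host:
# 2 Interactive, 4 Batch, 5 Service, 10 RemoteInteractive (RDP).
# Network logons (type 3) do not expose the password hash on the target.
$CredentialExposingLogonTypes = @(2, 4, 5, 10)

function Test-TierViolation {
    param(
        [Parameter(Mandatory)] [string]$Account,
        [Parameter(Mandatory)] [string]$Computer,
        [Parameter(Mandatory)] [int]$LogonType
    )
    if ($LogonType -notin $CredentialExposingLogonTypes) { return $null }
    if (-not $AccountTier.ContainsKey($Account)) { return $null }   # unprivileged account
    $acctTier = $AccountTier[$Account]
    $targetTier = if ($HostTier.ContainsKey($Computer)) { $HostTier[$Computer] } else { 2 }
    # The rule: an account may only log on to hosts of its own tier.
    # A Tier 0 account on a Tier 1/2 host leaves Tier 0 credentials where
    # Tier 1/2 admins (or malware running as them) can harvest them.
    if ($acctTier -lt $targetTier) {
        return [pscustomobject]@{
            Account     = $Account
            Computer    = $Computer
            LogonType   = $LogonType
            AccountTier = $acctTier
            HostTier    = $targetTier
            Reason      = "Tier $acctTier credential exposed on Tier $targetTier host"
        }
    }
    return $null
}

# Constructed sample events carrying only the 4624 fields the check needs.
# Real data: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
# and read TargetDomainName\TargetUserName, the Computer and LogonType fields.
$SampleEvents = @(
    @{ Account = 'CORP\da-alice';   Computer = 'DC01';  LogonType = 2  }   # allowed
    @{ Account = 'CORP\da-alice';   Computer = 'WS17';  LogonType = 10 }   # violation
    @{ Account = 'CORP\srv-bob';    Computer = 'WS17';  LogonType = 2  }   # violation
    @{ Account = 'CORP\srv-bob';    Computer = 'APP01'; LogonType = 3  }   # network logon, ignored
    @{ Account = 'CORP\helpdesk-c'; Computer = 'WS17';  LogonType = 2  }   # allowed
)

$SampleEvents |
    ForEach-Object { Test-TierViolation -Account $_.Account -Computer $_.Computer -LogonType $_.LogonType } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

Run against the constructed events, the two lines that survive the filter are da-alice on WS17 and srv-bob on WS17; the network logon of srv-bob to APP01 is deliberately ignored because a type 3 logon does not leave a reusable credential on the target. The same table-driven rule is what the "Deny log on" user rights assignments and Authentication Policy Silos enforce preventively; this script is the detective counterpart you run over the logs to find where the rule is already being broken.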
Microsoft recently announced that it is retiring the 10-year-old ESAE/Red Forest model and replacing it with a modern, cloud-based privileged access strategy implemented through its new guidance, the Rapid Modernization Plan (RAMP). This is good news for AD administrators, since migrating to a Red Forest architecture was never easy. RAMP lets organizations deploy, more quickly and more efficiently, a security strategy that offers the same level of AD protection, if not more.
Why the Red Forest is Not a Panacea
The Red Forest approach is great in principle but not practical for most organizations. It requires an extremely complex architecture that is costly and cumbersome to build. Implementing ESAE is time-consuming, and most organizations don't want to risk downtime from breaking something in the process. Disabling NTLM authentication is a particular challenge: most businesses rely on NTLM-dependent applications for revenue-generating products and services, so while you would be more secure without NTLM, removing it is not realistic (Microsoft's "Restrict NTLM" policies in audit mode, which log NTLM use without blocking it, are the way to measure that dependence before attempting any removal). ESAE also requires additional infrastructure, which adds cost and complexity for organizations that are already struggling to keep up with basic configuration hygiene. Finally, ESAE is built on "assume breach" principles, which sometimes means a full migration of the existing environment into a new one to mitigate the risk that the old one is already compromised; that is another costly and time-consuming process.
Is It Really Gone?
Red Forest is going away, but not entirely. Microsoft still recommends an administrative forest for specific use cases: isolated on-premises environments such as SCADA and industrial control systems, and highly regulated environments that require an administrative forest configuration. Not everyone will make the shift to the cloud, and in these scenarios an ESAE implementation remains advisable. Organizations that don't fall into any of these exceptions should follow RAMP, which lets them rapidly deploy privileged identity security strategies in a modern AD environment, including hybrid environments that run both AD and Azure AD. RAMP is more efficient and effective to implement, and it provides more protection because the same privileged-access controls can span AD and Azure AD, closing off lateral movement between the two during an attack. The key is to do something now and do it fast; leaving AD credentials unprotected is not an option.
Speaking of RAPID – the proxy approach
The keyword in RAMP is Rapid. Organizations need to change rapidly, and part of that modernization plan could include the Orange Forest approach, which achieves much of the same functionality in far less time. With this approach, Quest has seen customers complete an ActiveRoles implementation in less than two weeks. It doesn't require disabling NTLM authentication; instead, native rights are removed from the administrators' own accounts and they perform their work through a proxy that holds the delegated rights into the directory.
The Orange Forest also adds provisioning capabilities for objects and workflow approval for changes in the directory or in Group Policy. The proxy method ensures that nobody has more rights than they need and that no single account has full rights. After all, should any one person really have absolute power?