Microsoft has responded to the repeated success of attackers pursuing horizontal kill chains via pass-the-hash and related attacks with a reference architecture and other best practices that seek to isolate privileged credentials outside the reach of bad guys and deny bad guys from using the credentials they do succeed in collecting.
A key feature of this this guidance is a 3-tier Enhanced Security Admin Environment (ESAE) in which admin accounts are divided into 3 levels of security
- Tier 0 – Basically Enterprise Admins, forest level admin authority
- Tier 1 – Server, application and cloud admin authority
- Tier 3 – Administrative control of workstation and device
For these tiers to actually enhance security it's important to understand and enforce restrictions on what's permissible at each level in terms of:
- Authentication
- Logon type
- Originating computer
- Target computer
- Actions
- Crossing of tiers
We are hearing the term “red forest” lately and that is the informal name of a special administrative forest Microsoft recommends for holding the accounts that have Tier 0 authority of your production forest. In this webinar, I'll explain what the reasons for why you might go to this extra trouble. And I'll discuss the limitations with it as well.
Within these tiers I'll explain the benefit of implementing horizontal security zones for containment of risk.
And I'll explain an important principle that is so important to understanding security in a distributed environment: that of control transitivity. Microsoft describes it this way: “Any subject in control of an object is a security dependency of that object. If an adversary can control anything in effective control of a target object, they can control that target object. Because of this, you must ensure that the assurances for all security dependencies are at or above the desired security level of the object itself.” I'll try to simplify that using some visuals and real world examples.
2 other important aspects of this strategy we will cover:
- Clean source
- Privileged Administrative Workstations (PAWs)
But is it worth all this effort? We are talking about some serious architectural and operational rip and repair costs. Plus Microsoft is the first to point out that many applications just don't support some of these measures – such as administration from a separate forest. I'm not saying that the concepts aren't solid. But are there ways to apply the same principles and address the same risks without all the rip-and-repair while securing a wider array of applications and technologies? I think you will find it valuable to compare and contrast the foregoing with privilege management solutions from my sponsor for this real training for free ™ event - Quest Software. These Quest technologies are complimentary or possible alternative ways to apply the concepts in this strategy.
Please register now!