
By David Rowe
What is Microsoft ESAE and Red Forest

ESAE, or Enhanced Security Administrative Environment, is Microsoft's complete framework for protecting Active Directory (AD). AD, in short, is the asset in your network that holds passwords, credentials, users, computers, and groups. AD controls access to the resources across your network: information, applications, and services. Deploying the ESAE steps is a foundation for a long-term identity security solution.

ESAE Methodology

Information can be as simple as

  • emails in your organization
  • privileged research data
  • credit card numbers
  • trade secrets

Information can also carry different classifications: Unclassified, Secret, Top Secret. Information is often what attackers target once they penetrate your network. Attackers want to take that information and monetize their attack.

The term privileged credentials is often used to describe the users or administrators in your environment who have access to this sensitive data. Attackers often target these privileged administrative credentials to gain access to the confidential data. The ESAE framework outlines several quick wins, as well as a number of long-term plans, to secure privileged credentials. With these privileged credentials secured, attackers are less likely to move laterally and vertically through your network.

User to Group

Microsoft has open-sourced much of the documentation on deploying the architecture. The documentation is dispersed across TechNet, GitHub, YouTube videos, and other media. Piecing it together can be a bit of a hassle; there are many pieces of the puzzle to pick up before you can begin.

The most basic outline for starting the deployment groups the security items into time buckets. The three buckets outlined are: the first 30 days, the first 90 days, and beyond 90 days.

Phase 1: The first 30 days

The quick wins: the design of these 30 days is to stop attackers' shortest and cheapest path across a domain. These extremely short routes are profitable for attackers and easy for them to exploit. These are steps that can be taken without any additional purchases or staff, and they can be done quickly to rapidly increase the security footprint of your environment.

Phase 1 Outline:

  1. Separate Admin accounts for admin tasks
    1. Workstation admin accounts
    2. Server admin accounts
    3. Domain Admin accounts
  2. Deploy Privileged Access Workstations
    1. Phase 1 - PAWS for Active Directory Administrators
  3. Create Unique Local Admin Passwords for Workstations
  4. Create Unique Local Admin Passwords for Servers

ESAE Red Forest Phase 1 (source)
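An added example, not code from the original post or from Microsoft: a PowerShell audit of three of the four Phase 1 quick wins (separate admin accounts, LAPS on workstations, LAPS on servers) using the ActiveDirectory module. It assumes the legacy LAPS schema extension, whose ms-Mcs-AdmPwdExpirationTime attribute is set on a computer once LAPS has rotated its local admin password; the "mailbox on a Domain Admin" test is a heuristic chosen here for detecting dual-use accounts.

```powershell
# Added example (not from the original post): audit the Phase 1 quick wins
# in a domain with the ActiveDirectory module. Assumes the legacy LAPS schema
# extension, which stores ms-Mcs-AdmPwdExpirationTime on computer objects.
Import-Module ActiveDirectory

function Get-DualUseDomainAdmin {
    # Quick win 1: Domain Admins members should be dedicated admin accounts.
    # Heuristic (an assumption, not from Microsoft): a Domain Admin with a
    # mailbox is probably also someone's daily-use account.
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties mail, LastLogonDate
        $finding = if ($u.mail) { 'Dual-use: mailbox on a Domain Admin' } else { 'OK' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            HasMailbox     = [bool]$u.mail
            LastLogonDate  = $u.LastLogonDate
            Finding        = $finding
        }
    }
}

function Get-LapsCoverage {
    # Quick wins 3 and 4: every workstation and server should carry a
    # LAPS-managed local admin password. No expiration timestamp means the
    # LAPS client never rotated the password on that machine.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $computers = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase `
        -Properties OperatingSystem, 'ms-Mcs-AdmPwdExpirationTime'
    foreach ($c in $computers) {
        $expiry = $c.'ms-Mcs-AdmPwdExpirationTime'
        $role   = if ($c.OperatingSystem -like '*Server*') { 'Server' } else { 'Workstation' }
        # The attribute is a Windows FILETIME stored as a large integer.
        $expires = if ($expiry) { [DateTime]::FromFileTime([int64]$expiry) } else { $null }
        [pscustomobject]@{
            Name        = $c.Name
            Role        = $role
            LapsManaged = [bool]$expiry
            Expires     = $expires
        }
    }
}

# Report: which Domain Admins look dual-use, and which machines LAPS has not reached.
Get-DualUseDomainAdmin | Format-Table -AutoSize
Get-LapsCoverage | Where-Object { -not $_.LapsManaged } | Format-Table Name, Role -AutoSize
```

Run it from a workstation with RSAT installed as an account that can read the domain; machines listed by the second report are the ones still sharing a local admin password.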

Phase 2: The first 90 days

The items listed in this phase are very important and high impact. However, completing these steps takes longer than phase 1. The steps in this phase take a bit of planning, and change control or change management often needs to be involved.

Phase 2 Outline:

  1. Deploy Privileged Access Workstations for all admins
  2. Time-bound privileges (PAM, no permanent admins)
  3. Multi-factor for elevation
  4. Just enough administration
  5. Lower attack surface of domain and DCs
  6. Attack Detection

ESAE Red Forest Phase 1 (source)

Phase 3: Beyond 90 days

The third and final phase of the ESAE framework shifts you, the defender, to a more proactive security stance. Some of these steps are intensive and create a large amount of administrative overhead. It is a best practice to deploy these steps completely, but depending on the size and risk appetite of the organization, completing all of them is not always cost-effective.

Phase 3 Outline:

  1. Modernize Roles and Delegation Model
  2. Smartcard or Passport Authentication for all admins
  3. Admin forest for Active Directory Administrators (Red Forest/ESAE)
  4. Code Integrity Policy for DCs
  5. Shielded VMs for virtual DCs

ESAE Red Forest Phase 3 (source)

As you begin to deploy the pieces of securing your privileged accounts, you find that there isn't one hammer you can swing to fix everything. You need to think of securing your network in stages, steps, and pieces. Putting all these pieces together enhances your security footprint so that your most critical resources are protected against cyber threats.

First 30 days links

  1. Separate Admin accounts for admin tasks
    1. Workstation admin accounts
    2. Server admin accounts
    3. Domain Admin accounts

For further reading on the admin account series, please visit the following links:

  • Who needs an admin account?
  • What is an admin account? (What are the tiers?)
  • Where do you put an admin account?

  2. Deploy Privileged Access Workstations
    1. Phase 1 - PAWS for Active Directory Administrators
      1. http://Aka.ms/CyberPAW
  3. Create Unique Local Admin Passwords for Workstations
    1. http://Aka.ms/LAPS
  4. Create Unique Local Admin Passwords for Servers
    1. http://Aka.ms/LAPS

First 90 Days links

  1. Deploy Privileged Access Workstations for all admins
    1. http://Aka.ms/CyberPAW
  2. Time-bound privileges (PAM, no permanent admins)
    1. http://aka.ms/PAM
    2. http://aka.ms/AzurePIM
  3. Multi-factor for elevation
  4. Just enough administration
    1. http://aka.ms/JEAdocs
  5. Lower attack surface of domain and DCs
    1. http://aka.ms/HardenAD
  6. Attack Detection
    1. http://aka.ms/ata

How to remove passwords

Beyond 90 Days links:

  1. Modernize Roles and Delegation Model
    1. https://github.com/davidprowe/AD_Sec_Tools/tree/master/Create%20Tiers
  2. Smartcard or Passport Authentication for all admins
    1. http://aka.ms/Passport
  3. Admin Forest for Active Directory Administrators (Red Forest/ESAE)
    1. http://aka.ms/ESAE
  4. Code Integrity Policy for DCs
  5. Shielded VMs for virtual DCs
    1. http://aka.ms/shieldedvms

Anatomy of an attack:

  • aka.ms/credtheftdemo - An unlisted youtube video on credential theft

Tags: ESAE, Microsoft, Framework, Red Forest
