Active Directory (AD) is trusted by 90% of businesses around the world for identity management. This authentication protects administrative rights and restricted information within the enterprise, making AD a common target for attackers. An attacker with access to AD may configure insecure domain policies, create hidden backdoors, and access sensitive systems. Preventing these attacks can be difficult, and any hope of easily recovering from an AD compromise can be lost without the right configurations in place.
There have been a number of significant changes in best practice with regard to AD. For your organization to resist current AD attacks, it is critical to strive towards a modern AD environment. The following recommendations for migrating to a "Red Forest" architecture have been tested by MWR, with each step making significant improvements to your organization’s security.
When an attacker has slipped through edge defenses using common attack methods – such as phishing or password compromise – the AD systems of a business will quickly be targeted.
Dangerous AD attacks may include:
These attacks can be difficult to eliminate without the right tools. Additionally, recent offensive strategies such as AD path mapping and persistence have allowed attackers and penetration testers to quickly plot the most direct course to domain compromise and avoid detection on the network.
To eliminate these attacks without third-party tooling, Microsoft has suggested new domain architectures using built-in AD features and Microsoft Identity Manager (MIM). The most well-known of these is the Enhanced Security Administrative Environment (ESAE), also known as the “Red Forest” model. This model is designed to dramatically reduce the possibility of a damaging domain compromise by building resilience into the forest and eliminating common AD attack strategies.
ESAE and its accompanying improvements can be daunting to implement. To be successful, an approach of several steps is recommended to deliver quick, meaningful improvements to the business over time. Each step of the process contributes its own improvements, including elimination of Pass-the-Hash attacks, managed service account passwords, and administration of the domain from a separate forest to prevent a full administrative compromise.
To maximize the benefits this journey has to offer, MWR recommends the following approach:
1. Securing Local Credentials: LAPS
Getting a handle on local account credentials is critical to ensuring both administrative systems and user workstations are prepared for a shift to higher security. Microsoft’s Local Administrator Password Solution (LAPS) solves the issue of shared-credential local administrator accounts by providing each computer’s local administrator account with a unique, complex password. This password is then stored securely in AD for access by specified administrative accounts on a “need to know” basis, preventing attackers from accessing several systems at once with a Pass-the-Hash style attack or password cracking.
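The two things a defender wants to know about a LAPS deployment are whether every computer in scope actually has a managed password, and who is allowed to read those passwords out of AD. The following is an added example (not MWR’s or Microsoft’s code) that checks both with the legacy LAPS `AdmPwd.PS` module and the RSAT ActiveDirectory module; the OU distinguished name and the 30-day threshold are assumptions, and the attribute names are the legacy LAPS ones (`ms-Mcs-AdmPwd`, `ms-Mcs-AdmPwdExpirationTime`), not those of the newer Windows LAPS.

```powershell
# Added example (not MWR's or Microsoft's code): audit LAPS coverage and
# who can read the stored passwords. Assumes the legacy LAPS "AdmPwd.PS"
# module and the RSAT ActiveDirectory module are installed. The OU below
# is a placeholder for your own.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$workstationOU = 'OU=Workstations,DC=corp,DC=example'   # assumed OU

# 1. Computers whose ms-Mcs-AdmPwdExpirationTime is missing have never had a
#    LAPS-managed password written; those whose expiry is in the past are
#    overdue for rotation (client not applying policy, or long offline).
$computers = Get-ADComputer -SearchBase $workstationOU -Filter * `
    -Properties 'ms-Mcs-AdmPwdExpirationTime'

$noLaps  = @()
$overdue = @()
foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) { $noLaps += $c.Name; continue }
    # The attribute is a FILETIME (100 ns ticks since 1601-01-01, UTC).
    $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
    if ($expires -lt (Get-Date).ToUniversalTime()) { $overdue += $c.Name }
}

# 2. Which principals hold the extended right to read ms-Mcs-AdmPwd on this
#    OU. Anything beyond the intended administrative groups (and the SELF
#    right each computer needs to write its own password) is a way to read
#    every local administrator password under the OU at once.
$readers = Find-AdmPwdExtendedRights -Identity $workstationOU |
    Select-Object -ExpandProperty ExtendedRightHolders

[pscustomobject]@{
    Total           = $computers.Count
    WithoutLaps     = $noLaps
    Overdue         = $overdue
    PasswordReaders = $readers
}
```

Run it with an account that has read access to the expiration attribute (reading the expiry does not require the right to read the password itself). Treat any unexpected entry in `PasswordReaders` as a finding: the “need to know” model only holds if the extended right is confined to the groups you intended.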
2. Separating Administrative Access: PAW
Isolation of administrative systems is a fundamental principle of ESAE architecture. The first step to creating this separation comes through implementation of Microsoft’s Privileged Access Workstations (PAWs). This architecture eliminates the risks of shared-use workstations by placing an individual’s user and administrative logins in separate contexts, so that user-targeted attacks like phishing, drive-by browser exploits, and unverified software cannot reach the administrative context. New administrative workstations will later be managed as the highest-security “Tier 0” of devices within the ESAE model.
More Information: https://aka.ms/paws
3. Isolating Administrative Permissions: PAM
Once preparation of local accounts and systems has taken place, Microsoft Identity Manager’s (MIM) Privileged Access Management (PAM) builds out the foundation of the ESAE model. These tools create a fully separate forest with a one-way trust for management of all production domains, ensuring that a compromise of production administrator credentials does not mean full compromise of the enterprise domain and network. During this stage, all PAWs created for administrative use can be joined to management domain(s) created within this new forest.
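To make the one-way trust and the “shadow principal” mechanism concrete, here is an added example (not MWR’s or Microsoft’s code) of onboarding one production group into a MIM PAM bastion forest. It runs on the MIM PAM server in the bastion forest with the `MIMPAM` module; the forest, domain controller, group and account names are placeholders, and the cmdlet parameters follow Microsoft’s documented MIM PAM module, so verify them against your MIM version. The final request shows the per-request, time-limited grant that the page later describes as Just In Time administration.

```powershell
# Added example (not MWR's or Microsoft's code): onboarding a production
# group into a MIM PAM bastion forest. Runs on the MIM PAM server in the
# bastion (admin) forest. Forest, DC, group and account names are placeholders.
Import-Module MIMPAM

$prodForest = 'corp.example'        # assumed production forest
$prodDomain = 'corp'                # assumed NetBIOS name of that domain
$prodDC     = 'dc01.corp.example'   # assumed production domain controller
$ca = Get-Credential -Message 'Production forest admin (trust and shadow setup only)'

# 1. One-way trust: production trusts the bastion forest, never the reverse,
#    so compromising a production admin does not reach Tier 0 in the bastion.
New-PAMTrust -SourceForest $prodForest -Credentials $ca
New-PAMDomainConfiguration -SourceDomain $prodDomain -Credentials $ca

# 2. Shadow principals: PAM creates a bastion-side group carrying the SID of
#    the production group (SID history), and a bastion account per candidate.
$shadowGroup = New-PAMGroup -SourceGroupName 'Domain Admins' `
    -SourceDomain $prodForest -SourceDC $prodDC -Credentials $ca
$shadowUser = New-PAMUser -SourceDomain $prodForest -SourceAccountName 'jdoe'

# 3. A role binds candidates to privileges with a time-to-live (seconds):
#    membership in the shadow group is granted per request and then expires.
$role = New-PAMRole -DisplayName 'Corp Domain Admins' `
    -Privileges $shadowGroup -Candidates $shadowUser -TTL 3600

# 4. From the candidate's bastion account: request the role. The resulting
#    membership is time-limited, and Get-PAMRequest is the audit trail of
#    who held which role, when, and why.
$r = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq 'Corp Domain Admins' }
New-PAMRequest -Role $r -Justification 'Change ticket CHG-0000 (placeholder)'
Get-PAMRequest | Format-List
```

The production group itself should end up empty: after onboarding, members hold its SID only through the bastion shadow group, and only for the TTL of an approved request. Steps 1 and 2 are one-off setup; steps 3 and 4 are what administrators repeat day to day.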
4. Limiting Administrative Availability: JEA and JIT
MIM also contains tools to provide simple management of what permissions administrators have at what times, limiting the power an attacker with access to these accounts has. Just Enough Administration (JEA) adds a granular method of controlling which accounts can request which administrative permissions. Meanwhile, Just In Time Administration (JIT) provides the ability to grant administrators access to these permissions temporarily on a per-request basis. These features provide an easily auditable framework to ensure accounts make changes only when they are expected and authorized to do so.
More Information: https://aka.ms/pam, https://msdn.microsoft.com/en-us/library/dn896648.aspx
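The granular control the section attributes to JEA is implemented in PowerShell as a role capability file plus a constrained session configuration. The following is an added example (not MWR’s or Microsoft’s code) of a JEA endpoint that lets a helpdesk group restart a single service on a member server without holding local administrator rights; the module name, role name, `CORP\Helpdesk` group, `Spooler` service and transcript path are placeholders.

```powershell
# Added example (not MWR's or Microsoft's code): a JEA endpoint that lets
# CORP\Helpdesk restart one service without being local administrators.
# Module, role, group, service and transcript path are placeholders.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpdeskJEA.psd1')

# Role capability: the only verbs in this role are "read service state" and
# "restart the Spooler". Nothing else exists inside the session, so a stolen
# helpdesk credential buys an attacker exactly that and no more.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SpoolerOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        'Get-Service'
    )

# Session configuration: no interactive shell (RestrictedRemoteServer), a
# per-session virtual account instead of a standing privileged account, and
# transcripts of every command for audit. Only CORP\Helpdesk gets the role.
$scPath = Join-Path $env:TEMP 'HelpdeskJEA.pssc'
New-PSSessionConfigurationFile -Path $scPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'CORP\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $scPath)) { throw 'Invalid .pssc file' }
Register-PSSessionConfiguration -Name 'HelpdeskJEA' -Path $scPath -Force | Out-Null

# A helpdesk user then connects to the constrained endpoint, not a full shell:
#   Enter-PSSession -ComputerName srv01 -ConfigurationName HelpdeskJEA
#   Restart-Service -Name Spooler     # allowed
#   Restart-Service -Name Netlogon    # rejected: not in the ValidateSet
```

The transcript directory should be on a volume the helpdesk group cannot modify, and its contents forwarded to your SIEM; together with the `RoleDefinitions` mapping this is the “easily auditable framework” the section describes, since every command is tied to a named account and a named role.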
5. Reducing Breach Impact: ESAE
By the final stage of implementation, the majority of requirements to operate a full ESAE domain have been met. The remaining fundamentals of ESAE are achieved through the creation of tiers for device management. Tiers organize systems and accounts by level of risk to create security controls around critical areas of the domain. Low-risk tiers are restricted from accessing those of higher risk, greatly increasing the level of effort required for a privilege escalation attack within the domain. These tiers also allow for simple, ongoing application of advanced security controls such as application whitelisting, multi-factor authentication, and local firewall rules to specific device groups.
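Tier separation, and the rule that PAWs (step 2) are the only place Tier 0 credentials may be used, can be enforced by the KDC itself rather than by local policy on each machine. This added example (not MWR’s or Microsoft’s code) uses the ActiveDirectory module’s Authentication Policy and Authentication Policy Silo cmdlets, which require a Windows Server 2012 R2 or later domain functional level and Kerberos armoring enabled by Group Policy; the silo, policy, account and host names are placeholders.

```powershell
# Added example (not MWR's or Microsoft's code): fence Tier 0 accounts to
# PAWs and domain controllers with an Authentication Policy Silo. Requires
# DFL 2012 R2+ and Kerberos armoring. Names below are placeholders.
Import-Module ActiveDirectory

$siloName   = 'Tier0-Silo'
$tier0Users = @('t0-admin-jdoe')   # assumed dedicated Tier 0 admin accounts
$tier0Hosts = @('PAW01', 'DC01')   # assumed PAWs and domain controllers

# Policy: a Tier 0 user is issued a TGT only when the requesting device is
# itself a member of the silo, and the TGT lives 4 hours, so a credential
# presented from an ordinary workstation is refused at the KDC.
$sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"
$policy = New-ADAuthenticationPolicy -Name 'Tier0-Policy' -Enforce `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $sddl -PassThru

# Silo: binds the policy to its user, computer and service members.
$silo = New-ADAuthenticationPolicySilo -Name $siloName -Enforce `
    -UserAuthenticationPolicy $policy `
    -ComputerAuthenticationPolicy $policy `
    -ServiceAuthenticationPolicy $policy -PassThru

# Membership is two-step: grant the object access to the silo, then assign it.
foreach ($u in $tier0Users) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account (Get-ADUser $u)
    Set-ADUser -Identity $u -AuthenticationPolicySilo $silo
}
foreach ($h in $tier0Hosts) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account (Get-ADComputer $h)
    Set-ADComputer -Identity $h -AuthenticationPolicySilo $silo
}

# Verification: every Tier 0 user and host, and nothing else, should be listed.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object -ExpandProperty Members
```

Build the silo without `-Enforce` first and watch the domain controllers’ authentication-policy audit events for a few days: every would-be failure is a Tier 0 credential being used somewhere it should not be, which is both a misconfiguration to fix before enforcing and, once enforced, a high-value detection signal. The same pattern, with its own silo and policy, can then be applied to Tier 1 servers and their administrators.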