Planting the Red Forest: Improving AD on the Road to ESAE

Active Directory (AD) is trusted by 90% of businesses around the world for identity management.[1] This authentication protects administrative rights and restricted information within the enterprise, making AD a common target for attackers. An attacker with access to AD may configure insecure domain policies, create hidden backdoors, and access sensitive systems. Preventing these attacks can be difficult, and any hope of easily recovering from an AD compromise can be lost without the right configurations in place.[2]

There have been a number of significant changes in best practice with regard to AD. For your organization to resist current AD attacks, it is critical to strive towards a modern AD environment. The following recommendations for migrating to a "Red Forest" architecture have been tested by MWR, with each step making significant improvements to your organization's security.


The Forest Fire of AD Compromise

When an attacker has slipped through edge defenses using common attack methods – such as phishing or password compromise – the AD systems of a business will quickly be targeted.

Dangerous AD attacks may include:

  • “Pass the Hash” to pivot to administrative systems
  • “Kerberoasting” domain service tickets to compromise administrative accounts
  • Targeted attack of administrative workstations
  • Abuse of weak service account passwords

These attacks can be difficult to eliminate without the right tools. Additionally, recent offensive strategies such as AD path mapping[3] and persistence[4] have allowed attackers and penetration testers to quickly plot the most direct course to domain compromise and avoid detection on the network.


Eliminating Attacks with ESAE

To eliminate these attacks without third-party tooling, Microsoft has suggested new domain architectures using built-in AD features and Microsoft Identity Manager (MIM). The most well-known of these is the Enhanced Security Administrative Environment (ESAE),[5] also known as the “Red Forest” model. This model is created to dramatically reduce the possibility of a damaging domain compromise by building resilience into the forest, eliminating common AD attack strategies.

ESAE and its accompanying improvements can be daunting to implement. To be successful, an approach of several steps is recommended to deliver quick, meaningful improvements to the business over time. Each step of the process contributes its own improvements, including elimination of Pass the Hash attacks, managed service account passwords, and administration of the domain from a separate forest to prevent a full administrative compromise.


Planting the Forest with Simple Strategies

To maximize the benefits this journey has to offer, MWR recommends the following approach:



1. Securing Local Credentials: LAPS

Getting a handle on local account credentials is critical to ensuring both administrative systems and user workstations are prepared for a shift to higher security. Microsoft’s Local Administrator Password Solution (LAPS) solves the issue of shared-credential local administrator accounts by providing each local account with a unique, complex password. This password is then stored securely in AD for access by specified administrative accounts on a “need to know” basis to prevent attackers from accessing several systems at once with a Pass-the-Hash style attack or password cracking.
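As an added illustration (not MWR's code, and not part of the original article), the following PowerShell shows the two sides of LAPS that matter for the attack described above: delegating password read rights narrowly, and auditing who actually holds them. It assumes the Microsoft LAPS client module (AdmPwd.PS) is installed and the schema has been extended; the OU, group names and computer name are placeholders.

```powershell
# Added example (not MWR's code): delegate and audit LAPS password read rights.
# Assumes the legacy Microsoft LAPS client (AdmPwd.PS module) is installed and
# the AD schema has already been extended with Update-AdmPwdADSchema.
Import-Module AdmPwd.PS

# Placeholders: substitute your own OU and the principals allowed to read passwords.
$TargetOU        = 'OU=Workstations,DC=corp,DC=example'
$ApprovedReaders = @('CORP\Tier1-Helpdesk', 'CORP\Domain Admins')

# 1. Allow each computer in the OU to write its own password and expiry to AD.
Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOU

# 2. Grant the "read ms-Mcs-AdmPwd" extended right only to the approved principals.
Set-AdmPwdReadPasswordPermission -OrgUnit $TargetOU -AllowedPrincipals $ApprovedReaders

# 3. Audit: list every principal holding extended rights on the OU (including rights
#    inherited from higher in the tree) and flag anything outside the approved list.
#    An unexpected holder here is the "one account reads every workstation's
#    password" problem LAPS is meant to remove.
$rights = Find-AdmPwdExtendedRights -Identity $TargetOU -IncludeComputers:$false
foreach ($entry in $rights) {
    foreach ($principal in $entry.ExtendedRightHolders) {
        if ($ApprovedReaders -notcontains $principal) {
            Write-Warning "Unexpected LAPS reader on $($entry.ObjectDN): $principal"
        }
    }
}

# 4. Need-to-know use: fetch one machine's password for a maintenance task, then
#    schedule an immediate rotation so the exposed value has a bounded lifetime.
$pw = Get-AdmPwdPassword -ComputerName 'WKS-0042'
"Password for WKS-0042 expires $($pw.ExpirationTimestamp)"
Reset-AdmPwdPassword -ComputerName 'WKS-0042' -WhenEffective (Get-Date)
```

Running step 3 on a schedule is a cheap control: principals that gain "All extended rights" on the OU (for example through a broad ACL change) appear in the warning output without anyone having to inspect the ACL by hand.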



2. Separating Administrative Access: PAW

Isolation of administrative systems is a fundamental principle of ESAE architecture. The first step to creating this separation comes through implementation of Microsoft's Privileged Access Workstations (PAWs). This architecture eliminates the risks of shared-use workstations by separating an individual's user and administrative logins into separate contexts, preventing user-targeted attacks like phishing, drive-by browser exploits, and unverified software. New administrative workstations will later be managed as the highest-security "Tier 0" of devices within the ESAE model.



3. Isolating Administrative Permissions: PAM

Once preparation of local accounts and systems has taken place, Microsoft Identity Manager (MIM)’s Privileged Access Management (PAM) builds out the foundation of the ESAE model. These tools create a fully separate forest with a one-way trust for management of all production domains, ensuring that a compromise of production administrator credentials does not signal full compromise of the enterprise domain and network. During this stage, all PAWs created for administrative use can be joined to management domain(s) created within this new forest.
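The following is an added example (not MWR's code) of what this stage looks like in practice with the MIM PAM cmdlets: a production group and a production administrator are shadowed into the bastion forest so that privilege is granted there and honoured across the one-way trust. It is run on the MIM PAM server in the bastion forest; the domain, DC, group and account names are placeholders rather than values from the article.

```powershell
# Added example (not MWR's code): shadow a production group and administrator
# into the MIM PAM bastion ("PRIV") forest. Run on the MIM PAM server.
# Domain, DC, group and account names below are placeholders.
Import-Module MIMPAM

$prodDomain = 'corp.example'        # existing production domain
$prodDC     = 'dc01.corp.example'   # a domain controller in that domain
$prodGroup  = 'ServerAdmins'        # production group whose SID will be shadowed
$prodAdmin  = 'jdoe'                # production user who should receive JIT access

# Production-domain admin credentials, used once to read the source group's SID.
$prodCred = Get-Credential -UserName 'CORP\Administrator' -Message 'Production domain admin'

# Shadow group: a bastion-forest group carrying the production group's SID in its
# SID history, so membership granted here is recognised in the production domain.
$shadowGroup = New-PAMGroup -SourceGroupName $prodGroup -SourceDomain $prodDomain `
                            -SourceDC $prodDC -Credentials $prodCred

# Shadow user: a separate bastion-forest account (PRIV\priv.jdoe) that the
# administrator uses from a PAW. The production account keeps no standing privilege.
$shadowUser = New-PAMUser -SourceDomain $prodDomain -SourceAccountName $prodAdmin
$pass = Read-Host -AsSecureString "Initial password for priv.$prodAdmin"
Set-ADAccountPassword -Identity "priv.$prodAdmin" -NewPassword $pass
Set-ADUser -Identity "priv.$prodAdmin" -Enabled $true -DisplayName $prodAdmin

# PAM role: ties the privilege (shadow group) to candidate users with a
# time-to-live in seconds, so activated membership expires on its own.
$role = New-PAMRole -DisplayName 'ServerAdmins (JIT)' -Privileges $shadowGroup `
                    -Candidates $shadowUser -TTL 3600
$role
```

The design point is that the production group is never modified: the trust is one-way from production to the bastion forest, and the bastion-side shadow group is what the administrator's Kerberos ticket carries after a request is approved.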



4. Limiting Administrative Availability: JEA and JIT

MIM also contains tools to provide simple management of what permissions administrators have at what times, limiting what power an attacker with access to these accounts has. Just Enough Administration (JEA) adds a granular method of controlling which accounts can request which administrative permissions. Meanwhile, Just In Time Administration (JIT) provides the ability to grant administrators access to these permissions temporarily on a per-request basis. These features provide an easily auditable framework to ensure accounts make changes only when they are expected and authorized to do so.
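Two short pieces, added here as an example and not taken from MWR or Microsoft, show JIT and JEA from the administrator's and the server owner's side respectively. Part (a) assumes a PAM role named "ServerAdmins (JIT)" already exists in the bastion forest and the MIMPAM module is on the PAW; part (b) is configured with PowerShell's own JEA role-capability and session-configuration files (PowerShell 5.0 or later on the managed server). Group, server and change-ticket names are placeholders.

```powershell
# Added example (not MWR's code). Part (a): Just In Time request from a PAW.
# Assumes a PAM role 'ServerAdmins (JIT)' exists in the bastion forest.
Import-Module MIMPAM
$req = New-PAMRequest -Role 'ServerAdmins (JIT)' -Justification 'CHG-0001: patch file servers'
$req
# Membership is carried in a fresh logon token: open a new session and check
# that the shadow group is present before starting work.
whoami /groups | findstr /i ServerAdmins

# Part (b): Just Enough Administration endpoint on the managed file server.
# Role capabilities must live in a RoleCapabilities folder of a PowerShell module.
$modDir = 'C:\Program Files\WindowsPowerShell\Modules\Tier1Roles'
$capDir = Join-Path $modDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $capDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modDir 'Tier1Roles.psd1')

# The only actions a file-server operator may perform: read service/share state
# and restart the Server service. Parameter values are constrained too.
New-PSRoleCapabilityFile -Path (Join-Path $capDir 'FileServerOperator.psrc') `
    -VisibleCmdlets @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'LanmanServer' } },
                    'Get-Service', 'Get-SmbShare'

# Session configuration: no interactive shell (RestrictedRemoteServer), commands
# run as a temporary virtual account rather than the operator's own credentials,
# and every session is transcribed for audit.
$pssc = Join-Path $env:TEMP 'Tier1FileOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'CORP\FileServerOperators' = @{ RoleCapabilities = 'FileServerOperator' } }

if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'Tier1FileOps' -Path $pssc -Force
}

# Operators connect with: Enter-PSSession -ComputerName fs01 -ConfigurationName Tier1FileOps
```

Because the virtual account holds the privilege rather than the operator, the operator's own credential is never an administrator on the server, and the transcript directory gives the "expected and authorized" evidence the article refers to.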



5. Reducing Breach Impact: ESAE

By the final stage of implementation, the majority of requirements to operate a full ESAE domain have been met. The remaining fundamentals of ESAE are achieved through the creation of tiers for device management. Tiers organize systems and accounts by level of risk to create security controls around critical areas of the domain. Low-risk tiers are restricted from accessing those of higher risk, greatly increasing the level of effort required for a privilege escalation attack within the domain. These tiers also allow for simple, ongoing application of advanced security controls such as application whitelisting, multi-factor authentication, and local firewall rules to specific device groups.
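As an added example (not MWR's code), the audit below uses the ActiveDirectory PowerShell module to check the Tier 0 population for the weaknesses named earlier in the article: accounts with service principal names (exposed to Kerberoasting), accounts that can be delegated, accounts outside the Protected Users group, and enabled accounts whose password never expires. It assumes the built-in groups listed define Tier 0; add any custom Tier 0 groups your design names.

```powershell
# Added example (not MWR's code): Tier 0 hygiene audit with the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: these built-in groups define Tier 0 in this forest.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'

# Members of Protected Users cannot use NTLM or delegated credentials, which
# removes the classic Pass-the-Hash path for these accounts.
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).distinguishedName

function Get-Tier0Findings {
    $members = foreach ($g in $tier0Groups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
    }
    $members | Sort-Object -Property distinguishedName -Unique | ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName -Properties servicePrincipalName,
                AccountNotDelegated, PasswordNeverExpires, Enabled
        $issues = @()
        if ($u.servicePrincipalName.Count -gt 0)          { $issues += 'has SPN (Kerberoastable)' }
        if (-not $u.AccountNotDelegated)                  { $issues += 'delegation allowed' }
        if ($protected -notcontains $u.DistinguishedName) { $issues += 'not in Protected Users' }
        if ($u.Enabled -and $u.PasswordNeverExpires)      { $issues += 'password never expires' }
        if ($issues) {
            [pscustomobject]@{ Account = $u.SamAccountName; Issues = ($issues -join '; ') }
        }
    }
}

Get-Tier0Findings | Format-Table -AutoSize
```

An empty result is the goal: a Tier 0 account that needs an SPN is, by definition, a service account and belongs under managed credentials rather than in the highest tier.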



[1] "Success with Enterprise Mobility Identity"

[2] "Planning for Compromise"

[3] "Visualising Organisational Charts from Active Directory"

[4] "BloodHound AD"; "Sneaky Active Directory Persistence Tricks"

[5] "Securing Privileged Access"



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.