CIO

Understanding "Red Forest" to Protect Privileged Credentials

By Serkan Cetin, Regional Manager, Technology & Strategy, One Identity APJ

Events and breaches over the last few years, such as WannaCry and NotPetya, have brought particular vulnerabilities to the surface that pose significant security risks to businesses.

In today’s highly dynamic, connected and mobile organisations, perimeter security alone is no longer sufficient. With insider threats on the rise, it is important that any organisation maintain an active insider threat program to protect identities, most critically privileged or administrative identities. Additional drivers, such as formal “Insider Threat” programs, are starting to identify the need to protect at the identity, or user, level. Since 99% of enterprises rely heavily on Active Directory (AD) as their primary authentication mechanism, AD has remained the most popular target.

The AD Compromise and Privileged Account Abuse

The legacy NTLM hashes generated by AD are a primary focus of bad actors, who can carry out a “Pass the Hash” attack by stealing a hashed user credential and reusing it to trick the authentication system into creating a new authenticated session on the same network.

Hence the need to protect privileged accounts applies to AD just as it does to any other system. Accounts, passwords and credentials will always be a primary target regardless of the system being protected or the guards that have been implemented. To provide an additional level of assurance, Microsoft has published the “Enhanced Security Administrative Environment (ESAE)”, also known as the “Red Forest” AD architecture.

The basic forest design of the ESAE environment looks something like this.

In the ESAE design, the user, resource and application forests trust authentication from the Red Forest through a one-way trust relationship. Administration is then separated into tiers:

  • Tier 0:  Administrator accounts and groups live in the Red Forest and have control of enterprise identities. 
  • Tier 1:  Administrator accounts that live in the resource (or application) forest and should only logon interactively to systems in that forest. 
  • Tier 2:  Administrator accounts that control user workstations and other devices that live in the User forest.

Segmenting administration in this way makes it possible to isolate a compromise. For instance, if a Tier 2 administrator account is compromised, the damage is limited to the assets in the user forest. Moving up the tiers towards Tier 0, the protections and policies around the use of these accounts must be drastically more restrictive.

ESAE provides some risk management for AD and the Windows operating systems within the enterprise. If a compromise is detected, the entire enterprise does not need to be rebuilt from the ground up. The design effectively creates “disposable” admin accounts and trust links that can be severed to limit the scope of the breach; the breached forest can then be removed from the trust relationship to protect the remaining assets.

Does Multifactor Authentication Help?

Multi-factor authentication (MFA) can add some value for administrators, particularly against phishing attacks. However, the vulnerability ESAE is designed to prevent is the Pass-the-Hash class of attack, which does not involve passwords at all. When a user or admin authenticates interactively, using a username and password or in some cases MFA, it is the generated hash, not the credentials themselves, that is the bad actor’s target.

Overcoming Common Red Forest Challenges with Automation

Implementing an ESAE design presents different challenges for enterprises of different sizes. An extremely large enterprise will have many administrators at all tiers, and all of this administration must be managed very strictly. Any variation or “one-off” permission can create a weakness that renders the entire design vulnerable.

In mid-size and smaller organisations it is very common for administrators to perform duties at many different tiers, so they may require separate accounts at each tier. This administration must be compartmentalised and may prove difficult to separate. Any variation or combining of permissions can jeopardise the entire enterprise.

Because ESAE is so complex to implement correctly, it can be more effective to use automated security tools to accomplish the same goals without ESAE.

Another important step in simplifying the security of administrator hashes is to make them irrelevant by cycling passwords with an automated solution. Doing so allows enrolled accounts to be checked and cycled after each use, making any credential artefact left behind useless.

Automated solutions provide a single point of administration for all platforms and an audit trail showing who used an account, where they went with it and what actions they took. These solutions are specifically designed to secure the enterprise without the overhead of ESAE. The targeted admin accounts are enrolled in the solution and the Pass-the-Hash vulnerability is virtually eliminated.

Combining this with session management technology adds the capability to replay and audit administrator sessions. Modern session management technologies include analytics that can profile administrator sessions and track deviations from normal behaviour, such as location, screen resolution, systems accessed, commands run, time of day, and keyboard and mouse patterns, while the session is in progress. If an anomaly is detected, action can be taken to alert security, or to suspend or even terminate the session.

Additionally, administrator roles should be controlled by automation, and those accounts should only be in administrator groups while tasks are being accomplished. Automated solutions provide workflow approval and dynamic, temporal group memberships. With this functionality, administrator accounts are only added to privileged groups when the permission is required to accomplish an administrative task, and that group membership is only valid for the period specified to complete the task. This prevents the admin account from being a target for exploitation and significantly reduces the attack surface of the directory.
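The two controls described above, the tier logon rule from the ESAE section (an admin account only logs on interactively to hosts in its own tier) and the time-bound group membership described here, can both be checked against logon telemetry. The following Python is an added example, not code from the article or from any vendor product; the account names, host names, tier map and logon events are constructed sample data, and the logon-type numbers are those of Windows event 4624.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Constructed sample tier map (not from the article): Tier 0 in the Red Forest,
# Tier 1 in the resource forest, Tier 2 in the user forest.
ACCOUNT_TIER = {"REDFOREST\\t0-admin": 0, "RESOURCE\\t1-admin": 1, "USERS\\t2-admin": 2}
HOST_TIER = {"dc01.redforest.local": 0, "app01.resource.local": 1, "ws042.users.local": 2}

# Event 4624 logon types that leave reusable credential material on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

@dataclass
class LogonEvent:
    when: datetime
    account: str
    host: str
    logon_type: int

@dataclass
class Elevation:
    """An approved, time-bound privileged group membership for one account."""
    account: str
    start: datetime
    end: datetime

def check_event(ev: LogonEvent, elevations: list[Elevation]) -> list[str]:
    """Return policy findings for one logon event; an empty list means compliant."""
    findings = []
    acct_tier, host_tier = ACCOUNT_TIER.get(ev.account), HOST_TIER.get(ev.host)
    if acct_tier is None or host_tier is None:
        return [f"unmapped account or host: {ev.account} -> {ev.host}"]
    # Rule 1: an admin account may only log on interactively within its own tier.
    if ev.logon_type in INTERACTIVE_LOGON_TYPES and acct_tier != host_tier:
        findings.append(f"tier violation: Tier {acct_tier} {ev.account} -> Tier {host_tier} {ev.host}")
    # Rule 2: Tier 0 accounts are only usable inside an approved elevation window.
    if acct_tier == 0 and not any(
            e.account == ev.account and e.start <= ev.when <= e.end for e in elevations):
        findings.append(f"Tier 0 use outside approved window: {ev.account} at {ev.when:%H:%M}")
    return findings

def audit(events: list[LogonEvent], elevations: list[Elevation]) -> dict[int, list[str]]:
    """Map event index -> findings for every non-compliant event."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev, elevations))}

# Constructed sample data: one two-hour approved elevation and five logon events.
ELEVATIONS = [Elevation("REDFOREST\\t0-admin", datetime(2024, 5, 1, 9), datetime(2024, 5, 1, 11))]
EVENTS = [
    LogonEvent(datetime(2024, 5, 1, 9, 30), "REDFOREST\\t0-admin", "dc01.redforest.local", 10),  # ok
    LogonEvent(datetime(2024, 5, 1, 9, 40), "REDFOREST\\t0-admin", "ws042.users.local", 10),     # Tier 0 -> Tier 2
    LogonEvent(datetime(2024, 5, 1, 14, 0), "RESOURCE\\t1-admin", "app01.resource.local", 2),    # ok
    LogonEvent(datetime(2024, 5, 1, 14, 5), "USERS\\t2-admin", "app01.resource.local", 10),      # Tier 2 -> Tier 1
    LogonEvent(datetime(2024, 5, 1, 23, 15), "REDFOREST\\t0-admin", "dc01.redforest.local", 10), # outside window
]

if __name__ == "__main__":
    for idx, found in audit(EVENTS, ELEVATIONS).items():
        print(idx, *found, sep="\n  ")
```

In production the events would come from a SIEM or the Security event log rather than a constructed list, and the elevation windows from the approval workflow's audit trail.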

Whether an organisation is a multinational with millions of users or has a single-forest architecture, it is important to understand how administration tasks are done, the permissions required to accomplish them, and to whom the permissions and access are granted. While complex, the ESAE architecture does provide greater security and resiliency than a single AD forest with native permissions and roles, but the complexity of the overall solution may prevent a successful implementation and expose the organisation to vulnerabilities. Critical to any effective AD management is leveraging automation to apply effective controls, from administrative password cycling to session management, to protect the enterprise from growing privileged account attacks.