Microsoft has recently released new guidelines on how organizations should handle privileged access within Active Directory (AD). A crucial aspect of these guidelines is a transition away from the Tiered Access Model (TAM) and the Enhanced Security Admin Environment (ESAE), more commonly known as the Active Directory Red Forest, in favour of the Enterprise Access Model (EAM). This article explains the limitations of the older models and outlines the fundamental principles underlying EAM.
What is the Active Directory Red Forest Model?
The Active Directory (AD) Red Forest, also known as the Enhanced Security Administrative Environment (ESAE), helps prevent credential theft attacks by limiting the exposure of administrative credentials. It is built on an AD administrative tier model that places buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers most often target. The model has three tiers and covers only administrative accounts, not standard user accounts.
- Tier 0: This tier involves having direct control over the enterprise identities within the system. All accounts, groups, and assets that have administrative control over the Active Directory forest, domains, or domain controllers, fall under Tier 0. Since they are in control of each other, all Tier 0 assets are considered equally sensitive in terms of security.
- Tier 1: This tier includes the control of enterprise servers and applications. The administrator accounts of this tier have the power to control a significant amount of business value. For instance, server administrators who maintain the operating systems can significantly impact enterprise services.
- Tier 2: This tier includes administrative control over user workstations and devices. Any administrator accounts with control over a significant number of user workstations and devices fall under Tier 2. Examples of such roles include Help Desk and computer support administrators who can significantly impair the integrity of user data.
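The buffer zones between tiers only hold if higher-tier credentials never land on lower-tier hosts, so the rule is worth enforcing in telemetry. The following is an added example, not code from the original article or from Microsoft: it maps constructed account and host names to tiers and flags any credential-exposing logon (modelled on Windows Event ID 4624 records, also constructed) where a Tier 0 or Tier 1 account authenticates interactively to a lower-tier host.

```python
"""Tier-crossing logon detector: added example, not code from the original article.
A Tier 0 credential exposed on a Tier 1/2 host can be harvested by whoever controls
that host, which is the risk the tier buffer zones exist to prevent. Names and log
records below are constructed for illustration."""
from dataclasses import dataclass

# Assumed tiering tables; a real deployment derives them from group membership
# (e.g. Domain Admins -> Tier 0) and the OU placement of computer objects.
ACCOUNT_TIER = {"CORP\\da-jsmith": 0, "CORP\\srv-admin": 1, "CORP\\hd-operator": 2}
HOST_TIER = {"DC01": 0, "PAW-T0-01": 0, "APP01": 1, "SQL02": 1, "WKS-1043": 2, "WKS-2210": 2}
# Windows logon types that leave reusable credentials on the target host:
# 2 interactive, 4 batch, 5 service, 10 RemoteInteractive (RDP). Type 3 (network) does not.
EXPOSING_LOGON_TYPES = {2, 4, 5, 10}

@dataclass
class Logon:
    account: str
    host: str
    logon_type: int

def parse_event(line):
    """Parse a constructed 'EventID key=value ...' record modelled on Event ID 4624."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Logon(fields["Account"], fields["Host"], int(fields["LogonType"]))

def find_tier_violations(events):
    """Return (account, host, account_tier, host_tier) for every exposing logon of a
    higher-tier (lower-numbered) account onto a lower-tier host. Unknown accounts or
    hosts are skipped: that is an inventory gap, not a tiering decision."""
    violations = []
    for ev in events:
        if ev.logon_type not in EXPOSING_LOGON_TYPES:
            continue
        a_tier, h_tier = ACCOUNT_TIER.get(ev.account), HOST_TIER.get(ev.host)
        if a_tier is not None and h_tier is not None and a_tier < h_tier:
            violations.append((ev.account, ev.host, a_tier, h_tier))
    return violations

SAMPLE_EVENTS = [  # constructed security-log records
    "4624 Account=CORP\\da-jsmith Host=DC01 LogonType=2",        # Tier 0 on Tier 0: fine
    "4624 Account=CORP\\da-jsmith Host=WKS-1043 LogonType=10",   # Tier 0 RDP to a workstation: violation
    "4624 Account=CORP\\srv-admin Host=APP01 LogonType=10",      # Tier 1 on Tier 1: fine
    "4624 Account=CORP\\srv-admin Host=WKS-2210 LogonType=2",    # Tier 1 on Tier 2: violation
    "4624 Account=CORP\\srv-admin Host=WKS-2210 LogonType=3",    # network logon, no cached secret: skipped
    "4624 Account=CORP\\hd-operator Host=WKS-1043 LogonType=2",  # Tier 2 on Tier 2: fine
]

if __name__ == "__main__":
    for acct, host, at, ht in find_tier_violations(map(parse_event, SAMPLE_EVENTS)):
        print(f"TIER VIOLATION: Tier {at} account {acct} logged on to Tier {ht} host {host}")
```

Network (type 3) logons are excluded on purpose: they do not leave reusable secrets on the target, so they are not a credential-exposure event in this model.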
The Limitations of the Red Forest Model
Organizations might opt to use an AD Red Forest to safeguard their most sensitive credentials. However, they may face two significant challenges if they do. The first issue is the high cost of implementation. Using the Red Forest model can put a strain on time and resources, requiring the creation of an administrative forest, setting up the appropriate accounts, arranging system access, carefully managing the forest and maintaining separate infrastructure for patching, backups, and monitoring. The second challenge relates to how hard it is to secure modern IT environments. The Red Forest model was designed for on-premises AD environments. However, these days companies use multiple cloud platforms and identity management providers that stretch beyond the scope of AD. Since privileged access must be controlled across the entire IT environment, security models that only cover local environments will not typically suffice.
The Tiered Access Model
The foundation of the Tiered Access Model (TAM), like ESAE, is the Bell-LaPadula model established in the 1970s. Despite being revamped, TAM remains in use and can be integrated into Azure AD by mapping its distinct access levels to individual Azure AD functions. Although Azure AD offers strong controls for its privileged roles, such as cloud-only accounts with PIM enabled, FIDO2 authentication tokens, and Azure-managed workstations, layering Conditional Access policies on top complicates the security process. Moreover, there is no direct translation from AD tiers to Azure AD, which makes the transition messy.
What is the Enterprise Access Model?
One major benefit of using the Enterprise Access Model is that Active Directory does not hold full control over access. Instead, access is determined by three essential layers:
- Control plane – The identity systems, networks, and other locations that manage access form the control plane, which only highly trusted devices and credentials may administer.
- Management plane – This layer manages data, applications, and services (similar to Tier 1). Access is delegated along several vectors, such as cloud-based systems, organizational hierarchy, and the data/workload plane.
- Data/workload plane – This layer handles user access, including employees, contractors, partners, and customers, and the devices they use. Microsoft Intune, part of Microsoft Endpoint Manager, can help to manage these devices.
Core Principles of the Enterprise Access Model
The Enterprise Access Model acknowledges that the scope of Active Directory is limited, and thus incorporates the following security principles to safeguard sensitive data:
- The Principle of Least Privilege (PoLP): While advanced cloud-based controls that use AI/ML are effective for detecting and responding to attacks, we still need to tightly control access using the least-privilege model, and not only for user accounts but also for administrative, service, and application accounts.
- Never trust, always verify: In today's distributed and dynamic IT environments, a Zero Trust architecture is required. Zero Trust uses signals to make access decisions while still providing a seamless and secure user experience. For example, if someone with the right permissions tries to access a system from an outdated device, or has disabled their screen lock, their access may be blocked outright, additional verification may be required, or only non-sensitive information may be made available.
- Consistent policy enforcement: Policies must be consistent for all users and resources, even across different locations. Access to resources should primarily go through Azure AD, with minimal interaction with legacy infrastructure such as AD. Device management should be done through Microsoft Intune (as mentioned above). Passwordless access is a modern way of controlling access and creates a better user experience.
- Preventing privilege escalation: In addition to implementing strict access controls, we should also use network segregation and limit service account reuse. It is important to manage service principals and enterprise apps in Azure AD and to closely scrutinize requests for elevated privileges, as vendors may request more privileges than necessary. We should also be cautious about granting Domain Admin membership, to prevent adversaries from gaining greater access.
How to Improve Active Directory Forest Design for Better Security
The NIST Cybersecurity Framework can help us develop a strong security strategy, including identifying and safeguarding sensitive data, monitoring for suspicious activity, and having a plan to respond quickly to threats and recover from attacks. To achieve these goals, companies should encrypt data, control network access, regularly update security software, and train employees on cybersecurity. They should also create formal policies for device disposal, notifying relevant parties, investigating and containing attacks, and keeping business operations running during recovery.
How Lepide Helps Manage Privileged Access
If the Enterprise Access Model is not sufficient, the Lepide Auditor for Active Directory is a great alternative. It can help you find privileged user accounts in Active Directory and track their activities. Any time privileged accounts are accessed or used in an atypical manner, real-time alerts can be sent to your inbox or mobile device.
If you’d like to see how the Lepide Auditor can help to secure your AD forest, schedule a demo with one of our engineers.