This guest blog was contributed by Mickey Bresman, CEO of Semperis.
If you haven't heard, Microsoft recently retired the Red Forest (aka Enhanced Security Admin Environment, or ESAE), a practice that has been recommended by Microsoft for the past decade and has gained higher interest from organizations in recent years. Microsoft introduced the Red Forest concept to address the problem of lateral movement and privilege escalation in an on-premises Active Directory (AD) environment. The idea behind the Red Forest was to create a separate, trusted AD forest where administrative credentials would reside.
The Red Forest architecture gained interest as a response to ever-rising cyber-attacks, especially because many attackers gain entry to companies’ systems through weak spots in identity systems. The most recent—and the most widespread to date—is the Microsoft Exchange Server attack by Hafnium, in which attackers gained access to Exchange Servers either through bugs or stolen credentials. This attack reportedly affected at least 30,000 companies. But although protecting credentials is now top of mind for every organization, the Red Forest approach hasn’t been a cure-all. Although promising in theory, the architecture proved unviable in practice because of its complexity and operational costs. It’s time to reconsider the approach.
What follows the Red Forest?
What follows after Red Forest depends on your specific organization. If you have already deployed a Red Forest in your organization, no need to rush and change. The architecture works, and Microsoft will continue to support it. In fact, Microsoft specifies a limited number of use cases in which the Red Forest approach still makes sense:
On-premises environments where cloud services aren’t available, such as utilities or public-sector entities that rely on on-premises technology
Highly regulated environments such as those in government sectors
Environments with high-level security mandates
In Microsoft’s guidance, for these types of scenarios, the additional complexity and resource cost of maintaining the Red Forest implementation are justified. But if you were in the planning or consideration stage of deploying a Red Forest, now would be a good time to reconsider.
What I’ve seen in IT over decades is that basic security and configuration advice—often as old as the product it was written for—is still rarely implemented. Though the advice may not be as trendy as the latest security buzzwords, it still applies. The Microsoft guidance “Protect & Monitor Identity Systems” is not new, but it remains a key initiative in the Microsoft privileged access strategy.
The reality is that the original intent and the reason behind the Red Forest architecture—the rise in cyber-attacks targeting Active Directory and the need for companies to do a better job in protecting it—haven’t improved. On the contrary, the number of cyber-attacks has only grown, with about 80% of them involving the abuse of identity systems. Red Forest was a great concept that simply turned out to be too complicated to manage and couldn’t meet the needs of most organizations.
With the above in mind, I feel very comfortable echoing Microsoft’s recent recommendation to protect and monitor identity systems, including directories, identity management, admin accounts, and consent grants. Active Directory is at the heart of your business, and the impact of its being compromised is as high as it gets.
The Microsoft warnings outlined in the privileged access management document are urgent. As John Flores wrote, “It is difficult to overstate the potential business impact and damage of a loss to privileged access. Attackers with privileged access effectively have full control of all enterprise assets and resources, giving them the ability to disclose any confidential data, stop all business processes, or subvert business processes and machines to damage property, hurt people, or worse.”
Take steps to secure Active Directory
With the demise of the Red Forest approach to addressing privilege escalation, I recommend that organizations follow these practices for securing Active Directory, the identity system used by 90 percent of companies.
Assess the security state of your AD environment on an ongoing basis. Implement frequent red-teaming activities combined with third-party solutions that scan your environment for configuration vulnerabilities, looking for indicators of compromise (IOCs) and indicators of exposure (IOEs). Ensure that you are notified before an exposure turns into an attack. In addition to applying security patches, scanning your system for IOCs and IOEs is one of the top recommendations from Microsoft for guarding against the fallout from attacks like the Exchange Server Hafnium breach.
Deploy a third-party solution that can help you detect attacks in your environment, especially sophisticated ones that leave no trace in the standard Windows event logs (DCShadow is one example that comes to mind). A good solution should provide a high level of data integrity, a notification mechanism, and, ideally, automated incident response capabilities. (Sometimes, by the time a human analyst sees the notification, it’s already too late.)
Because many of the recent attacks are destructive in nature (ransomware), make sure you have a good backup and disaster recovery solution in place. Test it regularly so you can be confident in your ability to recover quickly when required. Trust me, no one wants to pay a ransom, but refusing is a hard decision to make unless you have another option.
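As an added example (not part of the original post or any product mentioned in it), here is one low-cost check a defender can run alongside a detection product: a DCShadow push must register a replication service (nTDSDSA) object in the configuration partition, so listing those objects and comparing them against the domain controllers the forest actually knows about exposes a rogue registration. It assumes the ActiveDirectory RSAT module and read access to the configuration partition; the function name is mine.

```powershell
# Added example: inventory every host that advertises itself as a replication
# partner and flag any that is not a known domain controller.
Import-Module ActiveDirectory

function Get-UnexpectedDsaObject {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $sitesDn  = "CN=Sites,$configNC"

    # Each "CN=NTDS Settings" (nTDSDSA) object marks its parent server object
    # as a replication partner. Only legitimate DCs should have one.
    $dsaObjects = Get-ADObject -SearchBase $sitesDn `
                               -LDAPFilter '(objectClass=nTDSDSA)'

    # Known DCs across every domain in the forest, because the configuration
    # partition holds server objects for all of them.
    $knownDCs = foreach ($domain in (Get-ADForest).Domains) {
        (Get-ADDomainController -Filter * -Server $domain).Name |
            ForEach-Object { $_.ToUpperInvariant() }
    }

    foreach ($dsa in $dsaObjects) {
        # Parent of CN=NTDS Settings is CN=<hostname>,CN=Servers,CN=<site>,...
        $serverDn   = ($dsa.DistinguishedName -split ',', 2)[1]
        $serverName = (($serverDn -split ',')[0] -replace '^CN=', '').ToUpperInvariant()
        if ($knownDCs -notcontains $serverName) {
            [PSCustomObject]@{ ServerName = $serverName; ServerDN = $serverDn }
        }
    }
}

Get-UnexpectedDsaObject | Format-Table -AutoSize
```

Because a DCShadow push removes its objects once the replication completes, this is a point-in-time check that catches in-progress or lingering registrations; it complements continuous change monitoring rather than replacing it.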
Don’t neglect tried-and-true AD security measures
In the end, any organization’s most valuable information assets will be vulnerable to attack if basic security measures aren’t defined and—most important—followed. Regardless of whether you continue to use the Red Forest approach—despite the complexity and resource costs—protecting Active Directory from intrusion is a fundamental building block in a comprehensive security strategy.