Question about ESAE : What is the benefit to have a dedicated forest ?

    Question

  • Hi,

    I have a basic question. I always read that having a dedicated forest for admin purpose is "the best".

    I read it too with the ESAE concept (http://aka.ms/esae).

    In this scenario, the admin users located in the ESAE Admin forest can connect to Tier 0 (domain controllers of the Production AD, etc.) through RDP, for example.

    But, if they can connect with RDP to "Tier 0", what is the benefit of such an admin forest, as the admins will leave their credentials on the remote host as written here: https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#a-nameatltbmaadministrative-tools-and-logon-types

    And so mimidogz, blah blah blah ;-)

    So, basic question. Why an ESAE admin forest if those admins can connect with RDP to Production DCs?

    Thanks 


    Monday, February 27, 2017 10:12 PM

Answers

  • This is a good and fundamental question.

    Well, in order to answer this, we have to mention that a security approach should be taken into account when all other security approaches are considered also. Yes, you are right, Mimikatz can destroy the admin's account by revealing its password, but having said that, can we then say what is the point of physical security of domain controllers when Mimikatz can mess with the passwords? No, because each step in security is mostly dependent on the next step and the previous step. We cannot just enable a strict IPSec policy but have a weak password policy. It does not make any sense.

    The point of keeping administrative accounts in a separate forest is because of security boundaries. AFAIK the approach is to keep admin accounts in a separate forest and have a one-way trust relationship, which makes things a bit harder. In the case of Mimikatz, there are a couple of ways that you can defend your enterprise against it. One is to have the 2012 R2 functional level, which as a result will let you have a new group called 'Protected Users'. Users who reside in this group won't have their credentials cached. Also, do not forget, no admin will do all the job with their admin account. You do not need a domain admin of forest A in order to have a successful to a computer in forest B. Most of the things can be done by local admins and delegation. Read more here:


    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Tuesday, February 28, 2017 11:10 AM
    Moderator
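The answer above names two concrete controls: the 2012 R2 domain functional level that makes the 'Protected Users' group available, and a one-way trust between the admin forest and the production forest. The script below is an added example (not code from the thread or from either poster) that audits a domain for both: it checks the functional level, lists Tier 0 group members that are not yet in 'Protected Users', and prints the trust directions. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the domain; the group list in `$tier0Groups` is a starting point, not an exhaustive definition of Tier 0.

```powershell
# Added example (not from the thread): audit a domain for the two mitigations
# named in the answer. Assumes the ActiveDirectory module is available and the
# caller has read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 'Protected Users' is only honoured by DCs at domain functional level 2012 R2
# or higher. The ADDomainMode enum is ordered by release, so compare the values.
$minimumMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ([int]$domain.DomainMode -lt [int]$minimumMode) {
    Write-Warning "Domain functional level is $($domain.DomainMode); 'Protected Users' needs Windows2012R2Domain or higher."
}

# Well-known RID 525 is 'Protected Users'; resolving it by SID works even if
# the group has been renamed.
$protectedUsers   = Get-ADGroup -Identity "$($domain.DomainSID)-525"
$protectedMembers = Get-ADGroupMember -Identity $protectedUsers -Recursive |
    Select-Object -ExpandProperty DistinguishedName

# Groups treated here as Tier 0 (constructed list for the example; extend as needed).
# 'Enterprise Admins' and 'Schema Admins' only exist in the forest root domain.
$tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$findings = foreach ($groupName in $tier0Groups) {
    $group = Get-ADGroup -Identity $groupName -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # not present in this domain (e.g. a child domain)

    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object {
            $_.objectClass -eq 'user' -and
            $protectedMembers -notcontains $_.DistinguishedName
        } |
        ForEach-Object {
            [pscustomobject]@{
                Account          = $_.SamAccountName
                PrivilegedVia    = $groupName
                InProtectedUsers = $false
            }
        }
}

Write-Host "Tier 0 accounts NOT in 'Protected Users' (credentials may be cached on hosts they log on to):"
$findings | Sort-Object Account, PrivilegedVia -Unique | Format-Table -AutoSize

# The answer recommends a one-way trust from the production forest to the admin
# forest. Direction is reported from this domain's point of view; anything
# 'BiDirectional' towards an admin forest deserves a second look.
Write-Host "Trust relationships of $($domain.DNSRoot):"
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest |
    Format-Table -AutoSize
```

Run it once in the production domain and once in the admin forest: the first run should show an empty findings table (every Tier 0 account protected) and a single outbound trust, the second should show the matching inbound trust. Accounts that turn up in the findings are the ones whose credentials an RDP logon to a DC would still leave behind, which is exactly the exposure the question raises.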

All replies

  • Hi,

    >> Why ESAE admin forest if those admins can connect with RDP to Production DCs?

    Based on my understanding, ESAE indicates an attitude that Microsoft will enhance the security of authentication and authorization for the AD environment.

    Also, it encourages businesses to engage with the Microsoft Cybersecurity team and its partners directly.

    Using RDP to connect to remote DCs also needs to be authenticated by the AD domain.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 28, 2017 3:45 AM
    Moderator
  • Thank you Andy.

    Maybe I wasn't explicit enough.

    Forget about ESAE.

    I always read that a security best practice is to have a dedicated forest for admins and thanks to that the credentials of the admins will be protected.

    My question is: "why will the credentials be protected, as admins will open an RDP connection to Production DCs and so the hash will be on the production DCs (and so mimikatz on DCs will reveal the password exactly as if it was an admin on the Production AD)?"

    So why can we read that a dedicated forest for admins will prevent stolen credentials?

    Tuesday, February 28, 2017 9:06 AM