Windows Server 2016: Understanding Microsoft’s Enhanced Security Administrative Environment

August 5, 2020 by Martin6


In today’s Ask the Admin, I’ll look at Microsoft’s recommendations for securing Active Directory forests using its Enhanced Security Administrative Environment (ESAE) model.

It is no secret that security is a major headache for organizations in today’s Internet-connected landscape, but securing existing production Active Directory (AD) forests is difficult for two reasons. First, in many cases production forests may already be compromised, and the only way to be sure that attackers no longer have control is to rebuild the forest from scratch, a task that is costly and unrealistic in many cases. Second, it may not be possible to harden production forests enough to provide sufficient protection for highly privileged domain accounts without breaking functionality in the domain.

To address these issues, new features in Windows Server 2016, including Shadow Principals and short-lived AD groups, help businesses take control of production Active Directory (AD) forests by implementing a specially hardened AD forest for administration. Microsoft’s complete solution for this is ESAE. Not only does ESAE allow better security to be applied to privileged accounts but it also allows the provisioning of standard user accounts in the administrative forest that are granted Just-in-Time (JIT) administrative access to production forests.

Enhanced Security Administrative Environment admin forest (Image Credit: Microsoft)

For more information on JIT administration, short-lived AD groups, and Privileged Identity Management (PIM) trusts, see Windows Server vNext Privileged Access Management and Windows Server 2016: Set Up Privileged Access Management on the Petri IT Knowledgebase.

ESAE Administration Forest Best Practices

In Windows Server 2016: Set Up Privileged Access Management on Petri, I outlined the technical steps for setting up an ESAE admin forest, configuring a PIM trust with an existing production forest, and setting up Shadow Principals to allow users in the ESAE admin forest to get time-limited access to the production forest.

Scope and Hardening

Because the admin forest controls access to production forests, it is essential to ensure that the admin forest is secure. One way of doing that is to limit its scope. The admin forest shouldn’t be used to host applications or services not related to the forest’s primary function. Keeping the scope of the admin forest limited to administration of privileged accounts also ensures that adding an additional forest doesn’t increase complexity in your environment beyond what is unavoidable.

The production forest should be configured with a one-way PIM cross-forest or domain trust to the admin forest. Some applications in the production forest may require that a two-way trust is established with the admin forest.

Users in the admin forest that are granted privileged access to production forests should never have privileged accounts in the admin forest. They should always be standard users. And administrative access to the admin forest must be strictly controlled using a manual process. The admin forest should be locked down using the security settings provided in Microsoft’s Security Compliance Toolkit and OS updates applied as soon as they are available.

Access to the admin forest should be performed from Privileged Access Workstations (PAWs), i.e. workstations specially hardened for use with admin forest accounts. Other security best practices should be used to secure the admin forest, including BitLocker full-drive encryption, network isolation, USB port restrictions, Secure Boot, multi-factor authentication, physical security, and antimalware.
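One way to check the rule above, that JIT users in the admin forest are standard users only, is to audit every Shadow Principal against the admin forest’s own privileged groups. This is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory module, a session against an admin forest domain controller, and the default Shadow Principal Configuration container location.

```powershell
# Added example (not from the original article): list every member of every
# Shadow Principal in the ESAE admin forest and flag members that also belong
# to a privileged group of the admin forest itself (a best-practice violation).
Import-Module ActiveDirectory

function Get-ShadowPrincipalPrivilegedMembers {
    $rootDse  = Get-ADRootDSE
    # Shadow Principals live under the configuration partition of the admin forest
    $shadowCn = "CN=Shadow Principal Configuration,CN=Services,$($rootDse.configurationNamingContext)"

    # Admin-forest groups a JIT (standard) user must never be a member of.
    # Enterprise/Schema Admins only exist in the forest root domain; errors are ignored.
    $privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Administrators', 'Account Operators'
    # Resolve nested membership once up front so a user hidden two groups deep is caught
    $privMembers = foreach ($g in $privGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DistinguishedName
    }

    $shadows = Get-ADObject -SearchBase $shadowCn `
                            -LDAPFilter '(objectClass=msDS-ShadowPrincipal)' `
                            -Properties member, 'msDS-ShadowPrincipalSid'
    foreach ($sp in $shadows) {
        # 'member' holds the (possibly time-limited) admin forest users mapped to the
        # production group whose SID is stored in msDS-ShadowPrincipalSid
        foreach ($memberDn in @($sp.member)) {
            $violating = $privMembers -contains $memberDn
            [pscustomobject]@{
                ShadowPrincipal        = $sp.Name
                ProductionSid          = [string]$sp.'msDS-ShadowPrincipalSid'
                Member                 = $memberDn
                AdminForestPrivileged  = $violating
            }
        }
    }
}

# Report only the accounts that break the "standard users only" rule
Get-ShadowPrincipalPrivilegedMembers | Where-Object AdminForestPrivileged | Format-Table -AutoSize
```

An empty result is the expected state; any row returned names an admin forest account that holds both JIT production access and standing admin forest privilege.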

Group Policy

Using Shadow Principals, you can grant admin forest users BUILTIN\Administrators or Domain Admins access to production forests. One restriction is that admin forest users granted this access won’t be able to modify Group Policy as users from an external forest. Because Domain Admins is a global group, users from external forests can’t be added. What this means in practice is that while you can add an admin forest user to a Shadow Principal that represents the Domain Admins group in a production forest, when the admin forest user logs in to the production domain, they will be assigned BUILTIN\Administrators privileges.

To allow admin forest users to modify existing Group Policy Objects (GPOs), you will need to modify the security permissions on the AD container for each GPO (CN={GPO_GUID},CN=System,DC=domain…) using ADSI Edit. To ensure that admin forest users can create and modify new GPOs in the production forest, you will need to modify the DefaultSecurityDescriptor attribute on the Group Policy container (groupPolicyContainer) classSchema object in the production forest schema. For more information about changing GPO permissions, see Microsoft’s documentation.
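Because the GPO container permissions described above are edited by hand, it is worth auditing afterwards which identities actually hold write-class rights on each GPO in the production domain and which of them come from outside the domain. This is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory and GroupPolicy modules, a session in the production domain, and the standard GPO container location under CN=Policies,CN=System.

```powershell
# Added example (not from the original article): enumerate every GPO container in
# the production domain and report identities with write-class rights on it,
# marking identities that are not from this domain (for example admin forest users
# reached over the PIM trust, or SIDs that no longer resolve at all).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoWriteAccess {
    $domain     = Get-ADDomain
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    $localOk    = @($domain.NetBIOSName, 'BUILTIN', 'NT AUTHORITY')

    # Any of these rights lets a principal change a GPO's content or its security
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl     -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner    -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($gpo in Get-GPO -All) {
        # The container name is the GPO GUID in braces, under CN=Policies,CN=System
        $acl = Get-Acl -Path "AD:\CN={$($gpo.Id)},$policiesDn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }

            $identity = $ace.IdentityReference.Value
            # Unresolvable SIDs come back as raw S-1-5-... strings; resolvable accounts
            # carry a DOMAIN\ prefix that we compare against this domain's own names
            $prefix = if ($identity -match '\\') { $identity.Split('\')[0] } else { $null }
            $foreign = ($identity -like 'S-1-*') -or ($prefix -notin $localOk)

            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                Identity  = $identity
                Rights    = [string]$ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                Foreign   = $foreign
            }
        }
    }
}

# Show only out-of-domain identities that can change a GPO
Get-GpoWriteAccess | Where-Object Foreign | Sort-Object GPO, Identity | Format-Table -AutoSize
```

Rows marked Foreign should correspond one-to-one with the admin forest principals you deliberately granted; anything else, in particular an orphaned SID with write rights, warrants investigation.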

Microsoft Identity Manager

Privileged access to production forests should be controlled using a workflow. Microsoft Identity Manager (MIM) is naturally the recommended solution but it needs to be licensed separately.

MIM allows organizations to create groups with ‘prospective’ membership. When a user requires privileged access to a production forest, their prospective group membership in the admin forest can be ‘enabled’ for a limited period of time using MIM.

The technical components required to implement ESAE are included out-of-the-box in Windows Server 2016. The production forest must be running Windows Server 2012 R2 or Windows Server 2016 forest-level Active Directory. MIM isn’t a requirement. You could implement your own homegrown solution to implement a workflow or use a third-party identity management system.

Get a Grip on Security

In an ideal world, Active Directory and server security would be a top priority and baked in from the get-go. Complex enterprise systems often evolve without due consideration for security, and starting over is rarely an option. Microsoft’s ESAE solution is a compromise: while it adds complexity, that complexity can be reined in by limiting the forest’s scope, and it can also improve security for production domains.

ESAE may work for many companies but it won’t work everywhere. Not all applications can be managed by users from external forests. In these cases, you could consider a partial ESAE implementation. Microsoft isn’t sharing exactly how it does its own ESAE. And while the technical requirements are easy enough to implement, ESAE is only valuable if you carefully follow best practices to secure the admin forest.

If you want more information on how to set up ESAE using Windows Server 2016 Shadow Principals and a PIM trust, be sure to check out Windows Server 2016: Set Up Privileged Access Management on the Petri IT Knowledgebase.

The post Windows Server 2016: Understanding Microsoft’s Enhanced Security Administrative Environment appeared first on Petri.

