The organization must have a sophisticated security program to measure risk, monitor risk, and apply consistent operational rigor to the usage and maintenance of the ESAE implementation. In these exception cases, the organization must accept the increased technical complexity and operational costs of the solution. While not a mainstream recommendation, this architectural pattern is valid in a limited set of scenarios. The cloud based privileged access strategy provides protections and monitoring for a much larger set of sensitive users, while providing incremental lower-cost steps to rapidly build security assurances. ESAE implementations are designed to protect only Windows Server Active Directory administrators. While still valid for specific use cases, ESAE hardened forest implementations are more costly and more difficult to use, requiring more operational support compared to the newer cloud-based solution (due to the complex nature of that architecture). The privileged access strategy provides protections and monitoring for a much larger set of sensitive users, while providing incremental lower-cost steps to rapidly build security assurances. Microsoft recommends the new cloud-based solutions because they can be deployed more quickly to protect a broader scope of administrative and business-sensitive roles and systems. ESAE / hardened forest implementations focus on protecting Windows Server Active Directory administrators. When ESAE was originally designed 10 years ago, the focus was on on-premise environments with AD as the local identity provider. For more information, see the article Securing privileged access security levels. This complements an existing ESAE implementation and provides appropriate security for roles not already protected by ESAE including Azure AD Global Administrators, sensitive business users, and standard enterprise users. Microsoft also recommends organizations with ESAE / hardened forests adopt the modern privileged access strategy using the rapid modernization plan (RAMP) guidance. As with any enterprise systems, you should maintain the software in it by applying security updates and ensuring software is within support lifecycle. What if I already have ESAE?įor customers that have already deployed this architecture to enhance security and/or simplify multi-forest management, there is no urgency to retire or replace an ESAE implementation if it's being operated as designed and intended. The ESAE hardened administrative forest pattern (on-prem or cloud-based) is now considered a custom configuration suitable only for exception cases listed below. Microsoft’s recommendation to use this architectural pattern has been replaced by the modern privileged access strategy and rapid modernization plan (RAMP) guidance as the default recommended approach for securing privileged users. The Enhanced Security Admin Environment (ESAE) architecture (often referred to as red forest, admin forest, or hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD) administrators.
0 Comments
Leave a Reply. |