Deploying Red Forest and IAM in Active Directory environments
When it comes to Active Directory security, many companies rely on technologies and recommendations from Microsoft. Until now, the Enhanced Security Admin Environment (ESAE) was the approach of choice. Active Directory Red Forests were used for this purpose.
Despite numerous developments in this area, one thing is certain: the Red Forest approach will continue to be used, especially if companies work with Active Directory on-premises and do not use Entra ID in parallel.
This article gives an overview of how Red Forests are used to run Active Directory more securely, how relevant the approach still is today, and what the recent enhancements add.
Red Forest is ideal for on-premises AD
The Enhanced Security Admin Environment (ESAE) uses a separate, hardened Active Directory structure. This is called Red Forest, Admin Forest or Hardened Forest.
The main point is that the workstations of administrators and other privileged accounts, together with the infrastructure that supports them, are hardened particularly well. This approach is most useful for environments that operate Active Directory on-premises, i.e. entirely within their own network.
As more and more companies use Entra ID in parallel, this approach alone is often no longer sufficient to operate a network securely. Here it makes sense to add an extension that carries many of the security controls into the cloud. Locally, Red Forests remain an ideal choice for raising the security of Active Directory environments.
ESAE has been established for years, and companies that do not use Entra ID continue to rely on it. Where cloud technologies are used alongside Active Directory, especially for authentication, two-factor authentication and the Microsoft Authenticator app play an essential role, as does a better organised structure for managing authorisations. These can be integrated with ESAE and help adapt Red Forests to work with Entra ID.
How the Red Forest approach works in Active Directory
If an environment with sensitive network data is to be reliably protected, a Red Forest makes sense, particularly in highly secure environments that are focused on on-premises use. Since three forests are used, several domain controllers are also needed, spread across those forests. These must be carefully managed, secured and monitored to gain the full security benefit. The infrastructure is therefore worthwhile above all where the protection gained justifies the added complexity.
In an environment with a Red Forest, the forest holding the resources trusts both the Red Forest and the forest holding the user accounts. The user forest in turn trusts the Red Forest. This protects the NTLM hashes in Active Directory on the resource and user side from attacks. The user and resource forests trust the accounts in the Red Forest through one-way trusts only, so the Red Forest never trusts the other forests. This produces a tiered model of administration:
- Tier 0 – The administrative user accounts and groups are located in the Red Forest and control the AD accounts. Privileged Access Workstations (PAW), which are configured in a particularly secure way, are used as workstations. Tier 0 accounts may only log on to devices and systems in the Red Forest, never to other systems. This logon restriction can be managed via IAM systems such as the IDM-Portal.
- Tier 1 – Tier 1 accounts are located in the resource and user forests. Logging on is only possible within the respective forest. These accounts may likewise only be managed from a PAW that is a member of the respective forest.
- Tier 2 – Tier 2 administrator accounts manage the user accounts and computers of the end users.
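The trust directions described above can be checked mechanically. This is an added example, not code from the article or from the IDM-Portal: the trust records are constructed sample data in the shape of the Source, Target and Direction fields that Get-ADTrust reports from each forest, and the forest names are placeholders.

```python
"""Validate a three-forest Red Forest topology from exported trust records.

Constructed example (not IDM-Portal code). Direction is read from the
Source forest's point of view, as Get-ADTrust reports it:
  Outbound      = Source trusts Target (Target's accounts may access Source)
  Inbound       = Target trusts Source
  BiDirectional = both
"""

# Constructed sample export: each forest lists the trusts it sees.
TRUSTS = [
    {"source": "resource.example", "target": "red.example",      "direction": "Outbound"},
    {"source": "resource.example", "target": "user.example",     "direction": "Outbound"},
    {"source": "user.example",     "target": "red.example",      "direction": "Outbound"},
    {"source": "red.example",      "target": "resource.example", "direction": "Inbound"},
    {"source": "red.example",      "target": "user.example",     "direction": "Inbound"},
]


def trusting_pairs(trusts):
    """Normalise every record to (trusting_forest, trusted_forest) pairs.

    Both sides of a trust export the same relationship, so the set
    de-duplicates the two views of one trust.
    """
    pairs = set()
    for t in trusts:
        direction = t["direction"].lower()
        if direction in ("outbound", "bidirectional"):
            pairs.add((t["source"], t["target"]))
        if direction in ("inbound", "bidirectional"):
            pairs.add((t["target"], t["source"]))
    return pairs


def forests_accessible_by(accounts_forest, trusts):
    """Forests whose resources accounts from accounts_forest can reach.

    Forest trusts are not transitive across forests, so only direct
    trusts count; no graph walk is needed.
    """
    return {trusting for trusting, trusted in trusting_pairs(trusts)
            if trusted == accounts_forest}


def red_forest_violations(red, trusts):
    """Forests the Red Forest trusts. Any entry means accounts from
    outside Tier 0 could authenticate into the Red Forest."""
    return sorted(trusted for trusting, trusted in trusting_pairs(trusts)
                  if trusting == red)
```

Feeding a real export through the same functions flags any trust where the Red Forest has become the trusting side, for example a trust accidentally created as bidirectional.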
What are the pros and cons of a Red Forest?
A Red Forest (Enhanced Security Admin Environment, ESAE) offers risk management for local Active Directory environments: the entire environment does not have to be rebuilt in the event of an attack. Because the forests are linked primarily by one-way trusts and the accounts of each forest are kept separate, a compromised forest can simply be removed from the environment. The other two forests continue to run and are connected to the replacement forest once it has been rebuilt.
The challenges of such an environment are first of all the numerous additional servers, the complexity of the environment and the many administrator accounts required for the different deployments. Where external authentication mechanisms such as Entra ID are used alongside a Red Forest, the setup should be modernised, since the hybrid configuration opens additional attack vectors. This can be implemented quickly by following Microsoft's recommendations and the Rapid Modernisation Plan (RAMP).
User & access management in the Red Forest with IDM-Portal
When using a Red Forest, at least three forests are therefore in use:
- Red Forest
- Resource Forest
- User Forest
In all three forests, user accounts must be created uniformly and configured correctly. Authorisations play an important role here, as does the assignment of logon rights to workstations.
The uniform allocation of authorisations and the maintenance of this data should be handled by a system that can manage all three forests consistently, so that errors during set-up and administration are avoided. With the IDM-Portal, companies can apply uniform identity and access management as soon as new user accounts are created in Active Directory. Many tasks that arise when creating new users can be easily delegated by administrators via the IDM-Portal.
The IDM-Portal does not rely on proprietary technologies, but uses functions that Microsoft has integrated into Windows, Active Directory, Azure and Microsoft 365. To use the user accounts in Azure or Microsoft 365, the user accounts can be synchronised between Active Directory and Entra ID with the Windows tool Microsoft Entra Connect. The integration of standard tools into the IDM-Portal ensures that all tasks are traceable, fast and secure.
This allows the IDM-Portal to be used in environments that use Red Forest as well as in extended environments that use Zero Trust or are on the way to doing so. In all such scenarios, a well-structured user administration plays a crucial role.
Is a Red Forest also suitable for hybrid environments?
Enhancements to the ESAE
Microsoft recommends modernising with the Rapid Modernisation Plan (RAMP) when a Red Forest is used in hybrid environments with Entra ID. This extends the secure operation of Active Directory into the cloud. Multifactor authentication plays an important role here, in conjunction with authentication apps such as Microsoft Authenticator. At this point it makes sense to extend the privileged access strategy accordingly, which is where approaches such as the Enterprise Access Model come into play. This model extends the possibilities of the Enhanced Security Admin Environment.
With the new model, companies no longer rely exclusively on local AD environments, but also on Entra ID or other authentication models in parallel. Here, too, administration is carried out from specially secured devices, the Privileged Access Workstations (PAW). These do not lose their importance in the modern security approach and remain an essential part of the Enhanced Security Admin Environment.
The next level concerns the management of the environment's data, applications and services. These can be located in the local data centre, but also in the cloud (IaaS, PaaS, SaaS). Controlling user access to these resources can be done with services such as Microsoft Endpoint Manager. Synchronisation between AD and Entra ID is often used here.
Zero trust to protect user accounts
Zero trust plays an important role at all three levels, as does the protection of user accounts with modern technologies based on artificial intelligence and machine learning. Policies are increasingly used alongside compartmentalisation, as in the Red Forest approach. This addresses the need for systems to connect across data centres, including to cloud services, and to use user data and workloads both on-premises and from the cloud. The IDM-Portal, which supports all of these security approaches, again helps.
Summary
In practice, there are many companies that follow, implement or refresh a Red Forest strategy. Not all companies may use the cloud fully and choose a strict on-premises strategy to secure user accounts and data. For this, the Red Forest is still a good choice.
We would be happy to advise you on how to implement identity and access management in a Red Forest. As experts in the field of identity & access management for on-premises and cloud environments, we know what matters when it comes to user and authorisation management. Contact our friendly team.