Bastion Forest vs Red forest (ESAE)

JMN-2253 636 Reputation points
2021-07-19T21:59:39.967+00:00

Hi there,

I have done one Bastion forest implementation (PAM/MIM), but I always see on Microsoft Learn something called Red Forest (ESAE).

I always thought that when I'm implementing a Bastion forest, ESAE is included in my work.

So, can someone tell me if Bastion and Red are used interchangeably?

If they are not, can I just know what components are used for a Red Forest?

Thanks

Windows for business | Windows Server | User experience | Other
Microsoft Security | Microsoft Identity Manager

Accepted answer
  1. JiayaoZhu 3,926 Reputation points
    2021-07-20T08:59:32.267+00:00

    Hi,

    Thanks for posting on our forum!

    After my research, let me first clarify a couple of factors in your question, so that you can resolve the confusion yourself. PAM/MIM belongs to a feature called the shadow principal, and this feature, from my perspective, can be included in both a Bastion forest and a Red forest. In both forests, PAM/MIM can be used in a custom architecture for isolated environments where Internet access is not available, where this configuration is required by regulation, or in high-impact isolated environments like offline research laboratories and disconnected operational technology or supervisory control and data acquisition environments. So you can see, it is PAM/MIM that the Red forest contains.

    When it comes to Bastion forest vs Red forest (ESAE), they can be used interchangeably, and the former is the updated version of the latter. The Enhanced Security Admin Environment (ESAE) architecture (often referred to as red forest, admin forest, or hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD) administrators. However, Microsoft's recommendation to use this architectural pattern has been replaced by the modern privileged access strategy and rapid modernization plan (RAMP) guidance as the default recommended approach for securing privileged users. And a bastion forest is a kind of modern privileged access strategy. If you already have ESAE, there is no urgency to retire or replace an ESAE implementation if it's being operated as designed and intended. Microsoft also recommends that organizations with ESAE / hardened forests adopt the modern privileged access strategy using the rapid modernization plan (RAMP) guidance. If you do not have ESAE, we recommend that you directly use a Bastion forest to adopt the modern privileged access strategy.

    Here are some articles that can help you better understand the development of our security strategy for AD accounts:
    Understanding Microsoft’s New Privileged Access Management Strategy
    https://www.semperis.com/blog/good-riddance-red-forest-understanding-microsofts-new-privileged-access-management-strategy/

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Planning a bastion environment
    https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment

    ESAE Retirement
    https://learn.microsoft.com/en-us/security/compass/esae-retirement

    ESAE series part 3 – Privileged access management & the shadow principal feature
    https://www.teal-consulting.de/en/2018/08/14/esae-series-part-3-privileged-access-management-and-the-shadow-principal-feature/

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Thanks for your support! Besides, would you please help me by clicking "Accept Answer"? An accepted answer can be put on top of our forum, so that people who have a similar issue can get access to the solution more quickly.

    BR,
    Joan


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

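The answer above describes the shadow principal feature as the piece that PAM/MIM and a bastion forest have in common. The following is an added example, not code from the thread or from Microsoft's MIM documentation, showing the bastion-forest plumbing that MIM PAM drives for you, done directly with the ActiveDirectory PowerShell module: enabling the PAM optional feature, creating a shadow principal that carries a production group's SID, and granting a bastion account time-limited membership. The forest names (corp.local, bastion.local), the user name (priv.jdoe) and the one-hour TTL are assumptions chosen for illustration; the netdom trust command is shown as a comment because it runs on the production side with production credentials.

```powershell
# Added example (not from the original thread): what MIM PAM's New-PAMGroup /
# New-PAMRequest do underneath, issued by hand with the AD module.
# Assumptions (hypothetical names): production forest corp.local, bastion forest
# bastion.local, both resolvable; run on a bastion-forest DC as a bastion admin.
# Requires RSAT ActiveDirectory and a bastion forest at Windows Server 2016
# forest functional level or higher.
Import-Module ActiveDirectory

$ProdForest    = 'corp.local'      # assumption
$BastionForest = 'bastion.local'   # assumption

# 1. One-way PAM trust: the bastion forest trusts nothing; production trusts the
#    bastion forest and honours SID history so shadow-principal SIDs are kept in
#    the token. Run on a production DC with production admin credentials:
# netdom trust $ProdForest /domain:$BastionForest /add /enablePIMtrust:yes /enableSIDhistory:yes /quarantine:no

# 2. Enable the Privileged Access Management optional feature in the bastion
#    forest. Like the Recycle Bin feature, this cannot be disabled afterwards.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'" -Server $BastionForest
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $BastionForest -Confirm:$false
}

# 3. Create a shadow principal in the bastion forest carrying the SID of the
#    production group. Members of the shadow principal get that SID in their
#    token when they authenticate to production over the trust, while no account
#    or group for them exists in the production forest.
$prodGroup   = Get-ADGroup -Identity 'Domain Admins' -Server $ProdForest
$spContainer = 'CN=Shadow Principal Configuration,CN=Services,' +
               (Get-ADRootDSE -Server $BastionForest).configurationNamingContext
$spName      = "$($prodGroup.Name)-$ProdForest"
$sp = Get-ADObject -Filter "Name -eq '$spName'" -SearchBase $spContainer -Server $BastionForest
if (-not $sp) {
    $sp = New-ADObject -Type 'msDS-ShadowPrincipal' -Name $spName -Path $spContainer `
        -Server $BastionForest -PassThru `
        -OtherAttributes @{ 'msDS-ShadowPrincipalSid' = $prodGroup.SID }
}

# 4. Grant a bastion admin the production privilege for a bounded time using the
#    <TTL=seconds,DN> link syntax. When the TTL runs out the DC drops the link,
#    and Kerberos tickets issued in the meantime have their lifetime capped to
#    the remaining TTL, so the privilege really does lapse.
$bastionAdmin = Get-ADUser -Identity 'priv.jdoe' -Server $BastionForest   # assumption
$ttlSeconds   = 3600
Set-ADObject -Identity $sp -Server $BastionForest `
    -Add @{ 'member' = "<TTL=$ttlSeconds,$($bastionAdmin.DistinguishedName)>" }

# 5. Verify the shadow principal, its SID and current members.
Get-ADObject -Identity $sp -Server $BastionForest -Properties member, 'msDS-ShadowPrincipalSid' |
    Select-Object Name, 'msDS-ShadowPrincipalSid', member
# On a production host, logged on as bastion\priv.jdoe, "whoami /groups" should
# list $prodGroup.SID (shown by name when the production domain resolves it).
```

Two points worth checking in practice: the trust must be created with SID filtering disabled on the production side (the `/quarantine:no` and `/enableSIDhistory:yes` switches above), or the shadow principal's SID is stripped from the token and the membership is silently useless; and the production group SID in step 3 is the only link between the forests, so re-creating the production group (new SID) orphans the shadow principal.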

1 additional answer

  1. JMN-2253 636 Reputation points
    2021-07-20T17:21:12.17+00:00

    Hi Joan,

    Thank you very much, this is really helpful.

    All appreciation.
