Active Directory Red Forest Design aka Enhanced Security Administrative Environment (ESAE)

Overview

When you hear a coworker, a system administrator, or anyone else start talking about the Active Directory Red Forest level they are actually identifying the jargon for "Enhanced Security Administrative Environment" also known as ESAE. The ESAE leverages advanced technologies and recommended practices to provide an administrative environment and workstations with enhanced security protection. 

The Enhanced Security Administrative Environment (ESAE) offering is designed to help thwart a critical element of these credential theft attacks by limiting exposure of administrative credentials.

It is based on an Active Directory administrative tier model design. The purpose of this tiered model is to protect identity systems using a set of buffer zones between full control of the Environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise. The Tier model is composed of three levels and only includes administrative accounts, not standard user accounts:

Tier 0

Direct Control of enterprise identities in the environment. Tier 0 includes accounts, groups, and other assets that have direct or indirect administrative control of the Active Directory forest, domains, or domain controllers, and all the assets in it. The security sensitivity of all Tier 0 assets is equivalent as they are all effectively in control of each other.

Tier 1

Control of enterprise servers and applications. Tier 1 assets include server operating systems, cloud services, and enterprise applications. Tier 1 administrator accounts have administrative control of a significant amount of business value that is hosted on these assets. A common example role is server administrators who maintain these operating systems with the ability to impact all enterprise services.

Tier 2

Control of user workstations and devices. Tier 2 administrator accounts have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators because they can impact the integrity of almost any user data.

References

If you wish to dive deeper into this thought process you can access the Microsoft published resources below.

• ​Securing Privileged Access Reference Material
• http://download.microsoft.com/download/A/C/5/AC5D21A6-E04B-4DC4-B1F2-AE060319A4D7/Premier_Support_for_Security/Popis/Enhanced-Security-Admin-Environment-Solution-Datasheet-%5BEN%5D.pdf