The PAM approach with a bastion environment provided by MIM is intended to be used in a custom architecture for isolated environments where Internet access is not available, where this configuration is required by regulation, or in high impact isolated environments like offline research laboratories and disconnected operational technology or supervisory control and data acquisition environments. If your Active Directory is part of an Internet-connected environment, see securing privileged access for more information on where to start.

Best practice considerations

A dedicated administrative forest is a standard single domain Active Directory forest used for Active Directory management. A benefit to using administrative forests and domains is that they can have more security measures than production forests because of their limited use cases. These include restricting where administrative credentials are exposed, limiting role privileges of users in that forest, and ensuring administrative tasks are not performed on hosts used for standard user activities (for example, email and web browsing).

Additional techniques can be used in addition to the dedicated administrative forest. In situations in which a greater level of assurance is desired for the production forest without incurring the cost and complexity of a complete rebuild, an administrative forest can provide an environment that increases the assurance level of the production environment.

This architecture enables controls that aren't possible or easily configured in a single forest architecture. That includes provisioning accounts as standard non-privileged users in the administrative forest that are highly privileged in the production environment, enabling greater technical enforcement of governance. This architecture also enables the use of the selective authentication feature of a trust as a means to restrict logons (and credential exposure) to only authorized hosts. Furthermore, since this forest is separated and does not trust the organization's existing forests, a security compromise in another forest would not extend to this dedicated forest.

An administrative forest design has the following considerations:

Limited scope. The value of an admin forest is the high level of security assurance and reduced attack surface. The forest can house additional management functions and applications, but each increase in scope will increase the attack surface of the forest and its resources. The objective is to limit the functions of the forest to keep the attack surface minimal. According to the Tier model of partitioning administrative privileges, the accounts in a dedicated administrative forest should be in a single tier, typically either tier 0 or tier 1. If a forest is in tier 1, consider restricting it to a particular scope of application (e.g., finance apps) or user community (e.g., outsourced IT vendors).

The production CORP forest should trust the administrative PRIV forest, but not the other way around. This trust can be a domain trust or a forest trust. The admin forest domain does not need to trust the managed domains and forests to manage Active Directory, though additional applications may require a two-way trust relationship, security validation, and testing. Selective authentication should be used to ensure that accounts in the admin forest only use the appropriate production hosts. For maintaining domain controllers and delegating rights in Active Directory, this typically requires granting the "Allowed to logon" right for domain controllers to designated Tier 0 admin accounts in the admin forest. See Configuring Selective Authentication Settings for more information.

In order to ensure that the bastion environment is not impacted by existing or future security incidents in the organizational Active Directory, the following guidelines should be used when preparing systems for the bastion environment: Windows Servers should not be domain joined or leverage software or settings distribution from the existing environment.
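The two trust properties the design depends on, a one-way trust in which the production forest trusts the administrative forest (never the reverse) and selective authentication on that trust, can both be read back from the trust objects and checked on a schedule. The following PowerShell audit is an added example, not code from the original page or from Microsoft; it assumes hypothetical forest names corp.example.com (production) and priv.example.com (bastion), a host with the ActiveDirectory RSAT module, and read access to both forests.

```powershell
# Added example (not from the original page or from Microsoft's documentation):
# audit the trust between a production forest and the administrative (bastion)
# forest. Expected state: the trust is one-way (CORP trusts PRIV, PRIV does not
# trust CORP) and selective authentication is enabled, so PRIV accounts can only
# log on to CORP hosts that have explicitly been granted the per-host permission
# (shown in the GUI as "Allowed to Authenticate").
#
# Assumptions (hypothetical names): production forest corp.example.com, admin
# forest priv.example.com, ActiveDirectory module available, and the caller
# can read trust objects in both forests.

Import-Module ActiveDirectory

$ProdForest  = 'corp.example.com'   # assumed production (managed) forest
$AdminForest = 'priv.example.com'   # assumed administrative (bastion) forest

function Test-BastionTrust {
    param(
        [Parameter(Mandatory)] [string] $ManagedForest,
        [Parameter(Mandatory)] [string] $BastionForest
    )

    $findings = @()

    # Trust objects as stored in the managed (production) forest.
    $toBastion = Get-ADTrust -Filter * -Server $ManagedForest |
                 Where-Object { $_.Target -eq $BastionForest }

    if (-not $toBastion) {
        $findings += "No trust from $ManagedForest to $BastionForest found."
        return $findings
    }

    foreach ($t in $toBastion) {
        # Direction is relative to the forest holding the trust object.
        # 'Outbound' on the CORP side means CORP trusts PRIV, i.e. PRIV accounts
        # can be authenticated in CORP. 'Inbound' or 'BiDirectional' would also
        # let CORP accounts authenticate into PRIV, which the design forbids.
        if ($t.Direction -ne 'Outbound') {
            $findings += "Trust $($t.Name): direction is $($t.Direction); expected Outbound (CORP trusts PRIV only)."
        }

        # Selective authentication limits PRIV logons to hosts that carry the
        # per-host permission instead of every host in the trusting forest.
        if (-not $t.SelectiveAuthentication) {
            $findings += "Trust $($t.Name): selective authentication is disabled; every $ManagedForest host would accept $BastionForest logons."
        }
    }

    # The bastion forest must not trust the managed forest in return. Seen from
    # PRIV, the only acceptable trust object for CORP is an 'Inbound' one.
    try {
        $reverse = Get-ADTrust -Filter * -Server $BastionForest |
                   Where-Object { $_.Target -eq $ManagedForest -and $_.Direction -ne 'Inbound' }
        foreach ($r in $reverse) {
            $findings += "$BastionForest trusts $ManagedForest (direction $($r.Direction)); the admin forest should not trust production."
        }
    } catch {
        $findings += "Could not query $BastionForest for trusts: $($_.Exception.Message)"
    }

    return $findings
}

$results = @(Test-BastionTrust -ManagedForest $ProdForest -BastionForest $AdminForest)
if ($results.Count -eq 0) {
    Write-Output "Trust $ProdForest -> $AdminForest matches the one-way, selective-authentication design."
} else {
    $results | ForEach-Object { Write-Warning $_ }
}
```

Test-BastionTrust returns an empty array when the trust matches the design and one string per deviation otherwise, so it can be dropped into a scheduled task or a configuration-drift check and alert on a non-empty result. Flipping selective authentication back on, or removing a trust that appeared on the PRIV side, remains a deliberate administrative change; the script only reports.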