Lead Image © Milos Kojadinovic, 123RF.com

Secure Active Directory with the rapid modernization plan

Shields Up!

Article from ADMIN 82/2024
The rapid modernization plan by Microsoft is a practical guide to securing Active Directory, so criminals cannot gain access to privileged user accounts.

Microsoft defined the logical separation of user accounts with different authorizations at different levels in the Enhanced Security Admin Environment (ESAE) recommendation. Often referred to as "Red Forest," it is still used in many companies today. Privileged company-wide administrator accounts are managed in their own forest and are therefore isolated from the local administrator accounts on servers, workstations, and other devices. If an attacker gains access to a local administrator account, their scope of action is limited to the validity of that one account; above all, they cannot get up to any mischief across the entire Active Directory (AD) enterprise.

The continuation of this policy in the rapid modernization plan (RaMP) [1] supports admins in implementing the most important steps of Microsoft's privileged access strategy as a replacement for ESAE. This plan and the associated documents offer admins a step-by-step guide for securing access to enterprise resources. Of course, the most important prerequisite is that you are using Microsoft's Entra ID, formerly known as Azure Active Directory.

Separate Admin Accounts

As in ESAE, the various accounts used for administrative functions are strictly segregated. Figure 1 shows the strategy for separating accounts into privileged and non-privileged ones, along with reducing the attack surface.
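One practical check that follows from this separation is to audit whether the members of the highest-privilege AD groups really are dedicated admin accounts rather than everyday user accounts. The following PowerShell script is an added example written for this article's topic; it is not code from the article or from Microsoft's RaMP documents. It assumes the RSAT ActiveDirectory module is installed and that the site uses a naming convention in which separate admin accounts end in "-adm" (the suffix is an assumption you would replace with your own convention).

```powershell
# Added example (not from the article): report tier-0 group members that do not
# look like dedicated administrator accounts.
# Assumptions: RSAT ActiveDirectory module available; admin accounts end in "-adm".
Import-Module ActiveDirectory

$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$AdminSuffix = '-adm'   # assumption: the site's naming convention for separate admin accounts

$Findings = foreach ($Group in $Tier0Groups) {
    # -Recursive expands nested groups so that indirectly privileged users are included
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties AccountNotDelegated, mail, LastLogonDate

        [PSCustomObject]@{
            Group          = $Group
            SamAccountName = $User.SamAccountName
            Enabled        = $User.Enabled
            # A dedicated admin account follows the convention and has no mailbox;
            # a mailbox is a strong hint that the account is also used for daily work.
            DedicatedAdmin = $User.SamAccountName.EndsWith($AdminSuffix) -and -not $User.mail
            # "Account is sensitive and cannot be delegated" stops services from
            # impersonating the privileged account via Kerberos delegation.
            NotDelegated   = [bool]$User.AccountNotDelegated
            LastLogonDate  = $User.LastLogonDate
        }
    }
}

# Show only enabled accounts that violate the separation model
$Findings |
    Where-Object { $_.Enabled -and (-not $_.DedicatedAdmin -or -not $_.NotDelegated) } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```

Run it from an account that can read group membership in the domain; an empty table means every enabled tier-0 member matches the convention and is flagged as non-delegatable. Any row that appears is an account to move into the privileged tier (or remove from the group) before continuing with the rest of the plan.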

...