The Microsoft Enhanced Security Administrative Environment (ESAE) is a secured, bastion forest reference architecture designed to manage the Active Directory (AD) infrastructure. This methodology focuses on “Tier 0” assets and identities, which have direct or indirect administrative control over a given AD forest and all of the assets within it, such as domain controllers, domain administrator accounts, critical servers and workstations.
One popular technique in advanced cyber attacks is the exploitation of privileged accounts and their associated credentials to reach a Tier 0 domain controller – the central authority of trust within the Windows environment. Once a domain controller is compromised, the attacker has unrestricted access to the entire domain-joined IT infrastructure – all while eluding visibility or awareness of the organization. Based on what CyberArk has seen in the field, it can take an attacker who has hijacked a privileged credential less than 12 minutes from initial infiltration to being able to take over a domain controller, which hosts the services that constitute AD.
Critical to the overall strength of an ESAE deployment is the hardening of the control relationships among these powerful credentials, assets and humans. But managing Tier 0 assets and protecting against credential theft is demanding and difficult, particularly because organizations often try to juggle multiple account management solutions from Microsoft, including Local Administrative Password Solution (LAPS) and Microsoft Identity Manager (MIM).
CyberArk has designed practical solutions for the administration of ESAE and has been deployed alongside the architecture to maximize security and eliminate pain points by reducing administrative overhead and decreasing total cost of ownership.
Learn how CyberArk can help secure privileged access, create credential boundaries and provide enhanced auditing and recording within the ESAE and production environments by downloading this solution brief.