Welcome, this is Quest Unscripted.
A vlog series on trending topics--
And quest solutions related to Active Directory--
Office 365--
--oh, and don't forget Azure AD.
You're here because you have questions.
We're here because we have answers--
--I think.
We will address questions we've received from customers--
Who experience the same challenges as you.
All with the goal of helping you confidently move--
Manage--
--And secure your Microsoft environment.
We call the show Quest Unscripted because--
Except for the central--
Nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hello, today I'm joined by Dan Conrad with One Identity, and we're going to talk about red forest, orange forest, green forest, blue. I did a blog on that via quest a few years ago. Dan, what do you know about red forest?
[LAUGHS] I was around during the creation and the invention, and I kind of saw the evolution of why it happened. And I think I understand the intentions of a lot of the red forest scenarios.
So why did it happen?
You know there were some very specific breaches in-- several years ago I guess now. Think time flies. But we started seeing customers ask us questions around, how can I-- do you have any solutions that would mitigate past the hash? And you're like well, wait a minute, why are you asking this? So at that time, that was something that flashed me back to the Windows NT days, and I had to go, honestly, relook that vulnerability and figure out what that was again. And then another customer ask me the same question.
And we started to see that there was this widespread breach, or a well-publicized under the covers breach, that we-- that they were prepping for. And the hashes that were actually living in active director of privileged accounts, the common perspective is as a domain admin, say for instance, as any account in Active Directory, when you log on interactively to a workstation, a server, what have you-- interactively being control-alt-delete, or through RDP-- that the hash is cached in memory to make your single sign on experience better. It's part of the operating system.
When you log off and leave, that hash is still in residual memory. There's specific tools and the hacker techniques of extracting that hash, so guessing passwords whether they're five characters or 500 characters doesn't really matter anymore when they just have the hash. So-- and that's what we started to see was a movement across those.
So Active Directory forest being a security boundary, of course you couldn't go beyond the forest, so that's when we started to see the separation of highly privileged accounts into red forests. And the red forest is just a term, it's because that top level forest in a Microsoft drawing was red, but it's called, what's the-- ESAE enhanced security--
Administrative environment.
--I was going to say agricultural, but that's not it.
And you got to PAWS projects workstation. The yeah--
Yeah.
--secure access workstation. Different people have different acronyms.
Right.
So with that said, I know a big term that's coming up a lot lately, just in time access.
Right.
So I know--
That was something Microsoft came out with, a what they called a PAM solution that was a-- that would actually through FIM workflows and things like that would create accounts on the fly as you need them. So they-- we'll would give them credit for coining the phrase just in time access because the accounts that they would use were created just in time for the use. That seemed a little bit extreme to us, so our version of just in time is disabling the accounts when not in use, and stripping the group memberships when they're not necessary.
Now, didn't One Identity recently add something with Active Roles really to do that just in time access?
Right, so it's with our Safeguard, which is our privileged access management solution so--
Now is that a separate buy, or what's going on there?
It's two separate products that work together, so two great taste that taste great together. So the way it would work is you would take Active Directory accounts, and you would enroll them in the PAM solution. Whether you want to check out passwords, or you simply want to check out sessions to say a domain controller to do a-- play a patch, or whatever it is you're going to do, so you would go to Safeguard and you would check that out. And if you're going to check out the password the account you're checking out has absolutely no group membership other than just the basic domain users group membership.
When I check it out, that account is designated to go into the domain admins group upon checkout, or whatever group you predetermined. So you can have things like workflow approvals and safeguards. So I check it out, maybe my manager, maybe the contract lead, whatever has to approve that. Once it's approved, it's available for me to use. Upon that approval, it'll populate the group membership and act-- using Active Roles to do that.
And then, I go, you know theoretically, go do what I needed to do and then I check it back in. And then when I check it back in, it strips the group membership, changes the password, and disables the account. So it should be utterly useless at that time. Even if I've left residual hashes, they should not be able to authenticate.
Great, we're going to talk about orange forest. I helped coin this concept probably what, 2016, 2017? Dan, I've talked to you about it. From your words, what is-- I want to see make sure I've communicated effectively, and that you can communicate what it is.
Well, when I first heard you say the word orange forest I thought, well, my hunting vest isn't going to be of