Welcome. This is Quest Unscripted.
A very long series on trending topics
and Quest solutions related to Active Directory,
Office 365,
oh, and don't forget Azure AD.
You're here because you have questions.
We're here because we have answers.
I think.
We will address questions we've received from customers
who experience the same challenges as you.
All with the goal of helping you confidently move,
manage
and secure
your Microsoft environment.
We call the show Quest Unscripted because,
except for this intro,
nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hello, today I'm joined by Dan Conrad with One Identity and we're going to talk about Red Forest, Orange Forest, Green Forest, Blue. I did a blog on that via Quest a few years ago. Dan, what do you know about Red Forest?
I was around during the creation and the invention, and I kind of saw the evolution of why it happened. And I think I understand the intentions of a lot of the Red Forest scenarios.
So why did it happen?
You know, there were some very specific breaches, you know, several years ago, I guess now. I think time flies, but, you know, we started seeing customers ask us questions around, how can I-- do you have any solutions that would mitigate pass-the-hash? And like, well, wait a minute. Why are you asking this?
So at that time that was something that flashed me back to the Windows NT days. And I had to go, honestly, relook that vulnerability, and figure out what that was again. And then another customer asked me the same question and we started to see that there was this widespread breach, or a well publicized under the covers breach, that they were prepping for.
And the hashes that were actually living in Active Directory for privileged accounts-- the common perspective is, as a domain admin, say, for instance, as any account in Active Directory, when you log on interactively to a workstation, a server, what have you, interactively, be it at the console or through RDP, the hash is cached in memory to make your single sign-on experience better. It's part of the operating system.
When you log off and leave, that hash is still in residual memory. There are specific tools and hacker techniques of extracting that hash, so guessing passwords, whether they're five characters or 500 characters doesn't really matter anymore when they just have the hash. And that's what we started to see, was a movement across those.
So Active Directory Forest being a security boundary, of course, you couldn't go beyond the Forest, so that's when we started to see the separation of highly privileged accounts into Red Forests. The Red Forest is just a term. It's because that top level Forest in a Microsoft drawing was red. But it's called the ESAE-- Enhanced Security--
Administrative Environment.
Yeah, I was going to say agricultural.
You've got PAWs, Privileged Access Workstation.
Yeah.
Secure Access Workstation. Different people have different acronyms.
Right.
So with that said, I know the term has come up a lot lately. Just-in-time access.
Right. Microsoft came out with what they called a PAM solution that would actually, through FIM workflows and things like that, create accounts on the fly as you need them. So they-- we'll give them credit for coining the phrase "just-in-time" access, because the accounts that they would use were created "just in time" for the user. That seemed a little bit extreme to us. So our version of just-in-time is disabling the accounts when not in use and stripping the group memberships when they're not necessary.
Now, didn't it-- [INAUDIBLE] recently add something with Active Roles really to do that just-in-time access?
Right. So it's with our Safeguard, which is our Privileged Access Management solution.
Now is that a separate buy or what's going on there?
It's two separate products that work together. So, two great tastes that taste great together. The way it would work is you would take Active Directory accounts and you would enroll them in the PAM solution, whether you want to check out passwords, or you simply want to check out sessions to, say, a domain controller to do a-- apply a patch, or whatever it is you're going to do.
So you would go to Safeguard and you would check that out. And if you're going to check out the password, the account you're checking out has absolutely no group membership other than just the basic Domain Users group membership. When I check it out, that account is designated to go into the Domain Admins group upon checkout, or whatever group you predetermined.
So you can have things like workflow approvals in Safeguard. I check it out, you know, maybe my manager, maybe the contract lead, whatever, has to approve that. Once it's approved, it's available for me to use. Upon that approval, it will populate the group membership, and act-- using Active Roles to do that.
And then I go, you know, theoretically go do what I needed to do, and then I check it back in. And when I check it back in, it strips the group membership, changes the password, and disables the account. So it should be utterly useless at that time. Even if I've left residual hashes, they should not be able to authenticate.
Great. We're going to talk about Orange Forest. I helped coin this concept, probably, what, 2016, 2017? Dan, I've talked to you about it. In your words, what is it? I want to make sure I've communicated effectively, and that you can communicate what it is.
Well, when I first heard you say the word Orange Forest I thought, well, my hunting vest isn't going to be of any value in this Orange Forest. But so it's kind of a hybrid environment where, you know, and