
The Microsoft Enhanced Security Administrative Environment (ESAE) architecture is an advanced methodology for protecting identity systems using a set of buffer zones between full control of the environment (Tier 0), enterprise servers and applications (Tier 1) and the high-risk workstation assets that attackers frequently compromise. The core of the ESAE approach is the deployment of a hardened administrative Active Directory forest (often referred to as a “Red Forest”) for the purpose of administering the production Active Directory, its domains, or its domain controllers.


Managing Credential Boundaries

Xton Technologies Access Manager (XTAM) facilitates seamless deployment of credential boundaries by simplifying privilege delegation and credential management. XTAM provides an easy-to-use mapping between administrators, credentials and computers in a hardened multi-forest environment. This, in turn, allows administrators to focus on network management instead of searching for the right account to log in with.

In addition to storing credentials in its secure vault, XTAM uses a multi-protocol network gateway to eliminate the exposure of privileged credentials to administrators' desktops. The solution provides indexed session recording with session events and an audit trail for analysis and forensic review. This option allows XTAM to reduce the number of dedicated Privileged Access Workstations (PAW) dictated by the ESAE model.

Mapping humans to credentials to assets

The diagram below demonstrates a typical XTAM deployment in a hardened multi-forest environment. Administrators log in to the XTAM server using their personal AD credentials from the Enterprise Forest, optionally protected with a multi-factor authentication (MFA) step.

Dynamic Credentials for Tier 0 Access

The Dynamic Credential feature allows XTAM to connect the administrator to a Tier 0 asset, such as a production Domain Controller, using credentials from the hardened Red Forest directory.

PAM for Shared Accounts Access

The Privileged Account Management (PAM) option allows XTAM to connect the administrator to critical network servers and network devices using shared privileged accounts. This technique minimizes the attack surface by reducing the number of administrative accounts while still tracking access back to individual users.

Pass-Through Credentials for Enterprise Servers Access

The Pass-Through Credential feature allows XTAM to connect the administrator to enterprise services using the same enterprise forest credentials used to log in to the XTAM server. This technique shields enterprise services from access originating from unapproved locations or at unapproved times. This option also enables an access approval workflow, session monitoring and recording, as well as advanced auditing.

The Benefits of Securing ESAE with XTAM

XTAM allows organizations to secure, protect and simplify the management of a complex multi-forest network architecture by

  • Reducing the exposure of privileged credentials to administrators
  • Providing a single interface for assets located in various security zones and tiers, using the appropriate credentials for each
  • Maintaining enhanced auditing and session recording
  • Reducing the cost of implementing the ESAE architecture by simplifying credential management and by reducing the number of Privileged Access Workstations (PAW)
  • Facilitating the application of the ESAE architecture to the entire enterprise network, including non-Windows assets.

Mark Klinchin

I am Co-Founder and CEO of Xton Technologies. I am interested in computers, software development, cyber security, content management, photography, image processing and mathematics.


Copyright © 2020 Xton Technologies, LLC. All rights reserved.