Microsoft Enhanced Security Administrative Environment (ESAE) architecture is an advanced methodology for protecting identity systems using a set of buffer zones between full control of the environment (Tier 0), enterprise servers and applications (Tier 1), and the high-risk workstation assets that attackers most frequently compromise (Tier 2). The core of the ESAE approach is the deployment of a hardened administrative Active Directory forest (often referred to as a “Red Forest”) for the sole purpose of administering the production Active Directory forests, domains, and domain controllers.
Managing Credential Boundaries
Xton Technologies Access Manager (XTAM) facilitates seamless deployment of credential boundaries by simplifying privilege delegation and credential management. XTAM provides an easy-to-use mapping between administrators, credentials and computers in a hardened multi-forest environment. This, in turn, allows administrators to focus on network management instead of looking for the right account to log in with.
In addition to storing credentials in its secure vault, XTAM uses a multi-protocol network gateway so that privileged credentials are never exposed to administrators' desktops: the gateway performs the logon, and the administrator only sees the session. The solution provides indexed session recording with session events and an audit trail for analysis and forensic review. This option allows XTAM to reduce the number of dedicated Privileged Access Workstations (PAWs) dictated by the ESAE model.
Mapping humans to credentials to assets
The diagram below demonstrates a typical XTAM deployment in a hardened multi-forest environment. Administrators log in to the XTAM server using their personal AD credentials from the Enterprise Forest, optionally protected by multi-factor authentication (MFA).
Dynamic Credentials for Tier 0 Access
The Dynamic Credential feature allows XTAM to connect the administrator to a Tier 0 asset, such as a production Domain Controller, using credentials from the hardened Red Forest directory.
PAM for Shared Accounts Access
The Privileged Account Management (PAM) option allows XTAM to connect the administrator to critical network servers and network devices using shared privileged accounts. This technique minimizes the attack surface by reducing the number of administrative accounts while still attributing every session to the individual user who requested it.
Pass-Through Credentials for Enterprise Servers Access
The Pass-Through Credential feature allows XTAM to connect the administrator to enterprise services using the same Enterprise Forest credentials the administrator used to log in to the XTAM server. This technique blocks access to enterprise services from unapproved locations or at unapproved times. This option also enables an access approval workflow, session monitoring and recording, and advanced auditing.
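The three modes above share one rule: the gateway, not the administrator, picks the credential, and the choice is driven by the target asset's tier. The following is an added example written for this page, not XTAM code and not any XTAM API; it models that selection logic and the ESAE boundary check that a credential may only log on to assets of its own tier, so Red Forest secrets never land on a Tier 1 or Tier 2 host. All account names, host names and the broker's structure are constructed assumptions.

```python
"""Tier-aware credential brokering modelled on the ESAE tier rule.

Hypothetical model written for this page as an illustration; it is not
XTAM's implementation and uses no XTAM API.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """ESAE tiers: a lower number means higher trust."""
    TIER0 = 0  # identity systems: domain controllers and the Red Forest itself
    TIER1 = 1  # enterprise servers and applications
    TIER2 = 2  # user workstations (not brokered in this example)


@dataclass(frozen=True)
class Credential:
    name: str
    forest: str  # "red" for the hardened admin forest, "enterprise" otherwise
    tier: Tier   # the only tier this credential is permitted to log on to


@dataclass(frozen=True)
class Asset:
    name: str
    tier: Tier


class BoundaryViolation(Exception):
    """Raised when a session would move a credential across a tier boundary."""


@dataclass
class CredentialBroker:
    """Chooses the credential the gateway logs on with; the admin never sees it."""
    red_forest: dict       # asset name -> Tier 0 credential held in the Red Forest
    shared_accounts: dict  # asset name -> shared privileged account from the vault
    audit: list = field(default_factory=list)

    def _record(self, user, asset, cred, mode, outcome):
        # Every decision, allowed or denied, lands in the audit trail.
        self.audit.append({"user": user, "asset": asset.name,
                           "credential": cred.name if cred else None,
                           "mode": mode, "outcome": outcome})

    def choose(self, user, enterprise_cred, asset):
        """Return (mode, credential) for a session from `user` to `asset`."""
        if asset.tier == Tier.TIER0:
            # Dynamic credential: a Red Forest account dedicated to this DC.
            cred, mode = self.red_forest.get(asset.name), "dynamic"
        elif asset.name in self.shared_accounts:
            # PAM: one shared account, but the session is tied to `user`.
            cred, mode = self.shared_accounts[asset.name], "shared"
        else:
            # Pass-through: the admin's own Enterprise Forest account.
            cred, mode = enterprise_cred, "pass-through"

        if cred is None:
            self._record(user, asset, None, mode, "denied: no credential mapped")
            raise BoundaryViolation(f"no {mode} credential mapped for {asset.name}")

        # ESAE boundary: a credential logs on only to assets of its own tier.
        # This keeps Tier 0 secrets off hosts where they could be harvested and
        # keeps lower-tier accounts from ever controlling Tier 0.
        if cred.tier != asset.tier:
            self._record(user, asset, cred, mode, "denied: tier boundary")
            raise BoundaryViolation(
                f"{cred.name} ({cred.tier.name}) may not be used on "
                f"{asset.name} ({asset.tier.name})")

        self._record(user, asset, cred, mode, "allowed")
        return mode, cred


# Constructed sample data (hypothetical names, not from any real deployment).
RED_DC_ADMIN = Credential("redforest\\dc-admin-01", "red", Tier.TIER0)
SHARED_SQL = Credential("corp\\svc-sql-admin", "enterprise", Tier.TIER1)
ALICE = Credential("corp\\alice", "enterprise", Tier.TIER1)
MISMAPPED = Credential("redforest\\ea-break-glass", "red", Tier.TIER0)

DC01 = Asset("dc01.corp.example", Tier.TIER0)
SQL01 = Asset("sql01.corp.example", Tier.TIER1)
WEB01 = Asset("web01.corp.example", Tier.TIER1)
FILE01 = Asset("file01.corp.example", Tier.TIER1)


def demo_broker():
    """A broker with one deliberate misconfiguration: a Tier 0 account
    mapped as the shared account for a Tier 1 file server."""
    return CredentialBroker(
        red_forest={DC01.name: RED_DC_ADMIN},
        shared_accounts={SQL01.name: SHARED_SQL, FILE01.name: MISMAPPED},
    )


if __name__ == "__main__":
    broker = demo_broker()
    for asset in (DC01, SQL01, WEB01, FILE01):
        try:
            mode, cred = broker.choose("alice", ALICE, asset)
            print(f"{asset.name}: {mode} as {cred.name}")
        except BoundaryViolation as exc:
            print(f"{asset.name}: DENIED ({exc})")
```

The mis-mapped file server shows why the tier check sits after credential selection rather than in the mapping: a vault entry can be wrong, and the boundary rule is what stops a Red Forest account from being sprayed onto a Tier 1 host. The denial is written to the same audit trail as successful sessions, which is the record a reviewer would want when reconciling who reached which tier.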
The Benefits of Securing ESAE with XTAM
XTAM allows organizations to secure, protect and simplify the management of a complex multi-forest network architecture by:
- Reducing the exposure of privileged credentials to administrators
- Providing a single interface for assets located in different security zones and tiers, each reached with the appropriate credentials
- Maintaining enhanced auditing and session recording
- Reducing the cost of implementing the ESAE architecture by simplifying credential management and by reducing the number of Privileged Access Workstations (PAWs)
- Facilitating the application of the ESAE architecture to the entire enterprise network, including non-Windows assets.