Red forest Design ESAE

ESAE/Red Forest
Based on the Active Directory administrative tier model design.
- The purpose of this tiered model is to protect identity systems (AD, Azure AD) by using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise (Tier 1, Tier 2).
- Access usually cannot and should not extend across tiers. This improves security posture and reduces attack surface.

Tier 0: Domain, Global, and Privileged Admins
Tier 0 includes accounts, groups, services, and other assets that have direct or indirect administrative control of the Active Directory forest, domains, or domain controllers, and its assets. The security sensitivity of all Tier 0 assets is equivalent, as they are all effectively in control of each other.
These accounts should be accessible only when needed and require MFA for checkout.

Tier 1: Server/Resource Admins
Tier 1 assets include server operating systems, cloud services, and enterprise applications. Tier 1 administrator accounts have administrative control of a significant amount of business value that is hosted on these assets. A common example role is server administrators who maintain specific servers and resources.
These accounts provide admin access to specific servers and resources. An example would be someone who only has admin access to DevOps servers and resources.

Tier 2: Helpdesk/Desktop Support
Tier 2 is control of user workstations and devices. Tier 2 administrator accounts have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators, because they can impact the integrity of almost any user data.
These accounts are used for small administrative tasks like password resets, group creation, user accounts, and group membership.

Example assets on the diagram:
- Tier 0: Domain controller, AD Connect server (the AD Connect server holds credentials able to read and write directory data, so it is as sensitive as a domain controller)
- Tier 1: Web server, File server
- Tier 2: Workstation clients
- Key Vault (also shown on the diagram)
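The two rules on the slide, that access must not extend across tiers and that anything with direct or indirect control of AD is itself Tier 0, can be checked mechanically over an inventory of admin rights and interactive logons. The Python below is an added example, not part of the original slide or of any Microsoft tooling. The host names, account names and control edges are constructed sample data, and the two edge kinds ("admin" and "logon") are a simplification chosen for the example; a real inventory would come from group membership, local administrator enumeration and logon event data.

```python
from collections import defaultdict, deque

# Declared tier for each asset and account, following the slide's examples:
# identity control plane is Tier 0, servers Tier 1, workstations Tier 2.
# Constructed sample inventory for this example, not data from the slide.
TIER = {
    "DC01": 0, "ADCONNECT01": 0,          # Tier 0 assets
    "WEB01": 1, "FILE01": 1,              # Tier 1 assets
    "WKS-ALICE": 2, "WKS-BOB": 2,         # Tier 2 assets
    "da-alice": 0,                        # Domain Admin account
    "srv-bob": 1,                         # server/resource admin
    "hd-carol": 2,                        # helpdesk/desktop support
}

# Control relationships, constructed for the example. Two kinds:
#   ("admin", principal, asset): principal has admin rights on asset, so it
#       controls the asset.
#   ("logon", principal, asset): principal logs on interactively to asset, so
#       whoever administers the asset can harvest that credential and the asset
#       effectively controls the principal. This is why logon restrictions are
#       part of the tier model, not just group membership.
EDGES = [
    ("admin", "da-alice", "DC01"),
    ("admin", "srv-bob", "WEB01"),
    ("admin", "srv-bob", "FILE01"),
    ("admin", "srv-bob", "ADCONNECT01"),   # Tier 1 admin on a Tier 0 asset
    ("admin", "hd-carol", "WKS-ALICE"),
    ("admin", "hd-carol", "WKS-BOB"),
    ("logon", "da-alice", "WKS-ALICE"),    # Tier 0 credential used on a Tier 2 box
    ("logon", "srv-bob", "WKS-BOB"),       # Tier 1 credential used on a Tier 2 box
]


def build_control_graph(edges):
    """graph[x] is the set of nodes that x can take over directly."""
    graph = defaultdict(set)
    for kind, principal, asset in edges:
        if kind == "admin":
            graph[principal].add(asset)
        elif kind == "logon":
            graph[asset].add(principal)
        else:
            raise ValueError(f"unknown edge kind {kind!r}")
    return graph


def reachable(graph, start):
    """All nodes transitively controlled from start (start itself excluded)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def effective_tier(graph, tiers, node):
    """Lowest (most privileged) tier number reachable from node.

    A Tier 2 account that can reach a Tier 0 asset is, in effect, Tier 0:
    this is the slide's "direct or indirect administrative control".
    """
    return min([tiers[node]] + [tiers[n] for n in reachable(graph, node)])


def find_tier_violations(edges, tiers):
    """Map each node whose effective tier is more privileged than its declared
    tier to (declared, effective, sorted targets sitting in the effective tier)."""
    graph = build_control_graph(edges)
    findings = {}
    for node, declared in tiers.items():
        eff = effective_tier(graph, tiers, node)
        if eff < declared:
            targets = sorted(n for n in reachable(graph, node) if tiers[n] == eff)
            findings[node] = (declared, eff, targets)
    return findings


def control_path(graph, start, target):
    """Shortest control chain from start to target, or None if none exists."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    graph = build_control_graph(EDGES)
    for node, (declared, eff, targets) in sorted(find_tier_violations(EDGES, TIER).items()):
        chain = " -> ".join(control_path(graph, node, targets[0]))
        print(f"{node}: declared Tier {declared}, effective Tier {eff} via {chain}")
```

On the sample data the check flags srv-bob (a Tier 1 admin who is local admin on the AD Connect server), and it also flags both workstations and the helpdesk account hd-carol: because da-alice logs on to WKS-ALICE and srv-bob logs on to WKS-BOB, whoever administers those Tier 2 workstations can harvest higher-tier credentials, which is exactly the buffer-zone failure the model is meant to prevent. Removing the three offending edges (the cross-tier admin right and the two cross-tier logons) yields no findings.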

Uploaded by Mario Worwell