Securing Privileged Access within Microsoft’s Enhanced Security Administrative Environments (ESAE)


July 3, 2018 | Events Security and Risk | Corey O'Connor

The Microsoft Enhanced Security Administrative Environment (ESAE) is a secured, bastion forest reference architecture designed to manage the Active Directory (AD) infrastructure. This methodology focuses on “Tier 0” assets and identities, which have direct or indirect administrative control over a given AD forest and all of the assets within it, such as domain controllers, domain administrator accounts, critical servers and workstations.

One popular technique in advanced cyber attacks is the exploitation of privileged accounts and their associated credentials to reach a Tier 0 domain controller – the central authority of trust within the Windows environment. Once a domain controller is compromised, the attacker has unrestricted access to the entire domain-joined IT infrastructure, all while evading the organization's visibility and awareness. Based on what CyberArk has seen in the field, an attacker who has hijacked a privileged credential can go from initial infiltration to being able to take over a domain controller, which hosts the services that constitute AD, in less than 12 minutes.

Critical to the overall strength of an ESAE deployment is the hardening of the control relationships among these powerful credentials, assets and humans. But managing Tier 0 assets and protecting against credential theft is demanding and difficult, particularly because organizations often try to juggle multiple account management solutions from Microsoft, including Local Administrator Password Solution (LAPS) and Microsoft Identity Manager (MIM).

CyberArk has designed practical solutions for the administration of ESAE, and they have been deployed alongside the architecture to maximize security and eliminate pain points by reducing administrative overhead and decreasing total cost of ownership.

Learn how CyberArk can help secure privileged access, create credential boundaries and provide enhanced auditing and recording within the ESAE and production environments by downloading this solution brief. For even more detail, check out our on-demand “On The Front Lines” webinar here for insights and best practices from our security consulting team.

Based upon customer feedback, we will address this topic in technical breakout sessions at our 12th annual conference, CyberArk Impact 2018:

  • CyberArk Impact EMEA: Wednesday, July 4th from 10:30am to 11:15am
  • CyberArk Impact Americas: Tuesday, July 17th from 2:30pm to 3:15pm

Customers and partners planning to attend can view the details about Impact here.


