Securing Privileged Access within Microsoft’s Enhanced Security Administrative Environments (ESAE)

July 3, 2018 Corey O'Connor


The Microsoft Enhanced Security Administrative Environment (ESAE) is a secured, bastion forest reference architecture designed to manage the Active Directory (AD) infrastructure. This methodology focuses on “Tier 0” assets and identities, which have direct or indirect administrative control over a given AD forest and all of the assets within it, such as domain controllers, domain administrator accounts, critical servers and workstations.

 One popular technique in advanced cyber attacks is the exploitation of privileged accounts and their associated credentials to reach a Tier 0 domain controller – the central authority of trust within the Windows environment. Once a domain controller is compromised, the attacker has unrestricted access to the entire domain-joined IT infrastructure – all while eluding visibility or awareness of the organization. Based on what CyberArk has seen in the field, it can take an attacker who has hijacked a privileged credential less than 12 minutes from initial infiltration to being able to take over a domain controller, which hosts the services that constitute AD.

Critical to the overall strength of an ESAE deployment is the hardening of the control relationships among these powerful credentials, assets and humans. But managing Tier 0 assets and protecting against credential theft is demanding and difficult, particularly because organizations often try to juggle multiple account management solutions from Microsoft, including Local Administrative Password Solution (LAPS) and Microsoft Identity Manager (MIM).

CyberArk has designed practical solutions for the administration of ESAE and has been deployed alongside the architecture to maximize security and eliminate pain points by reducing administrative overhead and decreasing total cost of ownership.

Learn how CyberArk can help secure privileged access, create credential boundaries and provide enhanced auditing and recording within the ESAE and production environments by downloading this solution brief



Previous Article
Cracking Service Account Passwords with Kerberoasting
Cracking Service Account Passwords with Kerberoasting

Threat detection is a hot topic in security today. By now, most recognize it’s important to manage administ...

Next Article
Protecting Critical Business Systems: Five SAP Use Cases Protected by CyberArk
Protecting Critical Business Systems: Five SAP Use Cases Protected by CyberArk

In November, we wrote a blog about the “7 types of privileged accounts you should know” to highlight potent...