Secure Active Directory Design

Secure Active Directory Design

Microsoft has reported that, every day, 95 million Active Directory accounts and 10 million Azure AD accounts are the target of cyberattacks.

The primary vector has now shifted from direct attack on a compute resource to theft of user credentials, often by means of a phishing attack. Once a user’s credentials are obtained, the attacker has access to a workstation on which to run software that captures the credentials of other accounts. Preferred targets are service accounts and Domain Administrator accounts, allowing the attacker to traverse the infrastructure horizontally and vertically.

An employee stealing intellectual property to take to a new job or a fat-fingered administrator making a critical configuration error are examples of breaches caused by someone inside the network. Often, an outside attacker takes over a legitimate account:

Data breaches and other security incidents over the last few years have caused vulnerabilities such as “Pass the Hash” to resurface. It has been said before but bears repeating that perimeter security alone is no longer sufficient to secure our highly dynamic, connected and mobile enterprises. Instead, organizations must focus on protecting the enterprise at the identity—or the user level. With insider threats on the rise, it’s important that any organization maintain an active insider threat program to protect these identities—most critically, privileged or administrative identities. Because 99% of enterprises rely heavily on Active Directory (AD) as their primary user authentication mechanism, AD has remained the most popular target among bad actors and is a critical component to any insider threat program

NTLM hashes Privileged Account Abuse and escalation

The legacy NTLM hashes generated by AD are specifically a primary focus of nefarious actors. If you’re not familiar with the common “Pass the Hash” attack, here’s a brief synopsis of how it often works:

  • A user’s workstation is compromised, for example, by a phishing attack.
  • The bad actor gains administrative permissions to the user’s workstation and may create a problem with the workstation that will require someone with elevated permissions to fix it.
  • An administrator logs onto the workstation to remedy the issue, leaving the administrator’s hash stored in memory.
  • The bad actor executes software to extract the hash and makes network connections from the workstation to resources, data stores, databases and more sensitive systems and data as the perceived privileged user.

To thwart attackers pursuing horizontal kill chains with pass-the-hash and related methods, Microsoft has delivered a reference architecture and other best practices that seek to isolate privileged credentials. Microsoft recommends a new security model, the Enhanced Security Admin Environment (ESAE), for holding the accounts that require additional security due to their privileged access to the production forest. ESAE is a special administrative forest, also known as a Red Forest, used to manage all privileged identities in AD, making it more secure.

A key principle of the Active Directory Red Forest model is that admin accounts are divided into three levels of security:

  • Tier 0 — Domain Controllers (DCs), identity management resources, administrator user accounts and service accounts
  • Tier 1 — Server, application and cloud admin authority
  • Tier 2 — Standard user accounts, workstations, printers and devices

The basic forest design of the ESAE environment looks something like this:

The recommendations only include Microsoft products (this makes sense as it would be hard to recommend other products that they have no control over). When using this architecture, one component that may not work for most organizations is disabling NTLM authentication. With that said, this may not be practical for all organizations (although I’d highly recommend this model if possible, but you many need to re-architect legacy applications).

Does Multifactor Authentication Help?

Multi-factor authentication (MFA) can add some value for administrators, particularly when it comes to phishing attacks, like the Pass The Hash example.  But the reality is that the vulnerability the ESAE is designed to prevent do not involve passwords.  While a user or administrator authenticates interactively using a password and in some cases MFA, the generated hash—not the credentials themselves—are a target of the bad actor.


Microsoft Security Technologies

Microsoft Security Technologies


Microsoft Cloud Solutions Provider

Microsoft Cloud Solutions Provider


The 1-Tier partner is approved by Microsoft and orders seats on behalf of customers directly from Microsoft, rather than through another partner type. To get that relationship, a partner must have a series of capabilities. To qualify for 1-Tier, a partner must be able to bill, provide 24×7 support, do technical integration and handle customer lifecycle management. Microsoft is also looking for partners with a business model around managed services IP and with broad market reach.

There’s also what Microsoft calls a 2-Tier model. In that one, the distributor or companies that were formerly part of the Microsoft Syndication Partner program handle the capabilities with Microsoft. Those partners are called 2-Tier distributors or cloud distributors. They in turn work with the bulk of Microsoft partners, who are the 2-Tier resellers. Depending on a given cloud distributor’s offering, those resellers may still have control over customer billing and may also be able to outsource white-labeled support services to the distributor. For much more detail on the emerging 2-Tier ecosystem, see the related feature in this section.

New investments will vary based on your current practice. Areas to consider:

  • Local tax implications of selling a subscription product versus a service
  • Adjustments to your sales incentive programs to reflect monthly revenue recognition
  • Management of credit risk and collections
  • Ability to transact billing on a monthly and/or annual basis
  • 24/7 end Customer Billing and Technical Support in local language
  • Pass through Microsoft service credits to customer service.  Approved service credits are provided to Partners, and it’s the Partners’ responsibility to pass through these service credits to their affected Customers since they own the Customer billing relationship.

A critical component of the CSP program is that the partner is the first point of contact for a customer support incident. Some types of support that partners are responsible for providing include:

  • Frontline billing and subscription
  • Provisioning
  • Answers to questions
  • Service and software updates
  • Software configuration
  • Performance issues within a partner’s span of control
  • Client connectivity and client desktop
  • Service availability issues within a partner’s span of control

Some types of incidents can be escalated to Microsoft, such as:

  • Supported tasks that are outside the functionality provided with available tools
  • Break/fix — undocumented problems with the service
  • Availability — service not accessible
  • Not operating according to service descriptions
  • Bugs and other irregularities that affect service appearance or operation
  • Large-scale network disruptions
  • Regional, multi-tenant impact



SPLA for On-Premises Servers – Microsoft’s best kept secret?

SPLA for On-Premises Servers – Microsoft’s best kept secret?

There is much talk about moving your IT into the cloud so you can enjoy the benefits of OPEX.  But what if keeping your servers on-premises still makes sense.  For example:

  • The server has not yet been financially written off
  • The server is still in great shape, but you need updated software
  • Your network bandwidth is not enough for the services you require access to
  • You have contractual or legislative agreements that dictate deployment options
  • You need for quick physical access to the server
  • Etc etc

In these circumstances the most likely response from a software distributor/reseller will be that you need to purchase software through a traditional volume license agreement.  This may be the right answer, however it does lock you into an upfront software purchase cycle.

But what happens if you need the flexibility to adapt to changing circumstances and enjoy a monthly subscription model that allows you to pay-as-you-go and pay-as-you-grow?

Cloud service providers have, for many years, been able to deliver this within their cloud infrastructure, using the Service Provider License Agreement (SPLA). However it was not possible with customer owned hardware deployed in customer premises.

HOWEVER in October 2013 this changed when Microsoft updated the terms of the SPLA.  This now allows your service provider (System integrator, reseller, managed service partner etc) to offer you a Cloud-like consumption model on your existing hardware, deployed in your premises.  This allows you to maximize existing hardware and network investments, within an OPEX model and provides flexibility to adapt to your changing IT needs.  Also by not having to buy licenses upfront you can repurpose you budget into other high value business areas.

What benefits are there with Microsoft SPLA vs Microsoft Open/Select Licensing?

  • Access all the most recent versions of Microsoft software for a standard monthly price. All are available to download, so there is no need to wait to receive physical copies.
  • Pay at the end of the month only for what you have consumed. This allows for minimal startup costs and better cash-flow management.
  • Licensing kept simple: No need for Server and CAL licensing calculation.
    • The per processor and per core model provides an unlimited number of users, access to the server software.  No separate SAL is required.
    • The Subscriber Access License (SAL) model, allocates a license for each unique user or device that is authorised to access the software.  No separate server license is required

So the next time you want to buy any Microsoft license, ask about SPLA and how you can enjoy the benefits of the OPEX way of subscribing and deploying these licenses on your own hardware on your premises

System Center Config Manager 2012 R2 – Windows 2012 R2 OSD Task Sequence

System Center Config Manager 2012 R2 – Windows 2012 R2 OSD Task Sequence



  • Configure PXE boot
  • PXE Boot menu
    • Rescue Disk
    • Dart –
    • Clone
    • Password Crack
  • DHCP PXE Settings
  • DHCP IP Range
  • Import Images
  • Updates
  • Customisation
  • MDT
  • Install VMware Tools

Desktop Support Escalation Tests

Desktop Support Escalation Tests

Level 1 HelpDesk

  • Document the exact error message and process to replicate the issues with the end user or process

Level 2 Desktop Support

  • Can you replicate the problem
  • Can you replicate the problem with another User Account
  • Can you replicate the problem with another Computer
  • Can you replicate the problem with Elevated privileges
  • Can you reset the Profile
  • Is the problem affecting single user or multiply user

Level 3 Server Support

  • Check all existing Settings
  • Check Eventlogs
  • Google the User error message
  • What has changed