Hey all, I haven't posted for a while, so here goes.
A colleague of mine mentioned to me that the Microsoft Exam 70-744 "Securing Windows Server" (https://www.microsoft.com/en-us/learning/exam-70-744.aspx) has the following in the Manage Privilege Identities objectives:
- Implement an Enhanced Security Administrative Environment (ESAE) administrative forest design approach;
- Determine usage scenarios and requirements for implementing ESAE forest design architecture to create a dedicated administrative forest.
Since this is a Microsoft Services solution designed, built and delivered by Microsoft Architects and consultants, there's not a lot of public IP available for this.
Put simply - ESAE is a well protected bastion forest that is used to manage a production forest/domain domain administration functions. It uses publicly available resources as its design foundation (Pass The Hash whitepapers - see https://www.microsoft.com/pth) and of course - this: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM.
The solution we deliver to our customers is highly automated and scripted to try ensure that each delivery that we do is as consistent and repeatable as possible - there are design elements that can be changed, such as smartcards, virtualization platform, number of domains we protect, how we monitor, use of hardware security modules (HSMs) and a few other things.
All of the ESAE solution is based on Microsoft technologies - Windows Server 2016 and Windows 10 Enterprise Edition. We also use some of the following features/concepts: (I'm not listing everything here...) Hyper V, Credential Guard, Applocker, Bitlocker, Gym Locker, Hurtlocker - if we've got a locker in it, it's in the solution....I'm not sure how well humour comes across in black and white...so don't go hunting for the last two "lockers" on TechNet, ok?
And that's as much as I can really post about it for now.