Prevent the Ultimate Nightmare
PROTECT MICROSOFT ACTIVE DIRECTORY: PREVENT THE ULTIMATE NIGHTMARE
www.skyportsystems.com

OVERVIEW

Your organization probably uses Microsoft Active Directory; 90% of enterprises do so. Unfortunately, Active Directory has known issues related to credential hijacking. In 2015, over 75% of all records that were compromised were the result of data breaches involving the loss or theft of a privileged credential. Attackers use stolen administrative access for weeks without detection, resulting in breach costs in the millions.

Administrative credentials can be stolen by any compromised system accessed by an administrator. Administrative workstations cache credentials and are vulnerable to phishing and website malware. Services involved in domain controller management, patching and backup are themselves subject to vulnerabilities that can become attacks against domain controllers.

Who Has Access to Privileged Credentials?

• Assigned domain admins
• Anyone with access to the vCenter Server
• Anyone with access to the directory server hardware
• Anyone with access to the Active Directory management network
• Anyone with access to the hosts themselves
• Anyone with access to the backups of the DC
• Anyone who can send an email that is opened on the admin workstation

Microsoft has recently published detailed guidelines for securing privileged access and mitigating credential theft. SkySecure makes it feasible for enterprises of any size to implement Microsoft's advanced recommendations, such as building a dedicated management domain, enforcing separation between authoritative and untrusted systems, and ensuring the applications run on trustworthy infrastructure.

SKYSECURE SAFEGUARDS ACTIVE DIRECTORY

Organizations have expertise managing their user policies in Active Directory, but often encounter challenges securing Active Directory and have an even harder time verifying the job is done. SkySecure automates and verifies that appropriate microsegmentation rules are in place on an appliance to secure communications only between trusted hosts. The platform is secure by default; it is immune to malware and rootkits. In addition, SkySecure simplifies the adoption of advanced Microsoft security safeguards that have proven effective in the Fortune 500.

[Diagram: SkySecure layered safeguards, including "Secure the Platform".]

Skyport Systems is the first company founded to deliver purpose-built secure infrastructure for critical applications and computing environments. Skyport's award-winning SkySecure platform protects your Active Directory infrastructure with our unique rearchitecture of the x86 hardware and software stack into a turnkey, trusted system with embedded security.

TURNKEY SECURITY FOR ACTIVE DIRECTORY

Creating the secured buffer zones between authority systems and high-risk systems, such as workstations and servers that might be directly exposed to attackers, is challenging, and the resulting arrangement is nearly impossible to maintain as requirements and administrative staff change. SkySecure does this automatically, in a comprehensive-but-comprehensible way that cannot be bypassed and requires no software agents or redesign of the network.

• A pre-assembled system with always-on security that deploys in under an hour
• Predefined security templates for Active Directory components to speed deployment and reduce configuration errors
• Microsegmentation between participating servers in the same tier, such as only allowing web access to WindowsUpdate and Activation services
• Two-factor TLS-encrypted browser-based remote administrative console that does not expose domain administrative Kerberos tickets
• Hardware-based secure credential store based on TPM
• Kerberos ticket inspection to detect and deny fraudulent administrator logins, golden ticket attacks, and unacceptable use of older NTLM protocol versions
• Secure boot with persistent malware and rootkit prevention
• Management and maintenance of cryptographic libraries, reporting functions, BIOS and firmware updates, and all common low-level infrastructure attack vectors
• Golden master and booted image verification
• Audit trails for all provisioning and operational activity to provide ongoing validation of best practices and compliance requirements
• A forensic trail of all administrative and operational activity is stored for the lifetime of the system

REDUCE CREDENTIAL EXPOSURE

In many Active Directory deployments, privileged credentials are widely shared across trusted and untrusted systems alike, increasing opportunities for theft. SkySecure reduces credential sprawl and detects fraudulent logins.

CLEAN SOURCE INFRASTRUCTURE

It can be challenging to verify that malware and rootkits are not present on a system, especially when attacks target the operating system, BIOS, and the hardware. A verified clean source is necessary to assure the application environment is not compromised. The SkySecure management service continuously revalidates the integrity of the infrastructure's hardware and software. The SkySecure platform automatically performs many of the verification and audit functions that normally must be pulled together from several different systems.

WHERE TO START?

You can incrementally deploy Active Directory components, such as production domain controllers and certificate authorities, on SkySecure using predefined security templates. Alternatively, you can develop an approach to implement Microsoft's security guidelines, working with Skyport and our professional service partners. The first step is to contact us at www.skyportsystems.com and we will identify the best path forward to a secure Active Directory environment for your organization.

[Diagram. Limit credential exposure: do not store admin [credentials on] workstations; require 2-factor; isolate domain administrators ("Red Forest"). Reduce attack surface area: Secure Enclave with private DMZs; application-layer microsegmentation; automatically maintain Clean Source environment; secure boot & malware prevention. Labels: Administrators, Admin, Domain Controller.]

SPOTLIGHT: RED FOREST AND ASCENT SOLUTIONS

SECURE ACTIVE DIRECTORY ADMINISTRATIVE SYSTEMS WITH A RED FOREST

The cornerstone of a secure Active Directory environment is a dedicated administrative management domain (also known as a Red Forest*). A Red Forest architecture provides the strongest protection by isolating the administrative systems and credentials from the production environment to prevent attacks from untrusted systems.

Until now, implementing a Red Forest was only feasible for large enterprises due to the complexity and expense of the process. Now Ascent Solutions and Skyport Systems have developed a solution that enables organizations of any size to adopt it and significantly reduce the risks to their Active Directory environment.

SECURE ACTIVE DIRECTORY

• Limit Active Directory administrative exposure
• Restrict logons and credential exposure
• Provide assurance of the production forest without the complexity and cost of a rebuild
• Allow only authorized people and workstations to conduct administrative activities

ASCENT SOLUTIONS: DEPLOY QUICKLY AND WITH CONFIDENCE

Skyport has partnered with Ascent Solutions, a professional services provider with extensive experience securing Microsoft Active Directory for customers big and small. Together we deliver solutions for Active Directory forests, cloud access authentication services in the DMZ, and a turnkey branch office solution. The packages are inclusive of the hardware, software, and services expertise needed to easily, effectively, and rapidly secure your Active Directory implementation in any environment.

To learn more about how Skyport can secure your Active Directory environment, visit us at www.skyportsystems.com.

[Diagram: Production Forest and Red Forest in a Physical Vault. Tier 0: Domain Controllers; Tier 1; Tier 2: Domain Users. Labels: Server, Red Forest SAW, Production Forest SAW, Domain Controller, RO DC, User.]

* Microsoft guidance on ESAE: https://technet.microsoft.com/en-US/library/mt631193.aspx#ESAE_BM

©2016 Skyport Systems, Inc.