https://docs.microsoft.com/en-us/security/compass/esae-retirement
“We have found that ESAE projects are often detrimental to overall security posture as they are high cost, difficult to use and support, and provide a limited set of security (only Active Directory administrators and only preventive controls).”
What took so long to figure that out? Oh, they knew, they just didn’t have something else to sell.
Some of the ideas make some sense, a lot of it doesn’t. I never thought the cost value equation made sense. It assumes you run your main forest for shit with idiots and that you somehow magically do it right with intelligent people for the Red Forest. This was all designed by consultants who don’t perform any long term support of AD anywhere and likely never have. Now don’t get me wrong, there are people who do understand AD Support and have set up some Red Forest Hybrids that are worth looking at. If you want something like that, talk to my friend and co-author Brian Desmond. Brian actually has a clue how AD Security works and he can set up something realistic for you that actually works and is manageable.
My all time favorite moment when there was a special Red Forest MCS team in a Fortune X company setting up Red Forest and I heard the MCS guy say to someone, “Just add the Gold card ID from the Red Forest to the destination forest Domain Admins group…”. I started laughing and walked away knowing I would never speak to that person as it wasn’t my job to teach MCS Consultants, again. The Red Forest implementations I saw showed that the MCS people positively don’t actually know how AD Security works.
I don’t even know why MSFT is talking about a Cloud model for this now. They don’t even give a shit about AD anymore, they think everyone is just going to go to Azure AD (bad assumption), so AD is currently dying on the vine. I have found multiple bugs in AD and ADLDS and those DCRs/Bug filings go no where. Hopefully they eventually realize not everyone is going full Cloud. Hopefully they will figure out that the real sweet spot where large companies will eventually land is a Cloud hybrid model. A model where they have the ability to transparently shift workloads between on-premises internal “Cloud” and the hyper-converged “Cloud” depending on what makes the most sense for the workload requirements and for cost effectiveness.
joe
How this post made me laugh! Having had a “healthy” debate with one of our CSOs in a multinational 35k seater org, this resonates so true…and thankfully seeing ESAE deprecated puts the story to bed once and for all. #stupididea
I disagree. I’ve been a directory services admin for many large (500,000+ object) organizations for the last 20 years and I push and use the tiered model everywhere I go. The idiots you speak of should never be admins at all. We use the tiered model along with jea/jit to control access to all tiered services, not just AD administrative functions. When used properly and understood, it works great. You left out the part where MS says “most organizations” and “we still use it internally” and cherry picked the parts that fit your dialog. Reading your comments makes me think YOU don’t understand security boundaries.
500k+ objects? All objects? Users? Users and Computers? 500K+ of all objects isn’t that large, 500k users+computers is decent.
What is funny about your MSFT using it internally is that not even the AD Product Group was behind the Red Forest model. I have had several discussions with several devs about it over the last few years and when asking for certain things to be fixed for the Red Forest model, none of which I can speak of because of NDA, the responses back from the PG were not complimentary of what MCS did with Red Forest.
I agree that thinking everyone will just go to Azure AD is a bad assumption, for several reasons:
1. Azure AD doesn’t seem to be, to my mind, a fully functional or 1:1 replacement of on-premise Active Directory.
2. Having domain controllers that you can’t manage which aren’t ultimately yours is too great of a risk for many organizations.
3. Going all in on a single public cloud provider is risky, but punching holes between Azure and AWS for Azure AD was cumbersome when I last did it.
4. Many of the organizations I’ve worked for were led by folks who were reluctant to expose too much to the cloud, or to utilize a single public cloud provider too heavily.
Anyway, long time fan with a question. What do you think the future holds for Active Directory or directories or IAM applications/systems on-premise in general over the next 10, 20 or 30 years?
Best Regards,
CHS
P.S. Thanks for putting in some work on AdFind. She’s still the fastest in the land so far as I know.
Sorry for slow response. 🙂
Your question is the same question I have been asking myself. I would love to say that AD has another 20 years in her but she doesn’t. When I think about even the next five years of AD I inevitably think back to the last five years of AD and that has been horrible. They are, IMO, letting it die on the vine. I have submitted several AD and LDS bugs, none of them have been looked at and the writing on the wall is basically, if it is a change to on-premises systems and it doesn’t help drive Azure subscriptions, we aren’t doing it.
Some of us have no choice but to have some sort of on-premises Identity system because we simply cannot rely 100% on Cloud systems running on someone else’s hardware. You have no control over what happens day to day. There could be system issues, there could be political issues, there could be hackers, there could be so many things that could put your business completely at risk and if you are a substantially large org and are normally assessing risk, I don’t know how you swallow that risk that Cloud only gives you even if you find some way to do Identity across multiple providers.
I keep visualizing some sort of on premises system that is the Domain Controller 2.0 of the future which is based entirely on open standards / open source software… Maybe OpenLDAP coupled with MIT Kerberos coupled with some sort of Cert Authority coupled with some sort of SAML/OAUTH provider coupled with some sort of SCIM provider. That way you can support the older protocols but have easy migration to newer Modern Auth and Directory mechanisms, etc.
Having read the new documentation and the justifications for retiring ESAE I have the following to say. For those that have seen the old docs, the justifications come across as a marketing pitch for MS cloud services, an abandonment of on-prem, and a failure to acknowledge that hybrid solutions will continue to be the norm for most corporations. I was especially frustrated at how they refer to the complexity and then expand on the ESAE concepts in their new docs while not providing any prescriptive implementation advice.
Ok, so now that I’ve had my little rant let’s talk about the elephant in the room that MS only hints at. The architectural foundation for securing AD is out of the box not compliant with current best practices. The foundation exists to correct issues like Builtin groups so that they adhere to the least privilege model, so why have those changes not been forced into new AD deployments? What about providing better tools to manage and govern DSACLS in bulk? What about providing a more compartmentalized OU structure by default.
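The comment above raises the point that the default AD groups do not follow least privilege out of the box. As an added example (not code from the thread or from any of its participants), here is a defender-side audit script that lists the recursive membership of the default privileged groups and flags the ones a least-privilege design expects to be empty. It assumes the ActiveDirectory RSAT module, read access to the domain, and the default English group names; the "should be empty" list reflects a common tiered/JEA design and is an assumption to adjust to your own model.

```powershell
# Added example: audit the default privileged groups against a least-privilege expectation.
# Assumptions: ActiveDirectory module available, default English group names,
# and that routine admin work has been delegated so the "operator" groups stay empty.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Groups a least-privilege model expects to be empty day to day (assumption).
$shouldBeEmpty = @('Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Schema Admins')
# Groups whose membership should be minimal and regularly reviewed.
$reviewOnly = @('Domain Admins', 'Enterprise Admins', 'Administrators')
# Threshold above which membership of a review-only group is flagged (assumption).
$maxExpectedMembers = 5

$report = foreach ($name in ($shouldBeEmpty + $reviewOnly)) {
    # Enterprise Admins / Schema Admins exist only in the forest root domain,
    # so the lookup can legitimately return nothing in a child domain.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # -Recursive expands nested groups so indirect members are counted too.
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)

    if ($shouldBeEmpty -contains $name -and $members.Count -gt 0) {
        $finding = 'should be empty'
    }
    elseif ($members.Count -gt $maxExpectedMembers) {
        $finding = 'review membership'
    }
    else {
        $finding = 'ok'
    }

    [pscustomobject]@{
        Domain      = $domain.DNSRoot
        Group       = $name
        MemberCount = $members.Count
        Members     = ($members | Sort-Object SamAccountName |
                       Select-Object -ExpandProperty SamAccountName) -join ';'
        Finding     = $finding
    }
}

$report | Format-Table -AutoSize

# Keep a dated CSV so membership drift can be diffed between runs.
$csvName = 'PrivGroupAudit-{0}-{1:yyyyMMdd}.csv' -f $domain.DNSRoot, (Get-Date)
$report | Export-Csv -Path $csvName -NoTypeInformation
```

Run it from a host and account appropriate to the tier that reads directory data; it only reads group membership and writes a local CSV. Diffing the CSV between scheduled runs is the cheap way to turn this into a detection for unexpected additions to the built-in groups.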
The answers, IMO, to your questions tie back to a complete lack of understanding of your earlier comment “failure to acknowledge that hybrid solutions will continue to be the norm for most corporations”.
For many companies, the answer may be full Cloud all the time but not for all and for some time, likely that isn’t the answer for even most, and also likely, for some companies, it never will be the answer.
What makes this cluelessness even worse, IMO, is the complete loss of most of the lessons of the prior 20 years with how they did and are doing many of the things in Azure in terms of Security and Scale.
One thing I like about Azure and Cloud in general is that it has shown people that the automation of everything that I have been pitching since the 90s is feasible. It could have been done on-premises in all companies decades ago. When I see someone open ADUC to perform a password change for someone, for example, I start itching and twitching and thinking no wonder the hackers are eating companies alive.