Active Directory Security
Active Directory (AD) is the identity management system used by most major enterprises around the globe. It controls every user on the network and manages access to restricted information. To initiate an attack on a given network, attackers need to steal credentials or compromise a high-privilege admin account with malware. If they succeed, they gain access to the company’s intellectual property, financial information and sensitive data, which makes AD a prime target for malicious attacks on the network. Without proper security controls around your company’s AD, attackers could hide inside it and steal any data they wanted without you even knowing.
Microsoft released the ambitious Red Forest system architecture (formally the Enhanced Security Admin Environment, ESAE) as a solution to the more complex AD attacks. Red Forest eliminates most AD attack strategies, and if there is a breach, the Red Forest architecture stops the attacker from moving laterally within the network and limits the spread of the attack. Implementing a Red Forest-style environment is a huge challenge, but done correctly it delivers major wins and a significant uplift in network security.
Tackle the Red Forest challenge on your own network with these five manageable steps:
- Keep passwords complex, unique and regularly refreshed.
- Separate administrative access to eliminate the risk of shared-use workstations.
- Isolate all administrative systems in a fully separated forest with one-way trust.
- Limit users’ ability to request permissions by account group, and only grant access for a limited time.
- Sort the rest of your systems and accounts into tiers based on risk levels and permissions.
Effective use of Group Policy can limit the chance of outsiders reaching confidential information if an account is compromised. Group Policy is a hierarchical infrastructure that lets the network administrator in charge of a company’s AD enforce specific configurations for users and computers. Monitoring AD activity is just as important: tracking this data daily will tell you when someone creates a new account incorrectly, when an attacker has changed an account’s encryption type, and about various other indicators of a cyberattack.
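As an added example (not code from the original article), the following script checks exported Windows Security-log events for two of the indicators named above: account creations (event 4720) performed by someone outside an approved admin set, and Kerberos TGT issuance (event 4768) where an account that normally receives AES tickets suddenly receives an RC4-HMAC ticket, which is what a weakened encryption type looks like on the wire. The event dictionaries, account names and the approved-creator set are constructed for the demonstration; the event IDs and Ticket Encryption Type values are the real Windows ones.

```python
"""Flag AD indicators in a chronological list of Security-log events.
Event IDs and encryption-type codes follow the Windows Security log;
the sample records below are constructed, not real telemetry."""

RC4_HMAC = 0x17            # Ticket Encryption Type: RC4-HMAC (legacy)
AES_TYPES = {0x11, 0x12}   # AES128-CTS / AES256-CTS (expected today)

# Constructed sample: one service account, two account creations.
SAMPLE_EVENTS = [
    {"id": 4768, "subject": "-",          "target": "svc-backup", "etype": 0x12},
    {"id": 4720, "subject": "helpdesk01", "target": "tmp-admin",  "etype": None},
    {"id": 4768, "subject": "-",          "target": "svc-backup", "etype": 0x17},
    {"id": 4720, "subject": "it-admin",   "target": "jsmith",     "etype": None},
    {"id": 4768, "subject": "-",          "target": "jsmith",     "etype": 0x17},
]

APPROVED_CREATORS = frozenset({"it-admin"})  # assumed tier-0 operator set


def find_new_accounts(events, approved_creators):
    """Event 4720 (account created): report creations by unapproved subjects."""
    return [e["target"] for e in events
            if e["id"] == 4720 and e["subject"] not in approved_creators]


def find_encryption_downgrades(events):
    """Event 4768 (TGT issued): report accounts seen with an AES ticket earlier
    in the window that later receive an RC4 ticket. An account that only ever
    used RC4 is a hygiene issue, not a change, so it is not reported here."""
    seen_aes, flagged = set(), []
    for e in events:
        if e["id"] != 4768:
            continue
        if e["etype"] in AES_TYPES:
            seen_aes.add(e["target"])
        elif e["etype"] == RC4_HMAC and e["target"] in seen_aes:
            if e["target"] not in flagged:
                flagged.append(e["target"])
    return flagged


def review(events, approved_creators=APPROVED_CREATORS):
    """Daily review: both indicator lists in one report."""
    return {"new_accounts": find_new_accounts(events, approved_creators),
            "downgrades": find_encryption_downgrades(events)}


if __name__ == "__main__":
    print(review(SAMPLE_EVENTS))
```

In practice the event list comes from the domain controllers' Security logs (for example via a SIEM export), and the approved-creator set is the tier-0 group that is allowed to provision accounts.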