Red Forest

What is Microsoft’s ESAE and Red Forest?

The Enhanced Security Administrative Environment

ESAE is Microsoft’s framework for protecting Active Directory (AD). AD, in short, is the identity and access management service in your business network: it holds your users, computers, groups and their credentials (password hashes and Kerberos keys), and it controls access to resources across the network. Those resources fall into three broad categories:

Information and Applications
Privileged Credentials
Resources and Servers

The one conference presentation I could find that covers ESAE is from the RSA Conference in February 2017: Critical Hygiene for Preventing Major Breaches (presentation PDF download).

Deploying ESAE is a foundation for a long term identity security solution. Below is the timeline Microsoft provides for deploying this security structure.


Information and Applications

We define information as anything that holds data: emails in your organization, research data, credit card numbers, trade secrets. Information is usually divided into classifications according to its importance, for example Unclassified, Secret and Top Secret. The Secret and Top Secret information is normally what attackers want, because that is the information they can monetize.

Privileged Credentials

The term ‘privileged credentials’ usually refers to the user accounts, service accounts and administrator accounts that hold elevated rights in your environment. These people and processes often have access to sensitive information, so attackers specifically target privileged administrative credentials as their route to the confidential data.

Resources and Servers

One of ESAE’s aims is to secure the data on your network. By securing the locations where information is stored (file shares, servers, workstations), a company makes it much harder for an attacker to succeed.

The ESAE framework outlines several quick wins, as well as a number of long term plans, to secure privileged credentials. With those credentials secured, attackers are far less able to move laterally and vertically through your network.
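Before the quick wins can be applied you need to know which accounts actually hold privileged credentials today. The script below is an added example written for this page; it is not code from the original post or from Microsoft’s ESAE documentation. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the list of Tier 0 groups, the password-age and stale-logon thresholds, the admin naming prefix and the output path are all assumptions to adjust for your forest.

```powershell
# Added example (not from the original page or the ESAE docs):
# inventory the accounts that currently hold Tier 0 (domain-controlling) credentials.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Built-in groups whose members can take over the domain. The list is an assumption;
# add any custom admin groups used in your forest.
$Tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

# Thresholds are assumptions; tune them to your password and account policy.
$MaxPasswordAgeDays = 90
$StaleLogonDays     = 60

$report = foreach ($group in $Tier0Groups) {
    # -Recursive resolves nested groups, which is where unexpected privileged accounts hide.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordLastSet, LastLogonDate,
                Enabled, ServicePrincipalName, AdminCount, PasswordNeverExpires

        $findings = @()
        if ($u.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $findings += "PasswordOlderThan${MaxPasswordAgeDays}d"
        }
        # A privileged account with an SPN can be Kerberoasted: any domain user can request a
        # service ticket encrypted with that account's password hash and crack it offline.
        if ($u.ServicePrincipalName.Count -gt 0) { $findings += 'HasSPN' }
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleLogonDays)) {
            $findings += 'StaleLogon'
        }
        # Names without an admin prefix suggest the same credential is used for everyday work
        # (mail, browsing) and for administration, which ESAE's separate admin accounts fix.
        # The prefix convention is an assumption.
        if ($u.SamAccountName -notmatch '^(adm|admin)[-_.]') { $findings += 'NoAdminNamingPrefix' }

        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Findings        = ($findings -join ';')
        }
    }
}

# Accounts still carrying adminCount=1 (SDProp has locked their ACL and disabled inheritance)
# but no longer in any Tier 0 group: review and clean them up rather than leave them stranded.
$orphaned = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties AdminCount |
            Where-Object { $report.SamAccountName -notcontains $_.SamAccountName }

$report | Sort-Object SamAccountName, Group | Format-Table -AutoSize
"Accounts with adminCount=1 but no current Tier 0 membership: $($orphaned.Count)"
$orphaned | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
$report | Export-Csv -Path .\tier0-inventory.csv -NoTypeInformation
```

Run it with an account that can read group membership and user attributes (no admin rights needed for the queries themselves). The CSV becomes the baseline for phase 1: every row with findings is either a candidate for a dedicated admin account, a password reset, or removal from the group.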

Microsoft open-sourced much of the documentation for deploying the architecture, but it is dispersed across TechNet, GitHub, YouTube videos and other media, and piecing it together can be a hassle. The goal of this page and its structure is to put the main building blocks of the framework into an easily deployable order.

The basic outline for starting the deployment buckets the security items by deployment time. The three buckets outlined are: the first 30 days, 90 days, and beyond 90 days.

ESAE Timeline

The First 30 Days

ESAE Phase 1: zero risk of operational downtime

90 Days

ESAE Phase 2: single investments lead to significant positive impact

Beyond 90 Days

ESAE Phase 3: build meaningful Active Directory security resilience against long term threats

Starting Microsoft’s Phased Approach

Where to begin?

I’d like to begin the journey. I want to understand the terms and prepare my domain. Let’s get started with phase 1.
Take me to phase 1
I’ve already done some admin work and want to know what to do next. Let’s get started with phase 2.
Take me to phase 2
Time for an investment! Let’s bring out the super secure stuff.
Take me to phase 3