This blog post was authored by Andrej Budja, Frank Brinkmann, Heath Aubin, Jon Sabberton and Jörg Finkeisen from the Cybersecurity Protection Team, part of the Enterprise Cybersecurity Group.

The security landscape has changed.

Attackers often know more about the target network and all the ways they can compromise an organization than the targeted organization itself. As John Lambert writes in his blog, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win”.

Attackers do think in graphs. Unfortunately, most organizations still think in lists and apply defenses based on asset value, rather than the security relationships between the assets.

So, what can you do to level the playing field? Use the attackers’ playbook against them!

Get ahead by creating your own graph

Start by reading John Lambert’s blog post, then do what attackers do – graph your network. At Microsoft, we are using graphs to identify potential attack paths on our assets by visualizing key assets and security relationships.

While we have not published our internal tools (you can find some similar open source tools on the Internet), we have created a special cybersecurity engagement delivered by our global Microsoft Services team, called Active Directory Hardening (ADH).

The ADH offer uses our tools to help discover and analyze privileged account exposure and provide transition assistance for deviations from the privileged administration recommendations used at Microsoft. The ADH provides assistance by reducing the number of highly privileged Active Directory (AD) administrative accounts and transitioning them into a recommended AD administration model.

Break connections in your graph

Once you have the graph for your AD accounts, you will notice clusters as well as the different paths attackers can use to move laterally on your network. You will want to implement security controls to close those paths. One of the most effective ways to reduce the number of paths is by reducing the number of administrators (this includes users that are local administrators on their workstations) and by using dedicated, hardened workstations for all privileged users – we call these Privileged Access Workstations (PAWs).

These PAWs are deployed from a clean source and make use of modern security controls available in Windows 10. Because PAWs are not used as general purpose workstations (no email and Internet browsing allowed), they provide high security assurances for sensitive accounts and block popular attack techniques. PAWs are recommended for administration of identity systems, cloud services, and private cloud fabric as well as sensitive business functions.

You can develop and deploy PAWs on your own by following our online guide, or you can engage Microsoft Services to help accelerate your adoption of PAWs using our standard PAW offering.

Bolster your defenses

PAWs provide excellent protection for your privileged users. However, they are less effective when your highest privileged accounts (Domain Administrators and Enterprise Administrators) have already been compromised. In this situation, you need to provide Domain Administrators a new, clean, and trusted environment from which they can regain control of the compromised network.

Enhanced Security Administrative Environment (ESAE) builds upon guidance and security controls from PAWs and adds additional controls by hosting highly-privileged accounts and workstations in a dedicated administrative forest. This new, minimal AD forest provides stronger security controls that are not possible in the production environment with PAWs. These controls are used to protect your most privileged production domain accounts. For more information about the ESAE administrative forest and security concepts, please read ESAE Administrative Forest Design Approach.


“If you know your enemy and know yourself you need not to fear the results of hundreds of battles”, Sun Tzu, Chinese general, military strategist, 6th Century BCE.

Protecting your valuable assets against sophisticated adversaries is challenging, but it can be made easier by learning from attackers and using their playbook. Our teams are working daily on the latest cybersecurity challenges and sharing our knowledge and experience. Discover more information in the following resources:

About the Cybersecurity Protection Team

Microsoft invests more than a billion dollars each year to build security into our products and services. One of the investments is the global Enterprise Cybersecurity Group (ECG) which consists of cybersecurity experts helping organizations to confidently move to the cloud and modernize their enterprises.

The Cybersecurity Protection Team (CPT) is part of ECG, and is a global team of Cybersecurity Architects that develops, pilots, and maintains cybersecurity offerings that protect your critical assets. The team works closely with other Microsoft teams, product groups, and customers to develop guidance and services that help protect your assets.