The cybersecurity landscape is complex and ever evolving. Organizations face difficult decisions around what to prioritize for protection and recovery in the face of advanced threats.
There are a few things that can be done to dramatically strengthen one’s security. That begins with prioritizing Tier 0 assets and deploying a tiered administration model. We will discuss both of these concepts in detail in this post.
What is Tier 0?
Tier 0 assets represent the most critical IT assets to an organization, like domain controllers in an on-premises Active Directory environment. Tier 0 assets are considered to be the most privileged assets and accounts in an IT environment, making them a primary target of threat actors and – thus – vulnerable to attacks. The compromise of a Tier 0 account can, and often will, result in the complete compromise of an organization’s IT infrastructure, causing significant damage to an organization’s operations, reputation and even financial stability.
To mitigate this risk, Tier 0 assets and accounts should be strictly managed, and access to them should be limited to a small group of authorized personnel, and management of Tier 0 systems should be segregated from other systems using dedicated accounts. In some very specific cases, organizations may choose to deploy a separate Active Directory forest to further isolate the management of accounts used to administer Tier 0 assets.
It goes without saying that strict access controls, monitoring and security controls should be in place. Amongst other things, this may also include the use of privileged access management (PAM) solutions.
How does a tiered administration work?
Tiered administration refers to the practice of organizing IT support personnel and the administration of servers and platforms into different levels or tiers, each with a specific set of responsibilities and skills. The most common model is a multi-tiered approach, whereby each level (tier) represents a specific set of systems, and the management thereof is (highly) segregated from one another. In terms of an on-premises Active Directory environment, this means that separate accounts are used to manage systems in each tier. To be effective, privileged accounts in one tier should not be able to administer systems in another tier.
- Tier 0 we covered this above, but it is the most important tier to nail down and includes the most mission-critical IT assets.
- Tier 1 assets are often systems critical to the functioning of an organization’s IT infrastructure, but less critical than Tier 0 assets. The breach of a Tier 1 assets also does not immediately constitute a breach of other systems, provided that they are sufficiently secured. Examples include e-mail servers, file servers, administration servers, and so on.
- Tier 2 systems are typically all other systems that are not included in the previous tiers. Often, Tier 2 systems are end user computing devices such as desktops, laptops, etc.
There is no rule that determines how many levels a tiered administration should contain. However, it is recommended to keep your administration model simple so that it does not become a management nightmare.
The biggest security threats today
When we look at the vast threat landscape, cyber threats and security standards come in all shapes and sizes, with varying degrees of impact. Some of the biggest threats today include:
- The number and sophistication of cyberattacks, including ransomware, phishing, pass the hash, etc.
- Supply chain attacks, whereby compromised vendors development assets lead to an increased security risk for them and their clients
- Cloud-based resources. The security complexity, diversity and proliferation of cloud solutions increases the risk of misconfiguration and the overall attack surface of an organization
- IoT and OT device security – as these become an increasingly common attack target
- The rise of AI, used both for offensive and defensive elements of cybersecurity
- The shortage of skills and training
- Increased regulations and demand for compliance
Benefits of a tiered administration model
Now that we’ve established the complex threat landscape, what tiered administration is, and what each tier constitutes, let’s explore the benefits of this model. While this approach adds some administrative overhead to create and manage separate accounts, the benefits outweigh the overhead. With it deployed, you can:
- Reduce the risk of lateral movement within the environment. Lateral movement in an on-premises Active Directory environment refers to the technique used by attackers to move laterally from one system to another within the network, often using privileged accounts that have access to multiple systems. To perform lateral movement, attackers use several techniques, including credential theft or pass-the-hash.
- Reduce the risk of unauthorized access. By implementing a tiered administration model, organizations can limit the access of lower-tiered staff to sensitive data and systems. This reduces the risk of unauthorized access and data breaches.
- Enhance control of system configurations. With tiered administration, each tier has specific responsibilities and access levels. This can help prevent unauthorized changes to system configurations and reduce the risk of system failures or data loss.
- Gain more effective management of privileged accounts. Tiered administration can help organizations manage privileged accounts more effectively. Higher-tiered staff can be given the responsibility of managing privileged accounts, ensuring that they are only used for authorized purposes and reducing the risk of misuse.
- Improve visibility into your systems with security monitoring. By assigning specific security monitoring responsibilities to higher-tiered admins, organizations can detect security threats and address them in a timely manner. This reduces the risk of identity security incidents going unnoticed and limiting potential damage to the organization.
Although the use of a tiered administration model does not guarantee any of the above techniques cannot be abused, it helps to greatly reduce the likelihood and the impact, should it occur. For example, without tiering, the breach of a single account could allow an attacker to easily move from one tier to another. This would be the case whereby a domain administrator account is used to perform administrative tasks on, for example, a desktop computer. A breach of the latter grants attackers access to, not only to the computer, but potentially also to the domain administrator account, which can then be re-used to move laterally to any other system in the domain. Considering that the likelihood of end-user devices being compromised is much higher than from a system that is not used to actively navigate the internet, it seems only sensible that privileged accounts are not used on these systems, right? After all, if you limit the administration of laptops and desktops to dedicated administrative accounts, that otherwise have no permissions elsewhere, you limit the risk of lateral movement to said devices. Even better, of course, would be if every device had its own, and different, administrative account. But that’s a story for another time.
What should the tier model in Active Directory look like?
Implementing a tiered administration model in Active Directory can be both straightforward and challenging at the same time. Technically, you only need a few Group Policy Objects to control which accounts are permitted to log in to specific systems. This allows you to restrict Tier 0 accounts to Tier 0 assets, Tier 1 accounts to Tier 1 assets, and so on.
In addition to implementing the various tiers, several other tasks must be performed, such as identifying which assets belong to which tier and creating, distributing, maintaining and monitoring the use of administrative accounts in each tier. It is not enough to just segregate the administration, you must also ensure that the systems in each tier are adequately protected.
To achieve this, you need to deploy security baselines for each type of application, implement the necessary security controls and solutions, such as anti-malware, firewall, and Endpoint Detection & Response (EDR). Additionally, you must monitor the use of the tiered model and be vigilant for any potential breaches of a tier or abnormal use of administrative accounts, detecting and alerting to any such events.
Identifying Tier 0 assets
As stated previously, Tier 0 assets represent systems that are the most critical to an organization’s environment, such as systems that are responsible for authentication, like Active Directory, Active Directory Federation Services and Active Directory Certificate Services.
However, that is not all. Other systems which, by virtue of the permissions they may hold within Active Directory, are considered highly-privileged should also be considered Tier 0 assets. Some examples include the following:
Reduce your AD attack surface.
- Microsoft Exchange Server, especially when no Active Directory split-permissions have been configured. In such case, the Exchange Trusted Subsystem has so many privileges in Active Directory that the compromise of an Exchange Server almost always leads to the compromise of the entire directory.
- Microsoft System Center Configuration Manager (SCCM) or equivalent. Any server that is used to manage other assets, especially Tier 0 assets, should automatically be considered a Tier 0 system, if they have the ability to modify the configuration of the managed Tier 0 asset, or if and when they hold local administrative privileges over such an asset.
- Microsoft Azure AD Connect (Sync). Depending on the configuration of Azure AD Connect, it may be directly involved in the authentication of – and to – cloud systems. Tampering with the configuration of Azure AD Connect might allow attackers to pivot to cloud systems or make those systems unavailable to users.
Note that the number and type of systems you include in your Tier 0 will vary on what systems you have deployed, what they are used for, which privileges they leverage, and so on.
A final word
Implementing a tiered administration model with multiple tiers can be a complex task, and it will take time to implement. Take it one step at a time and start with identifying Tier 0 resources. First, determine which systems belong to this tier, and then create new administrative accounts to ensure that the (new) Tier 0 accounts can no longer directly log in to or administer lower-level systems. Once you have completed this step, repeat the same process for Tier 1, Tier 2, and so on.
By dividing your systems into tiers, you make it more difficult for attackers to move through the environment, disrupting any potential attack paths they may have discovered. With tools such as BloodHound, you should see immediate benefits from implementing tiers in your on-premises Active Directory.
It’s important to remember that even with segregated management in tiers, it’s not possible to entirely stop attackers, but you will considerably slow them down. As such, consider tiered administration to be an important part of your security strategy. The benefits of improved security largely outweigh any downsides of additional administrative efforts for your IT department.