Tier Model Active Directory

RS · Apr 13, 2021

Hello everyone. This is my first blog post, and today I’ll share with you why the Active Directory tiered administrative model matters and how to implement it as part of security hardening for on-premises Windows Server Active Directory.

The tier model is a security model intended to protect against elevation of privilege by segregating high-privilege activities from high-risk zones. It provides a good user experience while still adhering to best practices and security principles.

Tier 0

Manage the identity store and a small number of systems that are in effective control of it, and:

1) Can manage and control assets at any level as required

2) Can only log on interactively or access assets trusted at the Tier 0 level

Tier 1

Manage enterprise servers, services, and applications, and:

1) Can only manage and control assets at Tier 1 or Tier 2 level

2) Can only access assets (via network logon type) that are trusted at Tier 1 or Tier 0 levels

3) Can only interactively log on to assets trusted at the Tier 1 level

Tier 2

Manage enterprise desktops, laptops, printers, and other user devices, and:

1) Can only manage and control assets at the Tier 2 level

2) Can access assets (via network logon type) at any level as required

3) Can only interactively log on to assets trusted at Tier 2 level

Goal: The tiered administrative model helps organizations to secure environments by protecting against the elevation of privilege. It segregates high-privilege activities from high-risk zones. This model provides a good user experience while still adhering to best practices and security principles.

• The model defines three tiers that create buffer zones to separate administration of high-risk PCs and valuable assets like domain controllers

• T0, T1 and T2 administrators:

1) Can manage and control assets at any level as required

2) Can only log on interactively to, or access, assets trusted at that tier’s level

The following flow chart describes how the tier approach works for each level of administrative group.

High-level plan

Tier 0 — T0

Key Activities

• Individual administrator accounts will be created (or existing administrator objects in AD reused) for all supporting teams, to log in to T0 assets as members of the built-in Administrators group

• T0 accounts will be granted access only to T0 assets. At the same time, deny rules will be applied so that support admins cannot reach T0 assets remotely with their T1 and T2 accounts

• Built-in delegation for DHCP, DNS and GPO administration will be granted to AD support administrators through the T0_BA groups

• The “Default Domain Controllers” GPO will be adjusted: certain settings will be revoked, Allow Logon and Deny Logon (RDP + locally) rights will be set appropriately, and default built-in groups such as Remote Desktop Users, Server Operators and Account Operators will be removed from the default GPO, since those administrators apparently do not need to log on to DCs for regular operations

• Domain Administrator privileges will be limited to certain administrators, depending on business needs, and those administrators will be added indirectly, through group membership, to the “Domain Admins” group
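To see whether the Tier 0 activities above are actually in effect, here is an added audit script (my own example, not part of the original post’s plan). It assumes a placeholder group name, T0-Admins, for the group through which Tier 0 administrators are nested into Domain Admins; adjust it to your own naming.

```powershell
# Added audit example (not from the original post). 'T0-Admins' is an assumed
# placeholder for the approved Tier 0 group nested into Domain Admins.
# Requires the ActiveDirectory module (RSAT) and read access to AD.
param([string]$ApprovedNestedGroup = 'T0-Admins')
Import-Module ActiveDirectory

function Test-Tier0Membership {
    param([string]$Group, [string]$ApprovedNestedGroup)
    # Direct members show *how* access is granted: the plan wants admins added
    # indirectly via a group, so any direct user object is a deviation.
    $direct      = @(Get-ADGroupMember -Identity $Group)
    $directUsers = @($direct | Where-Object objectClass -eq 'user')
    $otherGroups = @($direct | Where-Object {
        $_.objectClass -eq 'group' -and $_.SamAccountName -ne $ApprovedNestedGroup })
    # Recursive expansion shows the effective set of accounts holding the privilege.
    $effective = @(Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user')
    [pscustomobject]@{
        Group            = $Group
        EffectiveUsers   = $effective.SamAccountName
        DirectUsers      = $directUsers.SamAccountName     # should be empty
        UnexpectedGroups = $otherGroups.SamAccountName     # should be empty
    }
}

# Domain Admins: membership should flow only through the approved Tier 0 group.
Test-Tier0Membership -Group 'Domain Admins' -ApprovedNestedGroup $ApprovedNestedGroup |
    Format-List

# Built-in groups the plan removes from the Default Domain Controllers policy:
# report anyone still in them, since membership implies logon to DCs.
foreach ($g in 'Account Operators', 'Server Operators', 'Remote Desktop Users') {
    $m = @(Get-ADGroupMember -Identity $g -Recursive)
    [pscustomobject]@{ Group = $g; MemberCount = $m.Count; Members = ($m.SamAccountName -join ', ') }
}
```

Non-empty DirectUsers or UnexpectedGroups on Domain Admins, or any members in the operator groups, are the deviations to chase down.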

Tier 1 (T1)

Key Activities

• Individual administrator accounts will be created (or existing ones in AD reused) for all supporting teams, to log in to T1 assets as members of the built-in Administrators group on member servers in the domain

• T1 accounts will be granted access only to T1 assets. At the same time, deny rules will be applied so that support admins cannot reach T1 assets remotely with T0 and T2 administrator accounts

• A new GPO will be defined and linked at the domain level to configure Restricted Groups (Computer Configuration (Enabled)\Policies\Windows Settings\Security Settings\Restricted Groups), restricting the built-in Administrators group to the designated subgroups. It will be linked only to the Member Servers OU, or to the domain root with the WMI filter "select * from Win32_OperatingSystem where (ProductType = "3")"

• Restricted GPO settings will be configured to deny logon (RDP + locally) to T1 assets for T0, T2 and T0_BA administrators

Tier 2 (T2)

Key Activities

• Individual administrator accounts will be created (or existing ones in AD reused) for all supporting teams, to log in to T2 assets as members of the built-in Administrators group

• T2 accounts will be granted access only to T2 assets. At the same time, deny rules will be applied so that support admins cannot reach T2 assets remotely with T0, T0_BA and T1 administrator accounts

• Laptop/desktop users who are designated as local IT administrators, along with other supporting administrators, will remain local administrators, defined through a GPO linked to the workstation policy with Restricted Groups settings (Computer Configuration (Enabled)\Policies\Windows Settings\Security Settings\Restricted Groups) that restrict the built-in Administrators group to the designated subgroups

• Workstation GPOs will be adjusted to deny logon (RDP + locally) to T2 assets for T0, T1 and T0_BA administrators
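The T1 and T2 deny-logon rules above only help if the GPOs really land on the right hosts. Here is an added audit script (my own example, not from the original post) that runs on a member server or workstation, reads the host’s ProductType (the same property the WMI filter keys on), exports the effective user rights with secedit, and checks that the other tiers’ groups are in the deny lists. The group names T0-Admins, T1-Admins, T2-Admins and T0_BA are assumed placeholders.

```powershell
# Added audit example (not from the original post). The tier group names below are
# assumed placeholders for the T0/T1/T2 and T0_BA admin groups; rename to match yours.
# Run elevated on a member server or workstation; needs the ActiveDirectory module (RSAT).
param([string]$Domain = $env:USERDNSDOMAIN)
Import-Module ActiveDirectory

$tierGroups = @{ T0 = 'T0-Admins'; T1 = 'T1-Admins'; T2 = 'T2-Admins'; T0_BA = 'T0_BA' }

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
# 3 = member server. This is the property the post's WMI filter (ProductType = "3") keys on.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$expectedDenied = switch ($productType) {
    1 { 'T0', 'T1', 'T0_BA' }   # T2 asset: T0, T1 and T0_BA must be denied
    3 { 'T0', 'T2', 'T0_BA' }   # T1 asset: T0, T2 and T0_BA must be denied
    default { Write-Warning "ProductType $productType is a DC or unknown; not covered here"; return }
}

# Export the effective local security policy and parse the [Privilege Rights] section.
# secedit writes entries like: SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-...
$inf = Join-Path $env:TEMP 'tier-logon-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') {
        # Values are comma-separated; SIDs carry a leading '*', plain names do not.
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# Compare by SID so the check does not depend on how secedit rendered the name.
$report = foreach ($tier in $expectedDenied) {
    $sid = (Get-ADGroup -Identity $tierGroups[$tier] -Server $Domain).SID.Value
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        [pscustomobject]@{
            Tier   = $tier
            Group  = $tierGroups[$tier]
            Right  = $right                                  # local vs. RDP deny
            Denied = [bool]($rights[$right] -contains $sid)
        }
    }
}
$report | Format-Table -AutoSize
# Any row with Denied = False means that tier's deny-logon rule is not in effect on this host.
```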

The outcome of the legacy AD tier model for on-premises Windows Active Directory

• Domain Administrator privileges are limited to certain support and disaster-recovery administrators

• Unnecessary delegation in AD is revoked where administrators have not been using those rights to perform domain-level tasks

• System administrators are limited to accessing servers only, rather than having Domain Controller access

• Domain and Enterprise Admin passwords will never be compromised through a workstation administrator who also holds DA rights in AD for everyday tasks, because the model removes that overlap

Microsoft has since evolved this into the enterprise access model, which supersedes and replaces the legacy tier model that focused on containing unauthorized escalation of privilege in an on-premises Windows Server Active Directory environment.

Thanks for reading!

Ramesh Seshadri
