I’d like to learn more from SecFrame! Enter your email below

By David Rowe

What are tiers and who holds the keys to the kingdom?

In the post "4 Reasons She Needs an Admin Account" best practices for administrator accounts is  described in detail. After the "who" decision is complete, the question, "What resources do administrators have access to?" needs to be answered.

Male and Female Administrator (1)

 Microsoft has a methodology called Tiered administration. The tale of how Microsoft's tiers were created begins windowless conference room. Microsoft Services assists many companies across the globe. Inside this team is a security team that responds to breaches and incidents. The best and the brightest of the teams discussed how companies were being breached, and how Microsoft was designing solutions to secure post incident. In these discussions were security experts across various industries; financial, education, oil and gas, etc. The result of the discussions was the full ESAE framework (What is ESAE).

A major portion of how to start securing your organization starts by segmenting users from administrators. Next administrators are separated based on what they access.

The Tiers

Microsoft calls this administrative separation "Tiers." Full documentation on Microsoft tiers requires a bit of in depth reading


The numbers of the tiers are parallel to the Trusted Computing Base "Protected Ring" security model. (Wiki Link)


secframe.com TCB Diagram



There are three tiers; Tier 0, Tier 1, and Tier 2


Tiers Basic Layout


For a beginners definition of Microsoft tiers, see the image below:

Secframe.com Microsoft Tiered Model Guidelines


Trusted Sec Levels Mapped to Microsoft Tiers:


Ring # / Tier # Level of Trust Trusted Sec Definition Microsoft Quick and Dirty Definition


Most Trusted Kernel Domain Controllers


Contains Non Trusted Items System Services Servers


Contains more non trusted I/O Drivers & Operations - Utilities Workstations 


Least Trusted   N/A


 As the journey from the outside ring into the center, or from tier 2 down to tier 0, the security level increases.  With this increase of security, the number of people with access to each tier decreases. Tier 0, and the kernel ring, should have the least amount of administrators in the Active Directory environment.


Why does tier 0 have the least number of administrators?

Any part of the environment that has access to control the domain controllers is considered part of Tier 0. If someone or something can access to the ntds.dit file, (password hash database), that person or service is a Tier 0 administrator.

This ntds.dit file is so important because it holds all the users and all the passwords of an organization. Whoever controls this file, controls all the users, all the accounts, all the access to everything inside an organization. These people who can control this file can get to any type of data: Research data, PII, trade secrets. The people that can access this file can read every single email inside an organization.

 The number of people that can access this file needs to be as small as possible. This file needs to be secured.


How to start securing Tier 0:

Use the following picture to help start the identification process to identify all Tier 0 systems. Anyone with access to any portion of the ntds.dit file is considered a Tier 0 administrator.


Tier 0 Observed Systems

Access to the ntds file can come on many different manners: applications installed the servers, agents or services running on the servers, scheduled task or scheduled jobs, hard disk administrators, backup administrators. The list goes on.

This reference picture is a great place to start understanding how many full domain administrators an organization might have. By focusing on all the separate areas that control this precious file, an administrator can begin to identify areas he or she needs to protect.



To begin the identification of tier 0 assets, focus on these three subjects:

  1. Applications and services running on DCs
  2. Identity systems that can provision into the various domains
  3. Hardware the domain controllers run on

Once the list of assets is created, investigate each listed system. Make a list of administrators for each.

Examples to identify administrators:

  • VMware - export the administrator list. Which VMware administrator(s) have access to the domain controller vms.
  • Provisioning system: provisioning account name. Users with access to the provisioning account


I'll be going into more detail about unraveling Tier 0 administration by digging forget into the built in groups in active directory. Stay tuned


If you need more assistance with identifying access across your organization, please reach out.

Interested in Consultations?



For the full ESAE series, please begin with: What is Microsoft ESAE


For further reading on the admin account series, please visit the following links:

Who needs an admin account?

What is an admin account? (What are the tiers?) This post!

When do you use an admin account? Todo

Where do you put an admin account?

Why do you use an admin account? Todo

How do you use an admin account? Todo


Tags: ESAE, Microsoft, Framework, Red Forest

Interested in threat hunting?

BadBlood fills a domain with countless vulnerabilities. Every time it's run your domain is different! Download Badblood here.

Badblood download zip