In the post "4 Reasons She Needs an Admin Account", best practices for administrator accounts are described in detail. Once the "who" decision is complete, the next question to answer is, "What resources do administrators have access to?"
A major part of securing an organization starts with separating ordinary users from administrators. The next step is to separate the administrators themselves according to what they administer.
Microsoft calls this administrative separation "tiers." The full documentation on Microsoft's tier model requires a bit of in-depth reading.
There are three tiers: Tier 0, Tier 1, and Tier 2.
For a beginner's definition of the Microsoft tiers, see the table below:
Trusted Sec Levels Mapped to Microsoft Tiers:

| Ring # / Tier # | Level of Trust | Trusted Sec Definition | Microsoft Quick and Dirty Definition |
|---|---|---|---|
| Ring 0 / Tier 0 | Most trusted | Kernel | Domain controllers |
| Ring 1 / Tier 1 | Contains non-trusted items | System services | Servers |
| Ring 2 / Tier 2 | Contains more non-trusted items | I/O drivers & operations, utilities | Workstations |
Moving from the outer ring toward the center, or from Tier 2 down to Tier 0, the required level of security increases. As security increases, the number of people with access to each tier decreases. Tier 0, the kernel ring, should have the fewest administrators of any tier in the Active Directory environment.
Why does tier 0 have the least number of administrators?
Any part of the environment that can control the domain controllers is considered part of Tier 0. If a person or a service can read the ntds.dit file (the Active Directory database, which includes every account's password hashes), that person or service is effectively a Tier 0 administrator.
The ntds.dit file is so important because it holds every account in the organization together with its password hash, including the hash of the krbtgt account used to sign Kerberos tickets. Whoever controls this file can impersonate any account, and therefore controls all the users, all the accounts, and all access to everything inside the organization. Such a person can reach any kind of data: research data, PII, trade secrets. They can read every single email in the organization.
The number of people who can access this file needs to be as small as possible, and the file itself needs to be secured.
How to start securing Tier 0:
Use the following picture to help identify all Tier 0 systems. Anyone with access to any portion of the ntds.dit file is considered a Tier 0 administrator.
Access to the ntds.dit file can come in many different forms: applications installed on the domain controllers, agents or services running on them, scheduled tasks or jobs, storage administrators who control the disks (or virtual disks) the domain controllers use, backup administrators who can restore or read a copy of the file. The list goes on.
This reference picture is a great place to start understanding how many full domain administrators an organization might really have. By focusing on each separate area that controls this precious file, an administrator can begin to identify the areas he or she needs to protect.
To begin the identification of tier 0 assets, focus on these three subjects:
- Applications and services running on DCs
- Identity systems that can provision into the various domains
- Hardware the domain controllers run on
Once the list of assets is created, investigate each listed system and make a list of its administrators.
Examples of how to identify the administrators:
- VMware: export the vCenter/ESXi administrator list and note which administrators have permissions on the domain controller VMs or on the datastores that hold their disks.
- Provisioning system: record the account the system uses to provision into Active Directory, then list the users who can log in to or reconfigure that system, since each of them can act as that account.
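The following script is an added example, not code from the original post, showing how the inventory described above can be started for the first of the three subjects (applications and services running on DCs) together with the built-in Active Directory groups whose members control domain controllers. It assumes the RSAT ActiveDirectory module is installed, that it is run from a Tier 0 administrative workstation by a user who can query CIM and scheduled tasks on every domain controller, and that the output file names are placeholders. The group list holds only the built-in groups; delegated groups specific to your environment must be added.

```powershell
# Added example (not from the original post): first-pass inventory of Tier 0
# group members and of the services/scheduled tasks running on domain controllers.
# Assumptions: RSAT ActiveDirectory module, rights to query CIM on every DC,
# run from a Tier 0 admin workstation. Output file names are placeholders.

Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain

# Built-in groups whose members can control DCs or the directory database.
# Forest-wide groups live in the root domain, so they are queried there.
$tier0Groups = @(
    @{ Name = 'Enterprise Admins'; Server = $rootDomain }
    @{ Name = 'Schema Admins';     Server = $rootDomain }
    @{ Name = 'Domain Admins';     Server = $null }
    @{ Name = 'Administrators';    Server = $null }
    @{ Name = 'Backup Operators';  Server = $null }  # can back up (read) ntds.dit
    @{ Name = 'Server Operators';  Server = $null }  # can log on to and manage DCs
    @{ Name = 'Account Operators'; Server = $null }
    @{ Name = 'Print Operators';   Server = $null }  # can log on to DCs and load drivers
)

function Get-Tier0GroupMembers {
    foreach ($g in $tier0Groups) {
        $params = @{ Identity = $g.Name; Recursive = $true }   # expand nested groups
        if ($g.Server) { $params.Server = $g.Server }
        try {
            Get-ADGroupMember @params | ForEach-Object {
                [pscustomobject]@{
                    Group       = $g.Name
                    Member      = $_.SamAccountName
                    ObjectClass = $_.objectClass
                    DN          = $_.distinguishedName
                }
            }
        } catch {
            Write-Warning "Could not enumerate $($g.Name): $_"
        }
    }
}

# Identities that ship with Windows. Anything else running a service or task on a
# DC is either a third-party agent or a service account, and both are Tier 0.
$builtinServiceRunAs = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$builtinTaskRunAs    = '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|S-1-5-1[89]|S-1-5-20)$'

function Get-DomainControllerServicesAndTasks {
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $dcName = $dc.HostName
        try {
            $cim = New-CimSession -ComputerName $dcName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot reach ${dcName}: $_"
            continue
        }

        # Services that run as a named account or whose binary lives outside %SystemRoot%.
        # This is a first pass; review the list rather than trusting the filter blindly.
        Get-CimInstance -CimSession $cim -ClassName Win32_Service | Where-Object {
            ($_.StartName -notin $builtinServiceRunAs) -or
            ($_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\')
        } | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dcName
                Kind             = 'Service'
                Name             = $_.Name
                RunAs            = $_.StartName
                Path             = $_.PathName
            }
        }

        # Scheduled tasks that run under a named account rather than a built-in identity.
        Get-ScheduledTask -CimSession $cim | Where-Object {
            $_.Principal.UserId -and ($_.Principal.UserId -notmatch $builtinTaskRunAs)
        } | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dcName
                Kind             = 'ScheduledTask'
                Name             = $_.TaskPath + $_.TaskName
                RunAs            = $_.Principal.UserId
                Path             = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
            }
        }

        Remove-CimSession $cim
    }
}

$members    = @(Get-Tier0GroupMembers)
$dcWorkload = @(Get-DomainControllerServicesAndTasks)

$members    | Export-Csv -NoTypeInformation -Path .\tier0-group-members.csv
$dcWorkload | Export-Csv -NoTypeInformation -Path .\tier0-dc-services-tasks.csv

"Tier 0 group memberships to review: $($members.Count)"
"DC services/tasks with a non-built-in run-as account or third-party binary: $($dcWorkload.Count)"
```

Every row in the second CSV names an account or a vendor that can run code on a domain controller, so each one belongs on the Tier 0 administrator list alongside the group members in the first CSV. The VMware and provisioning-system checks still have to be done in those products' own consoles, since their administrators never appear in Active Directory group membership.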
I'll be going into more detail about unraveling Tier 0 administration by digging further into the built-in groups in Active Directory. Stay tuned.
If you need more assistance with identifying access across your organization, please reach out.
For the full ESAE series, please begin with: What is Microsoft ESAE
For further reading on the admin account series, please visit the following links:
- When do you use an admin account? Todo
- Why do you use an admin account? Todo
- How do you use an admin account? Todo