The Lateral Movement Highway

If you read one of Microsoft's latest State of Cybercrime reports, one finding stands out above the rest: the leading factor in ransomware incidents is “insufficient privilege access and lateral movement controls.”
Just so we are all on page 12 with each other, I am saying that Lateral Movement is the technique attackers use to move from a low-level compromise (like a phishing email on a sales, HR, or admin assistant’s laptop) to other computers on the network, hunting for higher-privileged credentials. For many organizations, if an attacker controls your Active Directory (AD), then they control your entire environment.
While we may not be able to stop attackers from getting in 100% of the time, we can lengthen the time it takes them to move laterally. By increasing the friction and the number of steps required to move, we force the adversary to make mistakes, creating “noise” that your monitoring teams can alert on and, if the attacker is noisy enough, detect.
The AD Administrative Tier Model
The most effective way to stop lateral movement is the Clean Source Principle, often implemented via the AD Tier Model. The logic is simple: Credentials from a high-security zone must never be exposed to a low-security zone. We divide the network into zones:
- Tier 0: The “Crown Jewels” (Domain Controllers, PKI, AD FS).
- Tier 1: Enterprise Servers (Applications, Databases).
- Tier 2: Workstations (User laptops, Desktops).
If a Domain Admin logs into a Tier 2 infected laptop to fix a printer, that laptop can “scrape” the Admin’s credentials from memory. The attacker now has the keys to the kingdom. The Tier Model is designed to prevent this activity.
Tier 0 Is Bigger Than You Think
Tier 0 isn’t just the “Domain Admins” group. You must identify Indirect Control:
- Virtualization Admins: If a Domain Controller is virtualized, the admin of the virtualization host can dump the memory of the DC and steal password hashes. Therefore, the Hyper-V/VMware admin is also Tier 0.
- Help Desk Delegates: If a support staffer has the right to reset any password (including Admins), they are effectively Tier 0.
- GPO Managers: If you can edit a Group Policy that controls Tier 0 assets, you are Tier 0.
The 3 Commandments of the Tier Model
- Rule #1: Credentials from a higher tier must not be exposed to lower-tier systems.
- Rule #2: Lower-tier credentials can access higher-tier services (e.g., a user accessing a file share), but higher-tier credentials cannot sit on lower-tier boxes.
- Rule #3: Any system or user that can manage a higher tier is automatically a member of that tier.
How to Implement: Beyond Group Policy

Historically, admins tried to enforce these tiers using complex Group Policies (GPOs) to restrict logons. This is often messy and prone to error. A more modern approach is to use Authentication Policies and Silos. Think of an Authentication Policy Silo as a VIP container. You place your critical users, computers, and services inside this Silo. You then apply a policy that dictates exactly where and how these accounts can be used. With these policies, you can enforce that a Tier 0 account can only log on to a Tier 0 host. If an attacker tries to use that account from a stolen laptop, the authentication fails at the protocol level.
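As an added example (not code from the original article), the following PowerShell builds the Tier 0 policy and silo described above with the ActiveDirectory module. The names Tier0_Policy, Tier0_Silo, T0-Admin, T0-PAW01 and DC01 are assumptions for illustration; the claims, compound authentication and Kerberos armoring settings that the KDC and clients need are configured by Group Policy and are only referenced in a comment.

```powershell
# Added example (not from the original article): create a Tier 0 Authentication
# Policy and Silo. Tier0_Policy, Tier0_Silo, T0-Admin, T0-PAW01 and DC01 are
# assumed names for illustration.
# Prerequisites set by GPO (not shown here): on DCs, "KDC support for claims,
# compound authentication and Kerberos armoring"; on clients, "Kerberos client
# support for claims, compound authentication and Kerberos armoring".
Import-Module ActiveDirectory

# SDDL condition: only principals whose AuthenticationSilo claim equals
# "Tier0_Silo" may be used as a source of authentication. This is what makes a
# Tier 0 credential unusable from a laptop that is not in the silo.
$siloCondition = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0_Silo"))'

# 1. Policy: short TGT lifetime plus the silo condition, enforced rather than audit-only.
New-ADAuthenticationPolicy -Name 'Tier0_Policy' `
    -Description 'Tier 0 accounts may only authenticate from Tier 0 hosts' `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $siloCondition `
    -Enforce

# 2. Silo: the "VIP container" that ties users, computers and services to the policy.
New-ADAuthenticationPolicySilo -Name 'Tier0_Silo' `
    -Description 'Tier 0 admin accounts and PAWs' `
    -UserAuthenticationPolicy 'Tier0_Policy' `
    -ComputerAuthenticationPolicy 'Tier0_Policy' `
    -ServiceAuthenticationPolicy 'Tier0_Policy' `
    -Enforce

# 3. Membership is two-sided: the silo must permit the account, and the account
#    must be assigned to the silo. Both steps are required or the claim is never issued.
$tier0Accounts = @('T0-Admin')          # assumed Tier 0 admin account
$tier0Hosts    = @('T0-PAW01', 'DC01')  # assumed privileged access workstation and DC

foreach ($user in $tier0Accounts) {
    $account = Get-ADUser -Identity $user
    Grant-ADAuthenticationPolicySiloAccess -Identity 'Tier0_Silo' -Account $account
    Set-ADUser -Identity $account -AuthenticationPolicySilo 'Tier0_Silo'
}
foreach ($hostName in $tier0Hosts) {
    $computer = Get-ADComputer -Identity $hostName
    Grant-ADAuthenticationPolicySiloAccess -Identity 'Tier0_Silo' -Account $computer
    Set-ADComputer -Identity $computer -AuthenticationPolicySilo 'Tier0_Silo'
}

# 4. Rule #1 in practice: Tier 0 admins also go into Protected Users, which removes
#    NTLM, weak Kerberos encryption types and credential caching for those accounts.
Add-ADGroupMember -Identity 'Protected Users' -Members $tier0Accounts
```

A practical rollout runs the policy and silo first without -Enforce so the domain controllers log the logons that would have been denied, and only switches to -Enforce once the Tier 0 hosts have all been assigned; otherwise the first enforced policy can lock administrators out of their own domain controllers.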
To make this architecture work, we can rely on two key mechanisms:
The “Protected Users” Security Group
This is a critical security group built into Active Directory. Members of this group:
- Cannot use NTLM: They must use Kerberos (a more secure protocol).
- No Caching: Their credentials are not cached on the local machine. If the machine is rebooted or disconnected, the credentials are gone. This prevents “credential dumping” attacks.
- Encryption: It forces the use of stronger encryption types (AES).
Kerberos Armoring and Claims
Authentication Policies use “claims” to verify the device making the request.
- When a user tries to log in, the Domain Controller checks the user’s Silo.
- It asks: “Is this user allowed to request a Ticket from this specific computer?”
- If the computer is not in the allowed list, the Domain Controller rejects the request immediately.
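The two mechanisms only help if every Tier 0 account is actually covered by them, and the rejections they produce are only useful if someone reads them. The following PowerShell is an added example (not from the original article) that audits the high-privilege groups against Protected Users and the silo, then pulls the domain controller Security events that record a denied silo or Protected Users logon. Tier0_Silo and DC01 are assumed names.

```powershell
# Added example (not from the original article): check that every account in the
# high-privilege groups is constrained by Protected Users and the Tier 0 silo,
# then list the DC Security events that fire when such a logon is rejected.
# 'Tier0_Silo' and 'DC01' are assumptions for illustration.
Import-Module ActiveDirectory

$siloName    = 'Tier0_Silo'
$dc          = 'DC01'
$tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Distinguished names of everyone currently in Protected Users (nested members included).
$protectedDNs = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                Select-Object -ExpandProperty DistinguishedName

# Rule #3: anyone in these groups is Tier 0, so each one should appear in both controls.
$report = foreach ($group in $tier0Groups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # msDS-AssignedAuthNPolicySilo holds the DN of the assigned silo (empty if none).
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties 'msDS-AssignedAuthNPolicySilo'
            [pscustomobject]@{
                Group            = $group
                Account          = $u.SamAccountName
                InProtectedUsers = $protectedDNs -contains $u.DistinguishedName
                InTier0Silo      = ($u.'msDS-AssignedAuthNPolicySilo' -like "CN=$siloName,*")
            }
        }
}

# A $false in either column is a Tier 0 credential that could still be cached on,
# or used from, a Tier 2 laptop. Accounts in several groups are reported once.
$gaps = $report |
        Where-Object { -not $_.InProtectedUsers -or -not $_.InTier0Silo } |
        Sort-Object Account -Unique
$gaps | Format-Table -AutoSize

# Detection side: these Security log events on the DC are the "noise" the article
# describes, i.e. a Tier 0 credential being tried from a host outside the silo.
#   4820 - TGT denied: the device does not meet the access control restrictions
#   4821 - service ticket denied: user and/or device do not meet the restrictions
#   4822 - NTLM authentication failed: the account is a member of Protected Users
Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4820, 4821, 4822
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Running the first half on a schedule catches the drift the article warns about (a new virtualization or help desk delegate who is Tier 0 in effect but not in the controls); forwarding the event IDs in the second half to the SIEM turns a blocked lateral move into an alert rather than a silent failure.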
Balancing Security and Usability
A common concern is friction. If we stop caching credentials and force strict login paths, will users revolt?
If you make a user type a 20-character password every time they access a service because caching is disabled, they will find a workaround. Think of all the passwords on sticky notes or on slips of paper kept under the keyboard. This is why a Tier Model strategy must be paired with modern Identity Governance, such as Windows Hello for Business or FIDO2 Security Keys. These tools provide strong, multi-factor authentication without the friction of constant password entry.
Securing Tier 0 is the first critical step in your Active Directory hardening journey. By utilizing Authentication Silos and the Protected Users group, we move beyond simple policy documents and enforce strict technical barriers. We limit high-value accounts to high-value hosts, ensuring that when an attacker lands on a workstation, they have nowhere left to go.
