To respond to incidents, Microsoft created Tiers: a method to segment an Active Directory domain to protect privileged identities. Securing your organization starts by segmenting users from administrators.
Microsoft has a methodology called Tiered Administration. Microsoft Services assists many companies across the globe in responding to security breaches and incidents. The best and brightest of various Microsoft teams discussed how companies were being breached, and how Microsoft designs solutions to secure them after an incident.
The post Administrative Accounts describes best practices for administrator accounts in detail. After understanding the process by which a person gets a separate administrative account, understand what resources people access. For that we…
There are different levels of administrator access. Administrators have different accounts based on the resources they access.
Microsoft calls this administrative separation “Tiers.” The full documentation on Microsoft tiers requires a bit of in-depth reading.
The tier numbers parallel the rings of the Trusted Computing Base “Protected Ring” security model.
For a very brief pictorial definition of Microsoft tiers, see the image below:
[Figure: Trusted Sec Levels Mapped to Microsoft Tiers]
As you travel from the outer ring toward the center, and likewise from Tier 2 down to Tier 0, the security level increases. With this increase in security, the number of people with access to the resources decreases. Tier 0, like the kernel ring, has the fewest administrators in the Active Directory environment.
Since there are three administrator tiers, begin by understanding that there are three sets of administrators to add into a domain.
To get started with deploying the tiers, start with the biggest, most impactful item that secures the largest section of the domain and, as a bonus, takes the least amount of time: Tier 0, the Domain Administrators.
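As an added example (not from the original post or Microsoft's own tooling), the following PowerShell lays down the three tier OUs and one admin group per tier, then reports which accounts currently hold Tier 0 rights so you know what to place in Tier 0 first. It assumes the ActiveDirectory module, a session run from the forest root domain with Domain Admin rights, and that the OU and group names are hypothetical placeholders to adapt.

```powershell
# Added example: three-tier admin structure plus a Tier 0 membership report.
# Assumptions: ActiveDirectory module present, run in the forest root domain;
# the "Admin", "Tier N" and "TierN-Admins" names below are hypothetical.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$adminRoot = "OU=Admin,$domainDN"

# Top-level container for all tiered administrative objects.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=Admin)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name "Admin" -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Tier 0 = domain/forest control, Tier 1 = servers and applications,
# Tier 2 = workstations and user support. One OU and one security group each.
foreach ($tier in 0, 1, 2) {
    $ouName = "Tier $tier"
    $ouDN   = "OU=$ouName,$adminRoot"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $adminRoot -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ouName -Path $adminRoot -ProtectedFromAccidentalDeletion $true
    }
    $groupName = "Tier$tier-Admins"
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
        New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
            -GroupCategory Security -Path $ouDN -Description "Tier $tier administrative accounts"
    }
}

# Tier 0 first: these built-in groups control the directory itself. Every user
# found here is by definition a Tier 0 account; InTier0OU shows whether it has
# already been moved under the Tier 0 OU or still lives alongside normal users.
$tier0Groups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"
$tier0OU     = "OU=Tier 0,$adminRoot"

$findings = foreach ($g in $tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq "user" |
        Get-ADUser -Properties Enabled, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                Group     = $g
                Account   = $_.SamAccountName
                Enabled   = $_.Enabled
                LastLogon = $_.LastLogonDate
                InTier0OU = ($_.DistinguishedName -like "*,$tier0OU")
            }
        }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize
```

Rows with InTier0OU set to False are the accounts to relocate (or replace with a dedicated Tier 0 account) before moving on to Tier 1 and Tier 2.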