Tiered Administration

What are tiers?

To respond to incidents, Microsoft created Tiers: a method to segment an Active Directory domain to protect privileged identities. Securing your organization starts with segmenting users from administrators.

Microsoft has a methodology called Tiered Administration. Microsoft Services helps many companies across the globe respond to security breaches and incidents. The best and brightest from various Microsoft teams analyzed how companies were being breached and how Microsoft could design solutions to secure them after an incident.

In the post Administrative Accounts, best practices for administrator accounts are described in detail. After understanding when a person gets a separate administrative account, the next step is to understand what resources people access. For that we…

Dive into Tiers

There are different levels of administrator access. Administrators have different accounts based on the resources they access.

The Tiers

Microsoft calls this administrative separation “Tiers.” Full documentation on Microsoft tiers requires a bit of in-depth reading.

The tier numbers parallel the Trusted Computing Base “Protected Ring” security model.

[Image: ESAE trusted computing base protected ring]

There Are Three Tiers For Administrators: Tier 0, Tier 1, and Tier 2

For a very brief pictorial definition of Microsoft tiers, see the image below:

[Image: Secframe.com Microsoft Tiered Model Guidelines]

Trusted Sec Levels Mapped to Microsoft Tiers:

| Ring / Tier # | Level of Trust | Trusted Sec Definition | ELI5 Definition |
|---|---|---|---|
| 0 | Most Trusted | Kernel | Domain Controllers |
| 1 | Contains Non-Trusted Items | System Services | Servers |
| 2 | Contains More Non-Trusted Items | I/O Drivers & Operations - Utilities | Workstations |
| 3 | Least Trusted | Applications | Anything Public, Standard Users |

Moving from the outer ring toward the center, that is from Tier 2 down to Tier 0, the security level increases. As security increases, the number of people with access to the resources decreases. Tier 0, the kernel ring, has the fewest administrators in the Active Directory environment.

The Journey to Tiers

Since there are three administrator tiers, begin by understanding that there are three sets of administrators to add to a domain.

| Tier # | Administrator Type |
|---|---|
| 0 | Domain Admin |
| 1 | Server Admin |
| 2 | Workstation Admin |

To get started deploying the tiers, begin with the biggest, most impactful item: the one that secures the largest section of the domain and, as a bonus, takes the least amount of time: Tier 0, the Domain Administrators.
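As an added example (not code from secframe.com or Microsoft), here is a small Python model of the tier rules above: accounts are classified into Tier 0, 1 or 2 from their group membership, and an audit flags an account that spans two tiers or a credential used on an asset outside its tier. Only Domain Admins and Enterprise Admins are real built-in groups; the Tier 1 and Tier 2 group names and the sample logons are constructed.

```python
# Added example, not from secframe.com or Microsoft. Group names for Tier 1 and
# Tier 2 are assumed; Domain Admins and Enterprise Admins are built-in AD groups.
TIER_GROUPS = {
    0: {"Domain Admins", "Enterprise Admins"},  # Tier 0: domain controllers / identity
    1: {"Server Admins"},                        # Tier 1: member servers
    2: {"Workstation Admins"},                   # Tier 2: workstations
}
STANDARD_USER = 3  # ring 3 in the table above: holds no administrative tier
ASSET_TIER = {"domain controller": 0, "server": 1, "workstation": 2}

def tiers_of(groups):
    """Set of admin tiers an account holds through its group memberships."""
    return {tier for tier, names in TIER_GROUPS.items() if names & set(groups)}

def account_tier(groups):
    """Effective tier: the most privileged (lowest-numbered) one held, else standard user."""
    held = tiers_of(groups)
    return min(held) if held else STANDARD_USER

def membership_violation(groups):
    """One account per tier: a single account must not hold groups from two tiers."""
    return len(tiers_of(groups)) > 1

def logon_violation(groups, asset_role):
    """Admin credentials stay in their tier: Tier 0 creds on a workstation are exposed
    to a Tier 2 host, and a Tier 2 admin on a DC administers a higher tier."""
    acct, asset = account_tier(groups), ASSET_TIER[asset_role]
    if acct == STANDARD_USER:
        return asset < 2  # standard users belong on workstations only
    return acct != asset

def audit(logons):
    """logons: iterable of (account, groups, asset_role); returns finding strings."""
    findings = []
    for account, groups, role in logons:
        if membership_violation(groups):
            findings.append(f"{account}: groups span tiers {sorted(tiers_of(groups))}")
        if logon_violation(groups, role):
            findings.append(f"{account}: tier {account_tier(groups)} credential used on "
                            f"{role} (tier {ASSET_TIER[role]})")
    return findings

SAMPLE_LOGONS = [  # constructed logon events, not real telemetry
    ("da-alice", ["Domain Admins"], "domain controller"),           # in tier: fine
    ("da-alice", ["Domain Admins"], "workstation"),                 # Tier 0 creds on Tier 2 host
    ("sa-bob", ["Server Admins", "Workstation Admins"], "server"),  # one account, two tiers
    ("carol", ["Domain Users"], "server"),                          # standard user on a Tier 1 host
]
for finding in audit(SAMPLE_LOGONS):
    print(finding)
```

In a real deployment the same rules would be fed from group membership exports and logon telemetry rather than the constructed list here.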
