Tiered Admin Model

So, I know I’ve been quiet on here for a while! But that hasn’t stopped work behind the scenes. I’ve been working away on GPOs that adhere to the MS best practices. Granted, I could just use the secure baselines but where’s the fun in that?!

In preparation for this, which I will add to GitHub and a link explaining on here, it’s important to think about and prepare for the hardening by introducing a Tiered Administration model. What’s this?

A tiered model usually has 3 levels, Tier-0 is your most valuable keys to the kingdom (think Domain/Enterprise admins), Tier-1 will be valuable (think Server Admins) and then Tier-2 will be the least valuable (think Workstation Admins). Saying least valuable doesn’t mean these administrators are not valuable, but if you think of a triangle, Tier-2 will be at the bottom with the largest number of members, Tier-1 will be in the middle with fewer admins and then Tier-0 will be at the top with the fewest members.

One important aspect of a tiered administration model is that an account cannot log on to a device in a different tier. Domain Admins cannot logon to servers or workstations, Server admins cannot log on to workstations or domain controllers. This model is included in the GPOs that I will publish. You will however have to edit these to account for your groups.

This separation is key to slowing down any form of privilege escalation from an attacker. It’s not the sort of thing that you can usually just drop in to your environment, rather it needs building up. As part of the design of your tiered administration model, you need to consider all of your equivalent tier-0 resources. For example, if you use virtual domain controllers, the host that they reside on needs to be protected as a tier-0 resource due to the ability to control the VM. SCCM/SCOM/WSUS which have the ability to alter the configuration or install software on a domain controller, again need to be protected and secured.

When you start looking at introducing this to an existing environment that doesn’t already have it, the amount of work required soon mounts up. But that should not put you off, if you cant remove something like SCCM or Hyper-V from Tier-0, make a note and audit the living daylights out of it, secure it as best you can until you can completely de-scope it.

Introducing the tiered administration is likely to cause pushback from existing admins as instead of 2 accounts (day to day for email etc and administration) they can end up with 4 accounts to manage. When you start explaining why it has to be like this and the benefits though, it begins making sense to them hopefully.

Below are a couple of MS links detailing this model which are well worth a read:

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/defining-roles-for-pam

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.