In situations in which a greater level of assurance is desired for the production forest without incurring the cost and complexity of a complete rebuild, an administrative forest can provide an environment that increases the assurance level of the production environment. While this approach does add a forest to an Active Directory environment, the cost and complexity are limited by the fixed design, small hardware/software footprint, and small number of users. This approach works well for administering Active Directory, but many applications aren't compatible with being administered by accounts from an external forest using a standard trust.

This figure depicts an ESAE forest used for administration of Tier 0 assets and a PRIV forest configured for use with Microsoft Identity Manager's Privileged Access Management capability.

While they have gone by many names, security zones are a well-established approach that provides containment of security threats through network-layer isolation between them.

Users with local administrative privileges can easily infect their devices with malware that’s able to harvest cached credentials from memory. Other methods, like Pass-the-Hash (PtH), also rely on a privileged account logging in to a system that’s been infected by malware using local administrative privileges.

In this Ask the Admin, I’ll discuss setting up Active Directory to support a secure tiered administrative model and Privileged Access Workstations (PAWs). At the end of last year, I wrote several posts on how to administer Active Directory securely.
For more information, see the "Automatically Approve Updates for Installation" section in Approving Updates.

Security baselines should be used as starting configurations. Customers can use the Microsoft Security Compliance Toolkit (SCT) for configuring the baselines on the administrative hosts.

Administrative hosts should also be configured with:
- Secure Boot, to mitigate against attackers or malware attempting to load unsigned code into the boot process. This feature was introduced in Windows 8 to leverage the Unified Extensible Firmware Interface (UEFI).
- Full volume encryption, to mitigate against physical loss of computers, such as administrative laptops used remotely.
- USB restrictions, to protect against physical infection vectors.
- Network isolation, to protect against network attacks and inadvertent admin actions.

The “Active Directory Tier Model” is a logical separation of AD assets, having some kind of security boundaries in between.

For more information, see

In Windows-based computers, all authentications are processed as one of several logon types, regardless of which authentication protocol or authenticator is used.

Guidelines include:

The Tier columns in this table refer to the Tier level of the administrative account, the control of which typically impacts all assets in that tier. Operational decisions that are made on a regular basis are critical to maintaining the security posture of the environment.

But domain controllers are ‘special’ and should be secured for a much higher level of trust.

At least one administrative account should be password based to ensure access will work in case the multi-factor authentication process breaks. However, in combination with other best practices, the tiered administrative model is an effective defense.

Primary - Use RDP RestrictedAdmin from an admin workstation with a domain account that uses permissions obtained just-in-time from a privileged access management …

As an example, an attacker in control of a DC has no need to steal credentials from logged-on administrators, as they already have access to all domain credentials in the database.

Ensure that the following practices are applied for this scenario:
- Help Desk and user support organizations perform support for end users (which doesn't require administrative privileges) and the user workstations (which does require administrative privileges).
- Administrative personnel cannot browse the open Internet while logged on with an administrative account or while logged on to an administrative workstation.

Join me in my webinar “Protect Privileged Active Directory Credentials Using a Tiered-Administrative Model” where I’ll explain more about the tiered administrative model and show you how it works in practice, including automating the creation of Microsoft’s recommended OU structure and groups, populating privileged AD groups using AD DS management accounts, and managing domain controllers using Privileged Access Workstations (PAWs).

Remote workstation support - The Tier 2 support personnel is physically remote to the workstation.

These include the DNS Server service and critical network devices like Internet proxies. The clean source principle requires all security dependencies to be as trustworthy as the object being secured. Any subject in control of an object is a security dependency of that object.

The definition from the Administrative Tier Model is: Tier 0 – Direct Control of enterprise identities in the environment.

You can adapt these to the specific requirements, available tools, and risk appetite of your organization, but we recommend only minimum modifications to reduce risk.

No permissions will be permanently assigned to administrative accounts. Permanently assigned administrative privileges naturally create a "most privilege" strategy because administrative personnel require rapid access to permissions to maintain operational availability if there is an issue.
The only authorized exceptions are the emergency access accounts that are protected by the appropriate processes.

Link all administrative accounts to a smart card and enable the attribute "

A script should be implemented to automatically and periodically reset the random password hash value by disabling and immediately re-enabling the attribute "

Allow no exceptions for accounts used by human personnel beyond the emergency access accounts.

All accounts with administrative privileges in a cloud service, such as Microsoft Azure and Office 365, must use multi-factor authentication.

Operational practices must support the following standards:
- Ensure that each emergency access account has a tracking sheet in the safe.
- The procedure documented on the password tracking sheet should be followed for each account, which includes changing the password after each use and logging out of any workstations or servers used after completion.
- All use of emergency access accounts should be approved by the change approval board in advance or after the fact as an approved emergency usage.
- Only authorized domain admins can access the emergency access accounts with domain admin privileges.
- The emergency access accounts can be used only on domain controllers and other Tier 0 hosts.

Forest-wide tasks that require enterprise administrative privileges

Topology management, including Active Directory site and subnet management, is delegated to limit the use of these privileges. All usage of one of these accounts should have written authorization by the security group lead. The procedure on the tracking sheet for each emergency access account requires the password to be changed for each use.
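As an added example that is not part of the original page or Microsoft's own tooling, the periodic hash reset described above can be scripted with the ActiveDirectory PowerShell module. The page does not name the attribute; this script assumes it is the "Smart card is required for interactive logon" flag, exposed by the module as the SmartcardLogonRequired property, and the OU path is a placeholder.

```powershell
# Added example: rotate the random password hash of smart-card-only admin accounts
# by clearing and immediately re-setting the smart-card-required flag.
# Assumption: the flag the page refers to is SmartcardLogonRequired (userAccountControl
# SMARTCARD_REQUIRED); the search base is a placeholder for the Tier 0 admin OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Tier0,OU=Admin,DC=example,DC=com'   # placeholder OU

# Only touch accounts that are already smart-card-only. Password-based emergency
# access accounts are never selected, so their known passwords are not disturbed.
$accounts = Get-ADUser -SearchBase $SearchBase `
    -Filter { SmartcardLogonRequired -eq $true } `
    -Properties SmartcardLogonRequired, PasswordLastSet

foreach ($u in $accounts) {
    $before = $u.PasswordLastSet
    try {
        # Clearing the flag and setting it again makes the DC generate a fresh random
        # password, so any previously harvested hash for this account stops working.
        Set-ADUser -Identity $u -SmartcardLogonRequired $false -ErrorAction Stop
        Set-ADUser -Identity $u -SmartcardLogonRequired $true  -ErrorAction Stop

        # Verify the rotation actually happened and the flag is back in place.
        $after = Get-ADUser -Identity $u -Properties SmartcardLogonRequired, PasswordLastSet
        if (-not $after.SmartcardLogonRequired) {
            Write-Warning ("{0}: smart-card flag is NOT set after reset; investigate" -f $u.SamAccountName)
        }
        elseif ($after.PasswordLastSet -le $before) {
            Write-Warning ("{0}: PasswordLastSet did not advance ({1:u})" -f $u.SamAccountName, $after.PasswordLastSet)
        }
        else {
            Write-Output ("{0}: hash reset, PasswordLastSet now {1:u}" -f $u.SamAccountName, $after.PasswordLastSet)
        }
    }
    catch {
        Write-Warning ("{0}: reset failed: {1}" -f $u.SamAccountName, $_.Exception.Message)
    }
}
```

Run it from a Tier 0 administrative host on a schedule, and review the warnings it emits as part of the routine operational checks for the tier.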

These are commonly configured to manage Tier 0 solutions and Tier 0 assets and should be classified at Tier 0.