Tier Zero: What It Is, Its Importance, Its Boundaries, and Detecting Out-of-Bounds Activity

Webinar Registration

Every Active Directory environment has Tier 0 systems whether they recognize it or not. Tier 0 systems are those whose compromise leads, through security dependencies, to the compromise of the rest of your environment. Tier 0 begins with domain controllers and any other foundational security systems that provide identity, authentication and access control to the rest of your network. That would include:

  • ADFS
  • Multifactor authentication and RADIUS servers
  • Privileged account/session management

But Tier 0 also includes additional systems that foundation security systems like domain controllers depend on for synchronization, management or hosting, including:

  • Azure AD Connect
  • Systems management servers that manage DCs or other Tier 0 systems
  • Hypervisors (and hypervisor management systems) that host Tier 0 systems

Finally, Tier 0 extends to any system where a Tier 0 user account logs on. And that brings us to an important point. Tier 0 isn’t just about systems – it’s equally about user accounts. Tier 0 user accounts are those that have privileged access to any Tier 0 system. So that would include accounts like:

  • Domain Admins
  • Local admin authority on a member server running Azure AD Connect or ADFS
  • Root access on a hypervisor server hosting domain controller VMs

As soon as a Tier 0 account logs on to a given system, that system essentially becomes Tier 0 even if not intended. That’s because anyone with local admin authority on that system can potentially steal the credentials and/or impersonate that Tier 0 user. So that means Secure Admin Workstations (SAWs) are essential to security. Tier 0 systems and accounts must stay together. But it’s so easy for Tier 0 accounts to get out of bounds.
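The boundary rule above, that a Tier 0 account logging on to any host pulls that host into Tier 0, is something you can check for directly. The following is an added example, not code from the webinar, Quest or BloodHound Enterprise: it expands Tier 0 group membership through nested (and even circular) groups, then flags successful logons where a Tier 0 account lands on a host outside the defined Tier 0 set. The group graph, host list and event lines are constructed, and the events use a simplified key=value rendering of Security log 4624/4625 records rather than the real XML.

```python
"""Flag Tier 0 accounts that log on outside the Tier 0 boundary.

Added example: the group graph, host list and event lines below are
constructed for illustration, not taken from any real directory or log.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed group graph: group name -> direct members (users or nested groups).
# Hypervisor-Admins and Tier0-Ops nest each other to exercise cycle handling.
GROUP_MEMBERS: dict[str, set[str]] = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Tier0-Ops": {"bob", "Hypervisor-Admins"},
    "Hypervisor-Admins": {"carol", "Tier0-Ops"},
    "Helpdesk": {"dave"},
}

# Groups assumed to confer privileged access to a Tier 0 system.
TIER0_GROUPS = {"Domain Admins", "Tier0-Ops", "Hypervisor-Admins"}

# Hosts inside the Tier 0 boundary: DCs, Azure AD Connect, the hypervisor
# hosting DC VMs, and the SAWs that Tier 0 accounts are meant to use.
TIER0_HOSTS = {"DC01", "DC02", "AADCONNECT01", "HV01", "SAW-ALICE", "SAW-CAROL"}

# Constructed, simplified key=value rendering of Security log events.
# "Computer" is the host that recorded the event, i.e. where the logon happened.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=alice Computer=DC01 LogonType=10
EventID=4624 TargetUserName=alice Computer=FILE01 LogonType=10
EventID=4624 TargetUserName=carol Computer=WEB07 LogonType=2
EventID=4624 TargetUserName=dave Computer=WEB07 LogonType=2
EventID=4624 TargetUserName=bob Computer=HV01 LogonType=3
EventID=4625 TargetUserName=bob Computer=WEB07 LogonType=2
"""


@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    logon_type: int


def expand_group(group: str, members: dict[str, set[str]] = GROUP_MEMBERS) -> set[str]:
    """Return every user transitively in `group`, following nested groups.

    A visited set keeps the walk finite when groups nest each other.
    """
    users: set[str] = set()
    seen: set[str] = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in members.get(current, ()):
            if member in members:      # nested group: descend into it
                stack.append(member)
            else:                      # leaf principal: a user account
                users.add(member)
    return users


def tier0_accounts(groups=TIER0_GROUPS, members=GROUP_MEMBERS) -> set[str]:
    """Union of all users reachable from any Tier 0 group."""
    accounts: set[str] = set()
    for group in groups:
        accounts |= expand_group(group, members)
    return accounts


def parse_events(text: str) -> list[Logon]:
    """Parse the simplified event lines, keeping only successful logons (4624)."""
    logons: list[Logon] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("EventID") != "4624":
            continue
        logons.append(Logon(fields["TargetUserName"],
                            fields["Computer"].upper(),
                            int(fields["LogonType"])))
    return logons


def out_of_bounds(logons: list[Logon], accounts: set[str], hosts=TIER0_HOSTS) -> list[Logon]:
    """A Tier 0 account on a host outside the boundary drags that host into Tier 0."""
    return [l for l in logons if l.account in accounts and l.host not in hosts]


def detect(text: str = SAMPLE_EVENTS) -> list[Logon]:
    """Run the full check over event text using the constructed Tier 0 definitions."""
    return out_of_bounds(parse_events(text), tier0_accounts())


if __name__ == "__main__":
    for finding in detect():
        print(f"OUT OF BOUNDS: {finding.account} logged on to {finding.host} "
              f"(logon type {finding.logon_type})")
```

On the constructed data, alice's logon to DC01 and bob's to HV01 are in bounds, dave is not Tier 0, and the 4625 failure is skipped, leaving alice on FILE01 and carol on WEB07 as the two findings. In a real environment the account set would come from recursive AD group expansion plus the local Administrators groups on each Tier 0 server, and the logon events from the member servers' Security logs or your SIEM; the logon type is kept in each finding because interactive and RDP logons leave credentials on the host and deserve the fastest triage.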

In this webinar, we will do a deep dive into Tier 0. I’ll show you why it’s so important to recognize Tier 0 for what it is and then identify all systems and accounts that are Tier 0 either directly or indirectly. That can be quite a difficult job because of the complexity of group membership, nested groups, directory synchronization, various permission models, etc. There are so many ways that the bad guys can gain access to Tier 0 assets. As just one example, all it takes is inadvertently assigning someone write permission to the wrong GPO. 

Some of the key MITRE ATT&CK techniques that come into play in our discussion are:

  • T1078 – Valid Accounts
  • 002 – OS Credential Dumping: Security Account Manager
  • T1098 – Account Manipulation

Bryan Patton from our sponsor Quest is drawing on his experience helping customers tackle this problem to help assemble the material for this real training for free session, and he will also briefly demonstrate how SpecterOps Bloodhound Enterprise and other Quest technologies can help you uncover the hidden permissions and memberships that make up the true scope of the critical Tier Zero assets in your Active Directory.

Please join us for this real training for free session.
