You Should Know:
Tiered administration is a critical concept in securing Active Directory (AD) environments. It segregates administrative accounts and tasks into separate tiers so that a credential stolen in one tier cannot be used to move laterally into a more privileged one. Below are practical steps, commands, and code to implement and verify tiered administration in your environment.
1. Creating Tiered Admin Accounts
To create tiered admin accounts, use the following PowerShell commands:
```powershell
# Requires the ActiveDirectory module (RSAT) and rights to create users.
Import-Module ActiveDirectory

# Prompt for each password instead of embedding it in the script.
# Create Tier 0 admin account
New-ADUser -Name "Tier0_Admin" -SamAccountName "Tier0_Admin" `
    -AccountPassword (Read-Host -AsSecureString "Tier0_Admin password") -Enabled $true

# Create Tier 1 admin account
New-ADUser -Name "Tier1_Admin" -SamAccountName "Tier1_Admin" `
    -AccountPassword (Read-Host -AsSecureString "Tier1_Admin password") -Enabled $true

# Create Tier 2 admin account
New-ADUser -Name "Tier2_Admin" -SamAccountName "Tier2_Admin" `
    -AccountPassword (Read-Host -AsSecureString "Tier2_Admin password") -Enabled $true
```
2. Assigning Permissions to Tiers
Assign permissions to each tier using the following commands:
```powershell
# Assign Tier 0 admin to the Domain Admins group
Add-ADGroupMember -Identity "Domain Admins" -Members "Tier0_Admin"

# Assign Tier 1 admin to the Server Operators group
Add-ADGroupMember -Identity "Server Operators" -Members "Tier1_Admin"

# Assign Tier 2 admin to the Account Operators group
Add-ADGroupMember -Identity "Account Operators" -Members "Tier2_Admin"
```
3. Verifying Tier Isolation
To ensure that there is no crossover between tiers, use the following commands to verify group memberships:
```powershell
# MemberOf is not returned by default, so it must be requested with -Properties.
# Check Tier 0 admin group membership
Get-ADUser -Identity "Tier0_Admin" -Properties MemberOf | Select-Object -ExpandProperty MemberOf

# Check Tier 1 admin group membership
Get-ADUser -Identity "Tier1_Admin" -Properties MemberOf | Select-Object -ExpandProperty MemberOf

# Check Tier 2 admin group membership
Get-ADUser -Identity "Tier2_Admin" -Properties MemberOf | Select-Object -ExpandProperty MemberOf
```
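The per-account listing above shows what each admin belongs to but leaves the comparison to the reader and does not expand nested groups. The following script, added here and not part of the original post, automates the isolation check: it maps each admin account and each group to a tier (the mapping is an assumption built from the accounts and groups used on this page) and flags any account whose recursive group membership lands in a different tier.

```powershell
# Added example: flag any admin account that is a direct or nested member of a
# group belonging to a different tier. Account names and the group-to-tier
# mapping are assumptions taken from this page; adjust them to your own policy.
Import-Module ActiveDirectory

$TierAccounts = @{
    'Tier0_Admin' = 0
    'Tier1_Admin' = 1
    'Tier2_Admin' = 2
}

# Groups that belong to each tier (0 = most privileged).
$TierGroups = @{
    0 = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    1 = @('Server Operators')
    2 = @('Account Operators')
}

function Test-TierIsolation {
    $findings = @()
    foreach ($tier in ($TierGroups.Keys | Sort-Object)) {
        foreach ($group in $TierGroups[$tier]) {
            # -Recursive expands nested groups, so an indirect path such as
            # Tier2_Admin -> HelpdeskOps -> Domain Admins is caught as well.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                       Where-Object objectClass -eq 'user'
            foreach ($m in $members) {
                $accountTier = $TierAccounts[$m.SamAccountName]
                # Only accounts in the tier map are evaluated; a tier mismatch in
                # either direction is a crossover (Tier 0 credentials must not be
                # exposed in lower tiers either).
                if ($null -ne $accountTier -and $accountTier -ne $tier) {
                    $findings += [pscustomobject]@{
                        Account     = $m.SamAccountName
                        AccountTier = $accountTier
                        Group       = $group
                        GroupTier   = $tier
                    }
                }
            }
        }
    }
    return $findings
}

$violations = @(Test-TierIsolation)
if ($violations.Count -eq 0) {
    Write-Output 'OK: every mapped admin account is confined to its own tier.'
} else {
    Write-Warning 'Tier crossover detected:'
    $violations | Format-Table -AutoSize
}
```

Microsoft's tier model treats every group with administrative rights on domain controllers as Tier 0, which includes the built-in Server Operators and Account Operators groups; if you follow that guidance, move those two groups into the Tier 0 list and assign Tier 1 and Tier 2 admins to custom groups scoped to member servers and workstations instead.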
4. Implementing Logging and Monitoring
Enable auditing to monitor administrative activities:
```powershell
# Run from an elevated prompt. "Account Management" is an audit category, not a
# subcategory, so it is set with /category; "Logon" is a subcategory of Logon/Logoff.
# These commands change the local policy only; to apply the same settings across
# the domain, configure Advanced Audit Policy Configuration in Group Policy.

# Enable auditing for account management
auditpol /set /category:"Account Management" /success:enable /failure:enable

# Enable auditing for logon events
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```
5. Regularly Reviewing and Updating Policies
Regularly review and update your tiered administration policies to ensure they remain effective. Use the following commands to export AD group memberships for review:
```powershell
# Export AD group memberships for offline review
Get-ADGroupMember -Identity "Domain Admins"     | Export-Csv -Path "C:\Domain_Admins.csv"     -NoTypeInformation
Get-ADGroupMember -Identity "Server Operators"  | Export-Csv -Path "C:\Server_Operators.csv"  -NoTypeInformation
Get-ADGroupMember -Identity "Account Operators" | Export-Csv -Path "C:\Account_Operators.csv" -NoTypeInformation
```
What Undercode Say:
Tiered administration is a foundational security practice that significantly reduces the attack surface in Active Directory environments. By segregating administrative tasks into distinct tiers, organizations can limit the potential damage caused by credential theft and lateral movement. Implementing and maintaining tiered administration requires careful planning, regular auditing, and continuous monitoring. The provided PowerShell commands and steps offer a practical starting point for securing your AD environment. For further reading, consider exploring Microsoft’s official documentation on Active Directory Security Best Practices.
References:
Reported By: Spenceralessi Tiered – Hackers Feeds