Listen to this Post

Introduction:
Active Directory (AD) is the cornerstone of identity and access management in most corporate Windows environments, making it a prime target for cyber attackers. AD Tiering is a critical security model designed to contain lateral movement and privilege escalation by segmenting the network into distinct, logical layers. This article deconstructs the theory, practical implementation, and real-world exploitation techniques of this essential defense strategy.
Learning Objectives:
- Understand the fundamental principles and importance of the AD Tiering Model (Tier 0, 1, and 2).
- Learn how to architect and implement a tiering model using Group Policy and administrative segregation.
- Identify common misconfigurations and attack paths that allow adversaries to breach tier boundaries.
- Acquire practical skills to harden your AD environment against tier-crossing attacks.
You Should Know:
1. The Foundational Theory of AD Tiering
The AD Tiering model is a Microsoft-recommended security framework that enforces the principle of least privilege by creating logical boundaries between different classes of assets. Its core purpose is to protect high-value assets by ensuring that compromises in less critical areas cannot easily escalate to full domain control.
– Tier 0: This is the most critical tier, encompassing identities and systems that have direct or indirect control over the AD forest. This includes Domain Controllers, Domain Admins, Enterprise Admins, and the accounts used to manage them.
– Tier 1: This tier contains server-side applications and infrastructure, along with their associated administrative accounts. Examples include SQL Servers, Exchange servers, and the local administrators on these machines. A breach here is severe but should not immediately lead to Tier 0 compromise.
– Tier 2: The user workstation tier. This includes end-user devices and standard user accounts. Most initial breaches occur here, and the tiering model is designed to contain an attack at this level.
The golden rule is: administrative accounts from a higher tier can log into assets at a lower tier, but never the reverse. A Tier 2 admin should never be able to administer a Tier 1 server, and a Tier 1 admin must never have access to a Tier 0 asset.
2. Architecting Your Tiering Model: A Step-by-Step Guide
Implementing a tiering model is a methodological process that begins with inventory and ends with enforced policy.
Step 1: Asset Inventory and Classification.
You cannot protect what you do not know. Use PowerShell to discover all assets and service accounts.
Discover all Windows servers and workstations in the domain
Get-ADComputer -Filter {OperatingSystem -Like "Windows"} -Properties OperatingSystem, Name, DistinguishedName | Select-Object Name, OperatingSystem, DistinguishedName
Discover all privileged groups (Tier 0)
Get-ADGroupMember "Domain Admins" -Recursive
Get-ADGroupMember "Enterprise Admins" -Recursive
Step 2: Create Dedicated Administrative Accounts and Groups.
Separate day-to-day user accounts from privileged administrative accounts. Create new security groups for each tier (e.g., Tier0_Admins, Tier1_Server_Admins, Tier2_Workstation_Admins).
Step 3: Implement Group Policy Object (GPO) Restrictions.
Create and link GPOs to enforce logon restrictions. For Tier 0 assets, create a GPO that restricts interactive logon to only the `Tier0_Admins` group. Similarly, for Tier 1 servers, restrict access to `Tier1_Server_Admins` and Tier0_Admins.
3. The Attacker’s Playbook: Crashing the Tiering Model
A theoretically sound tiering model can be broken by common misconfigurations. Attackers look for weak points that allow them to jump from a lower to a higher tier.
Step 1: Reconnaissance from a Tier 2 Compromise.
Once an attacker has a foothold on a user’s workstation (Tier 2), they enumerate misconfigurations.
PowerView: Find users with interesting properties (e.g., service accounts that are also in admin groups)
Get-NetUser | Where-Object {($<em>.serviceprincipalname -ne "") -and ($</em>.memberof -match "Domain Admins")} | Select-Object samaccountname, memberof, serviceprincipalname
Check for unconstrained delegation on computers (a classic Tier 0 compromise vector)
Get-NetComputer -Unconstrained | Select-Object name
Step 2: Abusing Kerberos for Tier Escalation.
A common flaw is when a Tier 1 server account is configured with unconstrained delegation. If an attacker can force a Domain Admin (Tier 0) to authenticate to that server, the server’s Kerberos service ticket (TGT) for the Domain Admin is cached in memory. The attacker can then steal this ticket and impersonate the Tier 0 admin.
On a Linux-based attack box with Impacket tools 1. Coerce an authentication (e.g., via PetitPotam) python3 ntlmrelayx.py -t ldap://dc01.company.com --escalate-user attack_user <ol> <li>Dump tickets from a compromised server with unconstrained delegation (using Mimikatz on Windows) mimikatz sekurlsa::tickets /export
The attacker now has a Tier 0 ticket and can execute commands on the Domain Controller.
4. Hardening Defenses: Mitigating Common Attack Paths
Understanding the attack is the first step to building a robust defense.
Step 1: Eliminate Dangerous Legacy Settings.
Disable unconstrained delegation entirely. Transition to using Resource-Based Constrained Delegation (RBCD) if delegation is absolutely necessary.
PowerShell: Set the 'TrustedForDelegation' property to false for all computers
Get-ADComputer -Filter {TrustedForDelegation -eq $true} | Set-ADComputer -Remove @{TrustedForDelegation=$true}
Step 2: Implement Authentication Policies (SILO/PLO).
Use Authentication Policies (Available from Windows Server 2012 R2) to create “Authentication Silos” that strictly control which accounts can log on to which resources. This hardens the logical boundaries between tiers.
Step 3: Protected Users Group and Just-Enough-Admin (JEA).
Place all Tier 0 and Tier 1 administrative accounts in the “Protected Users” group to prevent the use of weak NTLM and credential caching. Furthermore, implement JEA for PowerShell, providing constrained, task-specific administrative endpoints instead of full, unrestricted shells.
5. Proactive Hunting: Detecting Tier Boundary Breaches
Defense is not just about prevention but also detection. Security teams must hunt for signs of tier-crossing.
Step 1: Monitor for Anomalous Logon Events.
A Tier 2 asset logging into a Tier 1 or Tier 0 asset is a massive red flag. Centralize Windows Security logs and create alerts for Event ID 4624 (successful logon) where the `Logon Type` and `Workstation Name` indicate a cross-tier logon from a non-privileged source.
Step 2: Hunt for Kerberos Attack Artifacts.
Monitor for Event ID 4769 (Kerberos service ticket requested) where the `Service Name` is a high-value server (like a DC) and the `Client Address` is a non-Tier 0 asset. A high volume of TGS requests from a single source could indicate a Golden Ticket attack or ticket misuse.
What Undercode Say:
- A theoretical model is useless without rigorous implementation. The “Crash Test” phase is non-negotiable; you must actively attempt to break your own tiering design to find the misconfigurations an attacker will exploit.
- The human and service account element is often the weakest link. Over-privileged service accounts and administrators using their high-privilege accounts on lower-tier workstations are the most common vectors for a complete tiering model collapse.
Analysis: The presentation by Aurélien Chalot highlights a critical maturity gap in cybersecurity. Many organizations invest in complex security products while neglecting foundational architectural hygiene like proper AD tiering. The attack techniques demonstrated are not novel zero-days but exploitations of well-documented misconfigurations that persist due to operational complexity and a lack of proactive “assume breach” testing. True resilience is achieved not by building an impenetrable wall, but by creating segmented compartments so that a single breach does not sink the entire ship. The focus must shift from prevention-only to a strategy that includes robust detection and response capabilities for when—not if—the tier boundaries are tested.
Prediction:
The evolution of AD attacks will increasingly leverage AI-driven automation to identify and exploit subtle misconfigurations in tiering policies at scale. As defensive tooling improves for on-premises AD, attackers will pivot harder towards hybrid identity attacks, targeting the synchronization mechanisms between Azure AD and on-premises AD, such as Azure AD Connect. Furthermore, the rise of “living-off-the-land” techniques using native scripting languages like PowerShell 7 (cross-platform) will blur the lines of traditional host-based detection, making application control and network segmentation within tiers more critical than ever. The future of AD security lies in a unified, identity-centric defense posture that spans cloud and on-premises.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: La Cantine – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


