Every Active Directory environment has Tier Zero systems, whether they recognize it or not. Tier Zero systems are those that – if compromised – will impact the rest of your environment due to security dependencies. Tier Zero begins with domain controllers and any other foundation security systems that provide identity, authentication and access control to the rest of your network, including:
- ADFS
- Multifactor authentication and RADIUS servers
- Privileged account/session management
But Tier Zero also includes additional systems that foundation security systems like domain controllers depend on for synchronization, management or hosting, including:
- Azure AD Connect
- Systems management servers that manage DCs or other Tier Zero systems
- Hypervisors (and hypervisor management systems) that host Tier Zero systems
Finally, Tier Zero extends to any system where a Tier Zero user account logs on. And that brings us to an important point. Tier Zero isn’t just about systems – it’s equally about user accounts. Tier Zero user accounts are those that have privileged access to any Tier Zero system. So that would include accounts like:
- Domain Admins
- Local admin authority on a member server running Azure AD Connect or ADFS
- Root access on a hypervisor server hosting domain controller VMs
As soon as a Tier Zero account logs into a given system, that system essentially becomes Tier Zero, even if not intended. That’s because anyone with local admin authority on that system can potentially steal the credentials and/or impersonate that Tier Zero user. So that means Secure Admin Workstations (SAWs) are essential to security. Tier Zero systems and accounts must stay together. But it’s so easy for Tier Zero accounts to get out of bounds.
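As an added example, not code from the webinar or its speakers, the check below resolves nested group membership into the effective set of Tier Zero accounts and then flags credential-exposing logons by those accounts on hosts outside the Tier Zero boundary. The directory, host list and event records are constructed sample data shaped like the fields of Windows Security Event ID 4624.

```python
"""Find Tier Zero accounts that have logged on outside the Tier Zero boundary."""
from collections import deque

# Constructed sample directory: group -> members (users or nested groups).
# Sync-Admins nests AD-Ops again to show that cycles are handled.
GROUPS = {
    "Domain Admins": {"alice", "AD-Ops"},
    "AD-Ops": {"bob", "Sync-Admins"},
    "Sync-Admins": {"carol", "AD-Ops"},
    "Helpdesk": {"dave"},
}
TIER_ZERO_GROUPS = {"Domain Admins"}                # constructed
TIER_ZERO_HOSTS = {"DC01", "DC02", "AADC01", "SAW01"}  # constructed: DCs, AAD Connect, SAW
# Logon types that leave reusable credentials on the host: interactive,
# RemoteInteractive (RDP) and CachedInteractive. Network logons (3) are excluded.
CRED_EXPOSING_LOGON_TYPES = {2, 10, 11}

def expand_group(group, groups=GROUPS):
    """Transitively resolve nested groups; returns the set of user principals."""
    users, seen, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:          # cycle or diamond: already expanded
            continue
        seen.add(g)
        for member in groups.get(g, ()):
            (queue.append if member in groups else users.add)(member)
    return users

def tier_zero_accounts(groups=GROUPS, t0_groups=TIER_ZERO_GROUPS):
    """Effective Tier Zero accounts: every user reachable from a Tier Zero group."""
    return set().union(*(expand_group(g, groups) for g in t0_groups))

# Constructed logon records; "Computer" is the host that recorded the event.
LOGONS = [
    {"EventID": 4624, "TargetUserName": "alice", "Computer": "DC01", "LogonType": 10},
    {"EventID": 4624, "TargetUserName": "carol", "Computer": "FILESRV07", "LogonType": 10},
    {"EventID": 4624, "TargetUserName": "dave", "Computer": "FILESRV07", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "bob", "Computer": "WEB03", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "bob", "Computer": "ADMIN-PC", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "Bob", "Computer": "admin-pc", "LogonType": 2},
]

def out_of_bounds_logons(events, accounts, hosts, logon_types=CRED_EXPOSING_LOGON_TYPES):
    """Return (user, host) pairs where a Tier Zero account exposed credentials on a non-Tier Zero host."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in logon_types:
            continue   # only successful, credential-exposing logons matter here
        user, host = e["TargetUserName"].lower(), e["Computer"].upper()
        if user in accounts and host not in hosts:
            hits.append((user, host))
    return hits
```

Each hit is a host that has silently become Tier Zero; the fix is to move that account's logons onto a SAW or a Tier Zero system, not to widen the host list.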
In this webinar, IT security expert Randy Franklin Smith will do a deep dive into Tier Zero. He’ll show you why it’s so important to recognize Tier Zero for what it is and then identify all systems and accounts that are Tier Zero either directly or indirectly. That can be quite a difficult job because of the complexity of group membership, nested groups, directory synchronization, various permission models, etc. There are so many ways that cyberattackers can gain access to Tier Zero assets. As just one example, all it takes is inadvertently assigning someone write permission to the wrong GPO.
Some of the key MITRE ATT&CK techniques that come into play in our discussion are:
- T1078 – Valid Accounts
- T1003.002 – OS Credential Dumping: Security Account Manager
- T1098 – Account Manipulation
Bryan Patton from Quest will expand on his experience helping customers tackle this problem and will also briefly demonstrate how SpecterOps BloodHound Enterprise and other Quest technologies can help you uncover the hidden permissions and memberships that make up the true scope of the critical Tier Zero assets in your Active Directory.
Speakers
- Randy Franklin Smith, Ultimate IT Security
- Bryan Patton, Quest