Webcast | Tier Zero: What It Is, Its Importance and Boundaries

  • Recorded Date: Jun. 30, 2022
  • Event: On Demand
Every Active Directory environment has Tier Zero systems, whether its owners recognize it or not. Tier Zero systems are those that, if compromised, will impact the rest of your environment due to security dependencies. Tier Zero begins with domain controllers and any other foundation security systems that provide identity, authentication and access control to the rest of your network, including:

  • ADFS
  • Multifactor authentication and RADIUS servers
  • Privileged account/session management

But Tier Zero also includes additional systems that foundation security systems like domain controllers depend on for synchronization, management or hosting, including:

  • Azure AD Connect
  • Systems management servers that manage DCs or other Tier Zero systems
  • Hypervisors (and hypervisor management systems) that host Tier Zero systems

Finally, Tier Zero extends to any system where a Tier Zero user account logs on. And that brings us to an important point. Tier Zero isn’t just about systems; it’s equally about user accounts. Tier Zero user accounts are those that have privileged access to any Tier Zero system. So that would include accounts like:

  • Domain Admins
  • Accounts with local admin authority on a member server running Azure AD Connect or ADFS
  • Accounts with root access on a hypervisor server hosting domain controller VMs

As soon as a Tier Zero account logs into a given system, that system essentially becomes Tier Zero, even if not intended. That’s because anyone with local admin authority on that system can potentially steal the credentials and/or impersonate that Tier Zero user. So that means Secure Admin Workstations (SAWs) are essential to security. Tier Zero systems and accounts must stay together. But it’s so easy for Tier Zero accounts to get out of bounds.
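
The propagation rule described above (admin rights on a Tier Zero system make an account Tier Zero, and a Tier Zero logon makes the system Tier Zero) can be computed as a fixed point. The Python sketch below is an added example, not material from the webcast or from any Quest or SpecterOps tool; every host, group and account name and the input shapes are constructed assumptions.

```python
# Added example with constructed data; all names are hypothetical.
SEED = {"DC01", "AADC01", "SAW01"}             # intended Tier Zero systems
ADMINS = {                                     # system -> principals with admin rights
    "DC01": {"Domain Admins"}, "AADC01": {"AADC-Admins"},
    "SAW01": {"Domain Admins"}, "HELPDESK-WS7": {"Helpdesk"},
    "FILE01": {"FileAdmins"},
}
MEMBERS = {                                    # group -> direct members (may nest)
    "Domain Admins": {"alice", "Infra-Leads"}, "Infra-Leads": {"bob"},
    "AADC-Admins": {"carol"}, "Helpdesk": {"dave"}, "FileAdmins": {"erin"},
}
LOGONS = [("alice", "SAW01"), ("bob", "HELPDESK-WS7"), ("erin", "FILE01")]

def expand(principal, members, seen=None):
    """Resolve a user or (nested) group to the user accounts it contains."""
    seen = set() if seen is None else seen
    if principal in seen:            # guard against circular group nesting
        return set()
    seen.add(principal)
    if principal not in members:     # not a group, so treat it as a user account
        return {principal}
    users = set()
    for member in members[principal]:
        users |= expand(member, members, seen)
    return users

def tier_zero_closure(seed_systems, admins, members, logons):
    """Grow the Tier Zero system and account sets until nothing new is added."""
    systems, accounts = set(seed_systems), set()
    changed = True
    while changed:
        changed = False
        for system in list(systems):             # admins of T0 systems are T0 accounts
            for principal in admins.get(system, ()):
                new = expand(principal, members) - accounts
                if new:
                    accounts |= new
                    changed = True
        for account, system in logons:           # a T0 logon pulls the host into T0
            if account in accounts and system not in systems:
                systems.add(system)
                changed = True
    return systems, accounts

if __name__ == "__main__":
    systems, accounts = tier_zero_closure(SEED, ADMINS, MEMBERS, LOGONS)
    print("Out-of-bounds Tier Zero systems:", sorted(systems - SEED))
    print("Effective Tier Zero accounts:", sorted(accounts))
```

In the constructed data, one logon by a nested Domain Admins member on a helpdesk workstation pulls that workstation, and then its local admin, into Tier Zero.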

In this webinar, IT security expert Randy Franklin Smith will do a deep dive into Tier Zero. He’ll show you why it’s so important to recognize Tier Zero for what it is and then identify all systems and accounts that are Tier Zero either directly or indirectly. That can be quite a difficult job because of the complexity of group membership, nested groups, directory synchronization, various permission models, etc. There are so many ways that cyberattackers can gain access to Tier Zero assets. As just one example, all it takes is inadvertently assigning someone write permission to the wrong GPO.

Some of the key MITRE ATT&CK techniques that come into play in our discussion are:

  • T1078 – Valid Accounts
  • T1003.002 – OS Credential Dumping: Security Account Manager
  • T1098 – Account Manipulation

Bryan Patton from Quest will expand on his experience helping customers tackle this problem and will also briefly demonstrate how SpecterOps BloodHound Enterprise and other Quest technologies can help you uncover the hidden permissions and memberships comprising the true scope of the critical Tier Zero assets in your Active Directory.

Speakers

  • Randy Franklin Smith, Ultimate IT Security
  • Bryan Patton, Quest