Why is Tier 0 membership a problem?
Nov 19th, 2017 by Jesper Kråkhede
Why do I care about defining Tier 0, and why is it a problem to have a large Tier 0? It is all part of minimizing the attack surface. You want to minimize the places where it is possible to find a domain administrator account and exploit it. It is far easier to secure 20 computers than 200 or 2000. But with GPOs you can manage 10 computers as easily as 10 000, so what’s the big deal with Tier 0?
It comes down to the inherent problem of authentication and authorisation: we need to make it possible to work without having to type your password for every transaction. This is done by storing a hash calculated from your username, password, token etc., which is reused for some time to validate your credentials. This makes the system easier to use but also creates a possible vulnerability. Sadly, those hashes can be hijacked and reused, which is why the credential theft problem exists.
The hashes are stored in memory and can be stolen with the right tools, which means we have to focus on reducing the places where domain administrators have logged in to as few as possible. This means that implementing privileged access workstations is imperative to minimize credential theft. In short, such workstations mean that you have one computer for mail and one for administrative tasks. This of course creates a cost if you have hundreds of administrators who each need two computers.
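As an added example (not code from the original post), the script below measures how large the Tier 0 logon footprint actually is: it takes logon records modelled on the fields of Windows Security event 4624, lists every host where a Tier 0 account has logged on in a way that leaves a credential in memory, and flags the hosts that are not Tier 0 systems or PAWs. The account names, host names and events are constructed for illustration; the set of credential-caching logon types is the standard Windows list.

```python
"""Measure the Tier 0 logon footprint from logon events (defender-side check)."""
from collections import defaultdict

# Logon types that leave reusable credentials in LSASS memory on the target host:
# 2 Interactive, 4 Batch, 5 Service, 7 Unlock, 10 RemoteInteractive (RDP), 11 CachedInteractive.
# Type 3 (Network) does not cache credentials by default, so it is excluded.
CACHING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}

# Hypothetical Tier 0 accounts and the hosts they are allowed to log on to (DCs and PAWs).
TIER0_ACCOUNTS = {"CORP\\da-alice", "CORP\\da-bob"}
TIER0_HOSTS = {"DC01", "DC02", "PAW-ALICE", "PAW-BOB"}

# Constructed sample records shaped like event 4624 (successful logon); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 10},
    {"EventID": 4624, "Computer": "PAW-ALICE", "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 2},
    {"EventID": 4624, "Computer": "WKS-042", "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 10},
    {"EventID": 4624, "Computer": "FILE01", "TargetDomainName": "CORP", "TargetUserName": "da-alice", "LogonType": 3},
    {"EventID": 4624, "Computer": "DC02", "TargetDomainName": "CORP", "TargetUserName": "da-bob", "LogonType": 2},
    {"EventID": 4624, "Computer": "SRV-APP01", "TargetDomainName": "CORP", "TargetUserName": "da-bob", "LogonType": 5},
    {"EventID": 4624, "Computer": "WKS-042", "TargetDomainName": "CORP", "TargetUserName": "helpdesk1", "LogonType": 2},
    {"EventID": 4625, "Computer": "DC01", "TargetDomainName": "CORP", "TargetUserName": "da-bob", "LogonType": 2},
]


def tier0_footprint(events, tier0_accounts, logon_types=CACHING_LOGON_TYPES):
    """Map each Tier 0 account to the sorted list of hosts where it left a cached credential."""
    footprint = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] not in logon_types:
            continue  # only successful logons of a credential-caching type count
        account = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
        if account in tier0_accounts:
            footprint[account].add(ev["Computer"])
    return {account: sorted(hosts) for account, hosts in footprint.items()}


def out_of_tier_hosts(footprint, tier0_hosts):
    """Hosts outside Tier 0 where a Tier 0 credential was exposed: each is a place to clean up."""
    exposed = {host for hosts in footprint.values() for host in hosts}
    return sorted(exposed - tier0_hosts)


if __name__ == "__main__":
    fp = tier0_footprint(SAMPLE_EVENTS, TIER0_ACCOUNTS)
    for account, hosts in fp.items():
        print(f"{account}: {len(hosts)} host(s) -> {hosts}")
    print("Tier 0 credentials exposed outside Tier 0:", out_of_tier_hosts(fp, TIER0_HOSTS))
```

Run against real 4624 exports, the out-of-tier list is the set of machines to remove from the Tier 0 footprint, which is exactly the number this post argues should be as small as possible.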