AD Tiering Made Simple(r)

Home » Blog » AD Tiering Made Simple(r)

Active Directory (AD) tiering is nothing new for organizations that need the most secure IT environments, like those in the defense and critical infrastructure spaces. While it is a surprisingly underused approach to partitioning and protecting an organization’s most valuable assets and accounts, it is starting to find its way into more businesses as an effective method to stop privilege escalation attacks in AD.

AD tiering projects frequently go hand in hand with implementing the principle of least privilege to stop lateral movement within a tier. Additionally, they’re often accompanied by the implementation of visibility tooling to provide insights on privileged account and legacy authentication protocol usage, both of which are key to a successful AD security tiering project.

In this blog, we’ll explore the visibility challenges associated with Active Directory (AD) tiering and discuss how Silverfort visibility capabilities help organizations overcome these challenges, making the management of AD tiering simpler and more efficient.

Common Visibility Challenges in AD Tiering

Figure 1 – typical distribution of admin and privileged service accounts in an Active Directory tiering model

Organizations typically start an AD tiering project by locking down human account access to Tier 0, which includes Domain Controllers, PKI online signing CA, Entra Connect / AD FS. They do this by using Privilege Access Workstations and logon restrictions with group policies and/or authentication policy silos.

However, organizations often struggle to extend this approach beyond Tier 0, crucially leaving Tier 1 – where typically 98% of all admin accounts and privileged service accounts reside (see Figure 1) – without full coverage.

Here are the main challenges that most organizations experience with AD tiering:

Limited Visibility of Privileged Service Accounts

A large portion of service accounts have been in use for a long time and are often overprivileged. In addition, their credentials may be stored unencrypted in the local filesystem, and it can be very challenging to understand exactly where and when they are used.

Insufficient visibility of account mapping

It is essential to consider what resources are accessed by each privileged user when designing a model of least privileged access. These results then need to be validated and sanitized before implementing them as access rules.

Lack of visibility of legacy protocol usage

Ideally, all privileged users should be members of the “Protected Users” group, which disables password caching and legacy protocols. Prior to enabling this group membership, it is necessary to obtain complete visibility into the usage of legacy authentication protocols by these privileged users in order to measure the potential impact and implement remediation measures.

For the above reasons, organizations that have started their AD Tiering model journey typically manage to secure Tier 0 for their admin user accounts but get stuck trying to extend it to Tier 1.

How Silverfort Helps with AD Tiering

Silverfort can enhance AD tiering by offering extensive visibility and control over user access across the organization. It continuously monitors authentication and access activities, assigning risk indicators and scores to users and machines based on their behavior patterns. This process helps identify and manage access to high-risk or high-value assets, which is crucial for AD tiering. Additionally, Silverfort’s integration with Azure AD provides further insights into user behavior and risk, supporting the implementation of an effective AD tiering strategy.

Complete Visibility Across AD Environment

Once deployed, Silverfort will get real-time visibility into domain-based authentications and collect the metadata for every authentication.

Silverfort also offers the ability to scan for attack surfaces and misconfigurations and provides other metrics relevant to the security and health of your Active Directory deployment. Most of these metrics are presented as KPIs in dashboards, live alerts that can be acted upon, or high-level reports that can be used to provide management with an overview of Active Directory risk.

Here are some examples of Silverfort capabilities relevant for visibility on AD Tiering:

Detection of Privileged Accounts

To detect/monitor the user scope for Tier 0, Silverfort can quickly provide an inventory of all relevant accounts using our risk indicators “Domain Administrators”, “Privileged Users” and “Shadow admins”.

Figure 2 – Inventory of privileged accounts with dedicated KPIs in Tier 0: Domain Admins, Privileged Users, and Shadow Admins.

Clicking any of the relevant KPIs will provide a detailed list of flagged accounts, including a short description of the risk, how to mitigate it, and a link to the relevant article in the Mitre ATT&CK framework.

Figure 3 – List of shadow admin accounts

Detection of Service Accounts

Visibility into the usage of Active Directory service accounts is often lacking. Silverfort makes it very easy to quickly get an overview of all service account usage, as well as relevant KPIs such as privileged service accounts, interactive logon (dual use), and risk level based on the attack surface and any observed attacks or unusual behavior.

Figure 4 – Silverfort’s Service Accounts screen displays the service account name, source, destination, number of authentications, risk score, and account info

Investigate Service Account Activities

For each Active Directory account of interest, Silverfort’s investigation page provides detailed KPIs providing information where the account is used (Sources), as well as any authentications to destination network services (Targets). This information is essential for defining the scope to implement least privilege using policies.

Figure 5 – KPIs for a deep-dive investigation of each account, including all sources and destinations of authentications

Advanced Authentication Logs

Silverfort’s authentication log with built-in parsers for weak encryption protocols allows for quick identification of authentications that should not be used by privileged users. With this information, legacy authentications can be eliminated or reduced to an absolute minimum. Privileged accounts can also be added to the “Protected Users” group in Active Directory, with good visibility on the possible impact of this action.

Figure 6 – Example log parser showing results for simple LDAP binds by a domain administrator account, as well as risk indicators available for filtering usage of weak encryption types

Identity Security & Posture Management

The Threat Detection dashboard in Silverfort gives an overview of Active Directory attack surface management, using KPIs for common misconfigurations and other steps that should be taken to reduce the attack surface. Commonly detected issues should be addressed, especially when they concern privileged accounts or resources in Tier 0 or Tier 1.

Figure 7 – Selection of KPIs for AD attack surface management

Notification Access Policies

Once asset and account tiers have been established and organized using dedicated OUs or AD groups, it’s easy to create authentication policies to get real-time alerts of inappropriate account usage across tiers and daily reports on their occurrence.

Figure 9 – Example notify access policy for interactive logon across tiers with Tier 1 accounts

Real-Time Visibility is Essential for Effective AD Tiering Management

Innovations by Silverfort around the visibility of Active Directory authentication allow for a simple yet very effective approach to accelerate the deployment of Active Directory Tiering. With relatively little effort for deployment and configuration, organizations can gain insights into account usage, attack surface, and compliance with tiering policies, as well as user/service account and computer/resource risk.

While there’s no magical solution to rolling out tiering across all Active Directory assets in an organization, Silverfort makes the task significantly easier. Looking to strengthen your AD Tiering management and gain complete visibility across your environment? Reach out to one of our experts here

Stop Identity Threats Now