Credential Tiering is a vital component of identity-centric security and should not be underestimated. Tiering plays a critical role in increasing the security of an IT environment. Implementing Credential Tiering creates a strong defense against potential security breaches that could harm the entire organization, putting at risk the core principles of confidentiality, integrity, and availability. It’s important to highlight that Credential Tiering is addressing the underlaying credential theft challenges that cannot be easily replaced with trendy cloud solutions or tool-based methods.

This first article in a two-part series discusses the importance of containment using the Microsoft Credential Tier model as an example. The second part covers the implementation, identifying Tier 0 objects, and measuring and visualizing the progress of an Active Directory Credential Tier implementation.

Why should we care?

Andy Robbins from SpecterOps, during one of his presentation Attacking and Defending Azure with BloodHound, made a statement that deserves attention: “For over 20 years, the same or similar Tactics, Techniques, and Procedures (TTP) have been consistently employed to compromise enterprises relying on Active Directory.” Why does this persist? Active Directory is a widely used Identity Provider (IdP) and can be found in almost all IT environments. Due to its popularity and age, vulnerabilities in this service are well-documented and manifest in various ways, including legitimate protocol abuse, misconfiguration, suboptimal management practices, permission misuse, neglecting updates or hardening recommendations, and more.

The challenges surrounding IdPs are not unique to Active Directory; other IdPs like AWS, Entra ID, and GCP face similar hurdles. Major players like Google, Microsoft, and Amazon have yet to completely solve the difficulties of securely operating these systems. Simply adding more security tools to the mix does not effectively solve the root cause. Instead, the focus should be on fundamental prevention methods. In the blog post Defenders Mindset John Lamberts states, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” This highlights the need for a shift in perspective, emphasizing the importance of understanding the adversary’s tactics and adopting a proactive, strategic approach to security. Unless we change our mindset for securing IT environments, we will be stuck in the same discussions as adversaries keep using the same tactics, techniques, and procedures to compromise IT environments.

A highly effective strategy for enhancing Active Directory’s security involves analysing existing attack paths and assessing the impact of their removal. For in-depth insights into this approach, refer to the articles The Attack Path Management Manifesto by Andy Robbins and Attack Path Analysis – Gaining an Advantage Over Adversaries by me. However, it is essential to attain a security standard for an Active Directory environment. Otherwise, removed attack paths may resurface. To establish a defined state, a security model known as Credential Tiering becomes indispensable. The upcoming chapter will explain the concept of Tiering and its significance as a fundamental element in securing an identity-centric environment such as Active Directory.

What is Credential Tiering?

A Tier-Model is a framework that categorizes identities and the resources they access into various tiers based on their value or importance. Tiering requires the implementation of security controls to maintain separation between these tiers. Additionally, it defines rules for segregation, specifies fundamental controls that must be in place, and acknowledges the possibility of additional controls. There are different types of Tier-Models depending on the environment, such as on-premises infrastructure, Active Directory, Microsoft Cloud, AWS, Business-Critical-Applications and so forth. The fundamental concept of a tier-model is coming from the Bell-LaPadula security model, which aims to preserve data confidentiality and the Biba-Model, which focuses on data integrity.

A more detailed explanation if tiering is helpful can be found in the following two articles, which were published in 2012 and 2014 by Micosoft: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf and Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf. These documents discussing Active Directory attacks and are providing holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against credential theft attacks. We highly recommend reading these two significant papers. In the paper from 2014, Microsoft explains tiering as a way to prevent an entire IT environment from being compromised by the loss of a single asset. The analogy used is that of large ships having compartments to limit the damage caused by a leak. By designing IT environments in a similar way, the loss of confidentiality, integrity, or availability of one or several assets can be contained and prevented from affecting the rest of the environment. Followed by the analogy is the containment model presented and called Tiering Model Designed for Active Directory. In this article, we will refer to the model as the Microsoft Credential Tier model. This model has three tiers of administrative privilege, but in certain cases, extra tiers may be required. However, additional tiers must be added cautiously and should not introduce unnecessary tiering violations.

• Tier-0 – Forest and Domain Administrators: Direct or indirect administrative control over the Active Directory forest, domains, or domain controller (DC). This includes administrative access to storage devices that contain Active Directory database files.
• Tier-1 – Server Administrators: Direct or indirect administrative control over a single or multiple servers that do not fall into Tier-0. Business critical servers are also in this tier.
• Tier-2 – Workstation Administrators, User Administrators, Helpdesk Technicians: Direct or indirect administrative control over a single or multiple devices and day-to-day user accounts.

The model aims to block attackers from gaining higher privileges with stolen credentials. Microsoft describes the following rules for the model:

• Each administrative resource, such as group, account, server, workstation, Active Directory object, or application, belongs to one tier only.
• Personnel who work at multiple tiers will have separate administrative accounts for each tier they need. Any account that accesses more than one tier will be divided into multiple accounts, each of which stays within one tier. These accounts will also have different passwords.
• Administrative accounts cannot control higher-tier resources through administrative access, such as ACLs, application agents, or service account control. Accounts that control a higher tier cannot log on to lower-tier computers, because this may expose and compromise the account credentials and privileges.
• Administrative accounts can control lower-tier resources as needed by their role, but only through higher-tier management interfaces that do not expose credentials. For example, domain admin accounts (Tier 0) can manage server admin Active Directory account objects (Tier 1) through Active Directory management consoles on a domain controller (Tier 0).

In which tier are my IT solutions?

To be able to make a tier assignment, a holistic view of each individual service and Active Directory permission must be taken. The following question must always be answered: Does a control-up or exposure-down risk arise? For example: Domain controller virtual machines are operated by the solution System Center Configuration Manager (SCCM). SCCM is operated by Tier-1 administrators. This creates a control-up risk resulting in a tiering violation. This example introduced the dependency chain paradigm. Additional upstream risks to a domain controller could include:

• Management agents on server and scheduled tasks
• Unpatched Software Vulnerability, Weak OS Configuration
• Backup and storage administrators
• Baseboard Management Controllers (BMCs)
• Physical access and virtual machine administrators
• ACLs on Computer account, OU, GPO, GPO Content
• Host Installation Media/Process
• Application admin roles (Domain/Enterprise/Schema Admins, Account/Server Operators, etc.)
• Hosts where upstream administrator credentials are exposed
• Security boundary extensions (Trusts to other directories, Outsourcing to a Service Provider)

And translated into a not-finished graph. PS: It is a valuable exercise to extend the below graph to visualize the dependency chain to important IT components.

All of the above identified upstream risks can lead to a downstream control of all business data, accounts and devices that are directly or indirectly managed by Active Directory. Based on this revelation each identified tiering violation must be addressed. Various mitigation options are available:

Another way to identify tiering violations can be done via the following method:

• First, define a use case: I want to use my day-to-day laptop to log in with my domain admin to my jump server to manage all my domain controllers.
• Second, draw the use case: Draw a grid with the tiers and the entities required for the use case.
• Third, draw the connections: user1 is logged in on notebook1, user1 types the password from admin1 on notebook1 to login to the server jumpserver1, from the jumpserver1 admin1 is used to manage DC1.
• Fourth, spot the violations: Mark and number the boundaries where the connection crosses.

The following drawing serves as the use case example:

The drawing shows four tiering violations:

• First and second violation: Credential exposure-down to Tier 1 and Tier 2
• Third violation: Control-up violation
• Fourth violation: Control-up violation

By the way this is a common management pattern we often encounter during assessments or red team engagements. Internally we call the server jumpserver1 credential harvester and is often one of our targets. Back to the topic of what we can do to mitigate the control-up and the exposure-down tiering violations. From our five options presented above we should go for option B:

• Create a Privileged Access Workstation (PAW) in Tier 0 as f1t0paw01.
• Re-Create A1 in Tier 0 as f1t00user1.
• Create dedicated JMP Server in Tier 0 as f1t0jmp1. (Optional)
• Login with f1t00user1 to the PAW and connect to the Tier 0 jump server f1t0jmp01.
• Manage the domain controller f1t0ads01 from dedicated Tier 0 jump server f1t0jmp01 or directly from the PAW.

Every entity in a tiering should follow a strict naming convention. This provides several advantages, particularly in terms of auditing. Following an example for user accounts:

If none of the mitigation options can be implemented, analyses should be performed to determine how the exploitation of tiering violations can be made more difficult or at least be detected. If nothing is feasible, the risk should be formally accepted and documented, along with its potential consequences in case of an incident.

What about lateral traversal risks?

To mitigate the lateral traversal threat within each tier, there must be dedicated privileged users who are granted access to objects for administrative tasks. An example of this is a server administrator who is granted access to the servers and services to perform regular maintenance and monitoring tasks. However, there will also be a need for privileged access to manage these server administrator. This access will be performed by a tier administrator. An other example in the form of a use case:

• Use Case: I am user1 and I have the following IT roles in my company: Tier 1 owner, Server Administrator, Responsible for Business App1

To minimise the lateral traversal risk for user1 multiple admin accounts are necessery:

• Create a Tier 1 administrator: f1t10user1
• Create a Tier 1 server administrator: f1t11user1
• Create a Tier 1 general purpose administrator for App1: f1t12user1 (i.e., An administrator with elevated privileges limited to a few servers.)

In this case user1 should have three different admin accounts. A Privileged Access Management (PAM) solution may be used to minimize the number of dedicated admin accounts. However, we frequently encounter PAM setups that appear to be costly security by obscurity solutions. They often imply that users may have initially undergone an seperate access management approval process, but subsequently, they can obtain temporary elevated privileges without the need for Multi-Factor Authentication (MFA) or an approval process, regardless of the device they are using. Consequently, it is crucial for PAM solutions to strictly adhere to the above discussed tier model restrictions to avoid tiering violations.

Is that everything regarding tiering?

Certainly, there are other essential aspects that contribute to a successful Credential Tier implementation. These include for example security boundaries, Privileged Access Workstation (PAW), hardening, access-management and automation. The following simplified Credential Tiering Hierarchy of Needs is modeled after Maslows Hierarchy of Needs and the Incident Response Hierarchy of Needs. It outlines the phases organizations can follow to enhance the segregation of entities and subsequently make credential theft more difficult for adversaries. The capabilities at the bottom serve as essential prerequisites for effectively implementing the capabilities above them, including those associated with the Credential Tier model.

The new tiering model from Microsoft

According to Microsoft the Enterprise Access Model replaces the Active Directory credential tier model which was designed to prevent unauthorized privilege escalation in an on-premises Windows Server Active Directory setup. The Enterprise Access Model should encompass all elements from the Active Directory credential tier model while addressing the access management requirements of a modern enterprise, including on-premises, multiple clouds, internal and external user access, and more. In the new model the Control Plane is the equivalent of Tier 0, whereas the Management Plane and the Data/Workload Plane are Tier 1. Access to the planes in Tier 0 and Tier 1 should happen from Privileged Access Workstations (PAW), separate from regular User Access and App Access from devices in Tier 2. Outlined in the Securing Priviled Access articel. To summaries nothing has changed, the challenges of segregation are absolutly the same. Maintaing a secure posture for Active Directory is difficult, mainting a secure posture for the Microsoft Cloud or general Clouds are even more challenging. The article Microsoft Cloud Security – The Top-10 Riskiest Configurations outlines what we see during cloud environment assessment. Most of the outlined risks can be addressed with Credential Tiering.

Where do we begin?

The second article addresses this question. The article provides guidance on how the transition to a credential tiered environment might look like. It also presents a method for measuring security improvements during this process.

Conclusion

In order to enhance security in an identity-centric environment, Credential Tiering is a fundamental component. It can help prevent security breaches that could compromise the confidentiality, integrity, or availability of the entire environment. It’s important to consider the significance of upstream risks and their potential impact on downstream controls. Tiering is an enduring concept that cannot be easily replaced by cloud solutions or other tool-based methodologies. Hence, it is essential to understand the value of segregation and start applying it to identity-centric solutions. Implementing Tiering may require significant effort as it addresses the issue comprehensively and the involvment of multiple teams. However, starting in phases, such as focusing on the most privileged entities first, can significantly enhance security and make it already more difficult for an adversary to gain widespread access rights.

About the Author

Marius Elmiger is a security professional since the early 2000’s. He worked in various IT roles such as an administrator, engineer, architect, and consultant. His main activities included the implementation of complex IT infrastructure projects, implementation of security hardening concepts, and compromise recoveries. Later he transitioned to the offensive side. As a foundation, in addition to numerous IT certificates, Marius graduated with an MSc in Advanced Security & Digital Forensics at Edinburgh Napier University. (ORCID 0000-0002-2580-5636)

Links

• https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model
• https://en.wikipedia.org/wiki/Biba_Model
• https://en.wikipedia.org/wiki/Maslows_hierarchy_of_needs
• https://gist.github.com/m8r1us/c4e3af44062ee513fab01d20483a87c6
• https://github.com/swannman/ircapabilities
• https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview
• https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model
• https://medium.com/@johnlatwc/defenders-mindset-319854d10aaa
• https://posts.specterops.io/the-attack-path-management-manifesto-3a3b117f5e5
• https://www.microsoft.com/en-US/download/details.aspx?id=36036
• https://www.youtube.com/watch?v=GTR-K7urwBk