After we wrote about the new Microsoft Securing Privilege Access Model in our last blog article, we would like to discuss the classic ESAE tiering this time. First, we would like to point out that the new Microsoft model no longer refers to tiering, but to levels of security (Privileged Access, Specialized Security and Enterprise Security). More on this in a moment, just keep in mind that we will come back to the Levels of Security in a moment. But now, as an introduction to this blog, to our infographic on the Tiering Model:

Why Tiering?

Why divide the infrastructure into different tiers or levels? Microsoft wrote about this in the original ESAE documentation:

„The purpose of this tier model is to protect identity systems using a set of buffer zones between full control of the Environment (Tier 0) and the high risk workstation assets that attackers frequently compromise.“

So, the goal is to create one or more buffers between systems that manage identities and the systems with high risk of attacks. Whether only systems that manage identities need/should be protected and which are the high-risk systems will be discussed in the next section.

How to do tiering?

Again, first take a look at the Microsoft documentation. To protect the systems, the accounts must be protected with administrative access. The tier model therefore revolves around the protection of these accounts and provides for 3 tiers in the standard:

Source: https://web.archive.org/web/20190125204946im_/https://docs.microsoft.com/en-us/windows-server/identity/media/securing-privileged-access-reference-material/paw_rm_fig1.jpg

Tier 0: Administrative accounts that have direct or indirect control over enterprise identities (as opposed to local identities e.g. local SQL accounts)

Tier 1: Administrative accounts that have control over enterprise servers and applications

Tier 2: Administrative accounts that have control over end users, workstations, and devices

At this point again a short comparison to the Levels of Security from the new Microsoft Model (Privileged Access, Specialized Security and Enterprise Security). So there are still 3 levels, or should we say tiers? 😉

In the new model, Privileged Access is the most secure layer, i.e. Tier 0, followed by Specialized Security (could be compared to Tier 1) and finally Enterprise Security, which, similar to Tier 2, comprises all enterprise-wide security controls. Even though Microsoft has renamed the levels, the idea is still to define different layers according to protection needs and to seal them off from each other. But now back to tiering….

How should administrative access be protected in concrete terms? Microsoft sees the restriction of access as the primary protection mechanism here:

There is one OU per tier with further sub-OUs for logical separation of servers, users and groups, etc. In each tier there is a group in which all admin accounts are members.

For Tier 1 and Tier 2, there is one GPO each in which the logon restrictions are configured.

In Tier 1 policy, Tier 0 admins are denied logon.

In the Tier 2 policy, both Tier 0 and Tier 1 admins are banned from logon.

Conclusion

Implementing tiering is a task that should not be underestimated, especially in evolved environments. However, it is an important cornerstone for many further measures and a massive security gain, as it makes lateral movement by attackers very difficult. If in doubt, it is best to isolate only Tier 0 systems first. Only then are Tier 1 and Tier 2 systems protected. This has the advantage of sealing off the most important systems and at the same time allowing experience to be gained with the tiering model. This makes it easier to expand to Tier 1 and 2 at a later stage.