16 Oct 2024 – Data security with tiering – protection at every level
In this article, we take a closer look at why Microsoft Tiering matters for your IT security. We examine the underlying problems and the critical areas and systems that must be protected to prevent total loss in the event of a cyber attack, issues we know all too well from current and past customer projects. We also look at Microsoft tiering in practice and show how companies can effectively secure their infrastructures, discuss best practices and give recommendations for using tiering successfully. In an accompanying webinar on this topic, our Co-Managing Director Fabian Böhm provides hands-on examples and recommendations.
Brief overview: What is Microsoft Tiering?
Microsoft Tiering is a security approach that divides IT systems into tiers and protects each tier according to its criticality. It enforces a clear separation between highly critical systems and less important IT resources, so that an attacker who compromises one part of the network cannot easily reach all of it.
Problems that Microsoft Tiering can solve
In day-to-day IT operations, we often see that companies have difficulty separating their systems effectively. Attackers exploit precisely these weaknesses to:
- Compromise identity systems (e.g. Active Directory).
- Take over highly privileged accounts and thereby gain complete control over the entire IT infrastructure.
- Gain more and more access rights through lateral movement in the network until they reach the critical systems.
The result is a total loss that often takes years to recover from. Microsoft Tiering is designed to prevent precisely this scenario by defining strict security zones.
The structure of Microsoft Tiering: The Tiers
Tier 0: Highly critical systems
This tier includes the systems that control the entire IT infrastructure, e.g.:
- Domain controllers
- Identity servers (Azure AD Connect, Identity Sync, Federation Provider)
- Certification authorities
These systems must be particularly well protected, as their loss would have serious consequences for the entire infrastructure.
Tier 1: Server systems
Tier 1 contains important server systems that are essential for operations but whose compromise does not affect the overall IT landscape, e.g.:
- Application servers (e.g. SharePoint, print servers)
- Database servers
Management of these servers is sensitive, but the rules are less strict than for Tier 0 systems.
Tier 2: End user devices
Tier 2 includes all systems used by end users:
- PCs, laptops
- Mobile devices
- Printers, scanners
These systems have the fewest privileges and represent the lowest security level.
The practice of Microsoft Tiering: protection through clear separation
Now that we have briefly discussed the basics of Microsoft tiering, we will turn our attention to the practical application and the steps required to successfully implement the tiering model. We will show what measures companies can take to effectively protect their IT infrastructure.
Weak points due to unclear structures
In many companies, historical structures and authorizations, so-called “legacy issues”, have grown over the years and are difficult to trace. These legacy issues harbor considerable risks. We walk through a concrete example in our webinar.
Identify and isolate attack vectors
The first step in improving security is to recognize and eliminate misconfigurations between the tiers. This can be done with a so-called attack path analysis (attack path management). For example, a path arises when user A has authorizations for object B, and object B in turn has authorizations for user C: user A therefore effectively also has authorizations for user C.
This is exactly where tiering comes in: it isolates important or critical systems across the entire environment, gives them special protection and eliminates unwanted attack paths.
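To make the A → B → C reasoning concrete, here is an added example (not code from the original article or its authors) that computes such transitive paths over a constructed set of directory relationships and reports every principal outside Tier 0 that can reach a Tier 0 object; the edge types, object names and tier assignments are all assumed sample values:

```python
from collections import deque

# Constructed sample of directory relationships, in the style of an attack path
# analysis: each edge reads "source holds this right over target".
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "svc-backup"),      # over-broad ACL on a service account
    ("svc-backup", "AdminTo", "SRV-FILE01"),
    ("svc-backup", "WriteDacl", "Domain Admins"),  # the hop that crosses into Tier 0
    ("Domain Admins", "AdminTo", "DC01"),
    ("bob", "MemberOf", "Print Operators"),
    ("Print Operators", "AdminTo", "SRV-PRINT01"),
]
# Tier classification agreed with the system owners (assumed values).
TIERS = {
    "DC01": 0, "Domain Admins": 0,
    "SRV-FILE01": 1, "SRV-PRINT01": 1, "svc-backup": 1, "Print Operators": 1,
    "alice": 2, "bob": 2, "Helpdesk": 2,
}

def build_graph(edges):
    graph = {}
    for src, right, dst in edges:
        graph.setdefault(src, []).append((right, dst))
    return graph

def shortest_path_to_tier(graph, tiers, start, target_tier):
    """BFS from `start` to the nearest object in `target_tier`. Returns hops as
    (node, right) pairs ending with (target, None), or None if unreachable."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if path and tiers.get(node) == target_tier:
            return path + [(node, None)]
        for right, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, right)]))
    return None

def tier_violations(edges, tiers):
    """Every principal outside Tier 0 that can reach Tier 0, with its shortest path."""
    graph = build_graph(edges)
    findings = {}
    for principal, tier in tiers.items():
        path = shortest_path_to_tier(graph, tiers, principal, 0) if tier != 0 else None
        if path:
            findings[principal] = path
    return findings
```

Running the same function again after the ACL on svc-backup has been corrected is the validation step: the expected result is an empty dictionary.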
Introduction of security controls and policies
Once the structural changes have been implemented, technical safeguards should be put in place to ensure that the tiers remain effectively isolated from each other.
Implement logon restrictions
An important measure is the introduction of logon restriction policies that prevent highly privileged users (Tier 0) from logging on to less critical systems (Tier 1 or Tier 2). This ensures that credentials of Tier 0 accounts are not left behind on lower-tier systems, where they could be harvested, and that a compromised system in a lower tier cannot be used to reach higher-tier systems.
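As an added example (not part of the original article), the following check applies a tier classification to constructed logon records shaped like Windows Security event 4624 and flags Tier 0 or Tier 1 accounts that log on to lower-tier hosts with a logon type that leaves credentials behind; account names, host names and tier mappings are assumed:

```python
# Constructed sample of logon records, reduced to the fields of a Windows
# Security event 4624 that matter here: account, target host and logon type.
LOGONS = [
    {"account": "DOM\\da-admin",   "host": "DC01",       "logon_type": 2},
    {"account": "DOM\\da-admin",   "host": "WS-0042",    "logon_type": 10},  # RDP from a Tier 0 account to a PC
    {"account": "DOM\\da-admin",   "host": "SRV-FILE01", "logon_type": 3},   # network logon, no cached credentials
    {"account": "DOM\\srv-admin",  "host": "WS-0042",    "logon_type": 2},   # Tier 1 admin at a Tier 2 console
    {"account": "DOM\\jdoe",       "host": "WS-0042",    "logon_type": 2},
    {"account": "DOM\\contractor", "host": "WS-0042",    "logon_type": 2},   # account never classified
]

# Tier classification of accounts and hosts (assumed values).
ACCOUNT_TIER = {"DOM\\da-admin": 0, "DOM\\srv-admin": 1, "DOM\\jdoe": 2}
HOST_TIER = {"DC01": 0, "SRV-FILE01": 1, "WS-0042": 2}

# Logon types that leave reusable credential material on the target host
# (interactive, batch, service, remote interactive, cached interactive).
# A plain network logon (type 3) does not.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

def classify_logon(record):
    """Return 'violation', 'review', 'unclassified' or 'ok' for one logon record."""
    account_tier = ACCOUNT_TIER.get(record["account"])
    host_tier = HOST_TIER.get(record["host"])
    if account_tier is None or host_tier is None:
        return "unclassified"     # objects the tier model does not know are a finding themselves
    if account_tier < host_tier:  # higher-tier account on a lower-tier host
        if record["logon_type"] in CREDENTIAL_CACHING_LOGON_TYPES:
            return "violation"    # credentials now exposed on the lower-tier host
        return "review"           # crosses tiers, but leaves nothing reusable behind
    return "ok"

def tier_report(records):
    """Group records by classification so the violations can be acted on first."""
    report = {"violation": [], "review": [], "unclassified": [], "ok": []}
    for record in records:
        report[classify_logon(record)].append(record)
    return report
```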
Use of LAPS (Local Administrator Password Solution)
The use of LAPS remains a recommendation. It ensures that each system has an individual local administrator password that is stored securely in Active Directory. This prevents systems from sharing identical passwords and stops a compromised local administrator account from causing damage across the board.
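An added example (not the authors' code) of verifying that LAPS is actually rotating passwords on every machine: it decodes the Windows LAPS expiration attribute from constructed computer records and reports machines where the attribute is missing, already expired, or further in the future than the rotation policy allows; the computer names and the 30-day policy are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Windows LAPS writes the rotation deadline to the computer object as
# msLAPS-PasswordExpirationTime, a FILETIME (100 ns intervals since
# 1601-01-01 UTC) stored as a decimal string. Legacy LAPS used
# ms-Mcs-AdmPwdExpirationTime with the same encoding.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXPIRY_ATTR = "msLAPS-PasswordExpirationTime"

def filetime_to_datetime(value):
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def datetime_to_filetime(dt):
    return str(((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)

# Fixed reference time so the constructed sample is reproducible.
NOW = datetime(2024, 10, 16, 12, 0, tzinfo=timezone.utc)

# Constructed sample of computer objects, as an LDAP query for the LAPS
# attribute would return them (assumed names).
COMPUTERS = [
    {"name": "WS-0042",    EXPIRY_ATTR: datetime_to_filetime(NOW + timedelta(days=20))},
    {"name": "WS-0043",    EXPIRY_ATTR: datetime_to_filetime(NOW - timedelta(days=3))},   # rotation stalled
    {"name": "SRV-FILE01", EXPIRY_ATTR: datetime_to_filetime(NOW + timedelta(days=90))},  # deadline beyond policy
    {"name": "SRV-PRINT01"},  # attribute never written: the LAPS client has not run here
]

def laps_status(computer, now=NOW, max_age_days=30):
    """Classify one computer: 'missing', 'expired', 'expiry-too-far' or 'ok'."""
    value = computer.get(EXPIRY_ATTR)
    if value is None:
        return "missing"
    expires = filetime_to_datetime(value)
    if expires < now:
        return "expired"
    if expires > now + timedelta(days=max_age_days):
        return "expiry-too-far"
    return "ok"

def laps_report(computers, now=NOW, max_age_days=30):
    """Machines that need attention, i.e. everything whose status is not 'ok'."""
    report = {}
    for computer in computers:
        status = laps_status(computer, now, max_age_days)
        if status != "ok":
            report[computer["name"]] = status
    return report
```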
In addition, there are other security controls that we also discuss in more detail in our webinar. To show in concrete terms how tiering can be implemented, we have defined four phases for a tiering project.
Implementing a tiering project: four phases to success
The introduction of tiering in an existing IT environment requires a structured approach, which is divided into four main phases:
1. Preparation: Attack path analysis and classification
The first step is to analyze the attack paths in the existing environment. Tools such as BloodHound help to identify the paths a potential attacker could take through the infrastructure. The systems and users are then classified into the various tiers, in close cooperation with those responsible in the company.
2. Implement protection mechanisms
After classification, technical protective measures are introduced. These include logon restrictions, LAPS and the integration of highly privileged accounts into the “Protected Users” group in Active Directory. Specific password guidelines for critical accounts (e.g. service accounts) must also be defined.
3. Migration of users and systems
In this phase, the actual migration of users and systems to their respective tiers takes place. This includes a careful review of existing authorizations, ensuring that only authorized users have access to sensitive systems.
4. Validation and continuous monitoring
Finally, a new attack path analysis is carried out to ensure that no new vulnerabilities have been introduced. Regular checks are crucial to keep the IT environment permanently protected.
Challenges in the introduction of the tiering model
The introduction of tiering is not only a technical challenge, but also an organizational one. It requires clear responsibilities and close cooperation between departments. It is crucial to involve the people concerned at an early stage and ensure that they understand why the measures are necessary.
Recommendations for getting started
Finally, here are some tips for getting started with a tiering project:
- Carry out an attack path analysis: Use tools like BloodHound to perform an initial analysis of your IT environment.
- Identify highly privileged accounts: Define who needs access to critical systems and limit access to the minimum necessary.
- Planning and communication: Plan the introduction of the tiering model thoroughly and ensure that all stakeholders are involved.
The Microsoft tiering model provides a robust basis for increasing IT security and minimizing attack paths. By clearly separating systems into different tiers and implementing protective measures, companies can effectively secure their IT infrastructure against cyber attacks. The implementation may be challenging, but the long-term benefits far outweigh the effort. And now off to our tiering webinar 😊. You can find more information and contact us directly here: Tiering