{"id":6247,"date":"2022-06-20T10:46:36","date_gmt":"2022-06-20T08:46:36","guid":{"rendered":"https:\/\/www.teal-consulting.de\/?p=6247"},"modified":"2022-08-02T13:18:26","modified_gmt":"2022-08-02T11:18:26","slug":"establish-security-boundaries-in-your-on-prem-ad-and-azure-environment","status":"publish","type":"post","link":"https:\/\/www.teal-consulting.de\/en\/2022\/06\/20\/establish-security-boundaries-in-your-on-prem-ad-and-azure-environment\/","title":{"rendered":"Establish security boundaries in your on-prem AD and Azure environment"},"content":{"rendered":"<div class=\"wpb-content-wrapper\">[vc_row css_animation=&#8221;&#8221; row_type=&#8221;row&#8221; use_row_as_full_screen_section=&#8221;no&#8221; type=&#8221;full_width&#8221; angled_section=&#8221;no&#8221; text_align=&#8221;left&#8221; background_image_as_pattern=&#8221;without_pattern&#8221;][vc_column][vc_empty_space height=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; padding_top=&#8221;20&#8243; padding_bottom=&#8221;20&#8243;][vc_column_inner][vc_column_text][\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][vc_column_text]\n<p class=\"p2\">Preventing escalation from initial access in your Active Directory (AD) environment to Domain Admins can feel impossible, especially after years of successful red team engagements finding new attack paths each time. While securing your critical assets is challenging, it is not impossible with the right approach.<span class=\"Apple-converted-space\">\u00a0<\/span><\/p>\n<p class=\"p2\">This blog post provides a high-level explanation of how to implement security boundaries in an on-prem AD and Azure environment to protect your critical assets based on the principle of tiered administration, including how BloodHound Enterprise can help you in the process. 
Finally, we will cover how to organize your AD objects and Azure resources in a structure that reflects your security boundaries.<span class=\"Apple-converted-space\">\u00a0<\/span><\/p>\n<p>The blog post was produced as a collaboration between <a href=\"https:\/\/www.teal-consulting.de\/en\/\" target=\"_blank\" rel=\"noopener\">Teal<\/a> and <a href=\"https:\/\/specterops.io\/\" target=\"_blank\" rel=\"noopener\">SpecterOps<\/a>.<\/p>\n<p>We recommend that you have a basic understanding of attack paths before reading this blog post, which you can gain from the first section of <a href=\"https:\/\/twitter.com\/_wald0\" target=\"_blank\" rel=\"noopener\">wald0<\/a>\u2019s deep dive into the subject: <a href=\"https:\/\/posts.specterops.io\/the-attack-path-management-manifesto-3a3b117f5e5\" target=\"_blank\" rel=\"noopener\">The Attack Path Management Manifesto<\/a>.[\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][vc_video link=&#8221;https:\/\/youtu.be\/PRl5RIjb0bU&#8221; el_width=&#8221;70&#8243; align=&#8221;center&#8221;][vc_empty_space height=&#8221;30&#8243;][vc_column_text]\n<h2><span style=\"font-size: 22px;\">Old and new Microsoft recommendations<\/span><\/h2>\n<p>Historically, Microsoft recommended using the Enhanced Security Admin Environment (ESAE) architecture to provide a secure environment for AD administrators to prevent full compromise of a production forest in case of compromise of non-admin users. The AD tier model was part of ESAE. Because Microsoft created ESAE before they made Azure, ESAE was explicitly designed for on-prem AD. 
Thanks to the Internet Archive, you can still read Microsoft\u2019s old version of <em>Securing Privileged Access<\/em> with ESAE, the tier model, etc., <a href=\"https:\/\/web.archive.org\/web\/20201210154206\/https:\/docs.microsoft.com\/en-us\/windows-server\/identity\/securing-privileged-access\/securing-privileged-access-reference-material\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>On December 15, 2020, Microsoft published their new revised version of <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/overview\" target=\"_blank\" rel=\"noopener\">Securing Privileged Access<\/a> on Microsoft docs, including the Enterprise Access Model, which encompasses on-prem, Operational Technology (OT), Azure, and other cloud providers. Microsoft retired ESAE and took down their old recommendations.<\/p>\n<p>The principles for Microsoft\u2019s old and new recommendations are effectively the same. They recommend tiered administration with dedicated admin accounts. Admins should use a hardened Privileged Access Workstation (PAW) when performing administrative tasks, and the admin session must require Multi-Factor Authentication (MFA) and Just-In-Time (JIT) restrictions. Deployment of PAWs and other critical assets must comply with the <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/privileged-access-success-criteria#clean-source-principle\" target=\"_blank\" rel=\"noopener\">clean source principle<\/a>.<\/p>\n<p>The main difference between the two sets of recommendations is the focus on Azure. The previous recommendations had a strong focus on preventing cached credentials, an extensive security challenge in on-prem environments. 
Microsoft\u2019s latest recommendations include Azure technologies like Conditional Access, which is highly relevant for Azure as the control panels are Internet-exposed.<\/p>\n<p>As the core fundamentals of each are the same (limiting access to privilege), we recommend using elements from ESAE as the underlying basis for creating security boundaries in on-prem AD and using Microsoft\u2019s latest recommendations for Azure.<\/p>\n<p>In the following sub-sections, we will dive into the tier model from ESAE and the equivalent Enterprise Access Model from the latest Securing Privileged Access.[\/vc_column_text][vc_empty_space height=&#8221;30&#8243;][vc_column_text]\n<h2><span style=\"font-size: 22px;\">Active Directory administrative tier model<\/span><\/h2>\n<p>The purpose of the tier model is to implement security boundaries that will protect critical assets from high-risk devices like regular workstations, which adversaries frequently compromise.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6196 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_1.jpg\" alt=\"\" width=\"776\" height=\"422\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_1.jpg 776w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_1-300x163.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_1-768x418.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_1-700x381.jpg 700w\" data-sizes=\"(max-width: 776px) 100vw, 776px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 776px; --smush-placeholder-aspect-ratio: 776\/422;\" \/><\/p>\n<ul>\n<li><strong>Tier Zero<\/strong>: Critical assets with direct or indirect control over the entire AD forest. Members of Enterprise Admins have direct control, whereas a SCOM admin account has indirect control if DCs have SCOM agents installed.<\/li>\n<li><strong>Tier One<\/strong>: Enterprise servers and applications. These systems do not have direct or indirect control of the environment.<\/li>\n<li><strong>Tier Two<\/strong>: Workstations and other devices.<\/li>\n<\/ul>\n[\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][vc_column_text]<p>Assets of a higher tier (closer to zero) can control assets in a lower tier, but not the other way around. For example, Domain Admins in Tier Zero can have the privilege to reset the password of any user account. In contrast, tiering allows the help desk to reset the password of Tier Two users only and not the server admins in Tier One and Zero.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6198 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_2.jpg\" alt=\"\" width=\"870\" height=\"410\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_2.jpg 870w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_2-300x141.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_2-768x362.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_2-700x330.jpg 700w\" data-sizes=\"(max-width: 870px) 100vw, 870px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 870px; --smush-placeholder-aspect-ratio: 870\/410;\" \/><\/p>\n<p>The second principle of the tier model restricts users\u2019 login rights such that user accounts are only allowed to log in to a single tier. Naturally, Tier Two users cannot log in on critical servers in Tier Zero. Less intuitively, Domain Admins cannot log in on Tier One and Tier Two computers, despite full control over them. This restriction is because user credentials are (in most cases) cached on the computer where the user logs in. A malicious user with administrative rights on that computer can steal these credentials, e.g., using Mimikatz, and impersonate the victim user to log in on other systems where the victim user has access.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6200 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_3.jpg\" alt=\"\" width=\"896\" height=\"422\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_3.jpg 896w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_3-300x141.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_3-768x362.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_3-700x330.jpg 700w\" data-sizes=\"(max-width: 896px) 100vw, 896px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 896px; --smush-placeholder-aspect-ratio: 896\/422;\" \/><\/p>\n<p>The consequence of this principle is that employees with Tier Zero access must have a dedicated Tier Zero user and a separate Tier Two account they can use for their regular Tier Two workstation for emailing, web browsing, etc. 
The principle applies not only to human user accounts but to all accounts, including service accounts.<\/p>\n<p>The yellow arrows in the illustration above indicate that users from a lower tier can log in on systems in higher tiers, but only as required. For example, if you have a file server in Tier One that Tier Two users use, the users must have network logon privilege on this server. Still, Tier Two users cannot perform an interactive login on the computer through RDP or any other network protocol, nor have administrative rights on the computer, as that would violate the tiering.<\/p>\n<p>As a consequence of the clean source principle, admins with privileged access to a given tier must establish the privileged session from a workstation belonging to the same tier. PAWs are therefore required, and admins cannot use their regular Tier Two workstations for managing Tier One and Zero.[\/vc_column_text][vc_empty_space height=&#8221;30&#8243;][vc_column_text]\n<h3>Enterprise Access Model<\/h3>\n<p>The <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/privileged-access-access-model\" target=\"_blank\" rel=\"noopener\">Enterprise Access Model<\/a> is the replacement for the tier model in Microsoft\u2019s latest recommendations:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6202 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_4.jpg\" alt=\"\" width=\"1128\" height=\"488\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_4.jpg 1128w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_4-300x130.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_4-1024x443.jpg 1024w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_4-768x332.jpg 768w, 
https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_4-700x303.jpg 700w\" data-sizes=\"(max-width: 1128px) 100vw, 1128px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1128px; --smush-placeholder-aspect-ratio: 1128\/488;\" \/><\/p>\n<p>The concept is very similar to AD tiering. The Control Plane is the equivalent of Tier Zero, whereas the Management Plane and the Data\/Workload Plane are Tier One. Access to the planes in Tier One and Tier Zero should happen from <em>Privileged Devices and Workstations<\/em> (aka PAWs), separate from regular User Access and App Access from devices in Tier Two.<\/p>\n<p>Privileged access should be completely isolated from user access, as illustrated in <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/overview\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s Privileged Access Strategy<\/a>:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6206 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen-5.jpg\" alt=\"\" width=\"1178\" height=\"590\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen-5.jpg 1178w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen-5-300x150.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen-5-1024x513.jpg 1024w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen-5-768x385.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen-5-1000x500.jpg 1000w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen-5-700x351.jpg 700w\" 
data-sizes=\"(max-width: 1178px) 100vw, 1178px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1178px; --smush-placeholder-aspect-ratio: 1178\/590;\" \/>[\/vc_column_text][vc_empty_space height=&#8221;30&#8243;][vc_column_text]\n<h2><span style=\"font-size: 22px;\">How to create security boundaries<\/span><\/h2>\n<p>How do we change your environments to comply with the concept of tiered administration? And very importantly, how do we do it effectively and securely? This section will cover the overall phases of implementing security boundaries in on-prem AD and Azure. We will use the tiering terminology for both on-prem AD and Azure.<\/p>\n<h3>Classify your systems<\/h3>\n<p>It is essential first to decide your security boundary, i.e., which tier your assets belong to, and which employees should have access to what assets. You cannot protect your critical assets from non-privileged users if you do not know your critical assets and which users you will allow access to.<\/p>\n<p>We recommend starting by implementing a single security boundary to isolate your Tier Zero from the rest of your environment, as Tier Zero gives full control over everything.<\/p>\n<h3>Identify potential attack paths and set prioritization<\/h3>\n<p>Identify possible attack paths crossing your security boundaries and set prioritization based on how critical the attack path is for the environment.<\/p>\n<p>You can use the FOSS (Free and Open-Source Software) version of <a href=\"https:\/\/github.com\/BloodHoundAD\/BloodHound\" target=\"_blank\" rel=\"noopener\">BloodHound<\/a> to identify critical attack paths using analysis functions like \u201c<em>Shortest Paths from Domain Users to High Value Targets<\/em>\u201d. 
BloodHound also enables you to enumerate the inbound control of your Tier Zero assets:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6210 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_6.jpg\" alt=\"\" width=\"910\" height=\"562\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_6.jpg 910w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_6-300x185.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_6-768x474.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_6-700x432.jpg 700w\" data-sizes=\"(max-width: 910px) 100vw, 910px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 910px; --smush-placeholder-aspect-ratio: 910\/562;\" \/><\/p>\n<p>You should aim to find all compromising permissions on Tier Zero assets granted to Non Tier Zero objects and prioritize those. FOSS BloodHound does not provide a severity score for attack paths, but you can prioritize the attack paths manually. An attack path exposed to very few users in the environment is not as urgent to remediate as attack paths that all users can exploit, e.g., if the Domain Users group has compromising permissions.<\/p>\n<p><a href=\"https:\/\/bloodhoundenterprise.io\/\" target=\"_blank\" rel=\"noopener\">BloodHound Enterprise<\/a> (BHE) can help you speed up that process. BHE maps all the attack paths from the entire AD domain or Azure tenant towards Tier Zero. It measures the exposure of each attack path, i.e., the percentage of users with the necessary rights to abuse it. 
In the example below, a Tier Zero AD user (ADMINISTRATOR@TESTLAB.LOCAL) has a session on a Non Tier Zero computer (WIN10.TESTLAB.LOCAL), which leaves the credentials of the Tier Zero user exposed to Non Tier Zero users with execution access to this Non Tier Zero computer:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6208 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_7.jpg\" alt=\"\" width=\"902\" height=\"600\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_7.jpg 902w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_7-300x200.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_7-768x511.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_7-700x466.jpg 700w\" data-sizes=\"(max-width: 902px) 100vw, 902px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 902px; --smush-placeholder-aspect-ratio: 902\/600;\" \/><\/p>\n<p>It may not seem like a significant problem as it only involves a single Tier Zero user, but it is a critical finding according to BHE, and if we check the timeline, we can see that the exposure is 100%:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6212 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_8.jpg\" alt=\"\" width=\"930\" height=\"742\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_8.jpg 930w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_8-300x239.jpg 300w, 
https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_8-768x613.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_8-700x558.jpg 700w\" data-sizes=\"(max-width: 930px) 100vw, 930px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 930px; --smush-placeholder-aspect-ratio: 930\/742;\" \/><\/p>\n<p>The 100% exposure means that 100% of the users and computers in the domain have the ability to abuse an attack path and gain access to the Non Tier Zero computer. BHE can, in this way, help you identify attack paths to Tier Zero and give you a criticality based on the exposure.<\/p>\n<p>Azure support was recently added to BHE, and BHE is now likewise able to map out attack paths in Azure:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6214 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_9.jpg\" alt=\"\" width=\"1174\" height=\"674\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_9.jpg 1174w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_9-300x172.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_9-1024x588.jpg 1024w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_9-768x441.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_9-345x198.jpg 345w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_9-700x402.jpg 700w\" data-sizes=\"(max-width: 1174px) 100vw, 1174px\" 
src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1174px; --smush-placeholder-aspect-ratio: 1174\/674;\" \/><\/p>\n<h3>Create a roadmap and implement<\/h3>\n<p>Critical attack paths should have high priority, and some are low-hanging fruits that can be remediated immediately with almost no risk of undesired side effects. For example, you can quickly correct if a Tier Zero object owner is not a Tier Zero object by changing the owner to, e.g., Domain Admins.<\/p>\n<p>Other attack paths are not effectively remediated with a one-by-one approach and require more planning\u2014for example, a Tier Zero admin user logging in on a Tier One server. It may only involve a single user this time, but you must ensure all users have the proper accounts, have the correct login permissions, and know what user account to use for which systems. Else, it will happen again and again.<\/p>\n<p>Therefore, it is essential to create a plan (roadmap) for how and in which order you will remediate and enforce your security boundary to solve the issues effectively and reduce the risk of causing production systems to fail.<\/p>\n<p>It is excellent if you can execute tasks in parallel but remember that both systems and humans cannot deal with too much simultaneously. Implementing multiple things simultaneously in the same system increases the risk of systems failing and making it harder to debug. On the human side, you do not what to overload the IT personnel with tasks as they are critical for success.<\/p>\n<p>It is best to plan and schedule remediations in the order that makes sense with an understanding of all Attack Paths. For example, forcing admins to use physical Tier Zero PAWs will have little to zero impact if your environment contains attack paths from Domain Users to Tier Zero. 
Such attack paths will bypass the protection provided by PAWs completely.<\/p>\n<p>Unforeseen challenges and blockers occur, and new critical vulnerabilities are constantly published. Therefore, you must frequently evaluate and update the roadmap and prioritization.<\/p>\n<p>The following sections describe an example of a generic high-level roadmap for isolating Tier Zero with a security boundary.<\/p>\n<ol>\n<li>Remediate easy-to-fix Tier Zero attack paths<\/li>\n<li>Assess security principals with control on Tier Zero systems<\/li>\n<li>Assess on-prem AD login consequences<\/li>\n<li>Design tiering structure and build it<\/li>\n<li>Ensure correct on-prem login permissions<\/li>\n<li>Move AD objects and Azure resources<\/li>\n<li>Remediate remaining Tier Zero attack paths<\/li>\n<li>Implement Privileged Access Workstation (PAW)<\/li>\n<li>Implement Just-In-Time (JIT) administration<\/li>\n<\/ol>\n[\/vc_column_text][vc_empty_space height=&#8221;30&#8243;][vc_column_text]<p><strong><span style=\"color: #008081;\">1)\u00a0\u00a0 Remediate easy-to-fix Tier Zero attack paths<\/span><\/strong><\/p>\n<p>Go through the identified Tier Zero attack paths and judge whether each one can be solved permanently with a quick fix and little to no risk of systems failing. 
Remediate those attack paths.<\/p>\n<p>BHE provides a recommended remediation guide for every attack path:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-6216 lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_10.jpg\" alt=\"\" width=\"910\" height=\"448\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_10.jpg 910w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_10-300x148.jpg 300w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_10-768x378.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_10-700x345.jpg 700w\" data-sizes=\"(max-width: 910px) 100vw, 910px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 910px; --smush-placeholder-aspect-ratio: 910\/448;\" \/><\/p>\n<p><strong><span style=\"color: #008081;\">2)\u00a0\u00a0 Assess security principals with control on Tier Zero systems<\/span><\/strong><\/p>\n<p>Assuming you have defined what systems belong to Tier Zero, go through the list of security principals that have inbound control on each Tier Zero system and decide whether they need this access and belong to Tier Zero. FOSS BloodHound and BHE can provide you with the list, or you could manually iterate RBAC roles, ACLs, local groups, etc. Remember to assess those you add as well. 
Afterward, you should have a complete list of Tier Zero assets, including systems, users, groups, etc.[\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][vc_column_text]<p><span style=\"color: #008081;\"><strong>3)\u00a0\u00a0 Assess on-prem AD login consequences<\/strong><\/span><\/p>\n<p>No Tier Zero user in on-prem AD, including service accounts, is allowed to log in on Non Tier Zero computers. Identify where extra Non Tier Zero accounts are necessary. Human users are easy because humans can manage multiple accounts, but service accounts are tricky. A service account for a given system commonly requires login rights on many computers in each tier. You should reconfigure these systems to use at least one service account per tier. If that is not an option, you should deploy separate system instances per tier.<\/p>\n<p><span style=\"color: #008081;\"><strong>4)\u00a0\u00a0 Design tiering structure and build it<\/strong><\/span><\/p>\n<p>It is beneficial for the IT security department and the IT administrators to create a structure in your environment that makes it easy to see your security boundary. Clear security boundaries make it easier for admins to know whether a given change breaks the security boundary without consulting the security department. They also make it possible, or at least easier, to remediate attack paths systematically.<\/p>\n<p><span style=\"text-decoration: underline;\">On-prem AD tiering structure<\/span><\/p>\n<p>In on-prem AD, you want an OU structure that reflects your tiers. 
This is a simple example of what it could look like:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-6220 size-medium lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_11-199x300.jpg\" alt=\"\" width=\"199\" height=\"300\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_11-199x300.jpg 199w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_11-680x1024.jpg 680w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_11-768x1157.jpg 768w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_11-700x1055.jpg 700w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_11.jpg 774w\" data-sizes=\"(max-width: 199px) 100vw, 199px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 199px; --smush-placeholder-aspect-ratio: 199\/300;\" \/><\/p>\n<p>The location of an AD object makes it clear which tier it belongs to. Under the Accounts, Computers, and Groups OUs, you could create an OU structure representing the departments of the organization, or whatever makes sense in your organization. 
It could also be the other way around, like this:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-6218 size-medium lazyload\" data-src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_12-137x300.jpg\" alt=\"\" width=\"137\" height=\"300\" data-srcset=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_12-137x300.jpg 137w, https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_12.jpg 294w\" data-sizes=\"(max-width: 137px) 100vw, 137px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 137px; --smush-placeholder-aspect-ratio: 137\/300;\" \/><\/p>\n<p>You need to be aware that the parent container must be of the same tier level or higher. Full control on a parent container allows adversaries to create an ACE on the parent, granting full control to child objects. It means full control on a parent container is implicit full control of its child objects (unless inheritance is disabled on child objects). For example, the Accounts, Computers, and Groups OUs in the screenshot above are all Tier Zero OUs because they contain Tier Zero objects.<\/p>\n<p><span style=\"text-decoration: underline;\">Azure tiering structure<\/span><\/p>\n<p>Guidance and best practices for Azure are well described in Microsoft\u2019s <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/cloud-adoption-framework\/\" target=\"_blank\" rel=\"noopener\">Cloud Adoption Framework<\/a>, which is an excellent resource for how to build your Azure environment. One of the key concepts is <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/cloud-adoption-framework\/ready\/landing-zone\/\" target=\"_blank\" rel=\"noopener\">Azure landing zones<\/a>, a scalable and modular way to manage Azure resources under subscriptions. 
The chart below is a Microsoft example of an organization with multiple landing zones:<\/p>\n<p><img class=\"aligncenter size-full wp-image-6223\" src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_13.jpg\" alt=\"\" width=\"902\" height=\"682\" \/><\/p>\n<p>Like on-prem, you want to organize your Azure resources so that the security boundaries are easy to see. You can achieve that by arranging your Tier Zero resources under one or more Azure landing zones. You could also use the management group or resource group level to divide your resources into tiers if that suits your environment better. Still, it is essential to remember that a parent (management group or subscription) belongs to the highest tier (closest to zero) of its child resources; e.g., parents of Tier Zero resources are automatically also in Tier Zero.<\/p>\n<p><span style=\"color: #008081;\"><strong>5)\u00a0\u00a0 Ensure correct on-prem login permissions<\/strong><\/span><\/p>\n<p>Before moving the AD objects into the new OU structure, we should ensure that the user accounts can log in where they should and cannot log in anywhere else. 
A simple solution is to collect all user accounts of each tier into a group and use GPOs linked to the tier OUs to deny logon for users belonging to other tiers:<\/p>\n<p><img class=\"aligncenter size-full wp-image-6225\" src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_14.png\" alt=\"\" width=\"876\" height=\"420\" \/><\/p>\n<p>By using deny rules, we do not have to worry about membership in local groups that grant logon rights, as deny rules take precedence over allow rules. Sometimes we cannot use deny rules, though. For example, we do not deny network logon for Tier Two users in the above example, since Tier Two users need to be able to authenticate against network services hosted in Tier One. Therefore, we need to ensure that Tier Two users are not members of Administrators or other privileged groups on Tier One computers.<\/p>\n<p><span style=\"color: #008081;\"><strong>6)\u00a0\u00a0 Move AD objects and Azure resources<\/strong><\/span><\/p>\n<p>Now that you have your new tiering structure, it is time to move AD objects and Azure resources into it. 
The move does not have to be an actual move of the AD object or Azure resource; it could also be the creation of a new instance that replaces the old one.<\/p>\n<p><span style=\"text-decoration: underline;\">Moving AD objects<\/span><\/p>\n<p>There are several things you need to consider before you move an AD object to avoid breaking things:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Inherited permissions: When you create an Access Control Entry (ACE) in an AD object\u2019s Access Control List (ACL), child objects can be set to inherit the ACE. Unless inheritance is disabled on a child object, it will inherit ACEs from its parent containers. As a result, the effective permissions on an AD object may change when you move it, which introduces a risk of failing systems. To prevent surprises, you should compare the inherited ACEs of the AD object\u2019s current parent container with those of the new parent and determine whether you need to add any permissions to the new parent or to the AD object itself. Reading ACLs in AD is not easy. This PowerShell script can help you: <a href=\"https:\/\/improsec.com\/s\/Get-ADObjectACL.txt\" target=\"_blank\" rel=\"noopener\">Get-ADObjectACL.ps1<\/a>. If you are unsure how a given ACE is actually used, e.g., when a permission is set too wide, such as Full Control granted to Domain Users, you can audit access to the AD object by modifying its System Access Control List (SACL). That lets you monitor which identities access the object and which actions they perform before you decide which ACEs are sufficient on the AD object. 
For more information, check the \u201cMethod Two: Granted vs Requested Permissions\u201d slides (starting at slide 43) from wald0\u2019s presentation on the subject <a href=\"https:\/\/www.blackhat.com\/docs\/webcast\/04262018-Webcast-Toxic-Waste-Removal-by-Andy-Robbins.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/li>\n<li>GPOs and settings: Moving a user or computer object may change which GPOs apply to it. In the example below, we want to move our ADCS server from the Servers\\ADCS OU to the Tier0\\Computers\\ADCS OU. That move will unlink the \u201cServer Settings\u201d GPO from the server and link the \u201cTier0 Computer Config\u201d GPO instead.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img class=\"aligncenter wp-image-6227 size-medium\" src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_15-256x300.png\" alt=\"\" width=\"256\" height=\"300\" \/><\/p>\n<p>Be aware that in a real environment it can be hard to tell which settings apply to a computer or user using Group Policy Management. GPOs linked closer to an object normally override settings from GPOs linked further away, but that is not necessarily true if a GPO is enforced or loopback processing is enabled. 
You must also ensure that a WMI filter is not filtering out the user or computer.<\/p>\n<p><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-security-baselines\/new-tool-policy-analyzer\/ba-p\/701049\" target=\"_blank\" rel=\"noopener\">Policy Analyzer<\/a> is a great free tool for comparing sets of GPOs setting by setting. It also lets you compare a computer\u2019s current local settings with a set of GPOs, which is very useful since settings may also be applied by other means than GPOs, e.g., SCCM settings or manual configuration. If \u201c<a href=\"https:\/\/www.stigviewer.com\/stig\/windows_7\/2014-04-02\/finding\/V-4448\" target=\"_blank\" rel=\"noopener\"><em>Process even if the Group Policy objects have not changed<\/em><\/a>\u201d has not been enabled on a computer, GPO settings take effect only once, and admins could have overwritten the settings afterward. Finally, you would expect that unlinking a GPO from a computer makes its settings no longer apply, but that is not always the case, as some <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/security-policy-settings\/security-policy-settings#persistence-of-security-settings-policy\" target=\"_blank\" rel=\"noopener\">settings persist<\/a>. Therefore, it is highly recommended to carefully compare the current local settings on a computer with the settings that will hit the computer when it is moved, to avoid unknowingly overwriting essential settings.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Hardcoded Distinguished Names (OU paths): Scripts, tools, and manual procedures are sometimes configured to look for AD objects under a given OU and may break or stop working if AD objects are moved out of that OU. 
There is no easy way to discover hardcoded Distinguished Names, and the best you can do is ask the right people about potential issues before an AD object is moved.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n[\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][vc_column_text]<p><span style=\"text-decoration: underline;\">Moving Azure resources<\/span><\/p>\n<p>Like on-prem AD, there is a lot to consider when moving Azure resources. For example, an Azure resource\u2019s ID changes after a move, which can cause the same kind of issues as hardcoded Distinguished Names in on-prem AD.<\/p>\n<p>We highly recommend reading Microsoft\u2019s guide on how to move Azure resources, available <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-resource-manager\/management\/move-resource-group-and-subscription\" target=\"_blank\" rel=\"noopener\">here<\/a>. It includes links to guides on moving specific resource types and lists which types cannot be moved.<\/p>[\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][vc_column_text]<p><span style=\"color: #008081;\"><strong>7)\u00a0 Remediate remaining Tier Zero attack paths<\/strong><\/span><\/p>\n<p>You should already have remediated most of your Tier Zero attack paths by fixing the easy ones and implementing a structure that reflects your security boundaries. If any Tier Zero attack paths are left, you should remediate them now.<\/p>\n<p><strong><span style=\"color: #008081;\">8)\u00a0\u00a0 Implement Privileged Access Workstation (PAW)<\/span><\/strong><\/p>\n<p>PAWs are a big subject, and we will not cover them in detail in this blog post. Teal has a blog post on PAWs available <a href=\"https:\/\/www.teal-consulting.de\/en\/2021\/04\/15\/esae-deep-dive-series-part-9-privilege-admin-workstation-paw\/\" target=\"_blank\" rel=\"noopener\">here<\/a>. 
Another great resource is Microsoft\u2019s <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/privileged-access-devices\" target=\"_blank\" rel=\"noopener\">Privileged access devices<\/a>.<\/p>\n<p>However, there are two essential things regarding PAWs that we want to make clear:<\/p>[\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][vc_column_text css=&#8221;.vc_custom_1655723826211{margin-left: 15px !important;}&#8221;]<p>1. Using PAWs is not enough<\/p>\n<p>After you have deployed PAWs and they are working, you should isolate admin access to the tier the PAW belongs to, so that only PAWs can establish admin access to that tier. This ensures that adversaries with admin credentials cannot compromise the tier without also having a PAW under their control.<\/p>\n<p>2. PIM\/PAM is not PAW<\/p>\n<p>A Privileged Identity Management \/ Privileged Access Management (PIM\/PAM) solution is great for security but cannot replace a PAW. If you use your regular Tier Two laptop to access Tier One or Tier Zero through a PAM, anyone with administrative access to your Tier Two computer can steal or take over your session to Tier Zero.<\/p>[\/vc_column_text][vc_empty_space height=&#8221;20&#8243;][vc_column_text]<p><span style=\"color: #008081;\"><strong>9)\u00a0 Implement Just-In-Time (JIT) administration<\/strong><\/span><\/p>\n<p>There are many custom and non-native JIT solutions for both on-prem AD and Azure, which we will not cover in this blog post. <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\" target=\"_blank\" rel=\"noopener\">LAPS<\/a> can help you accomplish JIT administration in on-prem AD, but most PIM\/PAM solutions provide better options. In Azure, you can configure JIT in Azure AD PIM, which comes with an Azure AD Premium P2 license.<\/p>[\/vc_column_text][vc_empty_space height=&#8221;30&#8243;][vc_column_text]\n<h3>Measuring progress<\/h3>\n<p>You can measure the progress of your implementation in many ways, depending on the perspective. 
If you have divided your roadmap into a list of tasks, you could use the number of completed tasks over the total number of tasks as a measure. That gives an idea of how far along your roadmap you are. To measure your security boundary\u2019s effectiveness, you could count the number of attack paths crossing the security boundary and weight them by criticality.<\/p>\n<p>BHE collects data continuously and shows the impact of your attack path remediations on BHE\u2019s posture page. The screenshot below shows the overall exposure of Tier Zero measured over time:<\/p>\n<p><img class=\"aligncenter size-full wp-image-6229\" src=\"https:\/\/www.teal-consulting.de\/wp-content\/uploads\/2022\/06\/festlegen_von_sicherheitsgrenzen_16.png\" alt=\"\" width=\"870\" height=\"430\" \/><\/p>\n<h3>Maintain<\/h3>\n<p>When you have established a security boundary (partially or entirely), it is crucial to ensure that it does not erode over time.<\/p>\n<p>One way to do this is to configure detections based on changes to Tier Zero assets. 
As an example, <a href=\"https:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/32379.active-directory-how-to-detect-who-added-a-user-to-domain-admins-group.aspx\" target=\"_blank\" rel=\"noopener\">this article<\/a> explains how to detect users being added to Domain Admins. Another solution could be a script that compares the ACEs, group memberships, and RBAC roles of Tier Zero with a blueprint and reports any new entry that breaks the tiering, judged by the location of the security principal that was granted the permission.<\/p>\n<p>BHE can also help you with maintenance. If a system administrator makes a misconfiguration that breaks your security boundary, new attack paths will appear in BHE, and the exposure will increase. BHE is constantly expanded with new attack path types as researchers and the community publish them, which helps you stay up to date with new attack techniques.<\/p>[\/vc_column_text][vc_empty_space height=&#8221;30&#8243;][vc_column_text]\n<h2>Wrap Up<\/h2>\n<p>It is not easy to implement security boundaries, but it is doable. Breaking the big concepts down into simple tasks is key to success. Even if you can only partially implement a single security boundary, your critical assets will still be significantly better protected than those of organizations that have not even tried. 
The further you get, the better your chances of preventing the adversary from gaining access to your critical assets.<\/p>\n<p>If you want to know more on the subject, check out these links:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/overview\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s current Securing Privileged Access<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20201210154206\/https:\/docs.microsoft.com\/en-us\/windows-server\/identity\/securing-privileged-access\/securing-privileged-access-reference-material\" target=\"_blank\" rel=\"noopener\"><u>Microsoft\u2019s old on-prem Securing Privileged Access<\/u><\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/cloud-adoption-framework\/\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s Cloud Adoption Framework<\/a><\/li>\n<li><a href=\"https:\/\/www.teal-consulting.de\/en\/blog\/\" target=\"_blank\" rel=\"noopener\">Teal Blog<\/a><\/li>\n<li><a href=\"https:\/\/bloodhoundenterprise.io\/blog\/\" target=\"_blank\" rel=\"noopener\">BloodHound Enterprise Blog<\/a><\/li>\n<li><a href=\"https:\/\/posts.specterops.io\/\" target=\"_blank\" rel=\"noopener\">SpecterOps Blog<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][\/vc_column][\/vc_row][vc_row css_animation=&#8221;&#8221; row_type=&#8221;row&#8221; use_row_as_full_screen_section=&#8221;no&#8221; type=&#8221;full_width&#8221; angled_section=&#8221;no&#8221; text_align=&#8221;left&#8221; background_image_as_pattern=&#8221;without_pattern&#8221;][vc_column][vc_empty_space height=&#8221;30&#8243;][vc_column_text]\n<h4>LATEST POSTS<\/h4>\n[\/vc_column_text][vc_empty_space height=&#8221;30&#8243;]\n<div class='latest_post_holder boxes three_columns one_row' >\n    <ul>\n    \n        <li class=\"clearfix\">\n       
<\/li>\n        <\/ul>\n<\/div>[\/vc_column][\/vc_row]\n<\/div>","protected":false},"excerpt":{"rendered":"<p>This blog post provides a high-level explanation of how to implement security boundaries in an on-prem AD and Azure environment to protect your critical assets based on the principle of 
<\/p>\n","protected":false},"author":14,"featured_media":6266,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[14],"tags":[],"class_list":["post-6247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-further-topics-en"],"_links":{"self":[{"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/posts\/6247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/comments?post=6247"}],"version-history":[{"count":14,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/posts\/6247\/revisions"}],"predecessor-version":[{"id":6279,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/posts\/6247\/revisions\/6279"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/media\/6266"}],"wp:attachment":[{"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/media?parent=6247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/categories?post=6247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.teal-consulting.de\/en\/wp-json\/wp\/v2\/tags?post=6247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}