Detailed Tier Model Implementation Guide

A step-by-step approach to implementing the Administrative Tier Model in Active Directory

1. Preparation Phase

  1. Conduct an inventory of all assets in your environment
  2. Identify and categorize assets into appropriate tiers:
    • Tier 0: Domain Controllers, AD CS, DNS Servers, etc.
    • Tier 1: Application and database servers
    • Tier 2: Workstations and user devices
  3. Document current administrative accounts and their access levels
  4. Develop a migration plan and timeline
  5. Communicate changes to all stakeholders and IT staff
Tip: Use tools like AD Topology Diagrammer to visualize your current AD structure.

2. Active Directory Restructuring

  1. Create new Organizational Units (OUs) for each tier:
    • OU=Tier0
    • OU=Tier1
    • OU=Tier2
  2. Move computer objects to their respective tier OUs
  3. Create tier-specific security groups:
    • SG_Tier0_Admins
    • SG_Tier1_Admins
    • SG_Tier2_Admins
Important: Ensure you have a backup of your AD before making structural changes.

3. Creating Tiered Administrative Accounts

  1. Establish a naming convention for tiered accounts (e.g., T0-AdminJohnDoe, T1-AdminJaneSmith)
  2. Create new administrative accounts for each tier
  3. Add these accounts to their respective tier security groups
  4. Implement strong password policies for these accounts
  5. Enable Multi-Factor Authentication (MFA) for all administrative accounts
Tip: Use a Privileged Access Management (PAM) solution to manage and audit these high-privilege accounts.
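The OU, group and account steps from sections 2 and 3 as an added PowerShell example (not part of the original guide); it assumes the ActiveDirectory module, that the domain DN is read at runtime, and that the admin names are placeholders.

```powershell
# Added example, not the guide's own script: builds the tier OUs, the
# SG_Tier<n>_Admins groups and tiered admin accounts from sections 2 and 3.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$tiers    = 0, 1, 2

foreach ($t in $tiers) {
    $ouName = "Tier$t"
    $ouDN   = "OU=$ouName,$domainDN"

    # Idempotent: only create the OU if it is not already there.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }

    # Each tier's admin group lives in that tier's OU (global scope, security category).
    $groupName = "SG_Tier${t}_Admins"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                    -Path $ouDN -Description "Tier $t administrative accounts"
    }
}

# Hypothetical admins following the guide's T<n>-Admin<Name> naming convention.
$admins = @(
    @{ Tier = 0; Name = 'JohnDoe' },
    @{ Tier = 1; Name = 'JaneSmith' }
)

foreach ($a in $admins) {
    $sam  = "T$($a.Tier)-Admin$($a.Name)"
    $ouDN = "OU=Tier$($a.Tier),$domainDN"
    # Prompt for the initial password rather than hard-coding it; force a change at first logon.
    $pw = Read-Host -AsSecureString "Initial password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -Path $ouDN -AccountPassword $pw `
               -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity "SG_Tier$($a.Tier)_Admins" -Members $sam
}

# Tier 0 accounts are sensitive: block Kerberos delegation of their credentials.
Get-ADGroupMember 'SG_Tier0_Admins' | Set-ADAccountControl -AccountNotDelegated $true
```

Run it once from a Tier 0 admin session; the existence checks make re-runs safe, and the password policy and MFA from steps 4 and 5 still have to be applied separately.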

4. Implementing Access Controls

  1. Create and link GPOs to each tier OU to enforce access controls:
    • Tier 0 GPO: Restrict logon to Tier 0 assets
    • Tier 1 GPO: Restrict logon to Tier 1 assets
    • Tier 2 GPO: Restrict logon to Tier 2 assets
  2. Configure Windows Firewall rules to isolate tiers
  3. Implement LAPS (Local Administrator Password Solution) for managing local admin accounts
Warning: Test GPOs thoroughly in a non-production environment before applying them.

5. Privileged Access Workstations (PAWs) Setup

  1. Identify and prepare dedicated workstations for Tier 0 administration
  2. Harden these PAWs with enhanced security measures:
    • Enable BitLocker
    • Restrict internet access
    • Apply strict AppLocker policies
  3. Configure these PAWs to only allow logon from Tier 0 accounts

6. Implementing Just-In-Time (JIT) and Just-Enough-Administration (JEA)

  1. Configure time-based group membership for administrative groups
  2. Implement a process for requesting and approving elevated access
  3. Set up PowerShell JEA endpoints for specific administrative tasks
  4. Create custom JEA role capabilities for different administrative functions
Tip: Use Azure AD Privileged Identity Management (PIM) for cloud-based JIT access.

7. Monitoring and Auditing

  1. Configure advanced audit policies for each tier
  2. Set up centralized logging (e.g., using Windows Event Forwarding)
  3. Implement real-time alerting for suspicious activities:
    • Attempts to access higher tiers from lower tiers
    • Unusual logon patterns
    • Changes to privileged groups
  4. Regularly review and analyze security logs

8. Training and Documentation

  1. Develop training materials for IT staff on the new tier model
  2. Conduct training sessions for all affected administrators
  3. Create and maintain documentation on:
    • Tier model architecture
    • Administrative procedures for each tier
    • Escalation processes
  4. Establish a regular review process for the tier model implementation

9. Gradual Rollout and Testing

  1. Begin with a pilot group of administrators and systems
  2. Gradually expand the implementation across the organization
  3. Continuously gather feedback and adjust the implementation as needed
  4. Conduct regular penetration testing to verify the effectiveness of the tier model
Important: Maintain a rollback plan in case of unforeseen issues during implementation.
