Over the past few days I have been wresting the answer to one question:

“Is there a single rule that could be followed to assist in accurately classifying any Active Directory object in line with Microsoft’s Tier Model?”

My initial impulse was to fall back on the conventional consulting response of “It Depends”. However, this approach would hardly serve any purpose, other than highlighting our fall-back into the state of “unknown unknowns”.

The broadness of the question and the fact that it does not linger on a certain Tier (i.e. Tier Zero), adds complexity and introduces potential for error, but nonetheless, it’s a legitimate query.

My experience has taught me that if there’s an answer I can’t provide, it’s typically because I haven’t put enough effort into finding it, or perhaps, I haven’t been bold enough to tackle it.

By the way, please take the above statements with a significant grain of salt. There are numerous highly esteemed members of the “identity security community” who have explored various aspects of this topic. Here are a couple:

Andy Robbins: How to Define Tier-Zero Assets in Active Directory Security (darkreading.com)Michael Van Horenbeeck: Tier 0: What is it and what it means for Active Directory (quest.com)

Answer it Logically

Now that all necessary disclaimers have been provided, allow me to attempt to answer this question using the one method I trust the most: deductive logic.

If….

Microsoft’s Tier Model draws upon Kenneth J. Biba’s Model (1975), specifically the principles of “No Write Up” and “No Read Down”

and… 

The model’s central objective is to hinder lateral movement by segregating administrative access effectively,

then….

The all-inclusive answer can only be related to the POTENTIAL IMPACT of a successful compromise via an attack pathway.

Judgement Day

Taking into account all that has been discussed thus far, here is my initial endeavor to articulate a universal guideline to assist in the categorization of objects in line with the model:

“The effective tier level of any Active Directory object can be determined by the direct (or derivative) control it can assert over it’s related objects and it should always be classified as closest to zero if it has reachable high value targets irrespective of the probability of the attack path.”

Now feel free to “roast” me.

It can only get better and more accurate from here.

Before you do though let me apply the above into a couple of examples:

Examples

Note that for any of the examples below I highly recommend downloading and starting to use Bloodhound to start seeing in “graphs” and recognising the attack paths.

Example #1

Assume a Tier 2 Active Directory (AD) Group that possesses GenericAll (Full Control) permissions on a service principal (Regular User Object) which has the capacity to ExecuteDCOM on Domain Controllers. In this scenario, the pertinent object is the service principal, as it can be directly exploited to attack the Domain Controllers. The AD Group has access to a high-value target. Given the substantial risk involved, all related objects should be classified as Tier 0, regardless of the likelihood of the attack path being actualised.

Example #2:

Assume a laptop (Tier 2 AD Computer Object), utilised by a user who belongs to the Helpdesk (Tier 2 AD User Object). This user is a member of a group granted PSRemote permissions on an SSCM Server, which can execute code on Domain Controllers, a Tier 0 Computer Object. According to the principle established earlier, regardless of the likelihood of the attack path coming to fruition, we must presume the worst-case scenario. As a result, all of the “items in line” should be classified as Tier 0.

Microsoft’s Tier Model – The Conclusion

Both examples above highlight the presence of a violation that requires remediation, along with the associated risk that needs to be accurately raised. Certainly, it doesn’t suggest promoting, for instance, the Helpdesk user to Tier 0 and reverting to a “flat structure”.

There is classification, and then there’s effective classification.

If you are aiming for the latter, it is impossible to do so without acknowledging potential tiering violations, whether they are intentional or the result of a misconfiguration. Viewing an object through the correct “lens” can prove not just beneficial, but potentially crucial to your domain avoiding compromise.

Hopefully this article will help someone in their efforts to protect their assets.