Full Report
I’ve been performing internal assessments for seven years, and of all the things I have learnt, one is certain: without a proper tiering model, security tools alone won’t stop your organization from collapsing after a major compromise. In this post I’ll explain what a tiering model is, how to break a flat network even when protections are present, and, most importantly, how to build a defense-in-depth network, with practical tips and diagrams.
Analysis Summary
# Best Practices: Active Directory Tiering & Network Segmentation
## Overview
These practices address the fundamental insecurity of "flat" networks, where a single compromise on a workstation can lead to full domain takeover. A Tiering Model restricts each class of administrative credential to the assets of its own "trust zone", so a credential an attacker recovers from a workstation (via an LSASS memory dump or token impersonation) is never a Tier 0 credential and cannot be reused for lateral movement into servers or domain controllers.
## Key Recommendations
### Immediate Actions
1. **Block LSASS Access:** Enable LSA protection (`RunAsPPL`, Protected Process Light) so that unprotected processes cannot open LSASS for memory reads; this stops user-mode credential dumpers such as Mimikatz. A signed kernel driver can still bypass it, so pair it with Credential Guard where the hardware supports virtualization-based security.
2. **Audit Privilege Distribution:** Use tools like BloodHound or NetExec to identify where Domain Admin (DA) accounts currently have sessions; every such host is a place an attacker can harvest a Tier 0 credential.
3. **Disable Insecure Protocols:** Disable LLMNR and NBT-NS, which let an attacker on the same segment poison name resolution and capture or relay NTLM authentication, and require SMB signing, LDAP signing and LDAPS channel binding so that relayed sessions are rejected.
4. **Credential Hygiene:** Administrators must never log on to standard workstations with Domain Admin accounts, interactively or over the network; give each admin a separate day-to-day account for email and browsing.
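The protocol-hardening step above is easy to state and easy to leave half-done, because NBT-NS is a per-interface setting and the LDAP server-side values only exist on domain controllers. The following PowerShell is an added example, not code from the original post: it audits one host against the documented registry locations for LLMNR, NBT-NS, SMB signing, LDAP signing and LDAPS channel binding, and with `-Enforce` writes the hardened values. The function name, the `-Enforce` switch and the output shape are this example's own design.

```powershell
# Added example, not from the original post: audit (and optionally enforce) the
# "Disable Insecure Protocols" step on one Windows host. The registry locations
# and values are the documented ones for each setting; the function name,
# -Enforce switch and output shape are this example's own design.
#Requires -RunAsAdministrator

function Test-InsecureProtocolHardening {
    [CmdletBinding()]
    param(
        # Write the hardened value wherever the host is found non-compliant.
        [switch]$Enforce
    )

    # One entry per check: where the setting lives and the value a hardened host has.
    $checks = @(
        @{ Name = 'LLMNR disabled'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
           Value = 'EnableMulticast';          Expected = 0 }
        @{ Name = 'SMB server signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value = 'RequireSecuritySignature'; Expected = 1 }
        @{ Name = 'SMB client signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Value = 'RequireSecuritySignature'; Expected = 1 }
        @{ Name = 'LDAP client signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
           Value = 'LDAPClientIntegrity';      Expected = 2 }
    )

    # NBT-NS is a per-interface setting: NetbiosOptions = 2 disables NetBIOS over TCP/IP.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem $ifRoot) {
        $checks += @{ Name = "NBT-NS disabled ($($iface.PSChildName))"
                      Path = $iface.PSPath; Value = 'NetbiosOptions'; Expected = 2 }
    }

    # Domain-controller-only settings; the key is absent on member hosts, so they are skipped.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $ntds) {
        $checks += @{ Name = 'LDAP server signing required';  Path = $ntds
                      Value = 'LDAPServerIntegrity';       Expected = 2 }
        $checks += @{ Name = 'LDAPS channel binding always'; Path = $ntds
                      Value = 'LdapEnforceChannelBinding'; Expected = 2 }
    }

    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = ($null -ne $actual) -and ([int]$actual -eq $c.Expected)
        if (-not $ok -and $Enforce) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
            $actual = $c.Expected; $ok = $true
        }
        [pscustomobject]@{ Setting = $c.Name; Expected = $c.Expected; Actual = $actual; Compliant = $ok }
    }
}

# Report only; add -Enforce to fix (signing changes take effect after a reboot or service restart).
Test-InsecureProtocolHardening | Format-Table -AutoSize
```

Run it on a workstation, a member server and a domain controller, because the three produce different check lists. In a domain, apply the same values through Group Policy rather than with `-Enforce`, so they cannot drift; and test `LDAPServerIntegrity = 2` and the SMB server signing requirement on a pilot set of DCs and servers first, since any legacy client or appliance that cannot sign will stop authenticating.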
### Short-term Improvements (1-3 months)
1. **Define Three-Tier Architecture:**
* **Tier 0:** Domain Controllers, the forest root domain, AD CS, Entra ID Connect and any other system that can issue, store or synchronise identities and credentials.
* **Tier 1:** Servers, databases, and enterprise applications.
* **Tier 2:** User workstations and mobile devices.
2. **Implement Group Policy Restrictions (GPO):** On Tier 1 and Tier 2 computers, add the Tier 0 groups to all five deny rights ("Deny log on locally", "Deny log on through Remote Desktop Services", "Deny log on as a batch job", "Deny log on as a service" and "Deny access to this computer from the network") so a Tier 0 credential can neither be used on, nor cached by, a lower-tier asset; apply the same pattern for Tier 1 groups on Tier 2 computers.
3. **Deploy Privileged Access Workstations (PAWs):** Require admins to use dedicated, hardened hardware for Tier 0/1 management tasks.
### Long-term Strategy (3+ months)
1. **Administrative Forest (ESAE/Red Forest):** Place administrative accounts and PAWs in a separate, highly restricted forest that the production forest trusts one-way (production trusts admin, never the reverse), with selective authentication enabled. Microsoft has retired the ESAE guidance in favour of the Enterprise Access Model, so treat a dedicated admin forest as an option for organisations with the staff to run two forests, not as the default target.
2. **Micro-segmentation:** Use host-based firewalls (default-deny inbound on workstations, with SMB, RDP and WinRM allowed only from PAW or jump-host subnets) together with private VLANs so that workstations cannot talk to each other directly. VLAN membership on its own does not stop lateral movement between hosts inside the same VLAN.
3. **Deception Infrastructure:** Deploy honey-tokens and honey-users (for example, an account carrying a Service Principal Name that no real service uses) to detect attackers who, denied easy credential reuse, fall back to "loud" techniques like Kerberoasting, brute-forcing or password spraying.
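The micro-segmentation point is where most "we have VLANs" networks fall down: the workstation VLAN still lets every workstation reach every other on 445, 3389 and 5985. The PowerShell below is an added example, not code from the original post. It configures Windows Defender Firewall on a Tier 2 workstation for default-deny inbound, disables the built-in rules that open SMB, RDP and WinRM to any source, and re-allows those ports only from a management subnet. The subnet `10.10.200.0/24` and the `Tiering-` rule prefix are placeholders, and the function names are this example's own; the second function is the check you run afterwards to find any allow rule that still exposes a management port to `Any`.

```powershell
# Added example, not from the original post: host-based micro-segmentation for a Tier 2
# workstation using Windows Defender Firewall. The management subnet 10.10.200.0/24 and
# the "Tiering-" rule prefix are placeholders; the function names are this example's own.
# Deploy the same rules through GPO in production so a local admin cannot undo them.
#Requires -RunAsAdministrator

$ManagementPorts = @{ 'SMB' = 445; 'RDP' = 3389; 'WinRM-HTTP' = 5985; 'WinRM-HTTPS' = 5986 }

function Set-Tier2InboundIsolation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only PAWs / jump hosts in these ranges may reach the management ports.
        [string[]]$ManagementSources = @('10.10.200.0/24'),
        [string]$Prefix = 'Tiering-'
    )

    # 1. Default-deny inbound on all profiles: anything without an explicit allow rule is
    #    dropped, which is what stops one compromised workstation reaching the next one.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    # 2. Disable the built-in allow rules that expose SMB, RDP and WinRM to any source.
    foreach ($group in 'File and Printer Sharing', 'Remote Desktop', 'Windows Remote Management') {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
            Disable-NetFirewallRule
    }

    # 3. Re-allow each management port from the PAW / jump subnet only.
    foreach ($name in $ManagementPorts.Keys) {
        $ruleName = "$Prefix$name-From-Management"
        Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        if ($PSCmdlet.ShouldProcess($ruleName, 'Create inbound allow rule')) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
                -Protocol TCP -LocalPort $ManagementPorts[$name] -RemoteAddress $ManagementSources `
                -Profile Domain -Enabled True | Out-Null
        }
    }
}

function Get-ExposedManagementRules {
    # Returns every enabled inbound allow rule that still opens a management port to "Any"
    # source; an empty result means the workstation is isolated as intended.
    $ports = $ManagementPorts.Values | ForEach-Object { [string]$_ }
    foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $local      = @($portFilter.LocalPort)
        $opensMgmt  = ($local -contains 'Any') -or (@($local | Where-Object { $_ -in $ports }).Count -gt 0)
        if ($opensMgmt -and ($addrFilter.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Group = $rule.DisplayGroup
                               LocalPort = ($local -join ','); RemoteAddress = ($addrFilter.RemoteAddress -join ',') }
        }
    }
}

Set-Tier2InboundIsolation -WhatIf   # drop -WhatIf to apply
Get-ExposedManagementRules | Format-Table -AutoSize
```

Windows Firewall evaluates block rules before allow rules, so the design relies on the profile default (block) plus scoped allow rules rather than on explicit block rules that would also defeat the management exception. After applying, RDP and PsExec-style access to the workstation only works from the management subnet, which is the intended effect; helpdesk remote-control tools that connect from ordinary workstations will need their own scoped rule.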
---
## Implementation Guidance
### For Small Organizations
- Focus on the **Logon Restrictions**. Even without a Red Forest, GPO deny-logon rights that keep Domain Admins off workstations cost $0 and remove the most common path from a phished workstation to Tier 0.
- Use a "Jump Server" for all server administration.
### For Medium Organizations
- Implement the full **3-Tier Model** within the existing domain.
- Enforce strict VLAN separation between servers and workstations.
- Introduce MFA for all administrative RDP/SSH sessions.
### For Large Enterprises
- Deploy the **Administrative Forest** (Red Forest) model.
- Ensure administrative workstations have no internet access, except for essential service endpoints (e.g., Entra ID and Windows Update).
- Implement hardware-based root of trust for PAWs.
---
## Configuration Examples
### GPO: Restricting Tier 0 Accounts
* **Path:** `Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment`
* **Settings:** *Deny log on locally*, *Deny log on through Remote Desktop Services*, *Deny log on as a batch job*, *Deny log on as a service* and *Deny access to this computer from the network* (all five, so the account can be used neither interactively nor over SMB/WinRM, and its credential is never cached on the host).
* **Users/Groups:** Add `Tier 0 Admins`, `Domain Admins`, `Enterprise Admins`.
* **Apply to:** GPOs linked to the Member Server (Tier 1) and Workstation (Tier 2) OUs. Never link it to the Domain Controllers OU, and repeat the pattern one level down: Tier 1 admin groups get the same deny rights on Tier 2 computers.
* **Caveat:** Pilot on one OU first. Any scheduled task or service on a member server that still runs as a Domain Admin account stops working once the batch and service deny rights apply, which is exactly the misconfiguration the audit step should have surfaced.
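A GPO that looks right in the console can still be overridden by a later-linked policy or blocked inheritance, so the practitioner's check is the effective policy on the endpoint itself. The script below is an added example, not code from the original post: it exports the local user-rights assignments with `secedit`, parses the `[Privilege Rights]` section, resolves each Tier 0 group to its SID and reports any group/right pair that is missing. The group name `Tier 0 Admins` is the one assumed by the table above; change it to your own naming.

```powershell
# Added example, not from the original post: run on a Tier 1 or Tier 2 host after the GPO
# above has applied to confirm the five deny rights really contain the Tier 0 groups.
# It exports the local policy with secedit and parses the [Privilege Rights] section;
# "Tier 0 Admins" is the group name assumed by the table above, adjust to your naming.
#Requires -RunAsAdministrator

function Test-Tier0LogonDenied {
    param(
        [string[]]$Tier0Groups = @("$env:USERDOMAIN\Tier 0 Admins",
                                   "$env:USERDOMAIN\Domain Admins",
                                   "$env:USERDOMAIN\Enterprise Admins"),
        # All five logon types a Tier 0 credential must be refused on lower tiers.
        [string[]]$DenyRights = @('SeDenyInteractiveLogonRight',
                                  'SeDenyRemoteInteractiveLogonRight',
                                  'SeDenyNetworkLogonRight',
                                  'SeDenyBatchLogonRight',
                                  'SeDenyServiceLogonRight')
    )

    $inf = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

    # Lines look like:  SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-21-...-519
    # Principals are SIDs prefixed with '*' (occasionally plain account names).
    $assigned = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $assigned[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    foreach ($group in $Tier0Groups) {
        # Resolve the group to its SID; a name that does not resolve (group missing)
        # is reported as not denied rather than silently passing.
        $sid = $null
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { }
        foreach ($right in $DenyRights) {
            $entries = $assigned[$right]
            $denied  = ($null -ne $sid -and $entries -contains $sid) -or ($entries -contains $group)
            [pscustomobject]@{ Group = $group; Sid = $sid; Right = $right; Denied = [bool]$denied }
        }
    }
}

# Print the gaps; no output means every Tier 0 group is denied every logon type on this host.
Test-Tier0LogonDenied | Where-Object { -not $_.Denied } | Format-Table -AutoSize
```

Run it with `Invoke-Command` against a sample of hosts from each tier; a Tier 2 host that reports `SeDenyNetworkLogonRight` missing for `Domain Admins` is a host where a DA credential can still be used over SMB, whatever the GPO console shows.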
### Registry: Enabling LSASS Protection
* **Key:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
* **Value Name:** `RunAsPPL`
* **Value Data:** `dword:00000001` (enables protection; a reboot is required, after which Wininit logs event 12 in the System log when LSASS starts protected). On Windows 11 22H2 and later, `dword:00000002` enables protection without the UEFI lock. The UEFI lock is not needed for enforcement: it persists the setting in firmware so the protection cannot be removed simply by deleting the registry value, at the price that disabling it later requires clearing the UEFI variable with the Microsoft-provided boot tool.
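Setting the value is one line; the part teams skip is confirming that LSASS actually came up protected after the reboot, since a policy, a third-party agent or an unsupported build can leave the value in place without the protection being active. The PowerShell below is an added example, not code from the original post: it writes the `RunAsPPL` value from the table above and then checks for the Wininit event 12 that Windows writes at boot when LSASS starts as a protected process, counting only an event newer than the last boot. The function names are this example's own.

```powershell
# Added example, not from the original post: set the RunAsPPL value from the table above
# and verify after reboot that LSASS actually started protected. The check relies on
# Wininit event 12 in the System log, which Windows writes at boot when LSASS starts as a
# protected process; the function names are this example's own.
#Requires -RunAsAdministrator

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-LsaProtection {
    param(
        # 1 = enabled (and UEFI-locked on firmware that supports it);
        # 2 = enabled without UEFI lock (Windows 11 22H2 and later only).
        [switch]$NoUefiLock
    )
    $value = if ($NoUefiLock) { 2 } else { 1 }
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value $value -Type DWord
    "RunAsPPL set to $value; reboot for LSASS to start as a protected process."
}

function Test-LsaProtection {
    $configured = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $lastBoot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

    # Wininit logs event 12 ("LSASS.exe was started as a protected process ...") at each boot
    # where protection is active. Only an event from the current boot counts.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    $running = ($null -ne $evt) -and ($evt.TimeCreated -ge $lastBoot)

    $note = if (-not $configured) { 'Not configured' }
            elseif (-not $running) { 'Configured but not active: reboot pending, or a policy/agent overrides it' }
            else { 'OK' }

    [pscustomobject]@{
        RegistryValue = $configured
        RunningAsPPL  = $running
        LastBoot      = $lastBoot
        Note          = $note
    }
}

Test-LsaProtection
```

Before enabling the UEFI lock fleet-wide, run with `Enable-LsaProtection -NoUefiLock` on a pilot group and check the System log for LSASS plug-in load failures: any authentication package or credential provider that is not signed for PPL will be refused, and that is the case you want to find while the setting is still a registry value you can delete.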
---
## Compliance Alignment
- **NIST SP 800-207:** Zero Trust Architecture (Principle of Least Privilege).
- **CIS Controls:** Control 5 (Account Management) and Control 6 (Access Control Management).
- **Microsoft Security Model:** Enterprise Access Model (the successor to the legacy Tier Model in Microsoft's "Securing Privileged Access" guidance).
---
## Common Pitfalls to Avoid
- **Administrative "Bridge" Accounts:** Using the same account for daily email/web browsing and server administration.
- **Bi-directional Trusts:** A two-way trust between the Admin Forest and the production forest lets anyone holding a production credential authenticate into the management zone; the trust must be one-way (production trusts admin), with selective authentication.
- **Ignoring Local Admins:** Sharing one local administrator password across hosts means a single SAM or LSASS dump opens every workstation; use LAPS so each host has a unique, regularly rotated password.
- **Flat Service Accounts:** Allowing service accounts to have Domain Admin privileges or access to multiple tiers.
---
## Resources
- **BloodHound:** `github[.]com/BloodHoundAD/BloodHound` (attack-path mapping; this is the legacy repository, current BloodHound CE development is under `github[.]com/SpecterOps/BloodHound`)
- **NetExec:** `github[.]com/Pennyw0rth/NetExec` (Network assessment tool)
- **Microsoft Documentation:** "Securing Privileged Access" (ESAE/Tiering guidance)
- **Mimikatz:** `github[.]com/gentilkiwi/mimikatz` (credential-dumping tool; useful for validating LSA protection and tier isolation in a lab, not on production hosts)