90%+ of ransomware attacks involve Active Directory compromise to deploy at scale
Tier 0 access is the goal — once attackers control AD, they own everything
47% of organizations have had admin credentials exposed in a breach (Mandiant 2024)
15 minutes: typical time from initial foothold to domain admin in poorly segmented environments

Active Directory is the keys to the kingdom in Windows enterprise environments. Every domain-joined workstation, server, and application trusts AD for authentication and authorization. When threat actors achieve Domain Admin access — and in most ransomware incidents they do — they can deploy ransomware to every domain-joined system simultaneously, create persistent backdoor accounts, and export the entire credential database (NTDS.dit). The Active Directory tiering model is a credential isolation architecture that prevents an attacker who compromises a workstation from escalating to Domain Admin by eliminating the paths between administrative tiers.

Why AD Gets Compromised: The Lateral Movement Problem

Most AD compromises follow a predictable path: workstation compromise via phishing, credential theft from the compromised workstation memory, credential reuse to access additional systems, and progressive escalation until Domain Admin is achieved. The tiering model breaks this chain at the credential layer.

Credential theft from memory

When an administrator logs into a workstation interactively, Windows caches credentials in LSASS memory. Mimikatz and similar tools extract plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS. Any account that has logged into a compromised workstation is effectively compromised.

Pass-the-Hash and Pass-the-Ticket

Stolen NTLM hashes and Kerberos tickets can authenticate to other systems without knowing the plaintext password. An attacker who steals a Domain Admin hash from a compromised workstation has Domain Admin access — the hash is the credential.

The admin-workstation contamination problem

In organizations without tier separation, a Domain Admin account is used to log into user workstations for helpdesk tasks. Any workstation compromise in the environment exposes Domain Admin credentials. This is the fundamental problem the tiering model solves.

The Three Tiers: Definition and Boundaries

The tiering model segregates AD resources and their administrative accounts into three tiers based on the blast radius of compromise. The core rule: accounts from a higher-numbered (lower-privilege) tier must never log into systems in a lower-numbered (higher-privilege) tier.

Tier 0 — Control Plane

The highest-sensitivity tier. Contains: Domain Controllers, AD Connect servers, PKI/CA infrastructure, federation servers (ADFS), privileged identity management systems (PAM tools), and any system that can directly modify AD objects or authentication. Tier 0 accounts have unrestricted AD control. Compromise of Tier 0 = complete domain compromise.

Tier 1 — Servers and Applications

Contains: member servers, application servers, database servers, virtualization infrastructure (VMware vCenter, Hyper-V), and cloud management interfaces. Tier 1 accounts administer these systems but have no rights on Domain Controllers or Tier 0 systems.

Tier 2 — Workstations and End Users

Contains: user workstations, laptops, helpdesk-managed devices, and end-user accounts. Tier 2 accounts (helpdesk admin, workstation local admin) have rights on workstations but no rights on Tier 1 servers or Tier 0 systems.

The golden rule

A Tier 2 admin account must never log into a Tier 1 server or Tier 0 system. A Tier 1 admin account must never log into a Tier 0 system. Violation of this rule propagates credential exposure upward through the tiers. Technical controls (logon restrictions, Authentication Policies) enforce this boundary.


Implementing Tier Boundaries: Technical Controls

Tier separation depends on preventing accounts from one tier logging into systems of a different tier. This requires a combination of Group Policy, Authentication Policies, and Protected Users group membership.

User Rights Assignment via Group Policy

Use Group Policy to deny interactive logon rights for accounts from higher tiers on lower-tier systems. 'Deny log on locally,' 'Deny log on through Remote Desktop Services,' and 'Deny access to this computer from the network' GPOs applied to Tier 0/1 admin account groups on Tier 2 systems prevent the most common contamination paths.

Authentication Policies (Windows Server 2012 R2+)

Authentication Policies are AD objects that control, at the KDC, the devices from which an account may obtain a Kerberos TGT and the systems it may authenticate to. A Tier 0 Authentication Policy can restrict Tier 0 admin accounts to authenticating only from and to Tier 0 systems. This is a more robust control than GPO because it is enforced at the KDC, not on the client.

Protected Users Security Group

Add Tier 0 accounts to the Protected Users group. This prevents NTLM authentication (Kerberos only), disables credential caching, removes Kerberos delegation, and forces short ticket lifetimes. Protected Users membership significantly reduces the attack surface for credential theft from Tier 0 accounts.
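One way to implement the Tier 0 Authentication Policy and Protected Users controls described above, as an added PowerShell example that is not the article's own code. The account, host and policy names are hypothetical, and it assumes the ActiveDirectory module, a Windows Server 2012 R2 or later domain functional level, and the Kerberos armoring and claims support GPO settings already enabled on the KDC and clients.

```powershell
# Added example (not from the original article): put Tier 0 admin accounts and
# Tier 0 hosts in an Authentication Policy silo enforced by the KDC, then add
# the admin accounts to Protected Users. All names below are hypothetical.
# Assumes: ActiveDirectory module, DFL >= Windows Server 2012 R2, and the
# "KDC/Kerberos client support for claims, compound authentication and
# Kerberos armoring" GPO settings already enabled.
Import-Module ActiveDirectory

$siloName    = 'Tier0-Silo'
$tier0Admins = @('t0-adm-alice', 't0-adm-bob')
$tier0Hosts  = @('DC01', 'DC02', 'ADCS01', 'PAW-T0-01')   # PAWs are Tier 0 too

# SDDL with a claim condition: issue a user TGT only when the requesting device
# is itself a member of the Tier 0 silo (the form Microsoft documents).
$fromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# User policy: 4-hour TGT lifetime, TGTs only from silo member devices.
$userPolicy = New-ADAuthenticationPolicy -Name 'Tier0-UserPolicy' `
    -UserTGTLifetimeMins 240 -UserAllowedToAuthenticateFrom $fromSilo `
    -Enforce -PassThru

# Computer policy for the Tier 0 hosts themselves.
$computerPolicy = New-ADAuthenticationPolicy -Name 'Tier0-ComputerPolicy' `
    -ComputerTGTLifetimeMins 120 -Enforce -PassThru

# Omit -Enforce on the first rollout: the KDC then only logs what it would
# have blocked, so violations can be fixed before anything breaks.
$silo = New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $userPolicy `
    -ComputerAuthenticationPolicy $computerPolicy `
    -Enforce -PassThru

# Each member must first be granted access to the silo, then assigned to it.
foreach ($name in $tier0Admins) {
    $u = Get-ADUser -Identity $name
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $u
    Set-ADAccountAuthenticationPolicySilo -Identity $u -AuthenticationPolicySilo $silo
    # Protected Users: Kerberos only, no NTLM, no delegation, no cached creds.
    # Only user accounts go here; never computer or service accounts.
    Add-ADGroupMember -Identity 'Protected Users' -Members $u
}
foreach ($name in $tier0Hosts) {
    $c = Get-ADComputer -Identity $name
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $c
    Set-ADAccountAuthenticationPolicySilo -Identity $c -AuthenticationPolicySilo $silo
}
```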

Restricted Admin Mode for RDP

Standard RDP sends the user's credentials to the remote system, exposing them to theft on a compromised host. Restricted Admin Mode authenticates the session without transmitting reusable credentials to the target; outbound connections from that session run under the target machine's own account rather than the administrator's. Enable Restricted Admin for all Tier 0 and Tier 1 administrative RDP sessions.

Local Administrator Password Solution (LAPS)

LAPS generates unique, random local administrator passwords for each domain-joined computer and stores them in AD. This eliminates the lateral movement vector of shared local admin passwords — a compromised workstation's local admin password cannot be reused on other workstations.

Privileged Access Workstations (PAWs)

A Privileged Access Workstation (PAW) is a hardened, dedicated workstation used exclusively for privileged administrative tasks. Tier 0 administrators use a dedicated PAW to manage Domain Controllers — never their regular workstation. The PAW's hardened configuration and internet isolation prevent credential theft from the administrative session.

A PAW is not about making the administrator's life harder — it is about ensuring that the most powerful accounts in the environment are never exposed on the most targeted systems in the environment.

Microsoft Privileged Access Workstation Documentation

PAW hardware and OS hardening

PAWs should be physically separate devices (not VMs on shared infrastructure that could be compromised), running Windows 10/11 with Secure Boot, a UEFI firmware password, BitLocker, and Credential Guard enabled. No email client, no web browser except for allowed administrative URLs, and no user productivity applications.

Internet isolation

PAWs should have no internet access, or severely restricted outbound access (administrative URLs only). Initial compromise through phishing requires internet access; PAW internet isolation eliminates this vector.

Jump server alternative

Where dedicated PAW hardware is not feasible, a hardened jump server accessed via RDP from the administrator's workstation provides partial isolation. Tier 0 tasks are performed on the jump server, keeping Tier 0 credentials off the administrator's regular workstation. Less secure than a physical PAW but a significant improvement over no isolation.

PAW management

PAWs are Tier 0 systems and must be managed by Tier 0 accounts via Tier 0 management infrastructure. A PAW managed through regular IT tooling (SCCM, regular GPO) that could be compromised by a Tier 2 attacker undermines the architecture.

Privileged Account Hygiene

Tier separation is architectural; privileged account hygiene is operational. Both are required.

Dedicated admin accounts

Administrators must have separate accounts for administrative tasks versus day-to-day work. A Domain Admin should use a standard user account for email and web browsing, and a separate Tier 0 admin account (on a PAW) for DC administration. The admin account has no mailbox and no browser access.

No permanent Tier 0 membership

Minimize permanent membership in Domain Admins, Enterprise Admins, and Schema Admins. Use just-in-time (JIT) privileged access — elevate to Tier 0 access for specific tasks with time-bounded tokens, then de-elevate. Microsoft Entra PIM and PAM solutions (CyberArk, BeyondTrust) enable JIT privileged access.

Service account management

Service accounts are high-value attack targets. Replace standard service accounts with Group Managed Service Accounts (gMSA) where possible — gMSAs use automatically managed, long complex passwords that are not exposed to administrators. For legacy service accounts, use unique passwords stored in a PAM vault.

Admin account inventory

Maintain a complete inventory of all accounts with administrative privileges across all tiers. Audit quarterly for accounts that have accumulated unnecessary privileges (privilege creep). Remove privileged access immediately upon role change or termination.

Monitoring for Tier Boundary Violations

Technical controls prevent many tier violations; monitoring detects violations that technical controls miss or that attackers actively attempt.

Alert on cross-tier logon events

Alert immediately on any event where a Tier 0 account authenticates to a non-Tier 0 system, or a Tier 1 account authenticates to a Tier 0 system. Windows event ID 4624 with logon type 3 (network) or 10 (RemoteInteractive) provides the data; SIEM correlation against tier membership provides the alert logic.

Domain Controller authentication monitoring

All interactive and remote logons to Domain Controllers are high-sensitivity events. Alert on any logon to a DC by an account that is not in the approved Tier 0 administrative accounts list.
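The cross-tier and Domain Controller logon alerting described in the two sections above, as an added PowerShell example that is not part of the article. The tier inventories and the 4624-shaped event objects are constructed samples; in production the events would come from Get-WinEvent on the Security log or from the SIEM.

```powershell
# Added example (not from the original article): correlate 4624 logon events
# against a tier inventory and emit one alert line per cross-tier logon.
# The inventories and events below are constructed samples; in production feed
# the function objects built from Get-WinEvent (Security log, Id 4624) or a SIEM.
$accountTier = @{ 'T0-ADM-ALICE' = 0; 'T1-ADM-CAROL' = 1; 'HD-ADM-DAVE' = 2 }
$hostTier    = @{ 'DC01' = 0; 'ADCS01' = 0; 'SQL01' = 1; 'WS-0042' = 2 }

function Get-TierViolations {
    param([Parameter(Mandatory)][object[]]$LogonEvents)

    foreach ($e in $LogonEvents) {
        # The article's rule keys on network (3) and RemoteInteractive (10) logons.
        if ($e.LogonType -notin @(3, 10)) { continue }
        $acct = $e.TargetUserName.ToUpperInvariant()
        $comp = ($e.Computer -split '\.')[0].ToUpperInvariant()   # drop DNS suffix
        if (-not $hostTier.ContainsKey($comp)) { continue }       # untiered host: an inventory gap, not alerted here
        $h = $hostTier[$comp]
        # An account missing from the inventory is treated as Tier 2, so any
        # unapproved account logging on to a DC surfaces as a violation.
        $a = if ($accountTier.ContainsKey($acct)) { $accountTier[$acct] } else { 2 }
        if ($a -lt $h) {
            # Higher-privilege credential exposed on a lower-tier host.
            "EXPOSURE: Tier $a account $acct logged on to Tier $h host $comp (type $($e.LogonType)) from $($e.IpAddress)"
        } elseif ($a -gt $h) {
            # Lower-tier account reaching a higher-tier host.
            "ESCALATION: Tier $a account $acct logged on to Tier $h host $comp (type $($e.LogonType)) from $($e.IpAddress)"
        }
    }
}

# Constructed sample events, shaped like the relevant fields of a 4624 event.
$sample = @(
    [pscustomobject]@{ TargetUserName = 't0-adm-alice'; LogonType = 10; Computer = 'DC01.corp.example';    IpAddress = '10.0.0.50' }  # expected
    [pscustomobject]@{ TargetUserName = 't0-adm-alice'; LogonType = 10; Computer = 'WS-0042.corp.example'; IpAddress = '10.0.9.9'  }  # Tier 0 creds on a workstation
    [pscustomobject]@{ TargetUserName = 't1-adm-carol'; LogonType = 3;  Computer = 'DC01.corp.example';    IpAddress = '10.0.1.7'  }  # Tier 1 reaching a DC
    [pscustomobject]@{ TargetUserName = 'jsmith';       LogonType = 3;  Computer = 'ADCS01.corp.example';  IpAddress = '10.0.9.3'  }  # unapproved account on Tier 0
    [pscustomobject]@{ TargetUserName = 'hd-adm-dave';  LogonType = 2;  Computer = 'WS-0042.corp.example'; IpAddress = '-'         }  # interactive, out of scope here
)

Get-TierViolations -LogonEvents $sample
```

Running it against the sample prints three alerts (the workstation exposure, the Tier 1 logon to DC01, and the unapproved account on ADCS01); the first and last events produce nothing.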

BloodHound for attack path analysis

BloodHound ingests AD data and maps attack paths from any starting point to Domain Admin. Run BloodHound regularly against your environment to identify paths that bypass intended tier boundaries before attackers find them. Focus on paths from Tier 2 assets to Tier 0 — these are the most critical to eliminate.

The bottom line

The Active Directory tiering model is not optional for organizations that want to prevent ransomware from achieving domain-wide deployment. The implementation is neither quick nor simple — it requires dedicated admin accounts, PAWs or jump servers, Authentication Policies, LAPS, and sustained operational discipline to prevent tier contamination. But the return is proportional to the investment: organizations with mature tier implementation survive ransomware intrusions as workstation-level incidents rather than domain-wide disasters.

Frequently asked questions

What is the Active Directory tiering model?

The AD tiering model is a credential isolation architecture that separates administrative accounts and systems into three sensitivity tiers (Tier 0: Domain Controllers and AD infrastructure; Tier 1: servers and applications; Tier 2: workstations and end users). The core rule is that administrative accounts from a higher-numbered tier are never used to log into lower-numbered tier systems. This prevents an attacker who compromises a workstation from obtaining credentials that work on Domain Controllers.

Why is Active Directory the primary target in ransomware attacks?

Domain Admin access in Active Directory allows an attacker to: deploy software (ransomware) to all domain-joined systems simultaneously via Group Policy, create persistent backdoor accounts that survive remediation, export the entire AD credential database (NTDS.dit containing all password hashes), and disable security tools via policy. It is the highest-leverage position in a Windows enterprise environment, which is why threat actors prioritize achieving it before deploying ransomware.

What is a Privileged Access Workstation (PAW)?

A PAW is a hardened, dedicated workstation used exclusively for privileged administrative tasks, with no email, no general web browsing, and no user productivity applications. Tier 0 administrators use a physical PAW (not a VM) to log into Domain Controllers, keeping Tier 0 credentials off regular workstations that are at constant risk of phishing compromise. PAWs are network-isolated from internet access to prevent credential theft via the administrative session.

What is LAPS and why does it matter for AD security?

LAPS (Local Administrator Password Solution) is a Microsoft tool that generates unique, random local administrator passwords for each domain-joined computer and stores them in an AD attribute with access controls. Without LAPS, organizations typically use shared local admin passwords across all workstations — an attacker who discovers the shared password through one compromise can authenticate to all workstations. LAPS eliminates this lateral movement vector.

What is BloodHound and how is it used defensively?

BloodHound is an open source tool that maps Active Directory attack paths using graph theory. It ingests AD relationship data (group memberships, session data, ACLs) and identifies shortest paths from any starting node to Domain Admin. Defensively, security teams run BloodHound against their own environment to find unintended privilege paths — service account ACL inheritance that grants unexpected AD rights, nested group memberships that reach Tier 0, or Kerberos delegation configurations that create escalation paths. Eliminating these paths reduces the attack surface before adversaries can exploit them.

How long does implementing the AD tiering model take?

A realistic timeline for a medium enterprise (1,000-5,000 users) with no existing tier separation is 6-18 months for meaningful implementation. The project requires: admin account inventory and restructuring, PAW procurement and configuration, LAPS rollout, Authentication Policy implementation, GPO changes for logon restrictions, and operational discipline training. Tier 0 isolation (Domain Controllers) is the highest-priority starting point and can be achieved in 3-6 months; full three-tier implementation with PAWs is the longer-term target.

Sources & references

  1. Microsoft — Privileged Access: Strategy
  2. Microsoft — Active Directory Administrative Tier Model
  3. CISA — Active Directory Security
  4. Sean Metcalf — AD Security


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
