The purpose of this tier model is to protect identity systems using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.
The tier model is composed of three levels and only includes administrative accounts, not standard user accounts:
- Tier 0 – Direct Control of enterprise identities in the environment.
Tier 0 includes accounts, groups, and other assets that have direct or indirect administrative control of the Active Directory forest, domains, or domain controllers, and all the assets in it. The security sensitivity of all Tier 0 assets is equivalent as they are all effectively in control of each other.
- Tier 1 – Control of enterprise servers and applications.
Tier 1 assets include server operating systems, cloud services, and enterprise applications. Tier 1 administrator accounts have administrative control of a significant amount of business value that is hosted on these assets. A common example role is server administrators who maintain these operating systems with the ability to impact all enterprise services.
- Tier 2 – Control of user workstations and devices.
Tier 2 administrator accounts have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators because they can impact the integrity of almost any user data.
Primary responsibilities and critical restrictions
Tier 0 administrator – manage the identity store and a small number of systems that are in effective control of it, and:
- Can manage and control assets at any level as required
- Can only log on interactively or access assets trusted at the Tier 0 level
Tier 1 administrator – manage enterprise servers, services, and applications, and:
- Can only manage and control assets at the Tier 1 or Tier 2 level
- Can only access assets (via network logon type) that are trusted at the Tier 1 or Tier 0 levels
- Can only interactively log on to assets trusted at the Tier 1 level
Tier 2 administrator – manage enterprise desktops, laptops, printers, and other user devices, and:
- Can only manage and control assets at the Tier 2 level
- Can access assets (via network logon type) at any level as required
- Can only interactively log on to assets trusted at the Tier 2 level
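As an added example (not part of the source text), the following Python encodes the interactive and network logon restrictions of the three tiers exactly as listed above and audits a handful of constructed Windows Security 4624 logon records against them; the account names, host names, tier inventory and the flat Key=Value rendering of the events are all constructed assumptions.

```python
"""Added example (not from the source): encodes the tier logon restrictions
above and audits constructed Windows Security 4624 records against them."""
from __future__ import annotations
from dataclasses import dataclass
INTERACTIVE = {2, 10}  # 4624 LogonType 2 = Interactive, 10 = RemoteInteractive (RDP)
NETWORK = {3}          # LogonType 3 = Network (SMB, WMI, WinRM, remote PowerShell)
# Asset tiers each admin tier may log on to, taken from the restrictions above.
INTERACTIVE_ALLOWED = {0: {0}, 1: {1}, 2: {2}}
NETWORK_ALLOWED = {0: {0}, 1: {0, 1}, 2: {0, 1, 2}}
# Constructed inventory: which tier each admin account and host belongs to.
ACCOUNT_TIER = {"adm-t0-alice": 0, "adm-t1-bob": 1, "adm-t2-carol": 2}
HOST_TIER = {"DC01": 0, "APP01": 1, "WS-4711": 2}

@dataclass
class Logon:
    computer: str    # host on which the 4624 event was logged
    account: str     # TargetUserName
    logon_type: int

def parse_4624(line: str) -> Logon:
    # Parse a constructed flat "Key=Value" rendering of a 4624 event.
    f = dict(kv.split("=", 1) for kv in line.split())
    return Logon(f["Computer"], f["TargetUserName"], int(f["LogonType"]))

def check_logon(evt: Logon) -> str | None:
    # Return a violation description, or None if the logon fits the model.
    acct_tier = ACCOUNT_TIER.get(evt.account)
    if acct_tier is None:
        return None  # standard user: the tier model covers admin accounts only
    host_tier = HOST_TIER[evt.computer]
    if evt.logon_type in INTERACTIVE:
        kind, allowed = "interactive", INTERACTIVE_ALLOWED[acct_tier]
    elif evt.logon_type in NETWORK:
        kind, allowed = "network", NETWORK_ALLOWED[acct_tier]
    else:
        return None  # service, batch and unlock logons are not modelled here
    if host_tier in allowed:
        return None
    return (f"Tier {acct_tier} account {evt.account}: {kind} logon "
            f"(type {evt.logon_type}) to Tier {host_tier} host {evt.computer}")

def audit(lines: list[str]) -> list[str]:
    return [v for v in map(check_logon, map(parse_4624, lines)) if v]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "Computer=WS-4711 TargetUserName=adm-t0-alice LogonType=10",  # Tier 0 RDP to workstation
    "Computer=DC01 TargetUserName=adm-t1-bob LogonType=3",         # Tier 1 network to DC, allowed
    "Computer=WS-4711 TargetUserName=adm-t1-bob LogonType=2",      # Tier 1 console on workstation
    "Computer=APP01 TargetUserName=adm-t2-carol LogonType=3",      # Tier 2 network to server, allowed
    "Computer=APP01 TargetUserName=adm-t2-carol LogonType=10",     # Tier 2 RDP to server
]
```

Running `audit(SAMPLE_EVENTS)` yields three violations (the two interactive logons to the workstation by Tier 0 and Tier 1 accounts, and the Tier 2 RDP session to the server), which are exactly the credential exposures the buffer zones are meant to prevent.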