As you obviously enjoyed our article about Protecting Tier 0 the modern way (thanks for all the comments and feedback!), it is time for the next step: Protecting Tier 1. Different Tier, different challenges.
Updated May 30, 2025
Version 3.0

This is a fantastic follow-up article, thanks for sharing. I do have one question, though. In the scenario you have laid out, it requires T1 admins to log on to a T0 asset (JiT management server). Does this not violate the principles of AD tiering, as T1 admins should not be able to access T0 assets?
IMHO the real core principle of AD tiering is not merely blocking any access to a more privileged tier, but rather:
1) blocking admin access to a more privileged tier (escalation of privileges)
2) blocking the Pass-the-Hash attack path
This is the difference (red arrows in the opposite direction) between "Control restrictions" and "Logon restrictions" in the classic Active Directory administrative tier model.
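The "Logon restrictions" half of that distinction is the one that closes the Pass-the-Hash path: higher-tier admin accounts must never leave a reusable credential on a lower-tier host, which in practice means the Tier 0 admin groups have to appear in every "Deny log on ..." user-rights assignment on Tier 1 systems. The script below is an added example (not from the article or from the comment above) that audits exactly that on a host. It assumes it runs in an elevated PowerShell session on a domain-joined Tier 1 member server; `CONTOSO` and the `Tier0-Admins` group are placeholders for your own domain and tiering groups.

```powershell
# Added example, not part of the original article or comment thread.
# Exports the effective local security policy with secedit, parses the
# [Privilege Rights] section and reports every Tier 0 admin group that is
# NOT denied one of the five logon types on this (assumed Tier 1) host.
# Assumptions: elevated session, domain-joined member server; the domain
# name and the Tier0-Admins group below are hypothetical placeholders.

$Tier0Groups = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins',
    'CONTOSO\Tier0-Admins'      # hypothetical custom Tier 0 admin group
)

# Every logon type that would leave a reusable credential or token on the host.
$DenyRights = @(
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Remote Desktop Services
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyServiceLogonRight'             # Deny log on as a service
)

function Get-UserRightsAssignment {
    # Returns a hashtable: right name -> array of raw entries as written by secedit.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-RightEntry {
    # secedit writes SIDs as *S-1-5-... and some principals by name; normalise to DOMAIN\Name.
    param([string]$Entry)
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # orphaned or unresolvable SID: keep the raw value so it stays visible
        }
    }
    return $Entry
}

function Test-Tier0LogonDenied {
    # Emits one finding per (right, group) pair where the group is missing from the deny list.
    param([hashtable]$Assigned, [string[]]$Groups, [string[]]$Rights)
    foreach ($right in $Rights) {
        $present = @()
        if ($Assigned.ContainsKey($right)) {
            $present = @($Assigned[$right] | ForEach-Object { Resolve-RightEntry $_ })
        }
        foreach ($group in $Groups) {
            if ($present -notcontains $group) {   # -notcontains compares case-insensitively
                [pscustomobject]@{
                    Right           = $right
                    MissingGroup    = $group
                    CurrentlyDenied = ($present -join '; ')
                }
            }
        }
    }
}

$findings = @(Test-Tier0LogonDenied -Assigned (Get-UserRightsAssignment) -Groups $Tier0Groups -Rights $DenyRights)
if ($findings.Count -eq 0) {
    Write-Output 'OK: every Tier 0 group is denied all five logon types on this host.'
} else {
    Write-Warning ('{0} logon-restriction gap(s) found:' -f $findings.Count)
    $findings | Format-Table -AutoSize
}
```

Because `secedit /export` reflects the effective policy (local settings plus whatever Group Policy has applied), a gap reported here means a Tier 0 credential could actually be used on this host, which is the PtH exposure the second point above is about. Rights that have no assignment at all do not appear in the export; the script treats those as "nobody denied" rather than skipping them.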