Protect Tier 1. Sleep well at Night.

Microsoft

May 29, 2025

As you obviously enjoyed our article about Protecting Tier 0 the modern way (thanks for all the comments and feedback!), it is time for the next step: Protecting Tier 1. Different Tier, different challenges.

In case you have not yet protected Tier 0, consider reviewing our article about protecting Tier 0 the modern way. Tier 1 is more difficult to outline as there are typically different security ...

Updated May 30, 2025

Version 3.0

active direcory

Active Directory (AD)

DagmarHeidecker

JIT

Just in Time (JIT)

Tiered Administration

DagmarHeidecker

Microsoft

Joined January 02, 2019

View Profile

Core Infrastructure and Security Blog

Follow this blog board to get notified when there's new activity

natehutch

Brass Contributor

Jun 07, 2025

This is a fantastic follow up article, thanks for sharing. I do have one question though. In the scenario you have laid out, it requires T1 admins to logon to a T0 asset (JiT management server). Does this not violate the principles of AD tiering as T1 admins should not be able to access T0 assets?

Rafal_Fitt

Iron Contributor

Jun 13, 2025

IMHO the real core principle of AD tiering is not merely blocking any access to more privileged tier, but rather:
1) blocking admin access to more privileged tier (escalation of privileges)
2) blocking Pass-the-Hash attack path

This is the diff (red arrows in the opposite direction) between "Control restrictions" and "Logon restrictions" in the classic Active Directory administrative tier model

Blog Post

Protect Tier 1. Sleep well at Night.

As you obviously enjoyed our article about Protecting Tier 0 the modern way (thanks for all the comments and feedback!), it is time for the next step: Protecting Tier 1. Different Tier, different challenges.