As you obviously enjoyed our article about Protecting Tier 0 the modern way (thanks for all the comments and feedback!), it is time for the next step: Protecting Tier 1. Different Tier, different challenges.
Updated May 30, 2025
Version 3.0

If a T2 admin (compromised or not) created the T1 group before the JIT solution was in place, there could be a case where they can still add or remove users at will, leading to privilege escalation. Even if TTL members are removed, non-TTL users they added would persist.
There should also be safeguards like resetting ACLs and verifying/removing the group owner and the “managed by” field to prevent this scenario.
I haven’t read all the code yet, so maybe this case is already handled or impossible, but it might be worth mentioning it.
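The three safeguards raised in the comment above (checking the "managed by" manager, the owner and ACL of the group object, and the non-TTL members that a JIT workflow would never expire) can be checked from one audit script. The following is an added example, not code from the article or from the commenter; the group name `T1-JIT-ServerAdmins`, the `CONTOSO` domain, the `svc-JIT` account and the `$TrustedPrincipals` allow-list are placeholders, and the `-Remediate` switch is this script's own convention (the default is report-only). It needs the RSAT ActiveDirectory module and the `AD:` drive it provides.

```powershell
# Added example (not from the article or the comment above): audit a Tier 1 JIT group
# for control paths that predate the JIT solution. Requires the ActiveDirectory module
# (RSAT) and the AD: PSDrive it creates. Group name and allow-list are placeholders.
param(
    [string]$GroupName = 'T1-JIT-ServerAdmins',            # placeholder Tier 1 JIT group
    [string[]]$TrustedPrincipals = @(                      # placeholder allow-list
        'NT AUTHORITY\SYSTEM',
        'CONTOSO\Domain Admins',
        'CONTOSO\Enterprise Admins',
        'CONTOSO\svc-JIT'                                   # the JIT solution's own identity
    ),
    [switch]$Remediate                                      # default is report-only
)

Import-Module ActiveDirectory -ErrorAction Stop

$group = Get-ADGroup -Identity $GroupName -Properties managedBy, whenCreated, whenChanged
Write-Output "Group $($group.DistinguishedName) created $($group.whenCreated)"

# 1. managedBy: the listed manager can be granted membership-update rights without holding
#    any other admin role, so a Tier 1 JIT group should not carry a leftover manager.
if ($group.managedBy) {
    Write-Warning "managedBy is set to '$($group.managedBy)'"
    if ($Remediate) { Set-ADGroup -Identity $group -Clear managedBy }
}

# 2. Owner and DACL: any principal outside the allow-list holding write rights on the group
#    object can change membership regardless of what the JIT workflow does.
$acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
if ($TrustedPrincipals -notcontains $acl.Owner) {
    Write-Warning "Object owner is '$($acl.Owner)'; an owner can rewrite the DACL"
}

$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

$suspectAces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
    ($TrustedPrincipals -notcontains $_.IdentityReference.Value)
})

foreach ($ace in $suspectAces) {
    Write-Warning ("Write ACE for {0}: {1} (inherited: {2})" -f
        $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.IsInherited)
    # Inherited ACEs have to be fixed at the parent OU; only explicit ACEs are removed here.
    if ($Remediate -and -not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}
if ($Remediate -and $suspectAces.Count -gt 0) {
    Set-Acl -Path "AD:\$($group.DistinguishedName)" -AclObject $acl
}

# 3. Membership: entries added through the JIT workflow carry a TTL and expire on their own.
#    -ShowMemberTimeToLive renders them as "<TTL=seconds>,<DN>"; members without that prefix
#    were added some other way and persist until someone removes them.
$members   = (Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
$permanent = @($members | Where-Object { $_ -notmatch '^<TTL=\d+>,' })
foreach ($dn in $permanent) {
    Write-Warning "Permanent (non-TTL) member: $dn"
    if ($Remediate) { Remove-ADGroupMember -Identity $group -Members $dn -Confirm:$false }
}

# Summary object for logging or for a scheduled run across all Tier 1 JIT groups.
[pscustomobject]@{
    Group            = $group.Name
    ManagedBySet     = [bool]$group.managedBy
    Owner            = $acl.Owner
    SuspectWriteAces = $suspectAces.Count
    PermanentMembers = $permanent.Count
}
```

Run it without `-Remediate` first and review the warnings; inherited write rights reported in step 2 point at the OU that holds the group and are not touched by the script, since clearing them on the group alone would only mask the problem until inheritance is re-applied.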