Diving into Tiered Administration

Really? There’s always something wrong in the instructions :-/

Approaches to improving security are always interesting to me. Recently I became aware of tiered administration as an aside in a security video I watched. “10 Work From Home Security Settings You Can Implement Now to Block Attackers.” Very good. Watch if you can. The intro to tiering admin credentials and systems begins at about 30:10. That started the dive for me!

There are many background and architectural articles on Microsoft.com. They talk ideas and generalization with really bad confusing graphics (imho). However, I found one article that promised to step through the process of setting up Tiered Administration, Initially Isolate Tier 0 Assets with Group Policy to Start Administrative Tiering – Microsoft Tech Community.

I followed the steps and it didn’t result in Domain Admins members being prevented logon to a member server or workstation. I repeated the process several times to be certain I hadn’t overlooked something and got the same lack of result each time.

The Group Policy precedence in the article didn’t work. The precedence in a comment to the article that stated the precedence in the article was wrong, also didn’t work.

At that point I put together a chart to track the hosts, accounts, policies, and security groups I was using. With the chart, and patiently changing one attribute at a time and repeating logon tests, I finally found a combination that worked!!

Great, Tier0 accounts couldn’t logon to anything except Tier0 assets. Now start trying other things in my virtual environment to find out what needs to be accounted for if migrating a domain to the restricted accounts model.

It didn’t take long to find there’s also something else Tier0 Domain Admins accounts couldn’t do, they couldn’t install software on Tier1 & 2 assets any longer. The Tier0 accounts couldn’t logon and there were no dedicated Tier1 or 2 accounts to use. (Should have tried the app server’s local admin for logon. Then try s/w install and see if could use Tier0 credential to perform s/w install.) Members of Local Administrators group can install software. Domain Admins group is in the local Administrators group. So any member of Domain Admins should be able to install software.

If a Tier0 account is in the group that limits logon on to only Tier0 assets then it cannot logon and install software on Tier1 & 2 assets. So, have Tier0 accounts restricted to Tier0 assets but how are Tier1 and 2 assets going to be managed?

Nowhere in the article is this limitation mentioned! Set up Tier0 admins and suddenly Tier1 & 2 assets can’t be managed with any Domain Admin group account. A real problem.

Back to my trusty charts. Create new security groups and Group Policies after spending some time trying to understand the policies and how they’re being applied. Then start testing.

Seems my head scratching after discovering the problem and before trying to produce a solution worked. I came up with a scheme that doesn’t change the working Tier0 accounts and hosts settings and gives Tier1 accounts access to Tier1 assets but not Tier0 assets. Still a bit more testing to confirm Tier1 can’t access Tier2. Then testing to confirm able to create Tier2 accounts. Then check the effect on service accounts which currently are admin accounts used only for function of certain software, e.g. manage audit settings to capture and report changes in the environment.

Anyhow this screed was about two things really. My satisfaction standing up a Tiered Admin environment (at least the beginnings, in test) and my growing frustration over technology implementation articles written as step-wise instruction that just don’t work (Tiered Admin, Certificate Services, Federation Services to name a few), and that leave out really important information like, “if you do this, you loose admin access to Tier1 & 2 assets.”

The “how to articles” that don’t actually work are all from Microsoft.com URLs. A third party site getting it wrong, frustrating but not feeling misinformed by an authority I should be able to trust. After all, not Microsoft. An article on Microsoft.com that says “do this” get “that result” that’s wrong or incomplete, very frustrating! If you can’t trust Microsoft about how to use its software then who are you going to trust?