Active Directory is more than just a complex hierarchical directory system; it effectively functions as the Identity Perimeter of an organization's enterprise network. Specifically, the Active Directory Forest is what serves as the ultimate security boundary, while individual domains act as management boundaries.
Not all Active Directory setups are configured equally. When an AD environment is not actively maintained, it becomes misconfigured and over-trusted, resulting in doors being left open for potential breaches in the event of a system compromise.
Most breaches stem from over-privileged accounts, misconfigurations, legacy compatibility decisions, and inadequate operational hygiene.
Over time, these risks accumulate as AD environments are left unattended. Like any critical administrative system, consistent management and adherence to best practices are essential.
A successful breach does not automatically grant full domain control. Instead, attackers must navigate chains of misconfigurations and trust relationships to escalate privileges. These chains are known as attack paths.
AD environments often accumulate unused user accounts that are no longer monitored, including accounts belonging to former employees that were never disabled.
Over-privileged accounts often emerge when users are added to groups over time. Sometimes the group was for a temporary project; other times the user transferred to a different department. In both cases the old group memberships are rarely removed. As a result, many AD environments contain unused yet enabled accounts, some of which retain unnecessary group memberships and elevated privileges.
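The sweep below is an added example, not part of the original article: it lists enabled accounts that have not logged on within a threshold and shows which of them still sit, directly or through nested groups, in a privileged group. It assumes the RSAT ActiveDirectory module and read access to the domain; the 90-day threshold and the privileged-group list are assumptions to adjust for your environment.

```powershell
# Added example, not from the article: find enabled AD accounts that have not
# logged on for a while and show what access they still carry. Requires the
# RSAT ActiveDirectory module and domain read access; the threshold and the
# privileged-group list are assumptions to adjust for your environment.
Import-Module ActiveDirectory

$StaleDays        = 90                                   # assumption
$Cutoff           = (Get-Date).AddDays(-$StaleDays)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Schema Admins', 'Account Operators', 'Server Operators',
                      'Backup Operators', 'DnsAdmins')    # assumption: your Tier 0 set

# Build a SID -> privileged group(s) lookup, resolving nested membership so that
# a user who is privileged only via "Helpdesk -> Account Operators" is not missed.
$PrivilegedBy = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $PrivilegedBy[$_.SID.Value] += @($g) }
}

# LastLogonDate is computed from lastLogonTimestamp, which replicates with up to
# ~14 days of lag: fine for a staleness sweep, not precise enough for forensics.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' `
             -Properties LastLogonDate, PasswordLastSet, MemberOf, Description |
         Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

$Report = foreach ($u in $Stale) {
    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        LastLogonDate   = $u.LastLogonDate          # $null = never logged on
        PasswordLastSet = $u.PasswordLastSet
        DirectGroups    = @($u.MemberOf).Count
        PrivilegedVia   = (@($PrivilegedBy[$u.SID.Value]) -join ';')
        Description     = $u.Description
    }
}

# Privileged stale accounts first: an enabled, unwatched admin account is the
# cheapest foothold an attacker can hope for.
$Report | Sort-Object @{ Expression = { $_.PrivilegedVia -ne '' }; Descending = $true },
                      LastLogonDate |
          Format-Table -AutoSize

# Remediation step: disable rather than delete, so a false positive is reversible.
# Remove -WhatIf once the report has been reviewed with the account owners.
$Report | Where-Object PrivilegedVia |
    ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Disabling instead of deleting keeps the SID, group memberships and history intact for the case where the account turns out to be in use (a quarterly batch job is the classic surprise); deletion can follow once the account has sat disabled for a full cycle without complaint.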
Some environments still operate with outdated security protocols such as NTLMv1 or SMBv1. If AD isn't actively updated, these "doors" remain unlocked.
Then there are unmonitored service accounts. These are special accounts in AD designed for applications to authenticate to services and resources within the AD environment. These accounts frequently have Service Principal Names (SPNs) registered, making them common targets for Kerberoasting attacks.
Service accounts are often left unattended, with static passwords and excessive permissions, which opens a silent path for lateral movement. Modern best practice is to migrate these to Group Managed Service Accounts (gMSAs), which automate password rotation and significantly reduce Kerberoasting risk.
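To make the SPN and gMSA points concrete, here is an added example (not code from the article) that inventories the user accounts carrying SPNs, reports their password age and permitted Kerberos encryption types, and then shows the gMSA path for replacing one of them. It assumes the RSAT ActiveDirectory module on a domain-joined admin host; the account, group, SPN and DNS names and the password-age threshold are assumptions.

```powershell
# Added example, not from the article: inventory user accounts that carry SPNs
# (the Kerberoasting-exposed set), then show the gMSA path for replacing one.
# Requires the RSAT ActiveDirectory module; all names and thresholds are assumptions.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365                                  # assumption
$Cutoff             = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# msDS-SupportedEncryptionTypes bit flags (Microsoft-defined): 4 = RC4-HMAC,
# 8 = AES128, 16 = AES256. With the attribute unset on a user the KDC still
# permits RC4 by default, which is the fast-to-crack case for Kerberoasting.
function Get-EtypeSummary([int]$Value) {
    if ($Value -eq 0)      { return 'unset (RC4 allowed)' }
    $names = @()
    if ($Value -band 4)    { $names += 'RC4' }
    if ($Value -band 8)    { $names += 'AES128' }
    if ($Value -band 16)   { $names += 'AES256' }
    return ($names -join '+')
}

# Only *user* objects matter here: computer and gMSA passwords rotate automatically
# and are long random strings, so a ticket for them is not practically crackable.
# krbtgt will appear by design; its password is rotated on its own schedule.
$SpnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(objectClass=computer)))' `
                -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes',
                            AdminCount, MemberOf, Enabled

$SpnUsers | ForEach-Object {
    [PSCustomObject]@{
        Account         = $_.SamAccountName
        Enabled         = $_.Enabled
        SPNs            = @($_.ServicePrincipalName).Count
        PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        StalePassword   = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $Cutoff)
        Etypes          = Get-EtypeSummary ([int]$_.'msDS-SupportedEncryptionTypes')
        AdminCount      = $_.AdminCount            # 1 = member of a protected (privileged) group
        DirectGroups    = @($_.MemberOf).Count
    }
} | Sort-Object AdminCount, StalePassword -Descending | Format-Table -AutoSize

# --- Replacing one of them with a Group Managed Service Account ---------------
# One-time forest prerequisite: a KDS root key. In production wait ~10 hours for
# it to replicate to all DCs; -EffectiveImmediately is for lab use only.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Assumed names: the gMSA, the group of hosts allowed to fetch its password, and
# the SPN it will own. Only members of that group can retrieve the password.
$Gmsa      = 'gmsa-webapp'                 # assumption
$HostGroup = 'WebApp-Servers'              # assumption: a group containing the app hosts
$Spn       = 'HTTP/webapp.corp.example'    # assumption
New-ADServiceAccount -Name $Gmsa -DNSHostName "$Gmsa.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ServicePrincipalNames $Spn `
    -KerberosEncryptionType AES128, AES256      # no RC4 for the new principal

# Then on each app host (rebooted after joining $HostGroup so its token carries
# the new group), install and verify before repointing the service:
#   Install-ADServiceAccount -Identity $Gmsa
#   Test-ADServiceAccount   -Identity $Gmsa     # $true = password retrievable
# Finally remove the SPN from the old user account (duplicate SPNs break Kerberos)
# and disable that account once the service is confirmed running as the gMSA.
```

The ordering in the report is deliberate: an SPN account with `AdminCount = 1`, a years-old password and RC4 still permitted is the worst combination, because a cracked ticket for it yields a privileged identity directly. Until the migration lands, setting that account to AES-only and rotating its password to a long random value removes most of the practical risk.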
Modern attack mapping tools such as BloodHound visually demonstrate how small misconfigurations combine into privilege escalation chains. Attackers use tools like BloodHound to identify "short-circuit" paths across tiers. For example, a Tier 2 user may be a Local Administrator on a workstation where a Tier 1 Server Admin previously logged in. If that workstation is compromised, the attacker can extract the Tier 1 credential and use it to access a server. From there, they may encounter an active Tier 0 Domain Admin session, allowing escalation to full domain control. This "upward flow" of credentials is precisely what the Enterprise Access Model is designed to prevent.
In an effort to design mitigation strategies, AD management practices have evolved from a "static phonebook" model to a containment and hygiene approach. This evolution is marked by two major architectural frameworks: the Legacy Tier Administrative Model and the modern Enterprise Access Model (EAM).
In 2014, the Tier Administrative Model was introduced as an operational methodology in response to real-world AD compromise patterns, designed to separate trust boundaries in on-premises environments. It was built as a bottom-up, server-centric approach geared towards preventing credential theft.
The methodology is structured around three security tiers:
| Tier | Name | Assets Included | The "Golden Rule" |
|---|---|---|---|
| Tier 0 | Identity Root | Domain Controllers, Forest Admins, Enterprise Admins, Tier 0 Group Policy. | Only log into Tier 0 systems. Never log into Tier 1 or 2. |
| Tier 1 | Server/App | Member Servers, File Shares, SQL Servers, Business Applications. | Admins manage servers but never log into Tier 2 workstations. |
| Tier 2 | User Assets | End-user laptops, Desktops, Print Servers, standard User accounts. | Local admins have no rights to Tier 1 or Tier 0. |
The Golden Rule: Administrative credentials must never cross downward between tiers (e.g., a Tier 0 admin logging into a Tier 2 workstation). This separation is intended to limit credential exposure, break attack paths, and prevent single compromises from escalating into full domain control.
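The Golden Rule is only as good as its enforcement and monitoring, so the following added example (not code from the article) turns the BloodHound scenario above into a detection: it reads Security event 4624 logons, keeps only the logon types that leave reusable credential material on the host, and flags any Tier 0 identity appearing on a Tier 1 or Tier 2 host. The tier mapping, host names and the sample logons at the end are constructed assumptions so the logic runs without a domain; the live path via `Get-WinEvent` is shown in a comment.

```powershell
# Added example, not from the article: detect the tier violation the text warns
# about (a Tier 0 identity logging on to a Tier 1/2 host) from Security event
# 4624. The tier mapping, host names and sample events are constructed assumptions.

# Logon types that leave reusable credential material (LSASS / cached verifier)
# on the target host: 2 interactive, 4 batch, 5 service, 10 RDP, 11 cached.
# Type 3 (network) does not, so it is deliberately not flagged here.
$CredentialExposingLogonTypes = @(2, 4, 5, 10, 11)

# Tier 0 identities: assumption; normally built with
#   Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$Tier0Accounts = @('da-alice', 'da-bob', 'svc-backup-dc')
# Host classification: assumption; normally derived from OU or an asset inventory.
$HostTier = @{ 'DC01' = 0; 'FS01' = 1; 'SQL01' = 1; 'WS-1042' = 2 }

function ConvertFrom-Logon4624 {
    # Pull the fields we need out of a 4624 event's XML payload.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [PSCustomObject]@{
            Time      = $Event.TimeCreated
            Host      = ($Event.MachineName -split '\.')[0]
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            LogonType = [int]$d['LogonType']
            SourceIp  = $d['IpAddress']
        }
    }
}

function Find-TierViolation {
    param([Parameter(ValueFromPipeline)] $Logon)
    process {
        if ($Logon.User -notin $Tier0Accounts)                     { return }
        if ($Logon.LogonType -notin $CredentialExposingLogonTypes) { return }
        $tier = $HostTier[$Logon.Host]
        if ($null -eq $tier) { $tier = 2 }   # unknown host: treat as least trusted
        if ($tier -gt 0) {
            [PSCustomObject]@{
                Time = $Logon.Time; User = $Logon.User; Host = $Logon.Host
                HostTier = $tier; LogonType = $Logon.LogonType; SourceIp = $Logon.SourceIp
                Finding = "Tier 0 credential exposed on Tier $tier host"
            }
        }
    }
}

# Live use (needs Security-log read rights on the host or a forwarded-events collector):
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624 } -MaxEvents 5000 |
#       ConvertFrom-Logon4624 | Find-TierViolation

# Constructed sample logons so the detection logic runs anywhere:
$Sample = @(
    [PSCustomObject]@{ Time='2024-05-01 09:10'; Host='DC01';    User='da-alice';      Domain='CORP'; LogonType=10; SourceIp='10.0.0.5' }  # OK: Tier 0 on Tier 0
    [PSCustomObject]@{ Time='2024-05-01 09:15'; Host='FS01';    User='da-alice';      Domain='CORP'; LogonType=3;  SourceIp='10.0.0.5' }  # OK: network logon, nothing cached
    [PSCustomObject]@{ Time='2024-05-01 09:20'; Host='WS-1042'; User='da-bob';        Domain='CORP'; LogonType=10; SourceIp='10.0.9.9' }  # VIOLATION: RDP to a workstation
    [PSCustomObject]@{ Time='2024-05-01 09:25'; Host='SQL01';   User='svc-backup-dc'; Domain='CORP'; LogonType=5;  SourceIp='-' }         # VIOLATION: Tier 0 service on a server
)
$Sample | Find-TierViolation | Format-Table -AutoSize
```

Detection is the backstop; the preventive control is a Group Policy on the Tier 1 and Tier 2 OUs that assigns the Tier 0 groups to the "Deny log on locally", "Deny log on through Remote Desktop Services", "Deny log on as a batch job" and "Deny log on as a service" user rights, so the violating logons in the sample would fail at the host rather than merely be reported afterwards.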
The EAM represents the evolution and expansion of the Tier Administration model. Rather than focusing on where a server physically sits, the EAM shifts focus to what level of control an identity has, and it accounts for Azure/Entra ID and the tools used to manage those identities.
It introduces a top-down, plane-centric view that accounts for the realities of hybrid and cloud environments. The underlying principle remains unchanged: higher-trust identities must never authenticate to lower-trust systems.
| Plane | Scope | Modern Components | Strategy |
|---|---|---|---|
| Control Plane | Highest Impact | Entra ID Global Admins, Domain Controllers, PKI, Security Policy Engines. | Protect the "source of truth" for all identities. |
| Management Plane | The Bridge | Admin Workstations (PAWs), DevOps Pipelines, PIM/PAM tools, RDP/SSH Gateways. | Isolate the tools and sessions used to manage the Control Plane. |
| User/App Plane | The Surface | SaaS Apps (M365, Salesforce), Laptops, Tablets, IoT, Workload Identities. | Assume the device is compromised; use Zero Trust and Conditional Access. |

| Comparison: Then vs. Now | Legacy Tier Model | Enterprise Access Model (EAM) |
|---|---|---|
| Focus | Server-Centric: Physical & Virtual Servers | Plane-Centric: Identity & Access Sessions |
| Environment | On-Premises Active Directory | Hybrid (AD + Entra ID/Cloud) |
| Strategy | Rigid Infrastructure Segregation | Zero Trust & Conditional Access |
| Control | Administrative Discipline | Automated Policy & PIM/PAM Tools |
The transition from the legacy Tier Administrative Model to the EAM reflects a shift in how boundaries are enforced. In the legacy model, boundaries were largely physical and network-based. In the modern EAM, boundaries are identity-driven, enforced through role separation, token controls, and Privileged Identity Management (PIM).
Whether on-premises or in the cloud, identity remains the primary attack surface. The Enterprise Access Model provides the modern architectural roadmap for protecting it.
Active Directory is a trademark of Microsoft Corporation. This content is for educational purposes and is not affiliated with or endorsed by Microsoft.