> ## Documentation Index
> Fetch the complete documentation index at: https://docs.alchemicalchef.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Active Directory Tier Model

> Implement Microsoft's tiered administrative model to secure your Active Directory environment

The Active Directory tier model is a security architecture that reduces the risk of credential theft and privilege escalation by separating administrative accounts based on the sensitivity of the resources they manage.

## Why Use a Tier Model?

Traditional Active Directory environments often allow administrators to use the same credentials across all systems. This creates a significant security risk: if an attacker compromises a workstation, they can potentially steal credentials that grant access to domain controllers.

The tier model addresses this by enforcing strict separation between administrative tiers, ensuring that high-privilege credentials are never exposed on lower-tier systems.

<Info>
  The tier model implements Microsoft's Enhanced Security Administrative Environment (ESAE) best practices, also known as the "Red Forest" architecture.
</Info>

## The Three Tiers

| Tier       | Name                    | Resources                                      | Examples                                                              |
| ---------- | ----------------------- | ---------------------------------------------- | --------------------------------------------------------------------- |
| **Tier 0** | Identity Infrastructure | Systems that control Active Directory identity | Domain Controllers, ADFS, Certificate Authorities, Azure AD Connect   |
| **Tier 1** | Server Management       | Enterprise servers and applications            | Application servers, database servers, file servers, management tools |
| **Tier 2** | Workstation Management  | User endpoints and their administrators        | Workstations, laptops, help desk systems                              |

### Tier 0 - Identity Infrastructure

Tier 0 contains the most sensitive assets in your environment. Compromise of a Tier 0 system means complete control of your Active Directory forest.

**Protected resources include:**

* Domain Controllers
* Active Directory Federation Services (ADFS)
* Certificate Authorities (PKI)
* Azure AD Connect servers
* Privileged Access Workstations (PAWs) for Tier 0

### Tier 1 - Server Management

Tier 1 contains your enterprise server infrastructure. While critical to operations, compromise of these systems should not directly lead to domain compromise.

**Protected resources include:**

* Application and web servers
* Database servers (SQL, Oracle)
* File and print servers
* System management servers (SCCM, WSUS)

### Tier 2 - Workstation Management

Tier 2 contains user endpoints. These systems are most exposed to attacks through phishing, malware, and physical access.

**Protected resources include:**

* User workstations and laptops
* Help desk and support systems
* VDI infrastructure

## Tier Isolation

The tier model enforces isolation through Group Policy Objects (GPOs) that restrict how administrators can access systems across tiers.

### Isolation Matrix

| Administrator Tier | Can Access Tier 0 | Can Access Tier 1 | Can Access Tier 2 |
| ------------------ | ----------------- | ----------------- | ----------------- |
| Tier 0 Admin       | Yes               | No                | No                |
| Tier 1 Admin       | No                | Yes               | No                |
| Tier 2 Admin       | No                | No                | Yes               |

### GPO Restrictions

Tier isolation is enforced through user rights assignments that deny:

* **Local logon** - Prevents interactive logon at the console
* **Remote Desktop** - Blocks RDP connections
* **Network logon** - Denies access via SMB, WMI, and similar protocols
* **Batch logon** - Prevents scheduled tasks from running
* **Service logon** - Blocks running as a service account

<Tip>
  The key principle is that credentials from a higher tier should never be exposed on a lower tier system. A Tier 0 admin should never log into a Tier 2 workstation.
</Tip>

## AD Tier Model Manager

The [AD Tier Model Manager](https://github.com/AlchemicalChef/ADTierModel-Rust) is a desktop application that helps you implement and maintain the tier model in your environment.

### Prerequisites

Before installing, ensure you have:

* Windows 10/11 or Windows Server 2016+
* Domain Administrator privileges
* .NET Framework 4.8 or later
* PowerShell 5.1 or later

### Installation

1. Download the latest release from the [GitHub releases page](https://github.com/AlchemicalChef/ADTierModel-Rust/releases)
2. Extract the archive to your preferred location
3. Run the installer or portable executable

### Initial Setup

When you first launch the application:

<Steps>
  <Step title="Connect to Active Directory">
    The application will detect your domain automatically. Verify the connection and authenticate with your Domain Admin credentials.
  </Step>

  <Step title="Initialize Tier Structure">
    Create the Organizational Unit (OU) structure for each tier. The tool will create:

    * `OU=Tier 0,OU=Admin,DC=domain,DC=com`
    * `OU=Tier 1,OU=Admin,DC=domain,DC=com`
    * `OU=Tier 2,OU=Admin,DC=domain,DC=com`
  </Step>

  <Step title="Create Security Groups">
    The tool creates security groups for each tier that will be used in GPO restrictions.
  </Step>

  <Step title="Deploy GPOs">
    Generate and link the Group Policy Objects that enforce tier isolation.
  </Step>
</Steps>

### Key Features

<CardGroup cols={2}>
  <Card title="Tier Object Management" icon="layer-group">
    Assign users, groups, and computers to appropriate tiers with a visual interface.
  </Card>

  <Card title="GPO Automation" icon="gears">
    Automatically generate and maintain the GPOs required for tier isolation.
  </Card>

  <Card title="Compliance Monitoring" icon="shield-check">
    Detect cross-tier access violations and misconfigurations in real-time.
  </Card>

  <Card title="Audit Logging" icon="clipboard-list">
    Track all administrative actions for security review and compliance.
  </Card>
</CardGroup>

## Next Steps

After implementing the tier model, consider these additional security measures:

* Deploy Privileged Access Workstations (PAWs) for Tier 0 administrators
* Implement Just-In-Time (JIT) and Just-Enough-Administration (JEA)
* Enable Protected Users security group for sensitive accounts
* Configure Credential Guard on administrative workstations
