Module 16 · AD Tier-0 Hardening — The Defender’s Playbook

Manish Garg, Associate of (ISC)² · RingSafe
Apr 27, 2026

Last updated: April 29, 2026


Why this module exists. Most AD breaches succeed because Tier-0 credentials (Domain Admins and their equivalents) get used on workstations or member servers, where they are cached in LSASS or left behind as Kerberos tickets and can be harvested by anyone who gains local admin there. Microsoft's Tiered Administration Model (from the original "Securing Privileged Access" guidance, since folded into the broader "Enterprise Access Model") is the structural fix. It is well documented and rarely implemented in full. This module is the practical playbook.

The model

Three tiers, in increasing sensitivity:

  • Tier 2 — workstations. User devices. Where most attackers land first (phishing, drive-by, malicious documents).
  • Tier 1 — member servers and applications. Web servers, file servers, SQL servers, Exchange, and the service accounts that run them.
  • Tier 0 — identity infrastructure. Domain controllers, Entra Connect (formerly Azure AD Connect), AD FS, AD CS certificate authorities, plus anything that can administer those systems (their backup, virtualization, and management tooling). Control of Tier 0 is control of the kingdom.

The hardening rule: credentials never flow downward. A credential effectively belongs to the lowest tier of any machine it has ever been typed into or cached on, because an attacker with local admin on that machine can dump it. So Tier-0 accounts log on to Tier-0 systems (and their dedicated admin workstations) only; Tier-1 accounts log on to Tier-1 systems only, never to workstations; Tier-2 accounts administer workstations only. Enforce this rather than trust it: apply GPO user-rights assignments (Deny log on locally, Deny log on through Remote Desktop Services, Deny log on as a batch job, Deny log on as a service) that block the higher-tier groups on every lower-tier machine, add Tier-0 accounts to Protected Users so their credentials cannot be cached or delegated, and audit logon events for violations.
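An added audit check for the rule above (example code written for this module, not part of Microsoft's guidance or the original post): run on a Tier-2 workstation or any other lower-tier host, it resolves the Tier-0 groups to user SIDs and scans recent Security event 4624 records for credential-exposing logons by those accounts. The group list, the seven-day window, the assumption that the RSAT ActiveDirectory module is installed, and the assumption that the caller can read the local Security log are all assumptions you should adjust to your environment.

```powershell
# Added example (not from the original module). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the local Security event log.
Import-Module ActiveDirectory

function Find-Tier0LogonViolations {
    param(
        # Assumption: these are the Tier-0 groups in your forest; extend as needed.
        [string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$Days = 7
    )

    # Resolve nested membership once. Key on SID so renamed accounts still match.
    $tier0Sids = @{}
    foreach ($g in $Tier0Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $tier0Sids[$_.SID.Value] = "$g\$($_.SamAccountName)" }
    }

    # Logon types that leave reusable credentials on this host:
    # 2 Interactive, 4 Batch, 5 Service, 10 RemoteInteractive (RDP), 11 CachedInteractive.
    # Type 3 (Network, e.g. plain SMB/WinRM) does not cache credentials and is excluded.
    $exposingLogonTypes = @(2, 4, 5, 10, 11)

    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields out of the event XML into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $logonType = [int]$d['LogonType']
        $sid       = $d['TargetUserSid']

        if ($exposingLogonTypes -contains $logonType -and $tier0Sids.ContainsKey($sid)) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Tier0Via  = $tier0Sids[$sid]      # which Tier-0 group made this a violation
                LogonType = $logonType
                Source    = $d['IpAddress']
                Process   = $d['ProcessName']
            }
        }
    }
}

$violations = Find-Tier0LogonViolations
if ($violations) {
    Write-Warning "Tier-0 credential exposure on $env:COMPUTERNAME:"
    $violations | Sort-Object Time | Format-Table -AutoSize
} else {
    "No credential-exposing Tier-0 logons on $env:COMPUTERNAME in the last 7 days."
}
```

Any hit is a credential that must be treated as exposed: reset it, then fix whichever deny-logon right or habit let the logon happen. Run the same check on Tier-1 servers with the Tier-0 groups, and on Tier-2 workstations with both the Tier-0 and Tier-1 admin groups, to cover the whole rule.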
