Privileged account tiering: Tier 0, Tier 1, Tier 2
When you hear a colleague, a system administrator, or anyone else start talking about Active Directory "Red Forest" tiers, they are using the informal name for the Enhanced Security Administrative Environment (ESAE). ESAE applies a set of technical controls and recommended practices to harden the administrative environment and the workstations used to administer it. (Microsoft has since retired the ESAE "Red Forest" guidance in favour of its enterprise access model, but the tiering principle described below carries over unchanged.)

The ESAE design aims to break the key step of credential-theft attacks by limiting where administrative credentials are exposed: a credential that is never typed into, cached on, or used from a lower-trust machine cannot be harvested from that machine.

It is built on the Active Directory administrative tier model. The purpose of the tier model is to protect the identity system with a set of buffers between full control of the environment (Tier 0) and the high-risk workstation assets that attackers compromise most often. The model has three tiers and covers administrative accounts only, not standard user accounts:
Tier 0: domain administrators

Direct control of enterprise identities in the environment. Tier 0 includes the accounts, groups, and other assets that have direct or indirect administrative control of the Active Directory forest, domains, or domain controllers, and of everything in them. All Tier 0 assets are equally sensitive because each of them can effectively take control of the others.

Tier 1: server and system administrators

Control of enterprise servers and applications. Tier 1 assets include server operating systems, cloud services, and enterprise applications. Tier 1 administrator accounts have administrative control over a large share of the business value hosted on these assets. A typical role is the server administrator who maintains these operating systems and can therefore affect every enterprise service running on them.

Tier 2: user workstation administrators

Control of user workstations and devices. Tier 2 administrator accounts have administrative control over the business value hosted on user workstations and devices. Examples are help desk and desktop support administrators, who can affect the integrity of almost any user's data.
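The script below is an added example, not part of the original post or of Microsoft's ESAE material. It shows how the tier boundaries above can be checked in practice. The rule the tier model rests on is that an administrative account belongs to exactly one tier, so an account whose group memberships span two tiers is a violation: a Tier 2 help-desk account that has also been placed in Account Operators is, in effect, a Tier 0 account that logs on to workstations. The Tier 0 set is the built-in groups that control the forest; the Tier 1 and Tier 2 group names, the sample accounts, and their memberships are assumptions constructed for the example. The commented live-collection path uses the ActiveDirectory module's Get-ADGroupMember with -Recursive so that membership inherited through nested groups is resolved.

```powershell
# Added example (not from the original post): check that admin accounts respect
# the tier model, i.e. that no account holds memberships spanning more than one tier.
# Tier 1 / Tier 2 group names and the sample accounts below are assumptions.

$TierGroups = @{
    0 = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')
    1 = @('Tier1-ServerAdmins', 'Tier1-SQLAdmins')          # assumed custom groups
    2 = @('Tier2-WorkstationAdmins', 'Tier2-HelpDesk')      # assumed custom groups
}

# Return the sorted list of tiers an account touches, given its group names.
function Get-AccountTiers {
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Groups)
    $tiers = foreach ($tier in $TierGroups.Keys) {
        if ($TierGroups[$tier] | Where-Object { $Groups -contains $_ }) { $tier }
    }
    @($tiers | Sort-Object -Unique)
}

# One row per account: which tiers it belongs to and whether it crosses a boundary.
function Test-TierSeparation {
    param([Parameter(Mandatory)][object[]]$Accounts)
    foreach ($acct in $Accounts) {
        $tiers = Get-AccountTiers -Groups $acct.Groups
        [pscustomobject]@{
            SamAccountName = $acct.SamAccountName
            Tiers          = ($tiers -join ',')
            CrossesTiers   = ($tiers.Count -gt 1)
        }
    }
}

# Constructed sample input standing in for a real directory export.
$SampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'da-alice'; Groups = @('Domain Admins') }
    [pscustomobject]@{ SamAccountName = 'srv-bob';  Groups = @('Tier1-ServerAdmins') }
    [pscustomobject]@{ SamAccountName = 'hd-carol'; Groups = @('Tier2-HelpDesk', 'Domain Users') }
    # A help-desk account that was also dropped into Account Operators: Tier 2 and Tier 0 at once.
    [pscustomobject]@{ SamAccountName = 'hd-dave';  Groups = @('Tier2-HelpDesk', 'Account Operators') }
)

Test-TierSeparation -Accounts $SampleAccounts | Format-Table -AutoSize

# Live collection (requires the ActiveDirectory module and read access to the domain).
# Membership is gathered from the group side with -Recursive so that nested groups are
# resolved; an account reached through a nested group still counts for that tier.
# $members = @{}
# foreach ($g in ($TierGroups.Values | ForEach-Object { $_ })) {
#     Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
#         Where-Object { $_.objectClass -eq 'user' } |
#         ForEach-Object { $members[$_.SamAccountName] += @($g) }
# }
# $LiveAccounts = $members.GetEnumerator() | ForEach-Object {
#     [pscustomobject]@{ SamAccountName = $_.Key; Groups = $_.Value }
# }
# Test-TierSeparation -Accounts $LiveAccounts | Where-Object CrossesTiers
```

Membership is collected from the group side rather than from each user's MemberOf attribute on purpose: MemberOf lists only direct memberships, while the tier model has to count an account that reaches Domain Admins through a nested group as Tier 0. The same function can be extended with per-tier checks (for instance, that every Tier 0 account is in Protected Users), but the cross-tier test is the one that catches the most common drift.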
Source: Active Directory Red Forest Design aka Enhanced Security Administrative Environment (ESAE) - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

Posted 2024-01-11 13:57 by 安全泰哥