Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
Overview
Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory. Covers Tier 0/1/2 separation, privileged access workstations (PAWs), administrative forest design, authentication policy silos, and credential theft mitigation.
When to Use
- When deploying or configuring configuring active directory tiered model capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Objectives
- Implement comprehensive configuring active directory tiered model capability
- Establish automated discovery and monitoring processes
- Integrate with enterprise IAM and security tools
- Generate compliance-ready documentation and reports
- Align with NIST 800-53 access control requirements
Security Controls
| Control | NIST 800-53 | Description |
|---|---|---|
| Account Management | AC-2 | Lifecycle management |
| Access Enforcement | AC-3 | Policy-based access control |
| Least Privilege | AC-6 | Minimum necessary permissions |
| Audit Logging | AU-3 | Authentication and access events |
| Identification | IA-2 | User and service identification |
Verification
- Implementation tested in non-production environment
- Security policies configured and enforced
- Audit logging enabled and forwarding to SIEM
- Documentation and runbooks complete
- Compliance evidence generated
Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md1.6 KB
Active Directory Tiered Model — API Reference
Libraries
| Library | Install | Purpose |
|---|---|---|
| ldap3 | pip install ldap3 |
LDAP queries for AD group and account enumeration |
| pyad | pip install pyad |
Windows AD object manipulation |
Key ldap3 Methods
| Method | Description |
|---|---|
Connection(server, user, password, authentication=NTLM) |
NTLM-authenticated LDAP bind |
conn.search(base_dn, filter, attributes) |
Search AD objects |
conn.entries |
Result entries from search |
AD Tier Definitions (Microsoft ESAE)
| Tier | Assets | Admin Accounts |
|---|---|---|
| Tier 0 | Domain Controllers, AD, PKI, ADFS | Domain Admins, Enterprise Admins |
| Tier 1 | Member servers, applications | Server admins, app admins |
| Tier 2 | Workstations, end users | Help desk, workstation admins |
Critical AD Groups (Tier 0)
| Group | SID Suffix |
|---|---|
| Domain Admins | -512 |
| Enterprise Admins | -519 |
| Schema Admins | -518 |
| Administrators | -544 |
| Account Operators | -548 |
| Backup Operators | -551 |
UserAccountControl Flags
| Flag | Value | Description |
|---|---|---|
| ACCOUNTDISABLE | 0x2 | Account is disabled |
| DONT_EXPIRE_PASSWORD | 0x10000 | Password never expires |
| NOT_DELEGATED | 0x100000 | Account is sensitive for delegation |
External References
Scripts 1
agent.py5.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Active Directory tiered administration model audit agent using ldap3."""
import json
import sys
import argparse
from datetime import datetime
try:
import ldap3
from ldap3 import Server, Connection, ALL, NTLM
except ImportError:
print("Install: pip install ldap3")
sys.exit(1)
TIER_DEFINITIONS = {
"Tier 0": {
"description": "Domain controllers, AD admin accounts, PKI, ADFS",
"groups": ["Domain Admins", "Enterprise Admins", "Schema Admins",
"Administrators", "Account Operators", "Backup Operators"],
},
"Tier 1": {
"description": "Member servers, server admin accounts, applications",
"groups": ["Server Operators", "Print Operators"],
},
"Tier 2": {
"description": "Workstations, standard user accounts, help desk",
"groups": ["Help Desk", "Workstation Admins"],
},
}
def audit_tier0_accounts(conn, base_dn):
"""Audit Tier 0 privileged accounts."""
findings = []
for group_name in TIER_DEFINITIONS["Tier 0"]["groups"]:
conn.search(base_dn, f"(&(objectClass=group)(cn={group_name}))",
attributes=["member"])
for entry in conn.entries:
members = entry.member.values if hasattr(entry.member, 'values') else []
for member_dn in members:
conn.search(member_dn, "(objectClass=*)",
attributes=["sAMAccountName", "lastLogonTimestamp",
"userAccountControl", "adminCount"])
for user in conn.entries:
uac = int(str(user.userAccountControl)) if hasattr(user, 'userAccountControl') else 0
findings.append({
"account": str(user.sAMAccountName),
"group": group_name,
"tier": "Tier 0",
"password_never_expires": bool(uac & 0x10000),
"account_disabled": bool(uac & 0x2),
"admin_count": True,
})
return findings
def check_tier_violations(conn, base_dn):
"""Check for cross-tier privilege violations."""
violations = []
conn.search(base_dn,
"(&(objectClass=user)(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
attributes=["sAMAccountName", "memberOf", "lastLogon"])
for entry in conn.entries:
groups = entry.memberOf.values if hasattr(entry.memberOf, 'values') else []
tier0 = any("Domain Admins" in str(g) or "Enterprise Admins" in str(g) for g in groups)
tier1 = any("Server" in str(g) for g in groups)
if tier0 and tier1:
violations.append({
"account": str(entry.sAMAccountName),
"violation": "Account spans Tier 0 and Tier 1",
"severity": "CRITICAL",
"recommendation": "Create separate accounts per tier",
})
return violations
def check_paw_compliance(conn, base_dn):
"""Check for Privileged Access Workstation (PAW) deployment indicators."""
conn.search(base_dn,
"(&(objectClass=computer)(cn=PAW*))",
attributes=["cn", "operatingSystem", "lastLogonTimestamp"])
paws = [{"name": str(e.cn), "os": str(e.operatingSystem)} for e in conn.entries]
return {
"paw_count": len(paws),
"paws": paws,
"compliant": len(paws) > 0,
"recommendation": "Deploy PAWs for all Tier 0 admin accounts" if not paws else "PAWs detected",
}
def run_audit(server_ip, domain, username, password):
"""Execute AD tiered model audit."""
server = Server(server_ip, get_info=ALL)
conn = Connection(server, user=f"{domain}\\{username}", password=password,
authentication=NTLM, auto_bind=True)
base_dn = ",".join([f"DC={p}" for p in domain.split(".")])
print(f"\n{'='*60}")
print(f" AD TIERED ADMINISTRATION MODEL AUDIT")
print(f" Domain: {domain}")
print(f" Generated: {datetime.utcnow().isoformat()} UTC")
print(f"{'='*60}\n")
accounts = audit_tier0_accounts(conn, base_dn)
print(f"--- TIER 0 ACCOUNTS ({len(accounts)}) ---")
for a in accounts[:15]:
flags = []
if a["password_never_expires"]:
flags.append("PWD_NEVER_EXPIRES")
print(f" {a['account']} in {a['group']} {' '.join(flags)}")
violations = check_tier_violations(conn, base_dn)
print(f"\n--- TIER VIOLATIONS ({len(violations)}) ---")
for v in violations:
print(f" [{v['severity']}] {v['account']}: {v['violation']}")
paw = check_paw_compliance(conn, base_dn)
print(f"\n--- PAW COMPLIANCE ---")
print(f" PAWs found: {paw['paw_count']}")
print(f" Compliant: {paw['compliant']}")
conn.unbind()
return {"tier0_accounts": accounts, "violations": violations, "paw": paw}
def main():
parser = argparse.ArgumentParser(description="AD Tiered Model Audit Agent")
parser.add_argument("--server", required=True, help="Domain controller IP")
parser.add_argument("--domain", required=True, help="AD domain name")
parser.add_argument("--username", required=True, help="Admin username")
parser.add_argument("--password", required=True, help="Admin password")
parser.add_argument("--output", help="Save report to JSON file")
args = parser.parse_args()
report = run_audit(args.server, args.domain, args.username, args.password)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
Keep exploring