identity access management

Configuring Active Directory Tiered Model

Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory. Covers Tier 0/1/2 separation, privileged access workstations (PAWs), administrative forest design, authentication policy silos, and credential theft mitigation.

access-controlactive-directoryesaeiamidentitypawtiered-model
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory. Covers Tier 0/1/2 separation, privileged access workstations (PAWs), administrative forest design, authentication policy silos, and credential theft mitigation.

When to Use

  • When deploying or configuring configuring active directory tiered model capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with identity access management concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Implement comprehensive configuring active directory tiered model capability
  • Establish automated discovery and monitoring processes
  • Integrate with enterprise IAM and security tools
  • Generate compliance-ready documentation and reports
  • Align with NIST 800-53 access control requirements

Security Controls

Control NIST 800-53 Description
Account Management AC-2 Lifecycle management
Access Enforcement AC-3 Policy-based access control
Least Privilege AC-6 Minimum necessary permissions
Audit Logging AU-3 Authentication and access events
Identification IA-2 User and service identification

Verification

  • Implementation tested in non-production environment
  • Security policies configured and enforced
  • Audit logging enabled and forwarding to SIEM
  • Documentation and runbooks complete
  • Compliance evidence generated
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md1.6 KB

Active Directory Tiered Model — API Reference

Libraries

Library Install Purpose
ldap3 pip install ldap3 LDAP queries for AD group and account enumeration
pyad pip install pyad Windows AD object manipulation

Key ldap3 Methods

Method Description
Connection(server, user, password, authentication=NTLM) NTLM-authenticated LDAP bind
conn.search(base_dn, filter, attributes) Search AD objects
conn.entries Result entries from search

AD Tier Definitions (Microsoft ESAE)

Tier Assets Admin Accounts
Tier 0 Domain Controllers, AD, PKI, ADFS Domain Admins, Enterprise Admins
Tier 1 Member servers, applications Server admins, app admins
Tier 2 Workstations, end users Help desk, workstation admins

Critical AD Groups (Tier 0)

Group SID Suffix
Domain Admins -512
Enterprise Admins -519
Schema Admins -518
Administrators -544
Account Operators -548
Backup Operators -551

UserAccountControl Flags

Flag Value Description
ACCOUNTDISABLE 0x2 Account is disabled
DONT_EXPIRE_PASSWORD 0x10000 Password never expires
NOT_DELEGATED 0x100000 Account is sensitive for delegation

External References

Scripts 1

agent.py5.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Active Directory tiered administration model audit agent using ldap3."""

import json
import sys
import argparse
from datetime import datetime

try:
    import ldap3
    from ldap3 import Server, Connection, ALL, NTLM
except ImportError:
    print("Install: pip install ldap3")
    sys.exit(1)


TIER_DEFINITIONS = {
    "Tier 0": {
        "description": "Domain controllers, AD admin accounts, PKI, ADFS",
        "groups": ["Domain Admins", "Enterprise Admins", "Schema Admins",
                   "Administrators", "Account Operators", "Backup Operators"],
    },
    "Tier 1": {
        "description": "Member servers, server admin accounts, applications",
        "groups": ["Server Operators", "Print Operators"],
    },
    "Tier 2": {
        "description": "Workstations, standard user accounts, help desk",
        "groups": ["Help Desk", "Workstation Admins"],
    },
}


def audit_tier0_accounts(conn, base_dn):
    """Audit Tier 0 privileged accounts."""
    findings = []
    for group_name in TIER_DEFINITIONS["Tier 0"]["groups"]:
        conn.search(base_dn, f"(&(objectClass=group)(cn={group_name}))",
                     attributes=["member"])
        for entry in conn.entries:
            members = entry.member.values if hasattr(entry.member, 'values') else []
            for member_dn in members:
                conn.search(member_dn, "(objectClass=*)",
                            attributes=["sAMAccountName", "lastLogonTimestamp",
                                        "userAccountControl", "adminCount"])
                for user in conn.entries:
                    uac = int(str(user.userAccountControl)) if hasattr(user, 'userAccountControl') else 0
                    findings.append({
                        "account": str(user.sAMAccountName),
                        "group": group_name,
                        "tier": "Tier 0",
                        "password_never_expires": bool(uac & 0x10000),
                        "account_disabled": bool(uac & 0x2),
                        "admin_count": True,
                    })
    return findings


def check_tier_violations(conn, base_dn):
    """Check for cross-tier privilege violations."""
    violations = []
    conn.search(base_dn,
                "(&(objectClass=user)(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
                attributes=["sAMAccountName", "memberOf", "lastLogon"])
    for entry in conn.entries:
        groups = entry.memberOf.values if hasattr(entry.memberOf, 'values') else []
        tier0 = any("Domain Admins" in str(g) or "Enterprise Admins" in str(g) for g in groups)
        tier1 = any("Server" in str(g) for g in groups)
        if tier0 and tier1:
            violations.append({
                "account": str(entry.sAMAccountName),
                "violation": "Account spans Tier 0 and Tier 1",
                "severity": "CRITICAL",
                "recommendation": "Create separate accounts per tier",
            })
    return violations


def check_paw_compliance(conn, base_dn):
    """Check for Privileged Access Workstation (PAW) deployment indicators."""
    conn.search(base_dn,
                "(&(objectClass=computer)(cn=PAW*))",
                attributes=["cn", "operatingSystem", "lastLogonTimestamp"])
    paws = [{"name": str(e.cn), "os": str(e.operatingSystem)} for e in conn.entries]
    return {
        "paw_count": len(paws),
        "paws": paws,
        "compliant": len(paws) > 0,
        "recommendation": "Deploy PAWs for all Tier 0 admin accounts" if not paws else "PAWs detected",
    }


def run_audit(server_ip, domain, username, password):
    """Execute AD tiered model audit."""
    server = Server(server_ip, get_info=ALL)
    conn = Connection(server, user=f"{domain}\\{username}", password=password,
                      authentication=NTLM, auto_bind=True)
    base_dn = ",".join([f"DC={p}" for p in domain.split(".")])

    print(f"\n{'='*60}")
    print(f"  AD TIERED ADMINISTRATION MODEL AUDIT")
    print(f"  Domain: {domain}")
    print(f"  Generated: {datetime.utcnow().isoformat()} UTC")
    print(f"{'='*60}\n")

    accounts = audit_tier0_accounts(conn, base_dn)
    print(f"--- TIER 0 ACCOUNTS ({len(accounts)}) ---")
    for a in accounts[:15]:
        flags = []
        if a["password_never_expires"]:
            flags.append("PWD_NEVER_EXPIRES")
        print(f"  {a['account']} in {a['group']} {' '.join(flags)}")

    violations = check_tier_violations(conn, base_dn)
    print(f"\n--- TIER VIOLATIONS ({len(violations)}) ---")
    for v in violations:
        print(f"  [{v['severity']}] {v['account']}: {v['violation']}")

    paw = check_paw_compliance(conn, base_dn)
    print(f"\n--- PAW COMPLIANCE ---")
    print(f"  PAWs found: {paw['paw_count']}")
    print(f"  Compliant: {paw['compliant']}")

    conn.unbind()
    return {"tier0_accounts": accounts, "violations": violations, "paw": paw}


def main():
    parser = argparse.ArgumentParser(description="AD Tiered Model Audit Agent")
    parser.add_argument("--server", required=True, help="Domain controller IP")
    parser.add_argument("--domain", required=True, help="AD domain name")
    parser.add_argument("--username", required=True, help="Admin username")
    parser.add_argument("--password", required=True, help="Admin password")
    parser.add_argument("--output", help="Save report to JSON file")
    args = parser.parse_args()

    report = run_audit(args.server, args.domain, args.username, args.password)
    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2, default=str)
        print(f"\n[+] Report saved to {args.output}")


if __name__ == "__main__":
    main()
Keep exploring