Tier Model & Delegation Model questions

Ok, once we have had a little taste of the “sweet Delegation Model” and its twin brother, the “Tier Model”, you will have many questions. And questioning is what we need in order to start building a proper Delegation Model with Tiers for Active Directory®.

As per the Peter Principle, we will reach our level of incompetence in our design. This happens because we might not be asking enough questions. By listening to the questions (and why not, even the complaints) of other teams and stakeholders, we identify the areas where not much has been defined.

The Tier Model & Delegation Model questions below will help to identify these issues and try to solve them.


AD Tier Model

Questions raised based on the AD Tier Model. The Tier Model is the physical separation of assets. We consider this segregation the natural extension of the Delegation Model.

Is the Tier Model enough? Or do I need also the Delegation Model?

Why do we need both the Tier Model and the Delegation Model?

Any security improvement is welcome, but no single security measure will protect our whole environment. For example, an internet-facing firewall will indeed help protect our network, but it will not help us much against Trojans or worms; that is the antivirus's job.

The Tier Model does help us implement a set of tiers, or buffer zones. With a set of rules and guidelines, we can restrict and isolate some of our assets. But here we are still missing a reduction of the overall permissions and rights a user might have, even if this user is within a given restricted tier. This is where the twin brother comes into play: the Delegation Model can help reduce those permissions and rights.

MS - Security Privileged Access Roadmap

Even more, implementing both models is not sufficient by itself. We have to be prepared to monitor security and to react properly to any given event. This demonstrates the need to have several tools (monitoring, analysis, alerting, etc.) embedded in the models.


Delegation Model

Questions raised on the AD Delegation Model. The Delegation Model grants controlled and specific rights to administrators, without using privileged groups such as Domain Admins. This section makes reference to all topics of the model.

Can I restrict my Administrators, Domain Admins or Enterprise Admins without a Delegation Model in place?

No. Once a user becomes a member of a highly privileged group, there is no technical restriction: she or he can create/change/delete any other administrator. This is the problem with big AD implementations that did not consider a proper Delegation Model (or a 3rd-party tool which might provide this functionality).

Restricting privileged users is not possible. This is by Active Directory design.


Can we delegate “exclusive” administrator tasks?

Yes. Active Directory is extremely granular when it comes to delegation.

We can delegate the task to manage:

  • a full partition
  • certain kinds of objects within a given partition
  • attribute sets for an object
  • specific attributes

Can we have Split-Delegation?

Yes. A split-delegation is when 2 different teams have similar rights within the same object. This is very common, and recommended, in order to split the load between teams.

A very common scenario is:

  • the user provisioning team is in charge of creating and deleting users
  • the Service Desk team is in charge of resetting passwords and unlocking user accounts
  • the Human Resources team maintains certain attributes for the user. This could be the employee number and type, or the organizational description.

In this example, we can see the importance of the “To whom do I need to delegate?” and “What should be delegated?” questions.
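As an added example (not code from the original post), the following PowerShell script implements the split-delegation scenario above on a single OU, using the granularity described under “Can we delegate exclusive administrator tasks?”: object-class rights for the provisioning team, one extended right plus one attribute for the Service Desk, and a short list of specific attributes for HR. The OU distinguished name, the three group names and the availability of the ActiveDirectory module's AD: drive are assumptions; class, attribute and extended-right GUIDs are looked up in the schema rather than hard-coded.

```powershell
# Added example, not from the original post. Assumed names:
#   OU=Users,OU=Corp,DC=example,DC=com and the three groups below.
Import-Module ActiveDirectory

$ouDN      = 'OU=Users,OU=Corp,DC=example,DC=com'
$provGroup = 'SG_UserProvisioning'   # creates / deletes user objects
$sdGroup   = 'SG_ServiceDesk'        # resets passwords, unlocks accounts
$hrGroup   = 'SG_HumanResources'     # maintains a few HR attributes

# Resolve the schemaIDGUID of a class or attribute by lDAPDisplayName,
# so that no GUIDs are hard-coded in the script.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Extended rights (e.g. "Reset Password") live in the Extended-Rights
# container and are identified by rightsGuid, not by schemaIDGUID.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

# Build one ACE: group -> right, optionally limited to an attribute/class/
# extended right ($ObjectType) and to instances of one class ($InheritedObjectType).
function New-DelegationAce {
    param(
        [Parameter(Mandatory)][string]$GroupSam,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [guid]$InheritedObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents'
    )
    $sid = (Get-ADGroup $GroupSam).SID
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType
    )
}

$userClass = Get-SchemaGuid 'user'
$acl = Get-Acl -Path "AD:\$ouDN"

# 1) Provisioning team: create and delete user objects only, in this OU and below.
$acl.AddAccessRule((New-DelegationAce $provGroup 'CreateChild, DeleteChild' -ObjectType $userClass -Inheritance 'All'))

# 2) Service Desk: "Reset Password" extended right plus write access to
#    lockoutTime (needed to unlock), both scoped to user objects only.
$acl.AddAccessRule((New-DelegationAce $sdGroup 'ExtendedRight' -ObjectType (Get-ExtendedRightGuid 'Reset Password') -InheritedObjectType $userClass))
$acl.AddAccessRule((New-DelegationAce $sdGroup 'ReadProperty, WriteProperty' -ObjectType (Get-SchemaGuid 'lockoutTime') -InheritedObjectType $userClass))

# 3) HR: read/write exactly three attributes on user objects, nothing else.
foreach ($attr in 'employeeNumber', 'employeeType', 'description') {
    $acl.AddAccessRule((New-DelegationAce $hrGroup 'ReadProperty, WriteProperty' -ObjectType (Get-SchemaGuid $attr) -InheritedObjectType $userClass))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Run it from an account that can modify the OU's security descriptor. Every ACE is scoped to the user class, so none of the three groups gains anything on groups, computers or the OU object itself, and the provisioning team gets no right to modify the users it creates beyond what every authenticated user already has.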


Do I need to delegate authority?

YES. 99% of AD implementations do need to delegate authority, even if a small team is administering the environment. The exception to the rule might be when ONLY 1 administrator is in place, and he is solely using the physical AD console (keyboard and screen physically attached to the server within the server room) and not using the admin privileges outside this box.

In the same way that we have doctors specialized in different areas, we have administrators and operators who maintain the environment. So yes, most of the time we need to delegate authority.

To whom do I need to delegate?

Well, this is a very generic and difficult question to answer, or at least it is without several more questions following it. We need to identify every person who makes a change within Active Directory, excluding of course typical standard changes such as “changing my own password”.

In smaller scenarios a simple division between operations (reboot a computer, back up and restore data, reset and unlock a user, etc.) and administration (create users, groups, access rights, etc.) might be sufficient.

But for larger organizations there might be several teams for each area:

  • one group is in charge of granting and revoking access
  • a different team manages user provisioning
  • several teams take care of desktops and laptops
  • several teams are responsible for the servers
  • individual teams are responsible for the infrastructure

It is the business that dictates who is responsible for any assigned task, and whether the task is feasible. In other words, we should be able to identify the persons, or groups of persons, who are assigned to run a given task against the directory.

What should be delegated?

Same as the previous question, this is quite hard to answer individually. The simplest, easiest, most common and worst thing we can do is to assign Administrator rights. We must completely discard this approach, as it is not even an option. What we must identify is which specific action is happening on the directory; if it matches the “To whom do I need to delegate?” question, then we have already identified a role, which a delegation will follow.

Taking the user provisioning idea, this team creates and deletes users within the directory. So a delegation will be done for the identified team, granting the right to ONLY create users.
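Identifying “what should be delegated” is much easier when you can see what has already been delegated, and to whom. The following PowerShell function is an added example (not from the original post) that lists the explicit, non-inherited ACEs on an OU with schema and extended-right GUIDs resolved to readable names, and flags rights that are wider than any task-based delegation should be (GenericAll, WriteDacl, WriteOwner, or WriteProperty over all attributes). The OU distinguished name is an assumption.

```powershell
# Added example, not from the original post. The OU path is assumed.
Import-Module ActiveDirectory

$ouDN = 'OU=Users,OU=Corp,DC=example,DC=com'

# Map GUID -> name for every schema class/attribute and every extended right,
# so ACEs can be reported by lDAPDisplayName instead of raw GUIDs.
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    $map
}

function Resolve-AdGuid {
    param([guid]$Guid, [hashtable]$GuidMap, [string]$EmptyLabel)
    if ($Guid -eq [guid]::Empty) { return $EmptyLabel }
    $key = $Guid.ToString()
    if ($GuidMap.ContainsKey($key)) { return $GuidMap[$key] }
    return $key   # unknown GUID: print it as-is rather than hide it
}

# Return one object per explicit ACE on the given container.
function Get-ExplicitDelegation {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [hashtable]$GuidMap = (Get-AdGuidMap)
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # inherited ACEs were decided higher up the tree
        $rights = $ace.ActiveDirectoryRights
        # An ACE is "broad" when it grants full control, control over the ACL itself,
        # or write access to every attribute instead of a named one.
        $broad = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                 $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -or
                 $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner) -or
                 ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and $ace.ObjectType -eq [guid]::Empty)
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $rights
            Target      = Resolve-AdGuid -Guid $ace.ObjectType -GuidMap $GuidMap -EmptyLabel '(all)'
            AppliesTo   = Resolve-AdGuid -Guid $ace.InheritedObjectType -GuidMap $GuidMap -EmptyLabel '(any class)'
            Inheritance = $ace.InheritanceType
            Broad       = $broad
        }
    }
}

# Broad entries sort to the top so they are the first thing reviewed.
Get-ExplicitDelegation -DistinguishedName $ouDN | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Reading the security descriptor only requires read access to the OU, so this can run under a normal account. A delegation that matches a single role shows up as a handful of rows with a named Target and AppliesTo; an entry marked Broad is a sign that someone took the “assign Administrator rights” shortcut the answer above warns against.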

Security Concern

Security topics, questions, answers, discussions and references around the model, and the security improvements that can be achieved.

Is there an alternative to these models?

Not really. The model focuses on many “very old, but STILL valid” concepts, which help us to protect our directory. For example, having unpatched systems results in vulnerable systems, and the only solution is to patch them, reducing the risk and thus increasing security.

But when a more advanced threat lies ahead, the solutions get more complex. The main concept here is: if you cannot access it, then you cannot tamper with it. The model restricts highly targeted identities (a nice cookie for attackers), minimizing their exposure. The model can be somewhat modified and adapted, but there is no other “efficient” alternative to the concept.


Why do I need this model?

Because Active Directory is exposed, and don’t misunderstand this: it is exposed to persons, applications, services and networks, so there is a real risk of it being compromised. There are hundreds of details to take into account to objectively assess the risk, but the risk is there, and the best thing to do is to manage it.

In the old times, just having an antivirus was enough (Huuh!) to be protected. No internet available. Networks were pretty small, or even nonexistent. As the devices were expensive, granting access to anyone was not so easy, so physical security was kind of present.

Today, we have extreme connectivity, with at least 1 antivirus and protection against Trojans, worms, rootkits, spam… we have access control lists for disks, groups, shares, mailboxes… we have many web applications and services, which use any kind of authentication and authorization… databases… social networks… BYOD… AND we have to manage it all, assuring the integrity and security of all of these. We cannot afford the risk of exposing all this information, or even worse, compromising it.

We care about firewalls… networks… IDS… personal FW… antivirus… authentication… authorization… so: why are we not protecting one of the most valuable and critical assets?

This model will not be the “ultimate” security for AD, but it will help mitigate credential theft techniques.


Delegation Model vs. Tier Model comparison

Criterion                        Delegation Model   Tier Model
Least Privileged Access          Rating 4           Rating 2
Logon Restrictions               Rating 1           Rating 3
Clean Source Principle           Rating 0           Rating 4
Operational Practices            Rating 4           Rating 4
Configuration over Convention    Rating 3           Rating 3
Segregation of Duties            Rating 4           Rating 2
Segregation of Assets            Rating 1           Rating 4
Reduce Privileged Accounts       Rating 4           Rating 3
Protect from Credential Theft    Rating 1           Rating 3
Logical Perimetral Network       Rating 3           Rating 4
Auditable Access                 Rating 4           Rating 3