How Tier Zero Objects are Identified
Following are the criteria that the Security Guardian Tier Zero provider uses to identify Tier Zero objects in Active Directory.
- Domains: The Domain object is identified as Tier Zero because it is a domain partition in the Active Directory forest which supports replication and administrative functions.
- Groups: May be identified as Tier Zero if they are a Default AD Security Group which has access to Tier Zero objects in the domain, or if they are a member of another Tier Zero group (either directly or indirectly). The default AD Security Groups considered Tier Zero are:
  - Account Operators
  - Administrators
  - Backup Operators
  - Cert Publishers
  - Cloneable Domain Controllers
  - Cryptographic Operators
  - Distributed COM Users
  - DnsUpdateProxy
  - DnsAdmins
  - Domain Admins
  - Domain Controllers
  - Enterprise Key Admins
  - Enterprise Admins
  - Enterprise Read-Only Domain Controllers
  - Group Policy Creator Owners
  - Hyper-V Administrators
  - Incoming Forest Trust Builders
  - Key Admins
  - Network Configuration Operators
  - Performance Log Users
  - Print Operators
  - Read-Only Domain Controllers
  - Remote Management Users
  - Schema Admins
  - Server Operators
  - Storage Replica Administrators
- Users: May be identified as Tier Zero if they are a member of a Tier Zero group (either directly or indirectly).
- Computers: May be identified as Tier Zero if they are a Domain Controller, Read-Only Domain Controller, or are a member of a Tier Zero group (either directly or indirectly).
It is recommended that some additional objects, which may not be identified by the Tier Zero provider, be added manually.
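The criteria above amount to a small classification rule: the domain partition, the listed default groups, anything that reaches one of those groups through nested membership, and domain controller machine accounts. The following Python is an added example of that rule applied to a constructed in-memory directory snapshot; it is not the Security Guardian or BloodHound Enterprise implementation. It assumes domain controllers can be recognised from `userAccountControl` (`SERVER_TRUST_ACCOUNT` for writable DCs, `PARTIAL_SECRETS_ACCOUNT` for RODCs), and it models the `primaryGroupID` link separately because Active Directory does not list the primary group in `memberOf`, which is how DC accounts belong to Domain Controllers.

```python
"""Classify directory objects as Tier Zero using the criteria listed above.

Added example; the directory snapshot is constructed for illustration and
the detection rules are an assumption about how a provider might work,
not the actual Security Guardian / BloodHound Enterprise logic.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# userAccountControl bits (MS-SAMR USER_ACCOUNT flags) that mark DC machine accounts.
SERVER_TRUST_ACCOUNT = 0x00002000     # writable domain controller
PARTIAL_SECRETS_ACCOUNT = 0x04000000  # read-only domain controller (RODC)

# Default AD security groups treated as Tier Zero by the criteria above.
TIER_ZERO_DEFAULT_GROUPS = frozenset({
    "Account Operators", "Administrators", "Backup Operators", "Cert Publishers",
    "Cloneable Domain Controllers", "Cryptographic Operators", "Distributed COM Users",
    "DnsUpdateProxy", "DnsAdmins", "Domain Admins", "Domain Controllers",
    "Enterprise Key Admins", "Enterprise Admins", "Enterprise Read-Only Domain Controllers",
    "Group Policy Creator Owners", "Hyper-V Administrators", "Incoming Forest Trust Builders",
    "Key Admins", "Network Configuration Operators", "Performance Log Users",
    "Print Operators", "Read-Only Domain Controllers", "Remote Management Users",
    "Schema Admins", "Server Operators", "Storage Replica Administrators",
})


@dataclass
class ADObject:
    """Minimal view of a directory object, keyed by distinguished name."""
    dn: str
    object_class: str                      # "domainDNS", "group", "user" or "computer"
    sam: str = ""                          # sAMAccountName (group name for groups)
    member_of: Set[str] = field(default_factory=set)  # DNs of direct parent groups
    primary_group: Optional[str] = None    # DN behind primaryGroupID; absent from memberOf
    uac: int = 0                           # userAccountControl


def transitive_groups(obj: ADObject, directory: Dict[str, ADObject]) -> Set[str]:
    """Every group DN reachable from obj through memberOf and primaryGroupID links."""
    stack = list(obj.member_of) + ([obj.primary_group] if obj.primary_group else [])
    seen: Set[str] = set()
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        parent = directory.get(dn)
        if parent:
            stack.extend(parent.member_of)   # nested groups inherit upward
    return seen


def tier_zero_reason(obj: ADObject, directory: Dict[str, ADObject]) -> Optional[str]:
    """Return why obj is Tier Zero, or None when none of the criteria match."""
    if obj.object_class == "domainDNS":
        return "Domain partition of the forest (replication and administrative functions)"
    if obj.object_class == "group" and obj.sam in TIER_ZERO_DEFAULT_GROUPS:
        return "Default AD security group with access to Tier Zero objects"
    if obj.object_class == "computer":
        if obj.uac & PARTIAL_SECRETS_ACCOUNT:   # RODCs carry WORKSTATION_TRUST, not SERVER_TRUST
            return "Read-Only Domain Controller"
        if obj.uac & SERVER_TRUST_ACCOUNT:
            return "Domain Controller"
    # Groups, users and computers become Tier Zero through direct or nested membership.
    for dn in sorted(transitive_groups(obj, directory)):
        parent = directory.get(dn)
        if parent and parent.object_class == "group" and parent.sam in TIER_ZERO_DEFAULT_GROUPS:
            return f"Member (directly or indirectly) of Tier Zero group {parent.sam}"
    return None


def classify(directory: Dict[str, ADObject]) -> Dict[str, str]:
    """Map sAMAccountName (or DN for the domain) to the Tier Zero reason."""
    return {(o.sam or o.dn): r for o in directory.values()
            if (r := tier_zero_reason(o, directory)) is not None}


def sample_directory() -> Dict[str, ADObject]:
    """Constructed snapshot for the example; not data from any real forest."""
    base = "DC=corp,DC=example"
    g = lambda name: f"CN={name},CN=Users,{base}"
    objs = [
        ADObject(base, "domainDNS"),
        ADObject(g("Domain Admins"), "group", "Domain Admins"),
        ADObject(g("Domain Controllers"), "group", "Domain Controllers"),
        ADObject(g("Read-only Domain Controllers"), "group", "Read-Only Domain Controllers"),
        ADObject(g("Helpdesk"), "group", "Helpdesk"),
        # Custom group nested inside Domain Admins: Tier Zero by indirect membership.
        ADObject(g("Infra Admins"), "group", "Infra Admins", member_of={g("Domain Admins")}),
        ADObject(f"CN=alice,CN=Users,{base}", "user", "alice", member_of={g("Infra Admins")}),
        ADObject(f"CN=bob,CN=Users,{base}", "user", "bob", member_of={g("Helpdesk")}),
        ADObject(f"CN=DC01,OU=Domain Controllers,{base}", "computer", "DC01$",
                 primary_group=g("Domain Controllers"), uac=0x82000),    # SERVER_TRUST | TRUSTED_FOR_DELEGATION
        ADObject(f"CN=RODC01,OU=Domain Controllers,{base}", "computer", "RODC01$",
                 primary_group=g("Read-only Domain Controllers"), uac=0x5001000),  # PARTIAL_SECRETS | ...
        ADObject(f"CN=WS01,CN=Computers,{base}", "computer", "WS01$", uac=0x1000),
    ]
    return {o.dn: o for o in objs}


if __name__ == "__main__":
    for name, reason in sorted(classify(sample_directory()).items()):
        print(f"{name:<28} {reason}")
```

In the sample, `alice` and `Infra Admins` are flagged only because the nested chain ends at Domain Admins, while `bob`, `Helpdesk` and `WS01$` are not flagged; that is the "directly or indirectly" wording in practice, and it is why the recommended manual additions below matter for systems whose control over Tier Zero is not expressed as group membership.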
Tier Zero Objects List
The Tier Zero Objects list displays all of the Tier Zero objects that have been collected by the Tier Zero provider (Security Guardian or BloodHound Enterprise) as well as any that have been manually-added by users.
NOTE: If BloodHound Enterprise is configured and you see the message No New Tier Zero Objects, check the BloodHound Enterprise Configuration Status from within On Demand Audit. Review the configuration connection message details to determine whether the connection to SpecterOps has been successful. Review the Last Configuration Received, Next Configuration Synchronization, and the status of the configuration.
To access the Tier Zero Objects list:
From the On Demand left navigation menu, choose Security | Tier Zero Objects. The following information is listed for each Tier Zero object:
- Display Name
- Principal Name
- Distinguished Name
- Object Type
- Date Added

NOTE: The Date Added field displays the signed-in user's local date and time.

NOTE: If you click the Filter button, you can filter displayed results by any one of these criteria.
From the Tier Zero Objects list, you can:
Viewing Tier Zero Object Details
To view a Tier Zero object's details:
From the Dashboard Uncertified Tier Zero Objects tile or the Tier Zero Objects list, click the object's Principal Name.
The following information displays for the selected Tier Zero object:
- for a User object, local admin privileges
- for a Group object, any other groups it is a member of
- for a Group Policy object, objects affected by the Group Policy (NOTE: BloodHound Enterprise classifies domains affected by a Group Policy as OUs.)
- objects that the selected object can control
- objects that have control over the selected object

NOTE: BloodHound Enterprise returns a maximum of 1,000 related objects for each Tier Zero category.
Why Tier Zero?
This section provides the reason why the object is considered Tier Zero. If the object was added by the provider (Security Guardian or BloodHound Enterprise), the reason is returned by the provider. If the object was manually added by a user, the reason is "Manually added as Tier Zero by <user_principal_that_added_object>".
Adding Tier Zero Objects Manually
You can add Tier Zero objects manually for AD objects that were not identified as Tier Zero by the Tier Zero provider but are considered critical assets in your organization.
In addition to the Tier Zero objects identified by the Tier Zero provider, it is recommended that the following objects be added manually:
- Microsoft Entra Connect servers, including:
  - Active Directory Federation servers
- Privileged access management (PAM) systems
- Certificate Authorities and Subordinates
- Computers that host Quest Recovery Manager and other Active Directory management software and their backups
- Computers that host GPOAdmin, Active Administrator, and other group policy management software
- Microsoft Exchange Servers (if split permissions are not configured)
- Microsoft System Center Configuration Manager (SCCM) servers or equivalent
- Microsoft Exchange Groups (if default permissions are still configured)
- Microsoft SQL Server or equivalent if hosting a database from a Tier Zero system
- Active Directory management and auditing software, such as Change Auditor or Active Roles Server
To add a Tier Zero object manually:
- Use one of the following options:
  - For each Tier Zero object you want to add, enter the object's Principal Name, or type at least two characters and then select the object from the drop-down. (A message displays if the object is already Tier Zero.) The object is added to the Principal Name list.
  - In the Principal Name list, select the object(s) you want to add.
- Click Save.