Chatta subito con l'assistenza
Chat con il supporto

Security Guardian Current - User Guide

Introducing Quest Security Guardian Using the Dashboard Tier Zero Objects Privileged Objects Assessments Findings Security Settings Appendix - Security Guardian Indicator Details

How Tier Zero Objects are Identified

Following are the criteria that the Security Guardian Tier Zero provider uses to identify Tier Zero objects in Active Directory.

NOTE: For the criteria that BloodHound Enterprise uses, refer to the BloodHound support article Tier Zero: Members and Modification.

  • Domains: The Domain object is identified as Tier Zero because it is a domain partition in the Active Directory forest which supports replication and administrative functions.

  • Groups: May be identified as Tier Zero if they are a Default AD Security Group which has access to Tier Zero objects in the domain, or if they are a member of another Tier Zero group (either directly or indirectly).

    The default AD Security Groups considered Tier Zero are:

    Account Operators

    Administrators

    Backup Operators

    Cert Publishers

    Cloneable Domain Controllers

    Cryptographic Operators

    Distributed COM Users

    DnsUpdateProxy

    DnsAdmins

    Domain Admins

    Domain Controllers

    Enterprise Key Admin

    Enterprise Admins

    Enterprise Read-Only Domain Controllers

    Group Policy Creators Owners

    Hyper-V Administrators

    Incoming Forest Trust Builders

    Key Admins

    Network Configuration Operators

    Performance Log Users

    Print Operators

    Read-Only Domain Controllers

    Remote Management Users

    Schema Admins

    Server Operators

    Storage Replica Administrators

  • Users: May be identified as Tier Zero if they are a member of a Tier Zero group (either directly or indirectly).

  • Computers: May be identified as Tier Zero if they are a Domain Controller, Read-Only Domain Controller, or are a member of a Tier Zero group (either directly or indirectly).

  • Group Policies: May be identified as Tier Zero if they are linked to

    • the Domain

    • an AD site or an organizational unit (OU) that contains a Domain Controller, a Read-Only Domain Controller, or other Tier Zero user or computer.

It is recommended that some additional objects, which may not be identified by the Tier Zero provider, be added manually.

 

 

Tier Zero Objects List

The Tier Zero Objects list displays all of the Tier Zero objects that have been collected by the Tier Zero provider (Security Guardian or BloodHound Enterprise) as well as any that have been manually-added by users.

NOTE: If BloodHound Enterprise is configured and you see the message No New Tier Zero Objects, check the BloodHound Enterprise Configuration Status from within On Demand Audit. Review the configuration connection message details to determine whether the connection to SpecterOps has been successful. Review the Last Configuration Received, Next Configuration Synchronization, and the status of the configuration.

 

To access the Tier Zero Objects list:

From the On Demand left navigation menu, choose Security | Tier Zero Objects. The following information is listed for each Tier Zero object:

  • Display Name

  • Principal Name

  • Distinguished Name

  • Object Type

  • Date Added

    NOTE: This field displays the signed-in user's local date and time.

NOTE: If you click the Filter button, you can filter displayed results by any one of these criteria.

From the Tier Zero Objects list, you can:

Viewing Tier Zero Object Details

To view a Tier Zero object's details:

From the Dashboard Uncertified Tier Zero Objects tile or the Tier Zero Objects list, click the object's Principal Name.

 

The following information displays for the selected Tier Zero object:

  • Object Properties:

  • Certification Status

  • Added By (Security Guardian, BloodHound Enterprise or User)

  • Distinguished Name

  • Object ID

  • Object Type

  • Principal Name

  • Domain FQDN

  • Domain SID

  • Date Added

    NOTE: This field displays the signed-in user's local date and time.

  • Information Last Updated

  • for a User object, local admin privileges
  • for a Group object, any other groups it is a member of
  • for a Group Policy object, objects affected by the Group Policy

    NOTE: BloodHound Enterprise classifies domains affected by a Group Policy as OUs.
  • objects that the selected object can control
  • objects that have control over the selected objects.

NOTE: BloodHound Enterprise returns a maximum of 1,000 related objects for each Tier Zero category.

Why Tier Zero?

This section provides the reason why the object is considered Tier Zero. If the object was added by the provider (Security Guardian or Bloodhound Enterprise), the reason is returned by the provider. If the object was manually added by a user, the reason is "Manually added as Tier Zero by <user_principal_that_added_object>".

Adding Tier Zero Objects Manually

You can add Tier Zero objects manually for AD objects that were not identified as Tier Zero by the Tier Zero provider but are considered critical assets in your organization.

 

In addition to the Tier Zero objects identified by the Tier Zero provider, it is recommended that the following objects be added manually:

  • Microsoft Entra Connect servers, including:

    • servers with PTA agents if Pass-Through Authentication (PTA) is enabled

    • the "AZUREADSSO" computer account

  • Active Directory Federation servers

  • Privileged access management (PAM) systems

  • Certificate Authorities and Subordinates

  • Computers that host Quest Recovery Manager and other Active Directory management software and their backups

  • Computers that host GPOAdmin, Active Administrator, and other group policy management software

  • Microsoft Exchange Servers (if split permissions are not configured)

  • Microsoft System Center Configuration Manager (SCCM) servers or equivalent

  • Microsoft Exchange Groups (if default permissions are still configured)

  • Microsoft SQL server or equivalent if hosting a database from a Tier Zero system

  • Active Directory Management and auditing software, such as Change Auditor or Active Roles Server

To add a Tier Zero object manually:

  1. Use one of the following options:

  2. For each Tier Zero object you want to add:

    1. Enter the object's Principal Name, or type at least two characters then select the object from the drop-down. (Note that a message will display if the object is already Tier Zero.)

      The object will be added to the Principal Name list.

    2. In the Principal Name list, select object(s) you want to add.

  3. Click Save.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione