Tier Zero Objects
Tier Zero objects are the most critical assets within an organization's Active Directory. Within the Microsoft enterprise access model, Tier Zero objects in Active Directory include accounts, groups, and other assets that have direct or indirect administrative control of AD and the assets within it.
Currently, Security Guardian supports the following Tier Zero object types:
- Domains
- Computers
- Groups
- Group Policies
- Users
The Tier Zero provider (Security Guardian or BloodHound Enterprise) identifies Tier Zero objects within the organization's Active Directory domain(s). These objects are then collected by and displayed in Security Guardian.
You can also add Tier Zero objects to Security Guardian manually.
How Tier Zero Objects are Identified
Following are the criteria that the Security Guardian Tier Zero provider uses to identify Tier Zero objects in Active Directory.
- Domains: The Domain object is identified as Tier Zero because it is a domain partition in the Active Directory forest which supports replication and administrative functions.
- Groups: May be identified as Tier Zero if they are a Default AD Security Group which has access to Tier Zero objects in the domain, or if they are a member of another Tier Zero group (either directly or indirectly).
  The default AD Security Groups considered Tier Zero are:
  - Account Operators
  - Administrators
  - Backup Operators
  - Cert Publishers
  - Cloneable Domain Controllers
  - Cryptographic Operators
  - DnsUpdateProxy
  - DnsAdmins
  - Domain Admins
  - Domain Controllers
  - Enterprise Key Admin
  - Enterprise Admins
  - Enterprise Read-Only Domain Controllers
  - Group Policy Creators Owners
  - Hyper-V Administrators
  - Incoming Forest Trust Builders
  - Key Admins
  - Network Configuration Operators
  - Performance Log Users
  - Print Operators
  - Read-Only Domain Controllers
  - Remote Management Users
  - Schema Admins
  - Server Operators
  - Storage Replica Administrators
- Users: May be identified as Tier Zero if they are a member of a Tier Zero group (either directly or indirectly).
- Computers: May be identified as Tier Zero if they are a Domain Controller, Read-Only Domain Controller, or are a member of a Tier Zero group (either directly or indirectly).
It is recommended that some additional objects, which may not be identified by the Tier Zero provider, be added manually.
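The criteria above amount to a walk down the group-membership graph, starting from the default groups. The following sketch is an added example, not Security Guardian or BloodHound Enterprise code; it shows how direct and indirect membership, including cyclic group nesting, resolves to a Tier Zero set. The function name, the dictionary layout, the reason strings and all object names are assumptions constructed for illustration, and only a subset of the default groups is used as seeds.

```python
from collections import deque

# Seed groups: a subset of the default AD security groups the page lists.
DEFAULT_TIER_ZERO_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                            "Backup Operators", "Server Operators"}

# Constructed sample directory (hypothetical names, not real data).
SAMPLE_OBJECTS = {
    "corp.example": {"type": "domain"},
    "Administrators": {"type": "group"},
    "Domain Admins": {"type": "group"},
    "Helpdesk Leads": {"type": "group"},
    "Helpdesk": {"type": "group"},
    "Sales": {"type": "group"},
    "alice": {"type": "user"}, "bob": {"type": "user"}, "carol": {"type": "user"},
    "DC01": {"type": "computer", "dc": True},
    "WS042": {"type": "computer", "dc": False},
}
# group -> direct members; Helpdesk and Helpdesk Leads nest in each other (a cycle).
SAMPLE_MEMBERS = {
    "Administrators": ["Domain Admins"],
    "Domain Admins": ["alice", "Helpdesk Leads"],
    "Helpdesk Leads": ["Helpdesk"],
    "Helpdesk": ["bob", "Helpdesk Leads"],
    "Sales": ["carol", "WS042"],
}

def classify_tier_zero(objects, members):
    """Return {name: reason} for each object meeting the criteria listed above."""
    reasons, queue = {}, deque()
    for name, attrs in objects.items():
        if attrs["type"] == "domain":
            reasons[name] = "domain object"
        elif attrs["type"] == "computer" and attrs.get("dc"):
            reasons[name] = "domain controller or RODC"
        elif attrs["type"] == "group" and name in DEFAULT_TIER_ZERO_GROUPS:
            reasons[name] = "default AD security group"
            queue.append(name)
    # Walk down the membership graph so indirect (nested) members are found;
    # the `in reasons` check stops cyclic nesting from looping forever.
    while queue:
        group = queue.popleft()
        for member in members.get(group, []):
            if member in reasons or member not in objects:
                continue
            reasons[member] = f"member of Tier Zero group {group}"
            if objects[member]["type"] == "group":
                queue.append(member)
    return reasons
```

In the sample data, bob is reached only through two levels of nesting below Domain Admins, which is the kind of indirect membership that is easy to miss in a manual review.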
Tier Zero Objects List
The Tier Zero Objects list displays all of the Tier Zero objects that have been collected by the Tier Zero provider (Security Guardian or BloodHound Enterprise) as well as any that have been manually added by users.
NOTE: If BloodHound Enterprise is configured and you see the message No New Tier Zero Objects, check the BloodHound Enterprise Configuration Status. Review the configuration connection message details to determine whether the connection to SpecterOps has been successful. Review the Last Configuration Received, Next Configuration Synchronization, and the status of the configuration.
To access the Tier Zero Objects list:
From the On Demand left navigation menu, choose Security | Tier Zero Objects. The following information is listed for each Tier Zero object:
- Display Name
- Principal Name
- Distinguished Name
- Object Type
- Date Added
  NOTE: This field displays the signed-in user's local date and time.
NOTE: If you click the Filter button, you can filter displayed results by any one of these criteria.
From the Tier Zero Objects list, you can:
Viewing Tier Zero Object Details
To view a Tier Zero object's details:
From the Dashboard Uncertified Tier Zero Objects tile or the Tier Zero Objects list, click the object's Principal Name.
The following information displays for the selected Tier Zero object:
- for a User object, local admin privileges
- for a Group object, any other groups it is a member of
- for a Group Policy object, objects affected by the Group Policy
NOTE: BloodHound Enterprise classifies domains affected by a Group Policy as OUs.
- objects that the selected object can control
- objects that have control over the selected object.
NOTE: BloodHound Enterprise returns a maximum of 1,000 related objects for each Tier Zero category.
Why Tier Zero?
This section provides the reason why the object is considered Tier Zero. If the object was added by the provider (Security Guardian or BloodHound Enterprise), the reason is returned by the provider. If the object was manually added by a user, the reason is "Manually added as Tier Zero by <user_principal_that_added_object>".