Privileged Authentication Silo Configuration


Description

Proper management of privileged accounts (users and computers) is essential to limit the risk of a full Active Directory (AD) compromise. Since Windows Server 2012 R2, Microsoft provides features and a reference design to adequately protect such accounts using authentication policies and authentication policy silos. This Indicator of Exposure aims to assist AD administrators in implementing a model designed to protect those highly privileged (i.e. "Tier-0") accounts.

Solution

To defend against attackers and malware attempting to steal privileged identities, privileged users should only ever connect to trusted machines. Following a "tier model" design, and focusing first on the highest tier (referred to as "Tier-0"), implement authentication policies and authentication policy silos. This ensures that the credentials of privileged users never land on, and cannot be used from, standard workstations and servers.
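As an added example (not one of this indicator's own checks), the following PowerShell builds a Tier-0 silo along the lines described above and then lists privileged accounts that are still outside it; the silo and policy names, the sample accounts and the Tier-0 group list are assumptions.

```powershell
# Added example: Tier-0 authentication policy silo plus an audit of
# privileged accounts not yet assigned to it. Silo/policy names, the
# sample accounts and the group list below are assumptions.
# Requires the ActiveDirectory module and a 2012 R2+ domain functional level.
Import-Module ActiveDirectory

$SiloName = 'T0-Silo'
$Enforce  = $false   # start in audit mode (events only); set to $true once the logs are clean

# Claim-based SDDL: only principals whose AuthenticationSilo claim equals
# $SiloName may authenticate as a Tier-0 user, so Tier-0 credentials are
# unusable from an ordinary workstation or server.
$UserSddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'

# One policy serving the users, computers and services of the silo, with short TGTs.
New-ADAuthenticationPolicy -Name 'T0-Policy' -Description 'Tier-0 authentication policy' `
    -UserTGTLifetimeMins 240 -ComputerTGTLifetimeMins 240 -ServiceTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $UserSddl -Enforce:$Enforce

New-ADAuthenticationPolicySilo -Name $SiloName -Description 'Tier-0 silo' `
    -UserAuthenticationPolicy 'T0-Policy' -ComputerAuthenticationPolicy 'T0-Policy' `
    -ServiceAuthenticationPolicy 'T0-Policy' -Enforce:$Enforce

# Membership is two-sided: the silo must permit the account, and the account
# must be assigned to the silo. Sample members are placeholders.
$Members = @((Get-ADUser 'T0-Admin01'), (Get-ADComputer 'PAW01'), (Get-ADComputer 'DC01'))
foreach ($m in $Members) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $m
    Set-ADAccountAuthenticationPolicySilo -Identity $m -AuthenticationPolicySilo $SiloName
}

# Audit: members of Tier-0 groups with no silo assignment are the exposure
# this indicator is about. The group list is an assumption; extend it to
# match your own Tier-0 definition.
function Get-UnsiloedTier0Account {
    $Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $Tier0Groups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Sort-Object -Property distinguishedName -Unique |
        ForEach-Object {
            Get-ADObject -Identity $_.distinguishedName -Properties msDS-AssignedAuthNPolicySilo
        } |
        Where-Object { -not $_.'msDS-AssignedAuthNPolicySilo' } |
        Select-Object Name, ObjectClass, DistinguishedName
}

Get-UnsiloedTier0Account | Format-Table -AutoSize
```

Run the policy and silo in audit mode first and review the authentication policy events on the domain controllers before switching `$Enforce` to `$true`, otherwise a mis-scoped SDDL locks the Tier-0 accounts out.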

See Also

Authentication Policies and Authentication Policy Silos

L'administration en silo (French reference whitepaper)

Indicator Details

Name: Privileged Authentication Silo Configuration

Codename: C-AUTH-SILO

Severity: High

MITRE ATT&CK Information:

Tactics: TA0004

Techniques: T1078