Active Directory Tiering for Texas SMBs: The 90-Day Implementation
Microsoft's tiered administration model is the single highest-leverage AD security control most Texas SMBs haven't deployed. A 90-day rollout closes the most-exploited lateral movement path used in modern ransomware.
Introduction
The single highest-leverage Active Directory security control most Texas SMBs have not deployed is Microsoft's tiered administration model — the Tier 0 / Tier 1 / Tier 2 framework that segregates administrative credentials so that compromise of a workstation does not lead to compromise of a domain controller. This is the lateral movement path used in roughly 90% of ransomware incidents we investigate.
This guide is a 90-day implementation plan for Texas SMBs in the 50-500 employee range. It assumes you have an on-premises Active Directory or hybrid environment, that you've never formally tiered admin access, and that you want to close this gap before your next audit, cyber insurance renewal, or incident.
What the Tiered Model Actually Means
The model defines three tiers of administrative access based on what the credential controls:
- Tier 0 — controls identity itself. Domain controllers, Active Directory database, certificate authority, federation services, identity synchronization servers. Compromise of Tier 0 is game over.
- Tier 1 — controls servers and applications. Database servers, application servers, file servers, hypervisor management. Compromise of Tier 1 is severe but recoverable.
- Tier 2 — controls user workstations and standard endpoints. Help desk admin rights, workstation management. Compromise of Tier 2 is daily noise.
The core rule: credentials from a higher tier may never authenticate to a lower tier. A Tier 0 admin must never log into a Tier 2 workstation, because if that workstation has malware, the malware can steal the Tier 0 credential and pivot to a domain controller.
Why It Matters Now
Modern ransomware operators specifically target the Domain Admin escalation path. The dwell-time pattern looks like this:
1. Initial access via phishing, an exploited service, or a stolen credential lands on a workstation (Tier 2)
2. Local privilege escalation, then credentials are dumped from memory (LSASS)
3. Find a Tier 1 or Tier 0 credential that recently authenticated to that workstation (because admins log into workstations to support users)
4. Use that credential to authenticate to a Tier 0 system, dump SYSTEM/NTDS.dit, and extract all domain hashes
5. With Domain Admin everywhere, deploy ransomware domain-wide
The entire chain depends on step 3. Tiered administration breaks step 3 by ensuring Tier 0 and Tier 1 credentials never authenticate to a workstation in the first place.
The 90-Day Implementation Plan
Days 1-15: Discovery and Inventory
- Inventory all admin accounts (Domain Admins, Enterprise Admins, Schema Admins, all built-in admin groups)
- Identify each account's actual usage: who uses it, for what tasks, on which systems
- Categorize each system as Tier 0, Tier 1, or Tier 2
- Identify "service accounts" with admin rights — these are usually misclassified Tier 1 or Tier 0 entities
- Document your current state honestly. Most environments will discover Tier 0 admins routinely RDP into workstations to support users.
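The Day 1-15 inventory as an added PowerShell example (not the article's own tooling): it enumerates the built-in privileged groups, expands nested membership, and flags accounts that look like service accounts by registered SPN or a non-expiring password. It assumes the RSAT ActiveDirectory module, read rights to the domain, and a group list you can extend; "on which systems" each account is used comes from domain controller logon events, not from this script.

```powershell
# Added example, not from the original article. Inventories the built-in
# admin groups and flags likely service accounts with admin rights.
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators',
              'Server Operators', 'Print Operators'

$rows = foreach ($g in $privGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate,
                 PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, Enabled
        # Heuristic for "service account with admin rights": an SPN is
        # registered, or the password is set to never expire.
        $hasSpn = ($u.ServicePrincipalName.Count -gt 0)
        [pscustomobject]@{
            Group                = $g
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            LastLogonDate        = $u.LastLogonDate
            PasswordAgeDays      = if ($u.PasswordLastSet) {
                                       (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
            PasswordNeverExpires = $u.PasswordNeverExpires
            HasSPN               = $hasSpn
            LikelyServiceAcct    = ($hasSpn -or $u.PasswordNeverExpires)
            Tier                 = 'TBD'   # filled in during the Day 1-15 categorization
        }
    }
}

# One row per (group, account) pair; the CSV is the honest "current state" record
$rows | Sort-Object LikelyServiceAcct, LastLogonDate -Descending |
    Export-Csv -Path .\admin-inventory.csv -NoTypeInformation

# Quick-win candidates: service-like, disabled, or stale-password admin accounts
$rows | Where-Object { $_.LikelyServiceAcct -or -not $_.Enabled -or $_.PasswordAgeDays -gt 365 } |
    Format-Table Group, SamAccountName, Enabled, LastLogonDate, PasswordAgeDays, HasSPN -AutoSize
```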
Days 16-30: Build the Tier 0 Boundary
- Create dedicated Tier 0 admin accounts (separate from daily-use Tier 1/2 accounts)
- Designate Privileged Access Workstations (PAWs) — dedicated hardware or VMs used ONLY for Tier 0 admin tasks
- Configure PAWs with no internet access, no email, no productivity software, locked down via PAM/application allowlisting
- Apply Authentication Policy Silos to bind Tier 0 admin accounts to PAWs only
- Migrate Tier 0 admin work onto PAWs, verify it functions
Days 31-60: Tier 1 Server Boundary
- Create Tier 1 admin accounts separate from Tier 0 and Tier 2
- Designate Tier 1 jump servers — Windows Server systems used to admin Tier 1 servers
- Apply Authentication Policy Silos preventing Tier 1 accounts from logging into Tier 2 workstations
- Use LAPS to randomize local admin passwords on all servers (eliminates the universal local admin pivot)
- Migrate server administration onto the Tier 1 jump pattern
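The Authentication Policy Silo step from Days 16-30 (Tier 0 accounts bound to PAWs) and Days 31-60 (Tier 1 accounts bound to jump servers) share one pattern, shown here as an added PowerShell example that is not the article's own code. It assumes domain functional level 2012 R2 or later, the KDC and Kerberos client "support for claims, compound authentication and Kerberos armoring" policies enabled, and placeholder names (Tier0-Silo, T0-PAW01, t0-jdoe, T1-JUMP01, t1-jdoe) that you replace with your own.

```powershell
# Added example, not from the original article. Names are placeholders.
Import-Module ActiveDirectory

function New-TierSilo {
    param(
        [Parameter(Mandatory)] [string]   $Name,        # e.g. 'Tier0-Silo'
        [Parameter(Mandatory)] [string[]] $AdminHosts,  # PAWs (Tier 0) or jump servers (Tier 1)
        [Parameter(Mandatory)] [string[]] $AdminUsers,  # the tier's dedicated admin accounts
        [int] $TgtLifetimeMins = 240                     # short TGT lifetime limits ticket reuse
    )
    $policyName = "$Name-Policy"
    # SDDL condition: a TGT is issued only when the device the user signs in
    # from is itself a member of this silo (@USER is evaluated against the device).
    $fromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$Name`"))"

    New-ADAuthenticationPolicy -Name $policyName -Enforce `
        -UserTGTLifetimeMins $TgtLifetimeMins `
        -UserAllowedToAuthenticateFrom $fromSilo
    New-ADAuthenticationPolicySilo -Name $Name -Enforce `
        -UserAuthenticationPolicy $policyName `
        -ComputerAuthenticationPolicy $policyName `
        -ServiceAuthenticationPolicy $policyName

    # Every host the tier's admins sign in to interactively (the PAW, and any
    # DC or server reached over plain RDP) must be in the silo, or the
    # condition above can never be satisfied. Grant access before assigning.
    foreach ($h in $AdminHosts) {
        $c = Get-ADComputer -Identity $h
        Grant-ADAuthenticationPolicySiloAccess -Identity $Name -Account $c
        Set-ADAccountAuthenticationPolicySilo -Identity $c -AuthenticationPolicySilo $Name
    }
    foreach ($u in $AdminUsers) {
        $a = Get-ADUser -Identity $u
        Grant-ADAuthenticationPolicySiloAccess -Identity $Name -Account $a
        Set-ADAccountAuthenticationPolicySilo -Identity $a -AuthenticationPolicySilo $Name
        # Protected Users: no NTLM, no RC4/DES, no delegation, no long-lived TGT
        Add-ADGroupMember -Identity 'Protected Users' -Members $a
    }
}

# Days 16-30: Tier 0 admin accounts usable only from the PAWs
New-TierSilo -Name 'Tier0-Silo' -AdminHosts 'T0-PAW01', 'T0-PAW02' -AdminUsers 't0-jdoe'
# Days 31-60: same pattern, jump server as the only allowed source for Tier 1
New-TierSilo -Name 'Tier1-Silo' -AdminHosts 'T1-JUMP01' -AdminUsers 't1-jdoe'
```

Test with one account per tier before enforcing for everyone: an account in an enforced silo that signs in from a host outside the silo is refused a TGT, which is the intended effect but also the easiest way to lock yourself out.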
Days 61-75: Tier 2 Workstation Boundary
- Create dedicated Tier 2 admin accounts for help desk staff
- Use LAPS for workstation local admin password randomization
- Configure Tier 2 admin accounts to be unable to log into Tier 0 or Tier 1 systems
- Just-in-time elevation for help desk: temporary admin rights on the specific workstation being supported, expiring after 60 minutes
Days 76-90: Verification and Documentation
- Test that a compromised Tier 2 workstation cannot pivot to Tier 1 or Tier 0
- Test that Tier 0 admins cannot accidentally log into a workstation
- Document the new model — runbook for help desk, runbook for server admins, runbook for identity admins
- Train all admins on the new procedure
- Schedule quarterly review
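The Day 76-90 boundary test, as an added PowerShell example (not from the article): it reads the domain controllers' Security logs for two signals, Tier 0 TGTs issued from non-PAW addresses (a violation that should be empty) and authentication policy denials (which should appear after the deliberate test logon from a workstation). It assumes the "Audit Kerberos Authentication Service" subcategory is enabled on the DCs, a t0- naming prefix for Tier 0 accounts, and constructed PAW addresses.

```powershell
# Added example, not from the original article. Prefix, PAW IPs are placeholders.
Import-Module ActiveDirectory
$dcs      = (Get-ADDomainController -Filter *).HostName
$tier0Pat = '^t0-'                           # assumed naming convention for Tier 0 accounts
$pawIps   = @('10.0.50.11', '10.0.50.12')    # constructed sample PAW addresses
$since    = (Get-Date).AddDays(-7)

function Get-EventField($Event, $Name) {
    # Pull one named value out of the event's XML payload
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$violations = foreach ($dc in $dcs) {
    # 4768 = Kerberos TGT issued. A successful TGT for a Tier 0 account from
    # a non-PAW address means the boundary is not enforced (or was bypassed).
    $tgts = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $tgts) {
        $user = Get-EventField $e 'TargetUserName'
        $ip   = (Get-EventField $e 'IpAddress') -replace '^::ffff:', ''
        $ok   = (Get-EventField $e 'Status') -eq '0x0'
        if ($ok -and $user -match $tier0Pat -and $ip -notin $pawIps) {
            [pscustomobject]@{ DC = $dc; Time = $e.TimeCreated; User = $user; SourceIp = $ip }
        }
    }
}

# 4820/4821 = TGT / service ticket denied by authentication policy. After the
# test logon from a Tier 2 workstation, at least one of these should be present.
$denials = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4820, 4821; StartTime = $since } -ErrorAction SilentlyContinue
}

"Tier 0 TGTs issued outside PAWs (should be 0): $(@($violations).Count)"
$violations | Format-Table -AutoSize
"Policy denials logged (should be > 0 after the test): $(@($denials).Count)"
$denials | Select-Object TimeCreated, MachineName, Id, Message | Format-Table -Wrap
```

Run the same query for the Tier 1 prefix against the jump server addresses to cover the Tier 1 boundary, and keep it as the quarterly review check.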
What This Doesn't Eliminate
Tiered admin closes the most common pivot path. It does not close:
- Compromise via Tier 1 application vulnerability (still need patching)
- Compromise via Tier 2 user account credential theft (still need MFA — see MFA bypass attacks)
- Compromise of cloud identity (Microsoft 365 admins need separate hardening — see ITDR coverage)
It is a foundational layer, not a replacement for the other layers.
Where to Start
For Texas SMBs without tiered administration: the Day 1-15 discovery is the highest-leverage starting point. Most organizations don't actually know how their admin credentials are used until they look. The discovery alone often reveals 5-10 quick wins (service accounts that should be removed, Domain Admins that should be Tier 1, RDP sessions that should not be happening).
Pair this with our 2026 PAM tools comparison for the endpoint enforcement layer, and our cybersecurity services for the broader program.