Secure status and event monitoring of tier 0 systems
Keeping a Close Watch
From a security perspective, tier 0 systems such as domain controllers, privileged access workstations, or identity management systems provide direct access to digital resources, so more and more IT teams are making sure these systems have additional protection, which includes monitoring to make sure they are working properly.
Regardless of whether you use a tiering model with a formal description (guidelines, firewall rules, and access groups; e.g., the Microsoft tiering model [1]) in your infrastructure or simply apply common sense and good account hygiene in your daily administration, every IT landscape has systems and objects that can be classified as tier 0 – the parts of the environment that enable complete control over the identity and security infrastructure, which makes them both particularly vulnerable and particularly worthy of protection.
In a Windows server landscape, these elements are usually the Active Directory (AD) domain controllers, enterprise certification authorities, and sometimes systems that are heavily integrated into the AD, such as Exchange servers. As hybrid IT has progressed, new typical roles such as the Entra ID Connect server (formerly Azure AD Connect) have been added, and they clearly belong in tier 0. The administration workstations, or privileged access workstations, used to manage tier 0 systems must also be considered tier 0.
If errors occur, it is the monitoring systems' task to notify administrators by email, SMS, or other channels. In many organizations, the monitoring systems are even set up to initiate remedial action automatically in the event of certain malfunctions, ranging from a simple forced restart of a service or the entire server to complex workflows that expand the disks of virtual machines (VMs), move the VMs themselves to a different host or cluster, or trigger database reorganizations.
In the case of highly privileged tier 0