Tier-Zero Isolation: The Architecture That Closes Most Pentest Paths
Tier-zero isolation is not a product. It is an architectural commitment that breaks the lateral movement chain. We cover what belongs in tier-zero, the controls that enforce it, and the rollout mistakes that defeat it.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 19, 2024 · 9 min read
Every pentest report contains the same recommendation hidden in different sentences: implement a tier-zero administrative model. Most clients hear this and assign it as a workstream. Two years later, the workstream still has open tickets, the helpdesk still RDPs to domain controllers, and the next pentest finds the same path. The reason is that tier-zero is an architectural decision, not a checklist item. Once committed, it works. Half-committed, it does not.
What is in tier-zero
Tier-zero is the set of systems whose compromise is equivalent to compromise of the entire identity infrastructure. The list is longer than most teams expect.
- All domain controllers in every forest you operate.
- Every Active Directory Certificate Services server, including web enrollment and OCSP responder hosts.
- Azure AD Connect / Entra Connect servers (they hold DCSync rights).
- Federation servers (ADFS) and any system that signs SAML or OIDC tokens for production identity.
- Backup infrastructure that has direct read access to the AD database. Most enterprise backup products do.
- Privileged Access Management servers (CyberArk, BeyondTrust) and the secret stores they protect.
- Anything that holds the Domain Admins, Enterprise Admins, or krbtgt credentials in any form: jump servers used by tier-0 admins, build agents that deploy to DCs, monitoring servers with full WinRM rights to DCs.
Tier-1 is application servers and infrastructure with significant business value but no inherent path to identity compromise. Tier-2 is end-user workstations. The model breaks if a credential traverses tiers. A Domain Admin logging into a workstation deposits hashes that compromise tier-zero from tier-2.
Implementation controls
Five mechanisms together implement the tier model. Each one alone leaves gaps.
- Privileged Access Workstations (PAWs). Tier-0 admins use a dedicated, hardened, internet-restricted workstation that connects only to tier-0 systems. No browser, no email, no third-party software. Implemented as a separate hardware device or via shielded VM.
- Authentication Policy Silos. AD-native control that binds a set of accounts to a set of hosts: tier-0 accounts can only authenticate to tier-0 hosts. Configured via New-ADAuthenticationPolicy and New-ADAuthenticationPolicySilo. Requires a domain functional level of Windows Server 2012 R2 or higher.
- User Rights Assignment via GPO: assign Deny log on locally, Deny log on through Remote Desktop Services and Deny log on as a service to tier-2 accounts on tier-0 hosts, and to tier-0 accounts on tier-2 hosts. This is the rule that actually stops a misconfigured logon when the silo policy is bypassed.
- Jump servers / privileged session hosts for the path between PAW and tier-0 systems. Recorded sessions, MFA at the jump, no direct RDP from anywhere else.
- Network segmentation: tier-0 systems live in a dedicated VLAN with explicit firewall rules. RDP to a DC from a workstation subnet is denied at the network, regardless of credentials.
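As an added example (not the article's or Microsoft's own script), this is what the silo control above looks like when built the way the rollout order later in the article requires: created in audit mode, populated, verified, and only then enforced. The policy, silo, host and account names are placeholders, and the script assumes the ActiveDirectory module on a tier-0 admin host.

```powershell
# Added example, not the article's or any vendor's code: stand up a tier-0 policy and silo
# in audit mode, then enforce it after the review window. Names (Tier0-Policy, Tier0-Silo,
# DC01/DC02/PAW01/JUMP01, t0-alice/t0-bob) are placeholders for your own inventory.
# Prerequisites beyond the functional level: the "KDC support for claims, compound
# authentication and Kerberos armoring" setting on DCs and the matching Kerberos client
# setting on tier-0 hosts must be enabled by GPO, or the silo claim is never evaluated.
Import-Module ActiveDirectory

$policyName = 'Tier0-Policy'
$siloName   = 'Tier0-Silo'
$tier0Hosts = @('DC01$', 'DC02$', 'PAW01$', 'JUMP01$')   # computer accounts keep the trailing $
$tier0Users = @('t0-alice', 't0-bob')

# SDDL condition: a TGT is issued only when the requesting device carries the
# AuthenticationSilo claim for this silo, i.e. the account can log on only from silo hosts.
$allowedFrom = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' +
               $siloName + '"))'

# 1. Policy: short TGT lifetime plus the allowed-from condition. Without -Enforce the
#    policy is in audit mode: violations are logged on the DCs but nothing is blocked.
New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $allowedFrom

# 2. Silo: ties the user, computer and service accounts to that policy. Also audit mode.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy     $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy  $policyName

# 3. Every tier-0 account must be both permitted into the silo and assigned to it;
#    doing only one of the two is the rollout mistake that makes the silo a no-op.
foreach ($acct in ($tier0Hosts + $tier0Users)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
    Set-ADAccountAuthenticationPolicySilo  -Identity $acct -AuthenticationPolicySilo $siloName
}

# 4. Sanity check: list what the directory now believes is in the silo.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object -ExpandProperty Members

# 5. Only after the two-week review, with the legitimate violations fixed, flip to enforce.
#    Run these as a second change, never in the same window as the creation above.
# Set-ADAuthenticationPolicy     -Identity $policyName -Enforce $true
# Set-ADAuthenticationPolicySilo -Identity $siloName   -Enforce $true
```

The silo only constrains accounts that are members of it, so the inventory step has to be complete before this runs; a tier-0 admin left out of $tier0Users is simply unaffected.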
Detection of tier violations
Tier violations are the leading indicator of an in-progress pentest or incident. The detection rules are simple if the inventory is clean.
- 4624 on a domain controller where the SubjectUserName is not in the documented tier-0 admin list. This should be zero events outside known maintenance.
- 4624 with logon type 2 (interactive) on a tier-0 host. Tier-0 admins should rarely log on interactively to anything but PAWs and approved jump servers. An interactive logon to a DC is investigation-worthy.
- 4769 TGS requests where a tier-0 account is requesting service tickets for tier-2 hosts. If a Domain Admin asked for a TGS to a user workstation, somebody made a mistake or somebody is moving laterally.
- Any 4768 with a tier-0 account from a source IP that is not a documented PAW or jump server.
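The four rules above as one sweep over the DCs' Security logs, added here as an example rather than taken from the article. Note that 4624 records the account that logged on in TargetUserName (SubjectUserName is the account that requested the logon, usually SYSTEM or the host's machine account), so the allowlist check keys on TargetUserName; the admin list, host list and PAW addresses are constructed placeholders to be filled from the tier-0 inventory.

```powershell
# Added example, not the article's code: sweep every DC's Security log for the four
# tier-violation patterns. The allowlists are constructed placeholders; fill them from the
# tier-0 inventory. Requires the ActiveDirectory module and remote event-log access to DCs.
Import-Module ActiveDirectory
$tier0Admins  = @('t0-alice', 't0-bob')                   # documented tier-0 admin accounts
$tier0Hosts   = @('DC01', 'DC02', 'PAW01', 'JUMP01')      # tier-0 hosts, without trailing $
$pawAddresses = @('10.0.0.11', '10.0.0.12', '10.0.0.20')  # PAW and jump-server addresses
$since        = (Get-Date).AddHours(-24)

function Get-EventField($Event, [string]$Name) {
    # Pull one named EventData value out of the event's XML payload.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
function Get-DcEvents([string]$Dc, [int]$Id) {
    Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since }
}

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # 4624: the logged-on account is TargetUserName. Type 3 (network) is excluded because
    # every domain member reads SYSVOL over it; console/unlock/RDP/cached logons are the signal.
    Get-DcEvents $dc 4624 | ForEach-Object {
        $user = Get-EventField $_ 'TargetUserName'
        $type = Get-EventField $_ 'LogonType'
        if ($user.EndsWith('$') -or $type -notin @('2', '7', '10', '11')) { return }
        if ($user -notin $tier0Admins) {
            [pscustomobject]@{ Rule = 'non-tier0-logon-on-dc'; DC = $dc; User = $user; LogonType = $type; Time = $_.TimeCreated }
        } elseif ($type -eq '2') {
            [pscustomobject]@{ Rule = 'interactive-logon-on-dc'; DC = $dc; User = $user; LogonType = $type; Time = $_.TimeCreated }
        }
    }
    # 4769: a tier-0 account asking for a service ticket to a host outside tier-0.
    Get-DcEvents $dc 4769 | ForEach-Object {
        $acct = (Get-EventField $_ 'TargetUserName') -replace '@.*$', ''   # strip the realm
        $svc  = (Get-EventField $_ 'ServiceName')    -replace '\$$', ''    # strip the trailing $
        if ($acct -in $tier0Admins -and $svc -ne 'krbtgt' -and $svc -notin $tier0Hosts) {
            [pscustomobject]@{ Rule = 'tier0-tgs-for-tier2-host'; DC = $dc; User = $acct; Service = $svc; Time = $_.TimeCreated }
        }
    }
    # 4768: a TGT for a tier-0 account requested from an address that is not a PAW or jump host.
    Get-DcEvents $dc 4768 | ForEach-Object {
        $acct = Get-EventField $_ 'TargetUserName'
        $ip   = (Get-EventField $_ 'IpAddress') -replace '^::ffff:', ''   # IPv4-mapped form
        if ($acct -in $tier0Admins -and $ip -notin $pawAddresses) {
            [pscustomobject]@{ Rule = 'tier0-tgt-from-unknown-source'; DC = $dc; User = $acct; Source = $ip; Time = $_.TimeCreated }
        }
    }
}
```

Each rule emits one object per hit, so the output can be piped to Export-Csv or a SIEM forwarder; a scheduled run that returns anything outside a change window is the alert.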
Hardening priorities
If you cannot do everything at once, this is the order that produces the most security per unit of effort.
- Inventory tier-0. Write down every host. The act of writing it down forces the conversations about backup servers and SCCM that were never had.
- Build PAWs for the AD admin team and require their use. Do not move to step 3 until tier-0 admins exclusively use PAWs.
- Apply Authentication Policy Silos in audit mode, review the violation report for two weeks, fix the legitimate violations, then move to enforce.
- Apply User Rights Assignment GPOs to deny tier-crossing logons. Test in a small OU first.
- Network-segment tier-0 with dedicated VLAN and explicit firewall rules. Remove direct RDP from every other source.
- Add tier-0 systems to a separate Defender for Identity / EDR tenant or workspace if available, so detections on tier-0 are not lost in tier-2 noise.
After a real tier-zero rollout, the typical pentest findings change in character. Kerberoasting still works in places, ACLs still need cleanup, but the report no longer ends with Domain Admin in 14 minutes via PetitPotam. The attacker has to find a path through tier boundaries that does not exist, and most engagements time out before they do. That is the architectural fix the consulting recommendation has been pointing at for a decade.