Financial Services · 6,500 employees

Regional Bank

Active Directory Tiering & Hardening

Active Directory · Governance · 12 weeks
Domain Admins: 47 → 6
Tier 0 isolation: Enforced
Critical findings closed: 100%

The challenge

A penetration test revealed that a single phished workstation could reach Domain Admin within hours. The bank had 47 accounts in Domain Admins, no separation between administration tiers, and an approaching regulatory exam that scrutinized privileged access controls.

The approach

  1. Performed an AD security assessment scored against tiered-administration best practices.

  2. Designed a Tier 0/1/2 model with dedicated admin accounts and secure admin workstation guidance.

  3. Cleaned up privileged group membership and implemented least-privilege delegation.

  4. Deployed authentication policies and silos to prevent Tier 0 credential exposure on lower tiers.

  5. Documented break-glass procedures and produced exam-ready evidence.

The outcome

Privileged accounts were reduced by 87%, and the tiered model contained credential-theft lateral movement. The bank passed its regulatory exam with no privileged-access findings.

Privileged account reduction: 87%
Regulatory findings: 0
Lateral-movement paths to Tier 0: Eliminated
