Microsoft TI on protecting Tier‑0 identity
Microsoft’s threat intelligence highlighted defending high‑value assets like domain controllers and identity infrastructure, using attack‑path context to block credential theft and web shells on Tier‑0 systems. The practical implication is to prioritise detections that combine endpoint telemetry with identity‑tier context rather than treating them separately. That means surfacing credential theft indicators alongside Tier‑0 sign‑in anomalies and hardening playbooks for identity infrastructure hosts. (Microsoft Threat Intelligence blog)
When attackers want the keys to a company, they usually do not start with the chief executive. They go after the machines that decide who is allowed in, especially domain controllers and identity servers. (learn.microsoft.com)

A domain controller is the office front desk for a Windows network: it checks names, hands out badges, and decides which doors open. Microsoft says compromising one can give an attacker the most direct path to taking over Active Directory, which then reaches servers, laptops, and user accounts across the environment. (learn.microsoft.com)

Microsoft groups these crown-jewel systems into “Tier 0,” which means accounts and computers with direct or indirect control over identity. That list includes domain administrators, service accounts, domain controllers, and other systems that can change authentication or access rules. (techcommunity.microsoft.com, learn.microsoft.com)

The reason Tier 0 gets special treatment is simple: if Tier 0 credentials touch an ordinary machine, attackers can steal them there. Microsoft’s guidance says the goal of administrative tiering is to stop Tier 0 credentials from ever being exposed on lower-tier systems used for email, web browsing, or routine work. (techcommunity.microsoft.com, learn.microsoft.com)

That is why Microsoft’s latest Defender write-up focuses on “high-value assets” instead of treating every server the same. The company says domain controllers, identity infrastructure, and web servers are frequent targets in real attacks, so Defender now uses asset-aware protection tied to Microsoft Security Exposure Management to spot and block threats against those systems. (microsoft.com)

The shift is from isolated alerts to attack paths. Microsoft’s March 2026 identity post says defenders need to understand how one leaked password or one risky sign-in connects back to a critical asset, because a valid credential only becomes a disaster when it opens a route to something important. (techcommunity.microsoft.com)

In practice, that means a password-dumping alert on a random employee laptop is not the same as the same alert on a domain controller. On a Tier 0 host, credential theft tools can expose administrator secrets that let an intruder create accounts, reset passwords, or push malicious policy across the network. (learn.microsoft.com, learn.microsoft.com)

The same logic applies to web shells, which are tiny backdoor programs attackers plant on a server so they can come back later through a browser request. If that backdoor lands on identity infrastructure instead of an ordinary application server, the attacker is standing inside the room where access decisions are made. (microsoft.com)

So the operational change for security teams is to join two views that are often split apart: endpoint telemetry from the machine and identity context from the account system. Microsoft has been pushing that convergence across Defender and Defender for Identity so analysts can see not just “malware on host A,” but “malware on a Tier 0 host tied to privileged sign-in activity.” (microsoft.com, microsoft.com)

That changes triage order. A medium-severity credential-theft signal paired with an unusual sign-in on a Tier 0 system should jump ahead of a louder alert on an ordinary workstation, because the blast radius is radically different. (microsoft.com, techcommunity.microsoft.com)

It also changes hardening. Microsoft’s long-running guidance says Tier 0 systems should be isolated, administered only by Tier 0 accounts, and accessed through privileged workstations where possible, because every extra login path is another place an attacker can catch a powerful credential. (techcommunity.microsoft.com, techcommunity.microsoft.com)

The thread running through Microsoft’s message is that identity is no longer just another log source. If defenders know which machines sit at the center of authentication, they can treat a stolen password on those machines the way a bank treats movement in the vault, not the lobby. (microsoft.com, techcommunity.microsoft.com)
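The triage change described above, as an added illustration rather than Microsoft's or the page's own code: a small Python scorer that joins endpoint alerts with an asset-tier inventory and identity sign-in anomalies, so a medium credential-theft signal on a domain controller outranks a high-severity commodity alert on a workstation. Hostnames, accounts, tier weights and the alert records are all constructed for the example.

```python
"""Tier-aware alert triage: join endpoint alerts with asset tier and identity sign-in anomalies."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical hostnames): host -> administrative tier (0 = identity control plane).
ASSET_TIER = {"dc01": 0, "adfs01": 0, "web02": 1, "laptop-17": 2}

# Constructed sign-in anomalies as the identity system would report them: (host, account, time).
SIGNIN_ANOMALIES = [("dc01", "corp\\svc-backup", datetime(2026, 3, 10, 2, 14))]

@dataclass
class Alert:
    host: str
    technique: str   # e.g. "credential-theft", "web-shell", "commodity-malware"
    severity: int    # vendor severity 1 (low) .. 3 (high)
    time: datetime

SEVERITY_WEIGHT = {1: 10, 2: 20, 3: 30}
TIER_WEIGHT = {0: 100, 1: 30, 2: 0}     # Tier 0 dominates raw severity by design
IDENTITY_CRITICAL = {"credential-theft", "web-shell"}  # techniques that matter most on identity infrastructure

def signin_anomaly_near(host: str, when: datetime, window=timedelta(hours=1)) -> bool:
    """True if the identity system saw an anomalous sign-in on this host within the window."""
    return any(h == host and abs(t - when) <= window for h, _, t in SIGNIN_ANOMALIES)

def score(alert: Alert) -> int:
    """Blast-radius-aware score: tier context and identity correlation outrank raw severity."""
    tier = ASSET_TIER.get(alert.host, 2)   # unknown hosts are treated as ordinary workstations
    s = SEVERITY_WEIGHT[alert.severity] + TIER_WEIGHT[tier]
    if tier == 0 and alert.technique in IDENTITY_CRITICAL:
        s += 50                             # credential theft or web shell on the control plane
    if signin_anomaly_near(alert.host, alert.time):
        s += 40                             # endpoint signal paired with an identity-tier anomaly
    return s

def triage(alerts: list[Alert]) -> list[Alert]:
    """Order alerts by descending score, so the largest blast radius is worked first."""
    return sorted(alerts, key=score, reverse=True)

# Constructed sample: a loud workstation alert versus a medium credential-theft signal on a DC.
SAMPLE_ALERTS = [
    Alert("laptop-17", "commodity-malware", 3, datetime(2026, 3, 10, 2, 30)),
    Alert("dc01", "credential-theft", 2, datetime(2026, 3, 10, 2, 20)),
    Alert("web02", "web-shell", 3, datetime(2026, 3, 10, 3, 0)),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"{score(a):4d}  {a.host:10s} {a.technique}")
```

In a real deployment the tier map would come from the asset inventory and the anomaly list from the identity provider's sign-in risk feed; the weights are illustrative and should be tuned to the environment.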