Control the System That Controls Access
Corporations use Active Directory for access to systems, applications, and the Internet. But too often this critical business system is overlooked when it comes to who has access to it and to the broad privileges granted to systems and users. Following a three-tiered, granular least-access approach, you can control access and thereby limit the risk of exposing critical security controls to those who have no business having access or permissions.
Quite often AD is rolled out in a flat configuration where Domain Admins have privileges to do everything, everywhere, and there end up being dozens or more of these users. Compromising one Domain Admin account provides a threat actor with access to everything.
Instead, we believe there should be only a small handful of users with access to critical servers like AD, authentication, DNS, DHCP, etc., AND those passwords should not be used anywhere else. In the second tier are server admins who do NOT have access to Tier 1 but only to the servers that live in the 2nd tier, such as web and application servers. If a Domain Admin needs access to these servers, then that access is granted only through a separate account and password that can reach Tier 2 services alone. Thus, if a Tier 2 admin password is compromised, there is no way for the attacker to use it to access Tier 1 services. The 3rd tier is for the general user population, who have no access to either Tier 1 or Tier 2.
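The tiering rules above can be turned into an audit that runs against exported group memberships and logon records. The following is an added example, not code from the original page or from any product it describes; every group name (other than the built-in Domain Admins), host name, account name and the Tier 1 headcount threshold is a constructed assumption, and the membership and logon data are embedded inline so it runs offline. It flags the three conditions the text warns about: one account holding privilege in more than one tier, a Tier 1 credential being typed into a lower-tier host, and too many Tier 1 admins overall.

```python
"""Audit constructed AD data against a three-tier admin model:
Tier 1 = AD, authentication, DNS, DHCP; Tier 2 = web/application servers;
Tier 3 = general users. Example code, not from the original page."""

# Hypothetical mapping of AD groups to the tier they confer (assumption;
# only "Domain Admins" and "Domain Users" are real built-in group names).
GROUP_TIER = {
    "Domain Admins": 1,
    "Tier1-Infra-Admins": 1,
    "Tier2-Server-Admins": 2,
    "Domain Users": 3,
}

# Hypothetical mapping of hosts to their tier (assumption).
HOST_TIER = {
    "DC01": 1, "DNS01": 1,
    "WEB01": 2, "APP01": 2,
    "WS-ALICE": 3,
}

# Constructed group memberships: account -> set of group names.
# "da-alice"/"srv-alice" model the separate-account pattern the text asks for;
# "da-bob" is one account spanning Tier 1 and Tier 2.
MEMBERSHIPS = {
    "da-alice": {"Domain Admins", "Domain Users"},
    "srv-alice": {"Tier2-Server-Admins", "Domain Users"},
    "da-bob": {"Domain Admins", "Tier2-Server-Admins", "Domain Users"},
    "alice": {"Domain Users"},
    "da-carol": {"Tier1-Infra-Admins"},
}

# Constructed interactive logon events: (account, host).
LOGONS = [
    ("da-alice", "DC01"),
    ("srv-alice", "WEB01"),
    ("da-carol", "WEB01"),    # Tier 1 credential exposed on a Tier 2 host
    ("alice", "WS-ALICE"),
]

MAX_TIER1_ADMINS = 4  # policy threshold for "a small handful" (assumption)


def account_tiers(groups):
    """Tiers an account can administer via its groups. Tier 3 membership
    (e.g. Domain Users) is ignored because every account has it."""
    return {GROUP_TIER[g] for g in groups if g in GROUP_TIER and GROUP_TIER[g] < 3}


def audit(memberships, logons, host_tier, max_tier1):
    """Return a list of (finding, subject, detail) tuples."""
    findings = []
    tier1_admins = []

    # Rule 1: an account must hold admin privilege in at most one tier.
    for acct, groups in memberships.items():
        tiers = account_tiers(groups)
        if 1 in tiers:
            tier1_admins.append(acct)
        if len(tiers) > 1:
            findings.append(("cross-tier-membership", acct, sorted(tiers)))

    # Rule 2: an admin credential must never be used on a host below its
    # tier (lower number = more privileged). Unknown hosts count as Tier 3.
    for acct, host in logons:
        tiers = account_tiers(memberships.get(acct, set()))
        if not tiers:
            continue  # plain user, no tier restriction on where it logs on
        highest_privilege = min(tiers)
        if host_tier.get(host, 3) > highest_privilege:
            findings.append(("privileged-logon-to-lower-tier", acct, host))

    # Rule 3: keep the Tier 1 population to a small handful.
    if len(tier1_admins) > max_tier1:
        findings.append(("too-many-tier1-admins", len(tier1_admins), sorted(tier1_admins)))

    return findings


if __name__ == "__main__":
    for finding in audit(MEMBERSHIPS, LOGONS, HOST_TIER, MAX_TIER1_ADMINS):
        print(finding)
```

In a real environment the `MEMBERSHIPS` and `LOGONS` dictionaries would be populated from exported group membership and from interactive logon events collected on the hosts; the password-reuse rule from the text is not checkable from membership data alone and is best enforced by separate credentials per tier rather than detected after the fact.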