Skip to main content
Applies to BloodHound Enterprise and CE Privilege Zones help you organize objects in your environment into logical groups based on their privilege and risk levels. Using Privilege Zones, you can monitor and maintain the security posture of tiered isolation models.
The Privilege Zones feature is available under early access.

Key concepts

Review these key concepts before exploring Privilege Zones. You can find detailed explanations for each concept in the articles throughout this section.
ConceptDescriptionUsed in Risk Analysis
ZoneA group of objects representing the hierarchy of control across all domains in an environment (based on access level)
LabelA flexible way to categorize objects within a zone (or across zones) for easier searching and filtering
RuleA set of instructions that associates objects with zones and labels, based on object types, relationships (expansion), or Cypher queries
TaggingThe process of associating objects with zones and labels using rules
CertificationEnterprise Edition An optional process to interrupt automatic inclusion of additional objects in a zone by requiring manual certification of the additional objects
Zones organize objects into a strict hierarchy. BloodHound analyzes how object privileges are assigned and where they can be escalated across your environment. By default, BloodHound includes a Tier Zero zone that represents a set of objects with full control over an environment and any objects with control over those objects. See Tier Zero: Members and Modification to learn more.
By default, you can create up to two additional zones to match your organization’s security model. If you need to create more zones, contact your account manager.
If BloodHound detects an object in a lower-privileged zone controlling an object in a higher-privileged zone, it identifies it as a finding in the Attack Paths and Posture pages. For example, if a Tier One user can control a Tier Zero server, BloodHound flags it as a violation of the privilege model. This analysis helps you identify and remediate privilege escalation paths and misconfigurations that violate your security model.

Features

The Zone Builder page provides tools for configuring and managing your privilege zones. Once configured, BloodHound analyzes your zones and displays findings in the Attack Paths and Posture pages. The Zone Builder page provides the following tabs:
  • Zones: A group of objects that represent the hierarchy of control across all domains in an environment based on access level
  • Labels: A flexible way to categorize a group of objects in a single zone (or across multiple zones) for easier searching and filtering
  • Certification Enterprise Edition: An optional process to interrupt automatic inclusion of additional objects in a zone by requiring manual certification of the additional objects
  • History: An audit log of changes made to your zones and labels over time
These tools enable further risk mitigation in your environments by highlighting the violations and misconfigurations in your tiered network model.