Microsoft recommends securing networks by having a separate device for admin tasks
Microsoft’s Security Team has some insightful advice on how companies can reduce the risk of security breaches. Their recommendation concerns how companies should handle administrator accounts.
They recommend that employees with administrative access should use a separate device that is dedicated to handle only
This device needs to be kept up to date with all the most recent software and operating system patches.
Administrator accounts should also have zero rights by default; instead, administrators should request just-in-time (JIT) privileges that grant access for a finite amount of time. Each use of JIT privileges should also be logged.
Microsoft also recommends that administrator accounts be created in a separate user namespace/forest that does not have access to the internet. The admin identity should also be distinct from the employee’s normal work identity.
With this in place, a compromise of the company’s employee namespace/forest won’t give an attacker easy access to an administrator account, because the employee with administrative rights would not be using that account for daily tasks.
Remote access to the separate administrative device must also be prevented, as attackers could be logging these events on compromised
The way to go is to have administrators use their separate devices for any administrative tasks as often as possible.
Microsoft’s Security Team also suggested that administrative devices move away from passwords.
They recommend enforcing multi-factor authentication. By conforming to the Fast Identity Online (FIDO) 2.0 standard, a PIN and a biometric are used for authentication rather than a password.
Microsoft saved the most underrated identity management step for last: companies can take their basic user management setup and switch to a role-based setup. By basing login rights on roles rather than individual usernames, companies can assign each user account only the permissions required for that user’s job/tasks inside of the
When using this type of identity management, it’s important to move users across roles as their jobs change and to remove any access they no longer need.
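As an added illustration (not Microsoft’s or RHYNO Networks’ code), here is a small Python model of the policy described above: permissions belong to roles, accounts hold no standing rights, role membership comes only from JIT grants that expire, grants are revoked when a job changes, and every grant and authorization decision is logged. The role names, permissions and injectable clock are constructed assumptions for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed role catalogue (assumption, not from the article).
ROLE_PERMISSIONS = {
    "helpdesk": {"reset_password"},
    "server-admin": {"reset_password", "restart_service", "install_patch"},
}


@dataclass
class JitGrant:
    role: str
    expires_at: float  # absolute time after which the grant is dead


@dataclass
class AccessModel:
    """Zero standing rights: a user is allowed an action only while an
    unexpired JIT grant for a role that carries that permission exists."""
    clock: Callable[[], float] = time.time  # injectable for deterministic tests
    grants: Dict[str, List[JitGrant]] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def request_jit(self, user: str, role: str, ttl_seconds: float) -> JitGrant:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        grant = JitGrant(role, self.clock() + ttl_seconds)
        self.grants.setdefault(user, []).append(grant)
        self.audit_log.append({"event": "jit_granted", "user": user,
                               "role": role, "expires_at": grant.expires_at})
        return grant

    def revoke_role(self, user: str, role: str) -> int:
        """Remove every grant for a role, e.g. when the user changes jobs."""
        before = self.grants.get(user, [])
        self.grants[user] = [g for g in before if g.role != role]
        removed = len(before) - len(self.grants[user])
        self.audit_log.append({"event": "role_revoked", "user": user,
                               "role": role, "removed": removed})
        return removed

    def is_allowed(self, user: str, permission: str) -> bool:
        now = self.clock()
        active = [g for g in self.grants.get(user, []) if g.expires_at > now]
        self.grants[user] = active  # expired grants fall off silently
        allowed = any(permission in ROLE_PERMISSIONS[g.role] for g in active)
        self.audit_log.append({"event": "authz", "user": user,
                               "permission": permission, "allowed": allowed})
        return allowed
```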
As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648