Microsoft recommends securing networks by having a separate device for admin tasks

Microsoft’s Security Team has some insightful advice on how companies can reduce the risk of security breaches. Their recommendation is in regards to how companies should deal with administrator accounts.

They recommend that employees with administrative access should be using a separate device that is dedicated to handle only administrative operations.

This device needs to be kept up to date with all the most recent software and operating system patches.

It is also necessary to provide zero rights by default to administration accounts and instead require that they request just-in-time (JIT) privileges that offer access for a finite amount of time. The use of the JIT privileges should also be logged into a system.

Microsoft also recommends that administrator accounts should be created on a separate user namespace/forest that does not have access to the internet. The admin identity should also be different from the employee’s normal work identity. 

With this in place, any compromise of the company’s employee-force namespace/forest won’t allow for the attacker to have easy access to an administrator account, as the employee with the administrative rights would not be using that account for daily tasks.

Remote access to the separate administrative device must also be prevented, as attackers could be logging these events on compromised devices.

The way to go is to have administrators use their separate devices for any administrative tasks as often as possible.

It was also suggested by Microsoft’s Security Team that administrative devices move away from passwords.

They recommend enforcing multi-factor authentication. By conforming to the fast identity online (FIDO) 2.0 standard, a PIN and a biometric would be used for authentication rather than a password.

Microsoft saved the most underrated identity management step for last, which is that companies can take their set up of a basic user management plan and switch to a role-based set-up. By basing log in abilities around roles, rather than usernames, it allows companies to only assign permissions to each user account that are required for that user’s job/tasks inside of the organization.

When using this type of identity management, it’s important to move users across roles as their jobs change and to remove any access they no longer need.

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648