Microsoft Has a Recommendation and You’re Not Gonna Like It

System, network and application administrators can do the most damage in the event of a malware attack. The permissions they hold allow them to do many things the average user can't, and those same permissions, in the hands of a hacker, can mean a lot of damage inside any company.

So here is what Microsoft is recommending.

Per Microsoft's Security Team, employees with administrative access should be using a separate device, dedicated solely to administrative operations.

See, I told you that you weren't going to like it. But wait, there is more.

This device should always be kept up to date with all the most recent software and operating system patches.

That, of course, seems like common sense.

“Provide zero rights by default to administration accounts,” the Microsoft Security Team also recommended. “Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system.”

JIT permissions are a relatively new concept, but fundamentally a great one. Instead of having the administrator be all-powerful all the time, have them ask for a specific permission in real time, and only for the very short period in which they need it.
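To make the JIT idea concrete, here is a small model of the broker described in the quote above: the admin account starts with zero rights, asks for one named privilege for a bounded window, every grant and every privilege check is written to an audit trail, and the grant lapses on its own. This is an added illustration, not Microsoft's code or any product's API; the account name, privilege name, ticket reference, timestamps and the one-hour policy ceiling are all constructed for the example.

```python
"""Minimal just-in-time (JIT) privilege broker (illustrative, not a real product)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy: no single grant may last longer than one hour.
MAX_GRANT = timedelta(hours=1)


@dataclass
class Grant:
    privilege: str
    expires_at: datetime
    reason: str


@dataclass
class JitBroker:
    # (account, privilege) -> Grant; an account holds nothing by default.
    grants: dict = field(default_factory=dict)
    # Append-only audit trail: every decision the broker makes lands here.
    audit_log: list = field(default_factory=list)

    def _log(self, now, event, account, privilege, detail=""):
        line = f"{now.isoformat()} {event} account={account} privilege={privilege} {detail}"
        self.audit_log.append(line.rstrip())

    def request(self, account, privilege, reason, duration, now):
        """Ask for one privilege for a bounded time. Returns True if granted."""
        if duration <= timedelta(0) or duration > MAX_GRANT:
            self._log(now, "DENY", account, privilege, "duration outside policy")
            return False
        if not reason.strip():
            self._log(now, "DENY", account, privilege, "no justification given")
            return False
        expires = now + duration
        self.grants[(account, privilege)] = Grant(privilege, expires, reason)
        self._log(now, "GRANT", account, privilege,
                  f"until={expires.isoformat()} reason={reason!r}")
        return True

    def has_privilege(self, account, privilege, now):
        """Enforcement point: is this privilege currently held? Expired grants are dropped."""
        grant = self.grants.get((account, privilege))
        if grant is None:
            self._log(now, "CHECK-DENIED", account, privilege, "no active grant")
            return False
        if now >= grant.expires_at:
            del self.grants[(account, privilege)]
            self._log(now, "EXPIRED", account, privilege)
            return False
        self._log(now, "CHECK-OK", account, privilege)
        return True


def demo():
    """Walk one request through its life cycle; returns each decision plus the audit trail."""
    broker = JitBroker()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    acct, priv = "alice-adm", "reset-user-password"        # constructed names
    results = {
        "before_request": broker.has_privilege(acct, priv, t0),
        "granted": broker.request(acct, priv, "ticket INC-0001", timedelta(minutes=15), t0),
        "during_window": broker.has_privilege(acct, priv, t0 + timedelta(minutes=5)),
        "after_window": broker.has_privilege(acct, priv, t0 + timedelta(minutes=15)),
        "oversized_denied": not broker.request(acct, priv, "too long", timedelta(hours=2), t0),
    }
    return results, broker.audit_log


if __name__ == "__main__":
    decisions, trail = demo()
    for name, value in decisions.items():
        print(f"{name}: {value}")
    print("\n".join(trail))
```

The point worth noticing is that the check at the 15-minute mark fails without anyone revoking anything: expiry is enforced at the moment the privilege is used, and both the grant and the lapse show up in the log, which is exactly what an investigator wants after an incident.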

Furthermore, administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee’s normal work identity.

In addition, that account should not have access to the administrator’s regular email (this is my addition).

Finally, companies should also prevent administrative tasks from being executed remotely, Microsoft said.

Microsoft also explored multifactor authentication and found that, although it was very secure, it was somewhat cumbersome. Instead they are using biometrics. With Windows 10 and a computer that has a crypto chip (TPM), Windows Hello is very secure and also easy to use. Partly this is because there is a ONE TIME enrollment process that ties that user's identity and biometrics to that specific physical device. If you need to log in from more than one device, you need to enroll on each of them, but once enrollment is done, you can literally look at the computer and enter a short PIN to log in.

Check out the rest of their recommendations at ZDNet.

These are recommendations that I think will definitely improve security. But they will be less convenient. So make a choice.



Pick Just One.
