Microsoft has given a peek into its internal practices to encourage organizations to be more secure. On its official blog, the security team encouraged enterprise Windows users to use a separate computer for all administrative tasks.
“Establish a separate device for administrative tasks that is updated and patched with the most recent software and operating system,” it says. “Set the security controls at high levels and prevent administrative tasks from being executed remotely.”
The recommendations follow a number of high-profile hacks and malware incidents in the past couple of years. Microsoft itself suffered an Outlook breach via a compromised support agent account, while flaws in several popular software products have led to zero-day exploits.
As well as running on a separate device, Microsoft recommends that admin identities are issued from a separate namespace or forest without internet access. It says its admins must use a smartcard to access these accounts.
Thirdly, it believes admin accounts should have no rights by default. Instead, admins are required to request just-in-time privileges that carry an expiry date and are logged in a central system.
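The "no rights by default" model above can be sketched as a small privilege broker. The following is an added example, not Microsoft's code or the implementation described in the blog post: an admin identity holds no standing role, requests one for a bounded time with a justification, and every grant, denial, expiry and revocation lands in an append-only audit log. The role names, the assumed 240-minute ceiling, the sample identities and the manual clock are all constructed for the example.

```python
"""Toy just-in-time (JIT) privilege broker (added example, not Microsoft's code).

Models the pattern described above: an admin identity holds no standing
privileges, requests a role for a bounded time, and every decision is logged.
Role names, the TTL ceiling and the sample identities are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL_MINUTES = 240  # assumed policy ceiling; the article names no figure


@dataclass
class Grant:
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    justification: str


class ManualClock:
    """Constructed clock so the example can move time forward deterministically."""

    def __init__(self, start=None):
        self.now = start or datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

    def __call__(self):
        return self.now

    def advance(self, minutes):
        self.now += timedelta(minutes=minutes)


class JitBroker:
    def __init__(self, role_catalog, clock=None):
        self.role_catalog = set(role_catalog)  # roles that may be requested at all
        self.grants = {}                       # (user, role) -> Grant
        self.audit_log = []                    # append-only event records
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, event, **fields):
        self.audit_log.append({"ts": self.clock().isoformat(), "event": event, **fields})

    def request(self, user, role, ttl_minutes, justification):
        """Grant `role` to `user` for `ttl_minutes`; returns the Grant, or None if denied."""
        if role not in self.role_catalog:
            self._log("denied", user=user, role=role, reason="unknown role")
            return None
        if not 0 < ttl_minutes <= MAX_TTL_MINUTES:
            self._log("denied", user=user, role=role, reason="ttl outside policy")
            return None
        if not justification.strip():
            self._log("denied", user=user, role=role, reason="missing justification")
            return None
        now = self.clock()
        grant = Grant(user, role, now, now + timedelta(minutes=ttl_minutes), justification)
        self.grants[(user, role)] = grant
        self._log("granted", user=user, role=role,
                  expires_at=grant.expires_at.isoformat(), justification=justification)
        return grant

    def has_role(self, user, role):
        """Authorization check: only an unexpired grant confers the role."""
        grant = self.grants.get((user, role))
        if grant is None:
            return False
        if self.clock() >= grant.expires_at:
            # Lazy expiry: the first check after the deadline revokes and logs it.
            del self.grants[(user, role)]
            self._log("expired", user=user, role=role)
            return False
        return True

    def revoke(self, user, role, revoked_by):
        """Early revocation, e.g. by an incident responder; logged like every other event."""
        if self.grants.pop((user, role), None) is None:
            return False
        self._log("revoked", user=user, role=role, by=revoked_by)
        return True

    def events(self, event):
        """All audit entries of one kind, for reporting or alerting."""
        return [e for e in self.audit_log if e["event"] == event]


if __name__ == "__main__":
    clock = ManualClock()
    broker = JitBroker({"DomainAdmin", "BackupOperator"}, clock=clock)
    print(broker.has_role("alice-adm", "DomainAdmin"))   # False: no standing rights
    broker.request("alice-adm", "DomainAdmin", 60, "CHG-0001: patch domain controllers")
    print(broker.has_role("alice-adm", "DomainAdmin"))   # True for the next hour
    clock.advance(61)
    print(broker.has_role("alice-adm", "DomainAdmin"))   # False: grant expired
    for entry in broker.audit_log:
        print(entry)
```

The authorization check consults the grant table rather than a static group membership, which is what makes the rights disappear on their own; the audit log, not the grant table, is the record a responder would review, since expired and revoked grants are removed from the table but never from the log.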
Phasing Out Passwords
Of course, all of this can get quite expensive if you're a small organization. Rather than a black-and-white implementation, Microsoft is recommending that companies implement each measure in a way that makes sense for them.
At the same time, it's pushing once more for a passwordless future, highlighting Windows Hello's recent FIDO2 certification. The company says only 10% of its users use a password on a given day, which is an admirable statistic.
In terms of identity management, the tech giant says organizations could design around roles, rather than usernames. The general idea is to combine user experience improvements with security to spur better adoption.
You can read the full post on the Security blog.