Microsoft Says Organizations Should Use a Different Computer for Admin Tasks

Microsoft recommends that organizations use a separate device for admin tasks, ditch passwords, and design identity management around roles rather than individual usernames.

Microsoft has given a peek into its internal practices to encourage organizations to be more secure. On its official blog, the team encouraged enterprise users to use a separate computer for all administrative tasks.

“Establish a separate device for administrative tasks that is updated and patched with the most recent and operating system,” it says. “Set the controls at high levels and prevent administrative tasks from being executed remotely.”

The recommendations follow a number of high-profile hacks and malware incidents in the past couple of years. Microsoft itself suffered an Outlook breach via a compromised support agent account, while flaws in several popular have led to zero-day exploits.

As well as using a separate device, Microsoft recommends that admin identities be issued from a separate namespace or forest with no internet access. Its own admins must use a smartcard to access these accounts.

Thirdly, it believes admin accounts should carry no standing rights by default. Instead, admins request just-in-time privileges that expire after a set time and are logged in an audit system.
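As an added example of how the three measures above (a dedicated admin identity, smartcard-only logon, and expiring just-in-time privileges that are logged) can be put into practice on Active Directory, here is a PowerShell script that is not part of Microsoft's post. It assumes the ActiveDirectory module is installed, that the forest already has the Privileged Access Management optional feature enabled (which is what makes time-bound group membership possible), and that "Audit Security Group Management" is turned on so the domain controller records the grant; the group and account names are placeholders.

```powershell
# Added example, not from the Microsoft post. Placeholder names throughout.
Import-Module ActiveDirectory

$Group = 'Tier0-ServerAdmins'   # placeholder privileged group
$Admin = 'adm-jdoe'             # placeholder admin identity, separate from the person's daily account
$Ttl   = New-TimeSpan -Hours 1  # the grant is removed by the DC when this lapses

# 1. Smartcard-only logon for the admin identity: no password can be used to sign in.
Set-ADUser -Identity $Admin -SmartcardLogonRequired $true

# 2. Time-bound membership requires the PAM optional feature. Enabling it is
#    irreversible, so this script only checks and refuses to continue if it is off.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($pam.EnabledScopes.Count -eq 0) {
    throw 'Privileged Access Management Feature is not enabled in this forest; enable it deliberately, then re-run.'
}

# 3. Just-in-time grant: membership carries a TTL and expires without anyone remembering to revoke it.
Add-ADGroupMember -Identity $Group -Members $Admin -MemberTimeToLive $Ttl

# Verify: each member is shown with its remaining TTL in seconds, e.g. "<TTL=3600,CN=adm-jdoe,...>".
(Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member

# 4. Evidence trail: the DC logs the addition as 4728/4732/4756 (member added to a
#    security-enabled global/local/universal group). Pull the last hour from the PDC emulator.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Run it from the dedicated admin workstation with the admin identity, not from a daily-use machine; the script itself does nothing to stop remote execution, which is a separate control (for example denying the admin accounts "Allow log on through Remote Desktop Services" by policy).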

Phasing Out Passwords

Of course, all of this can get quite expensive if you're a small organization. Rather than an all-or-nothing implementation, Microsoft recommends that companies adopt each measure in a way that makes sense for them.

At the same time, it's pushing once more for a passwordless future, highlighting Windows Hello's recent FIDO2 certification. The company says only 10% of its users use a password on a given day, which is an admirable statistic.

In terms of identity management, the tech giant says organizations could design access around roles rather than individual usernames. The general idea is to combine user experience improvements with security to spur better adoption.

You can read the full post on Microsoft's Security blog.