First published on TechNet on Sep 11, 2017

Hello again, my name is still David Loder, and I’m still a PFE out of Detroit, Michigan. Microsoft will even help you find cat videos. Unfortunately, cat videos may have it out for you and your environment. How do you keep your environment secure when malicious cat videos are out there, waiting to pounce?

Microsoft has a significant amount of published guidance around Securing Privileged Access (SPA), Privileged Access Workstations and the Administrative Tier Model. My fellow PFEs have also contributed their own great thoughts around these topics. Go browse through our Security tagged posts to get easy access to them. As for myself, prior to joining Microsoft I was staff IT in the security department for a large, global corporation, where we operated in a tiered administrative model and had implemented many, though not all, of the defenses highlighted in the SPA roadmap. So I’d like to share my perspective on the items in the roadmap and the practical implications from an Active Directory Administrator point of view.

But first a caveat for this series of articles. I espouse the roadmap’s virtues to all my customers and anyone else who will listen. But there are times where the SPA roadmap takes a big step, and I know it can sometimes be difficult to get the people in charge to agree to a big step. In all the cases where I point this out, it is possible to take a smaller step by limiting the scope to AD alone. I have a different purpose for this series of articles than the SPA roadmap itself. I want you to actually implement the guidance. Despite all the guidance, I still walk into environments that haven’t implemented a single piece of it. Maybe they don’t know this guidance exists. Maybe they think the guidance doesn’t apply to them. My hope with this series is that a few more people know about the guidance, understand why they should care, and have an easier time convincing others in their organization that the roadmap guidance should be implemented. Through no fault of your own, the rules have changed. What you did to secure your environment yesterday is no longer sufficient for today’s reality. Nothing about this guidance is new.

This is an easy one, right? It ranks right up there with not browsing the Internet from a server. But I am constantly seeing environments where normal user accounts, which have a mailbox and browse the Internet for cat videos, are also in the Domain Admins group. You need a separate credential for administrative tasks. Come up with a naming convention and a process to get an admin account for anyone who does admin work. I know some of you are smiling and thinking to yourself ‘of course we do this, the admins get their ADM_username accounts for performing admin work’ (or their $username or their username.admin or whatever convention you use). But have you made the correlation between tiering and admin accounts? To fully implement the guidance, a user with admin rights must have a separate admin account per tier!
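One way to check the point above, as an added example that is not part of the original post: audit the built-in Tier 0 groups for members that either do not follow the admin naming convention or carry a mailbox, which marks them as day-to-day user accounts. It assumes the ActiveDirectory module (RSAT) and an `ADM_` prefix for Tier 0 admin accounts; the prefix, the tier label and the group list are assumptions to adjust to your own convention.

```powershell
# Added audit example, not code from the original post. Assumes the
# ActiveDirectory module is available and that Tier 0 admin accounts are
# named with an "ADM_" prefix (assumption, adjust to your convention).
Import-Module ActiveDirectory

# Naming convention for admin accounts of this tier (assumed prefix).
$Tier0Pattern = '^ADM_'
# Built-in groups whose members hold domain/forest control (Tier 0).
$Tier0Groups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

foreach ($group in $Tier0Groups) {
    # -Recursive expands nested groups so indirect members are reviewed too;
    # keep only user objects (groups, computers and FSPs are skipped).
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.distinguishedName -Properties mail, Enabled

        $findings = @()
        if ($user.SamAccountName -notmatch $Tier0Pattern) {
            $findings += 'name does not follow the Tier 0 admin convention'
        }
        if ($user.mail) {
            # A mailbox on a Tier 0 member means the same credential is used
            # for everyday work, which is exactly what separate accounts avoid.
            $findings += "has a mailbox ($($user.mail))"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $user.SamAccountName
                Enabled        = $user.Enabled
                Finding        = ($findings -join '; ')
            }
        }
    }
}
```

Run it from a workstation that already has Tier 0 rights and pipe the output to `Export-Csv` to track the list down to zero over time.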