Microsoft recommends using a separate device for administrative tasks
In a rare article detailing insights about its staff’s efforts in securing its own internal infrastructure, Microsoft has shared some very insightful advice on how companies could reduce the risk of having a security breach.
The central piece of this article is Microsoft’s recommendation in regards to how companies should deal with administrator accounts.
Per Microsoft’s Security Team, employees with administrative access should be using a separate device, dedicated only for administrative operations.
This device should always be kept up to date with all the most recent software and operating system patches, Microsoft said.
“Provide zero rights by default to administration accounts,” the Microsoft Security Team also recommended. “Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system.”
Furthermore, the OS vendor also recommends that administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee’s normal work identity.
This way, any compromise of the company’s employee-force namespace/forest won’t grant the attacker easy access to an administrator account, since the employee with admin rights would not be using that account for daily tasks.
No more remote logins into admin-enabled devices
And last but not least, companies should also prevent administrative tasks from being executed remotely, Microsoft said.
Employees with administrative accounts should avoid remotely logging into devices with administrator access to perform any administrative tasks, as attackers could be logging these events on compromised devices.
The way to go is to have administrators use their separate devices for any administrative tasks as much as possible.
Moving away from passwords
But Microsoft’s Security Team also shared other security-minded advice. One that Microsoft has been using internally and the company has also started promoting in its products is in regards to moving away from passwords to other authentication systems.
“When Microsoft first explored the use of Multi-Factor Authentication (MFA) for our workforce, we issued smartcards to each employee. This was a very secure authentication method; however, it was cumbersome for employees,” the company’s security team said.
“They found workarounds, such as forwarding work email to a personal account, that made us less safe. Eventually we realized that eliminating passwords was a much better solution.”
Since then, Microsoft, as a company, has focused on delivering products that provide an alternative to passwords –such as its investments in Windows Hello and WebAuthn, two technologies that allow users to authenticate using biometrics.
Further, the company is also considering making passwords easier to manage. Last month, the OS maker started discussing plans to drop “expiring password policies” in its security configuration baseline settings for Windows 10.
The reasoning behind its decision was that forcing employees to change passwords has proven to drive employees towards using weaker passwords that are easier to remember, rather than making sure employees use strong passwords that are harder to crack by attackers.
To help migrate companies to an ecosystem were passwords play a smaller role, Microsoft recommends that companies:
- Enforce MFA—Conform to the fast identity online (FIDO) 2.0 standard, so you can require a PIN and a biometric for authentication rather than a password. Windows Hello is one good example, but choose the MFA method that works for your organization.
- Reduce legacy authentication workflows—Place apps that require passwords into a separate user access portal and migrate users to modern authentication flows most of the time. At Microsoft only 10 percent of our users enter a password on a given day.
- Remove passwords—Create consistency across Active Directory and Azure Active Directory (Azure AD) to enable administrators to remove passwords from the identity directory.
Better identity management
And last, but not least, Microsoft says that the “most underrated identity management step” that companies can take is to set up a basic user management plan that’s designed around roles, rather than usernames.
Microsoft’s Security Team argues that companies should be using a role-based access plan for their organization and move users across roles, rather than assign permissions to each user account whenever a user’s job/tasks inside an organization changes.
“Identify the systems, tools, and resources that each role needs to do their job,” Microsoft said. “Make sure that as people move roles they don’t carry forward access they no longer need.”