Microsoft Recommends Using a Separate Device For Administrative Tasks

In a rare article detailing insights about its staff's efforts in securing its own internal infrastructure, Microsoft has shared some very insightful advice on how companies could reduce the risk of having a security breach. From a report: The central piece of this article is Microsoft's recommendation in regards to how companies should deal with administrator accounts. Per Microsoft's Security Team, employees with administrative access should be using a separate device, dedicated only for administrative operations. This device should always be kept up to date with all the most recent software and operating system patches, Microsoft said. 'Provide zero rights by default to administration accounts,' the Microsoft Security Team also recommended. 'Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system.' Furthermore, the OS vendor also recommends that administrator accounts should be created on a separate user namespace/forest that cannot access the internet, and should be different from the employee's normal work identity.

Read more of this story at Slashdot.