Forum Discussion

Sandro Alves's avatar
Sandro Alves
Copper Contributor
May 26, 2021

Windows server security

Hi,

 

our rule for logging onto servers today is always to use a separate account with local administrative privileges.

 

This means that the administrator uses an account for individual use to log on to their computers without permission and also another individual account with permission for local administration for servers.

 

The goal is to prevent the administrator from using the same personal login on the server.

However, if this account used for the servers is hacked, you will have access to all other servers.

Is there any good practice to help?

 

For example, use UAC at a maximum level to always ask?

 

Or create a third account, one to log in to the server without permission and another with administrative privilege that will only be used when privilege is requested?

 

Thanks.

  • Hi Sandro,

    If understand correct you are worried that if one of the accounts with local admin is compromised, they are able to compromise other servers with the same account on prem.

    Maybe the legacy ad Tier model is first step you could look into:
    https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model#evolution-from-the-legacy-ad-tier-model

    So depending on which tier of server you are accessing you have a different account.
    For example
    for example: AD server, exchange server =tier 0
    for example: IIS server = tier 1
    for example: endpoints = tier 2
    A compromise of an account in Tier 2 will not result in the total compromise of tier 1This not overcomplicated stuff with privileged access workstations.


  • Hi Sandro,

    If understand correct you are worried that if one of the accounts with local admin is compromised, they are able to compromise other servers with the same account on prem.

    Maybe the legacy ad Tier model is first step you could look into:
    https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model#evolution-from-the-legacy-ad-tier-model

    So depending on which tier of server you are accessing you have a different account.
    For example
    for example: AD server, exchange server =tier 0
    for example: IIS server = tier 1
    for example: endpoints = tier 2
    A compromise of an account in Tier 2 will not result in the total compromise of tier 1This not overcomplicated stuff with privileged access workstations.


Resources