Samer Rustom
Copper Contributor
Jun 29, 2023

Create a separate account to install software

I am using the server administrator account whenever I need to install software on a domain-joined computer.

Is this the best practice, or do I have to create a separate account for security?

I appreciate your advice.


3 Replies

  • LeonPavesic
    Silver Contributor

    Hi Samer Rustom,

    It is generally recommended to create a separate account with appropriate privileges for software installations on joined domain computers, rather than using the server administrator account. This practice helps enhance security and minimize potential risks. Here's why:

    1. Principle of Least Privilege (PoLP): The principle of least privilege suggests that users should be granted the minimum privileges necessary to perform their tasks. By using a separate account specifically for software installations, you can assign it the necessary permissions to install software without providing it with the broader privileges of the server administrator account. This reduces the risk of accidental or unauthorized changes to the system.

    2. Separation of Duties: Separating administrative tasks, such as software installations, into different accounts helps ensure accountability and reduces the risk of unauthorized actions. With a dedicated installation account, you can track and audit the software installation activity separately from other administrative tasks performed using the server administrator account.

    3. Mitigating Security Vulnerabilities: In the event that the installation process introduces security vulnerabilities or malware, using a separate account limits the potential impact. If the installation account has restricted privileges, any compromise or exploitation of that account will have a more limited impact on the overall system.

    When creating a separate account for software installations, consider the following guidelines:

    - Assign only the necessary permissions to the installation account, specifically granting it the rights required for software installation tasks.
    - Regularly review and adjust the privileges of the installation account based on the evolving needs of the software installation processes.
    - Ensure that the account credentials are securely managed and protected.
    - Consider implementing additional security measures, such as multifactor authentication (MFA) or privileged access management (PAM), to further enhance the security of the installation account.

    By following these practices, you can better control and secure the software installation process on your joined domain computers while maintaining a strong security posture for your overall infrastructure.


    With an Azure educational license, you may have access to certain tools and features for software deployment and management. Here are a few options to consider:

    1. Intune for Education: Intune is a cloud-based service that allows you to manage and deploy applications to devices in your organization. Intune for Education is specifically designed for educational institutions and provides features for app deployment, device management, and policy enforcement. You can check if your Azure educational license includes Intune for Education or if there are any discounted plans available for educational institutions.

    2. SCCM (System Center Configuration Manager): SCCM is a comprehensive management tool for deploying and managing software across your organization. It offers advanced features for software distribution, patch management, and device management. SCCM may require additional licensing, so it's worth checking if it is included in your Azure educational license or if there are any educational pricing options available.

    3. PDQ Deploy: PDQ Deploy is a third-party software deployment tool that allows you to remotely deploy software to multiple computers simultaneously. It offers a free version with limited functionality, as well as a paid version with more advanced features. You can explore the free version to see if it meets your requirements or consider the paid version if you need additional functionality.

      Kindest regards



  • Hi Samer,

    The best practices are:
    - Never use the enterprise or domain admin accounts
    - If possible, use a solution such as PDQ Deploy, Intune or SCCM to deploy software

    I would also like to add: use the "Local Administrator Password Solution" (LAPS) for management of local account passwords of domain joined computers.

    • Samer Rustom
      Copper Contributor

      MathieuVandenHautte, thank you for your swift response.

      I am wondering if any of those options are for fee with the Azure educational license, please.
