%3CLINGO-SUB%20id%3D%22lingo-sub-1442217%22%20slang%3D%22en-US%22%3ERemote%20working%20for%20IT%20Pros%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1442217%22%20slang%3D%22en-US%22%3E%3CP%3EIt%E2%80%99s%20natural%20for%20IT%20workers%20to%20first%20ensure%20that%20frontline%20and%20supporting%20workers%20in%20an%20organization%20have%20a%20secure%20and%20productive%20way%20of%20performing%20their%20usual%20tasks%20remotely.%20After%20all%2C%20a%20reduction%20in%20the%20business%E2%80%99%20ability%20to%20provide%20its%20products%20and%20services%20correlates%20pretty%20quickly%20to%20a%20drop%20in%20revenue%2C%20cashflow%20and%20profitability.%20Without%20this%20financial%20sustainability%2C%20the%20IT%20department%20has%20no%20organization%20to%20support.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20if%20your%20IT%20Pros%20are%20also%20working%20remotely%2C%20what%20additional%20considerations%20and%20tools%20are%20available%20that%20are%20relevant%20to%20them%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E1.%20Secure%20administrative%20accounts%3C%2FSTRONG%3E%20%3CBR%20%2F%3EThis%20is%20security%20basic%20applies%20no%20matter%20where%20you%20are%20working%20from.%20IT%20Pros%20often%20use%20accounts%20with%20a%20high%20level%20of%20access%2C%20necessary%20to%20perform%20their%20tasks.%20Consider%20making%20these%20accounts%20separate%20from%20the%20logins%20they%20use%20to%20do%20regular%20work%2C%20that%20doesn%E2%80%99t%20require%20administrative%20privileges.%20This%20helps%20to%20protect%20those%20privileged%20accounts%20from%20being%20used%20by%20malware%20which%20acts%20as%20the%20current%20user%2C%20helping%20to%20minimize%20the%20impact%20of%20such%20an%20attack.%20It%E2%80%99s%20also%20vital%20that%20administrative%20accounts%20for%20Cloud%20services%20at%20least%20use%20a%20form%20of%20multi-factor%20authentication%2C%20and%20ideally%20are%20protected%20by%20conditional%20access%20scenarios.%20Conditional%20access%20helps%20to%20identify%20and%20block%20risky%20log-in%20events%20as%20they%20occur.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-howitworks%3FWT.mc_id%3Dremotework-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHow%20it%20works%3A%20Azure%20Multi-Factor%20Authentication%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3ELearn%20about%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fconditional-access%2Foverview%3FWT.mc_id%3Dremotework-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConditional%20Access%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CSTRONG%3E2.%20Restrict%20administrative%20access%3C%2FSTRONG%3E%3CBR%20%2F%3EInstead%20of%20an%20administrative%20account%20having%20privileged%20access%20to%20a%20system%20all%20the%20time%2C%20there%20are%20a%20few%20methods%20for%20turning%20this%20on%20only%20when%20needed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20a%20Virtual%20Machine%20in%20Azure%2C%20just-in-time%20access%20can%20be%20used%20to%20block%20network%20ports%20used%20for%20management%20tasks%20(such%20as%20RDP%20and%20SSH)%20until%20access%20is%20requested%20and%20approved.%20Learn%20more%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsecurity-center%2Fsecurity-center-just-in-time%3FWT.mc_id%3Dremotework-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESecure%20your%20management%20ports%20with%20just-in-time%20access.%26nbsp%3B%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzure%20Managed%20Applications%20also%20have%20a%20just-in-time%20access%20capability.%20Learn%20more%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fazure-resource-manager%2Fmanaged-applications%2Frequest-just-in-time-access%3FWT.mc_id%3Dremotework-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERequest%20just%20in%20time%20access.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPrivileged%20Identity%20Management%20allows%20time-based%20privileged%20access%20to%20resources%20and%20to%20Azure%20Active%20Directory.%20It%20also%20includes%20tracking%20justification%20for%20that%20access%2C%20notifications%20when%20activated%20and%20an%20audit%20history.%20For%20PIM%20options%20applicable%20to%20Azure%2C%20Azure%20AD%2C%20Office%20365%20and%20SaaS%20applications%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fprivileged-identity-management%2Fpim-configure%3FWT.mc_id%3Dremotework-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat%20is%20Azure%20AD%20Privileged%20Identity%20Management.%26nbsp%3B%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20for%20Windows%20Server%2C%20there%20are%20several%20options%20for%20securing%20privileged%20access%2C%20including%20just-in-time%20local%20administrator%20account%20passwords%20and%20privileged%20access%20workstations.%20For%20scenarios%20and%20guidance%2C%20visit%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fsecuring-privileged-access%2Fsecuring-privileged-access%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESecuring%20Privileged%20Access%3C%2FA%3E%26nbsp%3Band%20also%20check%20out%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fpowershell%2Fscripting%2Flearn%2Fremoting%2Fjea%2Foverview%3Fview%3Dpowershell-7%26amp%3BWT.mc_id%3Dremotework-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EJust%20Enough%20Administration%20for%20PowerShell.%26nbsp%3B%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3E3.%20Secure%20scripts%20and%20secrets%3C%2FSTRONG%3E%3CBR%20%2F%3EMany%20modern%20administration%20tasks%20are%20done%20at%20scale%20with%20code-based%20commands%2C%20whether%20that%E2%80%99s%20a%20PowerShell%20script%20or%20an%20Azure%20Resource%20Manager%20Template.%20As%20IT%20Pros%20use%20code-based%20tools%20like%20Visual%20Studio%20Code%2C%20be%20intentional%20about%20storing%20scripts%20in%20a%20location%20that%20both%20facilitates%20use%20across%20a%20remote%20IT%20worker%20team%20and%20keeps%20those%20scripts%20secure.%20This%20could%20even%20be%20a%20private%20GitHub%20repository%2C%20with%20GitHub%20accounts%20secured%20by%20MFA.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%2C%20check%20your%20code%20(manually%20or%20programmatically)%20to%20ensure%20it%20does%20not%20contain%20environmental%20secrets%20such%20as%20log%20in%20credentials.%20Supply%20these%20as%20a%20variable%20when%20the%20code%20is%20run%2C%20or%20use%20a%20solution%20like%20Azure%20Key%20Vault%20for%20secure%20storage%20of%20secrets%20that%20can%20be%20referenced%20in%20your%20scripts.%20Learn%20more%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fgeneral%2Fbasic-concepts%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Key%20Vault%20concepts.%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3E4.%20Use%20Windows%20Admin%20Center%3C%2FSTRONG%3E%3CBR%20%2F%3EWindows%20Admin%20Center%20is%20a%20locally%20deployed%2C%20browser%20based%20administration%20tool%20for%20the%20management%20of%20both%20on-premises%20and%20Azure%20Windows%20Server%20machines%20(physical%20or%20virtual).%20It%20uses%20the%20Windows%20Admin%20Center%20gateway%20and%20requires%20no%20agent%20to%20be%20deployed%20on%20the%20target%20server.%20This%20tool%20is%20preferable%20to%20the%20historic%20method%20of%20using%20an%20RDP%20session%20to%20connect%20to%20and%20manage%20a%20Server%2C%20and%20it%20includes%20role-based%20access%20control%20and%20activity%20logging.%20For%20more%20details%2C%20visit%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows-server%2Fmanage%2Fwindows-admin-center%2Funderstand%2Fwhat-is%3FWT.mc_id%3Dremotework-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat%20is%20Windows%20Admin%20Center%3F%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E5.%20Use%20Azure%20Bastion%3C%2FSTRONG%3E%3CBR%20%2F%3EBoth%20RDP%20and%20SSH%20are%20important%20remote%20connectivity%20protocols%2C%20but%20they%E2%80%99re%20also%20highly%20targeted%20by%20malicious%20attacks.%20In%20Azure%2C%20there%E2%80%99s%20an%20easy%20to%20use%20Bastion%20host%20service%20that%20provides%20connectivity%20to%20your%20Azure%20virtual%20machines%20via%20the%20Azure%20Portal%2C%20without%20the%20need%20for%20the%20RDP%20or%20SSH%20ports%20to%20be%20exposed%20to%20the%20Internet.%20In%20fact%2C%20the%20destination%20server%20does%20not%20even%20need%20a%20public%20IP%20address.%20Learn%20more%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fbastion%2Fbastion-overview%3FWT.mc_id%3Dremotework-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat%20is%20Azure%20Bastion%3F%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CSTRONG%3EConclusion%3C%2FSTRONG%3E%3CBR%20%2F%3EWith%20their%20high%20levels%20of%20access%20to%20critical%20systems%20and%20data%2C%20secure%20work%20methods%20and%20tools%20are%20important%20for%20IT%20Pros%2C%20regardless%20of%20where%20they%20are%20working%20from.%20It%20is%20possible%20to%20provide%20both%20an%20increased%20level%20of%20security%20and%20the%20access%20and%20productivity%20that%20your%20IT%20workers%20need.%20Investing%20the%20time%20to%20review%20this%20now%20will%20help%20to%20protect%20your%20organization%20from%20future%20malicious%20access%20attempts.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1442217%22%20slang%3D%22en-US%22%3E%3CP%3ELearn%20how%20to%20secure%20the%20remote%20working%20capabilities%20of%20your%20most%20trusted%20users%20-%20those%20with%20administrative%20access.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MSC16_slalom_068.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F196670i6E020174CAA265A4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22MSC16_slalom_068.jpg%22%20alt%3D%22MSC16_slalom_068.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1442217%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIT%20Pro%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERemote%20Work%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1445290%22%20slang%3D%22en-US%22%3ERe%3A%20Remote%20working%20for%20IT%20Pros%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1445290%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20great%20article%20and%20I%20also%20really%20love%26nbsp%3B%3CSTRONG%3EWindows%20Admin%20Center%3C%2FSTRONG%3E%2C%20it%20is%20very%20helpful%20and%20easy.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

It’s natural for IT workers to first ensure that frontline and supporting workers in an organization have a secure and productive way of performing their usual tasks remotely. After all, a reduction in the business’ ability to provide its products and services correlates pretty quickly to a drop in revenue, cashflow and profitability. Without this financial sustainability, the IT department has no organization to support.

 

But if your IT Pros are also working remotely, what additional considerations and tools are available that are relevant to them?

 

1. Secure administrative accounts
This is security basic applies no matter where you are working from. IT Pros often use accounts with a high level of access, necessary to perform their tasks. Consider making these accounts separate from the logins they use to do regular work, that doesn’t require administrative privileges. This helps to protect those privileged accounts from being used by malware which acts as the current user, helping to minimize the impact of such an attack. It’s also vital that administrative accounts for Cloud services at least use a form of multi-factor authentication, and ideally are protected by conditional access scenarios. Conditional access helps to identify and block risky log-in events as they occur.

 

See How it works: Azure Multi-Factor Authentication 
Learn about Conditional Access 


2. Restrict administrative access
Instead of an administrative account having privileged access to a system all the time, there are a few methods for turning this on only when needed.

 

With a Virtual Machine in Azure, just-in-time access can be used to block network ports used for management tasks (such as RDP and SSH) until access is requested and approved. Learn more at Secure your management ports with just-in-time access.  

 

Azure Managed Applications also have a just-in-time access capability. Learn more at Request just in time access.

 

Privileged Identity Management allows time-based privileged access to resources and to Azure Active Directory. It also includes tracking justification for that access, notifications when activated and an audit history. For PIM options applicable to Azure, Azure AD, Office 365 and SaaS applications, see What is Azure AD Privileged Identity Management. 

And for Windows Server, there are several options for securing privileged access, including just-in-time local administrator account passwords and privileged access workstations. For scenarios and guidance, visit Securing Privileged Access and also check out Just Enough Administration for PowerShell. 

3. Secure scripts and secrets
Many modern administration tasks are done at scale with code-based commands, whether that’s a PowerShell script or an Azure Resource Manager Template. As IT Pros use code-based tools like Visual Studio Code, be intentional about storing scripts in a location that both facilitates use across a remote IT worker team and keeps those scripts secure. This could even be a private GitHub repository, with GitHub accounts secured by MFA.

 

Also, check your code (manually or programmatically) to ensure it does not contain environmental secrets such as log in credentials. Supply these as a variable when the code is run, or use a solution like Azure Key Vault for secure storage of secrets that can be referenced in your scripts. Learn more at Azure Key Vault concepts. 

4. Use Windows Admin Center
Windows Admin Center is a locally deployed, browser based administration tool for the management of both on-premises and Azure Windows Server machines (physical or virtual). It uses the Windows Admin Center gateway and requires no agent to be deployed on the target server. This tool is preferable to the historic method of using an RDP session to connect to and manage a Server, and it includes role-based access control and activity logging. For more details, visit What is Windows Admin Center? 

 

5. Use Azure Bastion
Both RDP and SSH are important remote connectivity protocols, but they’re also highly targeted by malicious attacks. In Azure, there’s an easy to use Bastion host service that provides connectivity to your Azure virtual machines via the Azure Portal, without the need for the RDP or SSH ports to be exposed to the Internet. In fact, the destination server does not even need a public IP address. Learn more at What is Azure Bastion? 


Conclusion
With their high levels of access to critical systems and data, secure work methods and tools are important for IT Pros, regardless of where they are working from. It is possible to provide both an increased level of security and the access and productivity that your IT workers need. Investing the time to review this now will help to protect your organization from future malicious access attempts.

1 Comment
Super Contributor

Thank you for great article and I also really love Windows Admin Center, it is very helpful and easy.