our rule for logging onto servers today is always to use a separate account with local administrative privileges.
This means that the administrator uses an account for individual use to log on to their computers without permission and also another individual account with permission for local administration for servers.
The goal is to prevent the administrator from using the same personal login on the server.
However, if this account used for the servers is hacked, you will have access to all other servers.
Is there any good practice to help?
For example, use UAC at a maximum level to always ask?
Or create a third account, one to log in to the server without permission and another with administrative privilege that will only be used when privilege is requested?
So depending on which tier of server you are accessing you have a different account. For example for example: AD server, exchange server =tier 0 for example: IIS server = tier 1 for example: endpoints = tier 2 A compromise of an account in Tier 2 will not result in the total compromise of tier 1This not overcomplicated stuff with privileged access workstations.