Windows server security


Hi,

Our rule for logging onto servers today is always to use a separate account with local administrative privileges.

This means that the administrator uses an account for individual use to log on to their computers without permission and also another individual account with permission for local administration for servers.

The goal is to prevent the administrator from using the same personal login on the server.

However, if this account used for the servers is hacked, you will have access to all other servers.

Is there any good practice to help?

For example, use UAC at a maximum level to always ask?

Or create a third account, one to log in to the server without permission and another with administrative privilege that will only be used when privilege is requested?

Thanks.

1 Reply (best response confirmed by Trevor_Rusher, Community Manager)
Hi Sandro,

If I understand correctly, you are worried that if one of the accounts with local admin is compromised, they are able to compromise other servers with the same account on prem.

Maybe the legacy AD tier model is a first step you could look into:
https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model#evolution-from-the-legacy-ad-tier-model

So depending on which tier of server you are accessing you have a different account.
For example:
AD server, Exchange server = Tier 0
IIS server = Tier 1
endpoints = Tier 2

A compromise of an account in Tier 2 will not result in the total compromise of Tier 1. This is not overcomplicated stuff with privileged access workstations.
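The "different account per tier" rule above only holds up if it is enforced on the hosts, not just agreed on: each tier's servers must refuse logon from the other tiers' admin accounts, so a stolen Tier 2 credential cannot be used on a Tier 1 server and a Tier 0 credential is never typed into (and cached on) a Tier 1 or Tier 2 host. The script below is an added example, not code from the thread or from Microsoft's documentation. It builds the [Privilege Rights] section of a security template (the same format as a GPO's GptTmpl.inf or a secedit .inf) for each tier of hosts, denying all five logon types to every other tier's admin group. The group names, SIDs and output path are constructed assumptions for illustration; in a real domain the SIDs would come from Get-ADGroup.

```powershell
# Added example (not from the original thread): generate the "deny logon" user-rights
# fragment that implements the AD tier model on each tier's hosts.
# Group names, SIDs and the output location below are assumptions for illustration.

# Tier -> admin group. The SIDs are constructed; in production take them from
# (Get-ADGroup 'Tier0-Admins').SID.Value and so on.
$TierAdminGroups = @{
    0 = @{ Name = 'Tier0-Admins'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1101' }
    1 = @{ Name = 'Tier1-Admins'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1102' }
    2 = @{ Name = 'Tier2-Admins'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1103' }
}

# All five deny rights. Denying only local/RDP logon is a common mistake: network
# (SMB, WinRM, PsExec), batch (scheduled task) and service logon would still work
# and still expose the credential on the host.
$DenyRights = @(
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeDenyNetworkLogonRight',
    'SeDenyBatchLogonRight',
    'SeDenyServiceLogonRight'
)

function Get-TierDeniedGroups {
    # Hosts in $HostTier deny every OTHER tier's admin group:
    # higher tiers are denied so their credentials never land on a lower-tier host,
    # lower tiers are denied so a compromised lower-tier admin cannot climb upward.
    param([Parameter(Mandatory)][int]$HostTier)
    foreach ($tier in ($TierAdminGroups.Keys | Sort-Object)) {
        if ($tier -ne $HostTier) { $TierAdminGroups[$tier] }
    }
}

function New-TierDenyTemplate {
    # Returns the text of a security template for the GPO linked to $HostTier's OU.
    param([Parameter(Mandatory)][int]$HostTier)
    $denied = @(Get-TierDeniedGroups -HostTier $HostTier)
    # Template syntax for user rights: Right = *SID,*SID
    $value = ($denied | ForEach-Object { '*' + $_.Sid }) -join ','
    $lines = @(
        '[Unicode]',
        'Unicode=yes',
        '[Version]',
        'signature="$CHICAGO$"',
        'Revision=1',
        '[Privilege Rights]'
    )
    foreach ($right in $DenyRights) { $lines += "$right = $value" }
    $lines += "; Tier $HostTier hosts deny logon to: " + (($denied | ForEach-Object { $_.Name }) -join ', ')
    return ($lines -join "`r`n")
}

# One template per tier. Import each into the GPO linked to that tier's computer OU
# (Computer Configuration > Windows Settings > Security Settings > Local Policies >
# User Rights Assignment), or test on a single host with:
#   secedit /configure /db tier.sdb /cfg Tier1-deny.inf
foreach ($t in 0..2) {
    $path = Join-Path $env:TEMP "Tier$t-deny.inf"
    New-TierDenyTemplate -HostTier $t | Set-Content -Path $path -Encoding Unicode
    Write-Host "Wrote $path"
}
```

Two things to check before rolling this out: the Tier 0 template must be linked to the Domain Controllers OU as well, since that is where a Tier 1 or Tier 2 admin account must never be able to log on; and the deny rights only stop logon, they do not remove cached secrets that are already on a host, so any server where a Tier 0 account has previously been used should be treated as Tier 0 until it is rebuilt or the account's password is rotated.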