This is a question I get fairly often. But before I try to answer, let’s take a step back:
We know that attackers typically try to compromise user accounts and then move laterally until they find higher-value credentials. The holy grail in this movement is typically an administrator who uses his admin account to surf the internet, to do e-mails, etc. This is simply not acceptable in today’s world. Therefore we urge our customers to:
- Have different accounts to do administrative tasks and everyday business
- Leverage multi-factor authentication for administrators (this is another absolute “must”, no exception)
- In most cases, use a special machine to do admin work
At Microsoft we typically tell customers to use a “Secure Access Workstation” (SAW) for that. You can find a lot of information here: aka.ms/securedworkstation. You can do that hardware-based or, as described in the article, Azure-managed. At Microsoft internally, we run special hardware for SAWs.
Now, there is one challenge which pops up: this is all good for on-prem but often a challenge for the Cloud. How do you enforce the use of a SAW for admin tasks in the Cloud?
Depending on how you do authentication, the natural point to make that happen is Conditional Access – remember, we talk anyway about the identity being the perimeter. The guidance above will be updated in this direction soon. In the meantime, Frank Simorjay (he is the poor guy responsible for SAW at Microsoft) wrote a blog post which can help you make it happen: Secure workstation – Root of trust to manage the cloud
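To make the Conditional Access idea concrete, here is an added example (my own code, not from the article or from Frank’s post) that builds the two policy bodies you would POST to the Microsoft Graph endpoint `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` and lints them for the mistakes that most often lock administrators out. It assumes that your SAW build process stamps each SAW in Entra with `extensionAttribute1 = "SAW"` (any device attribute you control works, the attribute name is an assumption), and it uses two well-known public Entra identifiers (the Windows Azure Service Management API app ID and the Global Administrator role template ID) that you should verify in your own tenant. The break-glass user ID is a constructed placeholder. Nothing in the block talks to Graph; it only builds and checks the documents.

```python
"""Build and sanity-check Conditional Access policies that restrict privileged
cloud administration to Secure Access Workstations (SAWs).

Design: one policy BLOCKS admin-role sign-ins to the management plane from any
device that does not match the SAW filter (unregistered devices have no
attributes, so they fall under the block as well); a second policy requires
MFA plus a compliant device on the SAWs themselves. Both start in report-only
mode so you can watch sign-in logs before enforcing.
"""
import json

# Well-known Microsoft Entra identifiers (verify in your own tenant).
AZURE_MANAGEMENT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"     # Global Administrator role template

# Assumption: SAWs are tagged with extensionAttribute1 = "SAW" by the SAW build process.
SAW_FILTER_RULE = 'device.extensionAttribute1 -eq "SAW"'


def _base_policy(name, role_ids, break_glass_user_ids, app_ids, report_only):
    """Common skeleton: scoped to directory roles, with break-glass accounts excluded."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": list(app_ids)},
            "users": {
                "includeRoles": list(role_ids),
                "excludeUsers": list(break_glass_user_ids),
            },
        },
    }


def build_saw_policies(role_ids, break_glass_user_ids,
                       app_ids=(AZURE_MANAGEMENT_APP,), report_only=True):
    """Return the two Graph conditionalAccessPolicy bodies described above."""
    block = _base_policy("SAW: block admin roles from non-SAW devices",
                         role_ids, break_glass_user_ids, app_ids, report_only)
    # mode "exclude": the policy applies to every device EXCEPT those matching the rule.
    block["conditions"]["devices"] = {"deviceFilter": {"mode": "exclude", "rule": SAW_FILTER_RULE}}
    block["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}

    harden = _base_policy("SAW: require MFA and compliant device on SAWs",
                          role_ids, break_glass_user_ids, app_ids, report_only)
    # mode "include": the policy applies only to devices matching the rule.
    harden["conditions"]["devices"] = {"deviceFilter": {"mode": "include", "rule": SAW_FILTER_RULE}}
    harden["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}
    return [block, harden]


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes the checks."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    device_filter = cond.get("devices", {}).get("deviceFilter")

    if "All" in users.get("includeUsers", []):
        findings.append("scoped to all users: scope SAW enforcement to the admin roles")
    if not users.get("excludeUsers"):
        findings.append("no break-glass accounts excluded: a SAW outage locks every admin out")
    if "block" in controls and device_filter and device_filter.get("mode") == "include":
        findings.append("block with an include filter blocks the SAWs themselves; use mode 'exclude'")
    if "block" in controls and not device_filter:
        findings.append("block with no device filter blocks admins from every device")
    if "compliantDevice" in controls and "mfa" not in controls:
        findings.append("compliant device without MFA: administrators must always have MFA")
    return findings


if __name__ == "__main__":
    # Constructed placeholder for a break-glass account's object ID.
    policies = build_saw_policies([GLOBAL_ADMIN_ROLE], ["00000000-0000-0000-0000-000000000001"])
    for p in policies:
        print(p["displayName"], "->", lint_policy(p) or "OK")
    print(json.dumps(policies, indent=2))
```

Roll the output out in report-only mode first, then watch the sign-in logs for admin sessions that the block policy would have caught: every hit is either an admin working off a non-SAW machine or a SAW whose tag never got applied, and both are worth knowing before you flip the state to enabled.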