Hey everyone, I'm managing IT for a small family business with 14-15 employees, and we're looking to tighten our security. We have 2 servers (handling file, database, print, and Active Directory tasks) and about 18 workstations. I'm considering stripping away my domain admin rights from my personal account to better follow least privilege practices. What are the best steps to take for implementing this? Specifically, how much access should my personal account have to still perform basic tasks like granting admin privileges during application updates? Should all sensitive tasks like file permissions and user management be handled by a dedicated global admin account instead? Also, I'm curious about setting up admin roles in M365 to minimize risks if my account gets compromised. Any insights on how to manage this would be greatly appreciated!
2 Answers
The best practice is to remove any admin privileges from your daily account. It's really about maintaining a separate admin account for tasks that require those rights. It'll just be a bit of extra work to log into that for updates, but it's worth the security boost!
As another solo IT guy (though I handle 200 users), I can say that stripping admin rights from everyday accounts was a game-changer for us. I also suggest getting a second Domain Controller on separate hardware if possible. For M365, ensure your regular account isn't an admin account, especially if you’re using MFA. It helps a lot with security!
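Both answers come down to the same procedure: find out who currently sits in the privileged groups, create a separate admin account, move the daily account out, and then make sure the M365 identity you read mail with holds no directory role either. The PowerShell below is an added example written for this thread, not something either poster supplied. The domain name contoso.local, the daily account jdoe and the new admin account adm-jdoe are placeholders; it assumes RSAT (ActiveDirectory module) and the Microsoft.Graph module are installed and that you run it from an account that still has admin rights.

```powershell
# Added example (not from the original thread): audit the built-in privileged
# groups, give the daily user a separate admin account, then remove the daily
# account from every privileged group. Assumed names: domain contoso.local,
# daily account 'jdoe', admin account 'adm-jdoe'. Replace with your own.
Import-Module ActiveDirectory

$DailyAccount = 'jdoe'
$AdminAccount = 'adm-jdoe'
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
)

# 1. Audit: who currently holds privileged membership (nested groups expanded)?
foreach ($Group in $PrivilegedGroups) {
    try {
        $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user'
    } catch {
        # Enterprise Admins / Schema Admins exist only in the forest root domain
        Write-Warning "Skipping '$Group': $($_.Exception.Message)"
        continue
    }
    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.DistinguishedName -Properties LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Group           = $Group
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            LastLogonDate   = $User.LastLogonDate
            PasswordLastSet = $User.PasswordLastSet
        }
    }
}

# 2. Create the dedicated admin account first, so you are never without one.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AdminAccount'")) {
    $Password = Read-Host -AsSecureString "Initial password for $AdminAccount"
    New-ADUser -Name $AdminAccount -SamAccountName $AdminAccount `
        -UserPrincipalName "$AdminAccount@contoso.local" `
        -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true `
        -Description 'Admin account only; no mailbox, no web browsing'
    Add-ADGroupMember -Identity 'Domain Admins' -Members $AdminAccount
}

# 3. Only now strip the daily account from each privileged group it is a
#    direct member of. -Confirm prompts per removal so a typo cannot lock you out.
foreach ($Group in $PrivilegedGroups) {
    $Direct = Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue |
        Where-Object SamAccountName -eq $DailyAccount
    if ($Direct) {
        Remove-ADGroupMember -Identity $Group -Members $DailyAccount -Confirm
    }
}

# 4. M365: list every activated directory role and its members, so you can
#    confirm the daily (mailbox) identity holds none and that Global Admin is a
#    separate account protected by MFA.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'
foreach ($Role in Get-MgDirectoryRole) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id | ForEach-Object {
        [pscustomobject]@{
            Role = $Role.DisplayName
            Upn  = $_.AdditionalProperties['userPrincipalName']
            Type = $_.AdditionalProperties['@odata.type']
        }
    }
}
```

Run step 1 and step 4 on their own first and keep the output; anything that appears in those lists and is not a deliberately named admin account is what the two answers are telling you to remove. Step 3 is ordered after step 2 on purpose: test a logon with adm-jdoe before you take rights away from jdoe, because with only two servers there is no second administrator to rescue you.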