Dive Brief:
- To better secure systems and workforce, Microsoft simplified identity management, provisioning identity access to "exactly the right systems and tools," the security team said in a blog post last week. There is a balance with identity and access management: If a company under-provisions, employees are likely to request more access than is required to avoid going through the provisioning process again.
- To prevent over-provisioning, Microsoft established role-based access, tying access rules to the "systems, tools and resources" each role requires, according to the post. If an employee moves roles, Microsoft has a process in place to ensure people don't carry system access with them.
- Microsoft is also moving toward a "password-less world." Only 10% of Microsoft users enter a password per day, in part thanks to a push to reduce legacy authentication workflows, according to the post. The company is also committed to using PINs and a biometric rather than a password.
Dive Insight:
Microsoft, with its $974 billion market cap, has security woes, just like every other company. From the security team's perspective, the risks the company faces are common across the industry.
The company's workforce is spread out, leaving many to access corporate sites through external networks, according to the blog post. Those 131,000 employees are just as fallible as workers at other companies. Remembering complex passwords is a challenge, leaving many to repeat credentials across sites.
In the name of security, the company dropped legacy password expiration policies and closely follows a banned passwords list.
Its recommendations follow the logical security narrative: Make sure employees who need access have access. Otherwise, lock systems down.
This is in part why Microsoft has paid close attention to administrator accounts. Administrative users have access to critical data and internal systems, making them a ripe target. The fewer people who have privileged access, the more secure the system.
The company also requires users with administrative privileges to use separate, secure devices, have an isolated identity and have zero account rights by default. If an admin requires access, they have to request just-in-time privileges.
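The role-based model described above (entitlements derived from the current role, nothing carried over on a role change, and admin identities holding zero standing rights until a time-boxed just-in-time grant) can be modelled in a few lines. This is an added illustration, not Microsoft's code; the role catalogue, resource names and TTL values are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: each role maps to exactly the resources it needs.
# The admin role deliberately has no standing rights; everything is just-in-time.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger:read", "reports:read"},
    "sre": {"prod-logs:read", "deploy:run"},
    "admin": set(),
}


@dataclass
class User:
    name: str
    role: str
    # Active JIT grants: resource -> expiry (seconds since epoch)
    jit_grants: dict = field(default_factory=dict)


def change_role(user: User, new_role: str) -> None:
    """A role move replaces entitlements; nothing from the old role survives."""
    if new_role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role {new_role!r}")
    user.role = new_role
    user.jit_grants.clear()  # elevations requested under the old role are dropped


def request_jit(user: User, resource: str, now: int, ttl_seconds: int = 3600) -> None:
    """Admin identities get time-boxed rights on request instead of standing access."""
    if user.role != "admin":
        raise PermissionError("only admin identities can request JIT elevation")
    user.jit_grants[resource] = now + ttl_seconds


def effective_access(user: User, now: int) -> set:
    """Standing rights come only from the current role; JIT grants must be unexpired."""
    # Purge expired grants so an elevation cannot linger past its window.
    user.jit_grants = {r: exp for r, exp in user.jit_grants.items() if exp > now}
    return ROLE_ENTITLEMENTS[user.role] | set(user.jit_grants)


def has_access(user: User, resource: str, now: int) -> bool:
    return resource in effective_access(user, now)
```

Access is always recomputed from the role plus unexpired grants rather than stored per user, which is what keeps a role change from silently accumulating rights.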
Microsoft is cautious by necessity. If a malicious actor were to gain access to a privileged administrative account, they could wreak havoc on businesses across every sector through a third-party, supply-chain-style attack.