{"id":86854,"date":"2018-11-29T09:00:51","date_gmt":"2018-11-29T17:00:51","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=86854"},"modified":"2023-08-03T14:59:22","modified_gmt":"2023-08-03T21:59:22","slug":"secure-your-privileged-administrative-accounts-with-a-phased-roadmap","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/","title":{"rendered":"CISO series: Secure your privileged administrative accounts with a phased roadmap"},"content":{"rendered":"<p>In my role, I often meet with CISOs and security architects who are updating their security strategy to meet the challenges of continuously evolving attacker techniques and cloud platforms. A frequent topic is prioritizing security for their highest value assets, both the assets that have the most business value today as well as the initiatives that the organization is banking on for the future. This typically includes intellectual property, customer data, key new digital initiatives, and other data that, if leaked, would do the greatest reputational and financial damage. Once we\u2019ve identified the highest value assets, it inevitably leads to a conversation about all the privileged accounts that have administrative rights over these assets. Most of our customers recognize that you can no longer protect the enterprise just by securing the network edge; the cloud and mobile devices have permanently changed that. Identities represent the critically important new security perimeter in a dual perimeter strategy while legacy architectures are slowly phased out.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"><br \/>\n<\/a><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86869 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-1.png\" alt=\"Running dual perimeters.\" width=\"800\" height=\"450\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-1.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-1-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-1-768x432.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<p>Regardless of perimeter and architecture, there are few things more important to a secure posture than protecting admins. This is because a compromised admin account would cause a much greater impact on the organization than a compromised non-privileged user account.<\/p>\n<p>If you are working on initiatives to secure your privileged accounts (and I hope you are \u263a), this post is designed to help. I\u2019ve shared some of the principles and tools that Microsoft has used to guide and enhance our own security posture, including some prescriptive roadmaps to help you plan your own initiatives.<\/p>\n<h3>Protect the privileged access lifecycle<\/h3>\n<p>Once you start cataloging all the high-value assets and who can impact them, it quickly becomes clear that we aren\u2019t just talking about traditional IT admins when we talk about privileged accounts. There are people who manage social media accounts rich with customer data, cloud services admins, and those that manage directories or financial data. All of these user accounts need to be secured (though most organizations start with IT admins first and then progress to others, prioritized based on risk or the ability to secure the account quickly).<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-2.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86872 size-large\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-2-1024x469.png\" alt=\"Privileged access is more than administrators.\" width=\"1024\" height=\"469\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-2-1024x469.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-2-300x137.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-2-768x352.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-2.png 1039w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>Protecting the privileged access lifecycle is also more than just vaulting the credentials. Organizations need to take a complete and thoughtful approach to isolate the organization\u2019s systems from risks. It requires changes to:<\/p>\n<ul type=\"disc\">\n<li>Processes, habits, administrative practices, and knowledge management.<\/li>\n<li>Technical components such as host defenses, account protections, and identity management.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86875 size-large\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-3-1024x511.png\" alt=\"Securing privileged access. \" width=\"1024\" height=\"511\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-3-1024x511.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-3-300x150.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-3-768x383.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-3.png 1045w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<h3>Principles of securing privileged access<\/h3>\n<p>Securing all aspects of the privileged lifecycle really comes down to the following principles:<\/p>\n<ul type=\"disc\">\n<li>Strengthen authentication:\n<ul type=\"circle\">\n<li>Move beyond relying solely on passwords that are too often weak, or easily guessed and move to a password-less, Multi-Factor Authentication (MFA) solution that uses at least two forms of authentication, such as a PIN, biometrics, and\/or a code generated by a device.<\/li>\n<li>Make sure you detect and remediate leaked credentials.<\/li>\n<\/ul>\n<\/li>\n<li>Reduce the attack surface:\n<ul type=\"circle\">\n<li>Remove legacy\/insecure protocols.<\/li>\n<li>Remove duplicate\/weak passwords.<\/li>\n<li>Reduce dependencies.<\/li>\n<\/ul>\n<\/li>\n<li>Increase monitoring and detection.<\/li>\n<li>Automate threat response.<\/li>\n<li>Ensure usability for administrators.<\/li>\n<\/ul>\n<p>To illustrate the importance we place on privileged access controls, I\u2019ve included a diagram that shows how Microsoft protects itself. You\u2019ll see we have instituted traditional defenses for securing the network, as well as made extensive investments into development security, continuous monitoring, and processes to ensure we are looking at our systems with an attacker\u2019s eye. You can also see how we place a very high priority on security for privileged users, with extensive training, rigorous processes, separate workstations, as well as strong authentication.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-4.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86878 size-large\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-4-1024x570.png\" alt=\"Microsoft protecting Microsoft.\" width=\"1024\" height=\"570\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-4-1024x570.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-4-300x167.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-4-768x428.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-4.png 1043w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<h3>Prioritize quick, high-value changes first using our roadmap<\/h3>\n<p>To help our customers get the most protection for their investment of time\/resources, we have created prescriptive roadmaps to kickstart your planning. These will help you plan out your initiatives in phases, so you can knock out quick wins first and then incrementally increase your security over time.<\/p>\n<p>Check out the <a href=\"https:\/\/aka.ms\/securitysteps\">Azure Active Directory (Azure AD) roadmap<\/a> to plan out protections for the administration of this critical system. We also have an on-premises roadmap focused on Active Directory admins, which I\u2019ve included below. Since many organizations run hybrid networks, we will soon merge these two roadmaps.<\/p>\n<h3>On-premises privileged identity roadmap<\/h3>\n<p>There are three stages to secure privileged access for an on-premises AD.<\/p>\n<p><strong>Stage 1 (30 days)<\/strong><\/p>\n<p>Stage 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-5.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86881 size-large\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-5-1024x549.png\" alt=\"Stage 1 (30 days).\" width=\"1024\" height=\"549\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-5-1024x549.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-5-300x161.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-5-768x411.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-5.png 1051w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>1. Separate accounts: This is the first step to mitigate the risk of an internet attack (phishing attacks, web browsing) from impacting administrative privileges.<\/p>\n<p>2 and 3. Unique passwords for workstations and servers: This is a critical containment step to protect against adversaries stealing and re-using password hashes for local admin accounts to gain access to other computers.<\/p>\n<p>4. Privileged access workstations (PAW) stage 1: This reduces internet risks by ensuring that the workstations admins use every day are protected at a very high level.<\/p>\n<p>5. Identity attack detection: Ensures that security operations have visibility into well-known attack techniques on admins.<\/p>\n<p><strong>Stage 2 (90 days)<\/strong><\/p>\n<p>These capabilities build on the mitigations from the 30-day plan and provide a broader spectrum of mitigations, including increased visibility and control of administrative rights.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-6.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86884 size-large\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-6-1024x574.png\" alt=\"Stage 2 (90 days).\" width=\"1024\" height=\"574\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-6-1024x574.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-6-300x168.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-6-768x431.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-6.png 1047w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>1. Require Windows Hello for business: Replace hard-to-remember and easy-to-hack passwords with strong, easy-to-use authentication for your admins.<\/p>\n<p>2. PAW stage 2: Requiring separate admin workstations significantly increases the security of the accounts your admins use to do their work. This makes it extremely difficult for adversaries to get access to your admins and is modeled on the systems we use to protect Azure and other sensitive systems at Microsoft (described earlier).<\/p>\n<p>3. Just in time privileges: Lowers the exposure of privileges and increases visibility into privilege use by providing them to admins as they need it. This same principle is applied rigorously to admins of our cloud.<\/p>\n<p>4. Enable credential guard on Windows 10 workstations: This isolates secrets for legacy authentication protocols like Kerberos and NTLM on all Windows 10 user workstations to make it more difficult for attackers to operate there and reach the admins.<\/p>\n<p>5. Leaked credentials 1: This enables you to detect a risk of a leaked password by synchronizing password hashes to Azure AD where it can compare them to known leaked credentials.<\/p>\n<p>6. Lateral movement vulnerability detection: Discover which sensitive accounts in your network are exposed because of their connection to non-sensitive accounts, groups, and machines.<\/p>\n<p><strong>Stage 3: Proactively secure posture<\/strong><\/p>\n<p>These capabilities build on the mitigations from previous phases and move your defenses into a proactive posture. While there will never be perfect security, this represents the strongest protections against privilege attacks currently known and available today.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-7.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-86887 size-large\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-7-1024x570.png\" alt=\"Stage 3: Proactively secure posture.\" width=\"1024\" height=\"570\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-7-1024x570.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-7-300x167.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-7-768x428.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/11\/Secure-your-privileged-administrative-accounts-7.png 1052w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>1. Review role-based access control: Protect identity and management systems using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.<\/p>\n<p>2. PAW stage 3: Expands your protection by separating internet risks (phishing attacks, web browsing) from all administrative privileges, not just AD admins.<\/p>\n<p>3. Lowers the attack surface of domain and domain controller: This hardens these sensitive assets to make it difficult for attackers to compromise them with classic attacks like unpatched vulnerabilities and exploiting configuration weaknesses.<\/p>\n<p>4. Leaked credentials 2: This steps up the protection of admin accounts against leaked credentials by forcing a reset of passwords using conditional access and self-service password reset (versus requiring someone to review the leaked credentials reports and manually take action).<\/p>\n<p>Securing your administrative accounts will reduce your risk significantly. Stay tuned for the hybrid roadmap, which will be completed in early 2019.\u00a0Also, learn more at our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/ciso-series\/\">CISO series<\/a> page.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help.<\/p>\n","protected":false},"author":61,"featured_media":87994,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3662],"topic":[3684],"products":[3702,3703],"threat-intelligence":[],"tags":[3896],"coauthors":[1906],"class_list":["post-86854","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-news","topic-security-operations","products-microsoft-entra","products-microsoft-entra-id","tag-credential-theft"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>CISO series: Secure your privileged administrative accounts with a phased roadmap | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CISO series: Secure your privileged administrative accounts with a phased roadmap | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-11-29T17:00:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-03T21:59:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\" \/>\n\t<meta property=\"og:image:width\" content=\"740\" \/>\n\t<meta property=\"og:image:height\" content=\"420\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Mark Simos\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mark Simos\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/mark-simos\/\",\"@type\":\"Person\",\"@name\":\"Mark Simos\"}],\"headline\":\"CISO series: Secure your privileged administrative accounts with a phased roadmap\",\"datePublished\":\"2018-11-29T17:00:51+00:00\",\"dateModified\":\"2023-08-03T21:59:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/\"},\"wordCount\":1252,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\",\"keywords\":[\"Credential theft\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/\",\"name\":\"CISO series: Secure your privileged administrative accounts with a phased roadmap | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\",\"datePublished\":\"2018-11-29T17:00:51+00:00\",\"dateModified\":\"2023-08-03T21:59:22+00:00\",\"description\":\"If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\",\"width\":740,\"height\":420,\"caption\":\"CISO Series icon.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CISO series: Secure your privileged administrative accounts with a phased roadmap\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CISO series: Secure your privileged administrative accounts with a phased roadmap | Microsoft Security Blog","description":"If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/","og_locale":"en_US","og_type":"article","og_title":"CISO series: Secure your privileged administrative accounts with a phased roadmap | Microsoft Security Blog","og_description":"If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/","og_site_name":"Microsoft Security Blog","article_published_time":"2018-11-29T17:00:51+00:00","article_modified_time":"2023-08-03T21:59:22+00:00","og_image":[{"width":740,"height":420,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","type":"image\/png"}],"author":"Mark Simos","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Mark Simos","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/mark-simos\/","@type":"Person","@name":"Mark Simos"}],"headline":"CISO series: Secure your privileged administrative accounts with a phased roadmap","datePublished":"2018-11-29T17:00:51+00:00","dateModified":"2023-08-03T21:59:22+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/"},"wordCount":1252,"commentCount":0,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","keywords":["Credential theft"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/","name":"CISO series: Secure your privileged administrative accounts with a phased roadmap | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","datePublished":"2018-11-29T17:00:51+00:00","dateModified":"2023-08-03T21:59:22+00:00","description":"If you are working on initiatives to secure your privileged accounts (and I hope you are), this post is designed to help.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","width":740,"height":420,"caption":"CISO Series icon."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/11\/29\/secure-your-privileged-administrative-accounts-with-a-phased-roadmap\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"CISO series: Secure your privileged administrative accounts with a phased roadmap"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/86854"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=86854"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/86854\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/87994"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=86854"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=86854"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=86854"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=86854"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=86854"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=86854"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=86854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}