{"id":10561,"date":"2018-05-24T16:06:17","date_gmt":"2018-05-24T23:06:17","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=10561"},"modified":"2023-06-18T13:20:39","modified_gmt":"2023-06-18T20:20:39","slug":"protecting-high-risk-environments-with-secure-admin-workstations","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/","title":{"rendered":"Protecting high-risk environments with secure admin workstations"},"content":{"rendered":"<div class=\"m-alert f-error\" role=\"alert\">\n<div>\n<div class=\"c-glyph glyph-incident-triangle\" aria-label=\"Error message\"><\/div>\n<p class=\"c-paragraph\">This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.<\/p>\n<\/div>\n<\/div>\n<p>As malicious threats evolve, companies add multilayer security and take a defense-in-depth approach as they strive to protect their enterprises. One element in our network security strategy at Microsoft is the secure admin workstation (SAW). These limited-use client computers\u2014built on Windows 10\u2014help protect high-risk environments from security risks such as malware, phishing, and pass-the-hash attacks, and they provide secure access to restricted environments.<\/p>\n<p>Security attacks are evolving and becoming more sophisticated in large organizational environments, and to say that IT teams are concerned is an understatement. Secure admin workstations (SAWs) can be invaluable in the security toolkit for any organization. Microsoft Digital has discovered a particularly effective use for SAWs in protecting high-risk environments. Learn what SAWs are, how Microsoft uses them, and why other organizations might adopt them.<\/p>\n<h2>Understanding secure admin workstations<\/h2>\n<p>Secure admin workstations are limited-use client machines that are built to substantially reduce the risk of compromise from malware, phishing attacks, bogus websites, and pass-the-hash (PtH) attacks, among other security risks. Although SAWs can\u2019t be considered a \u201csilver bullet\u201d security solution for these attacks, Microsoft has found these clients to be helpful as part of a layered, defense-in-depth approach to security.<\/p>\n<p>Microsoft partners with manufacturers to build these devices, and what\u2019s unique about them is what they don\u2019t include: software, such as productivity suites and other utilities that are potentially vulnerable to malware and phishing attacks. For example, users can\u2019t be tricked into clicking a link in an email phishing attack if they don\u2019t have an email program running. Productivity tools and high-risk applications that aren\u2019t required for the secure admin role are installed and used on a separate \u201cproductivity virtual machine,\u201d which is hosted on the SAW. This configuration allows the user to access the productivity tools and applications they need without increasing risk to the secure admin environment.<\/p>\n<p>Microsoft allows only approved applications to run on the workstation. High-risk items don\u2019t make the list. Which applications make the approved list can vary,\u00a0but the point of the process is to carefully vet the list and make security a high priority. The SAW can include a limited version of Microsoft Edge that is filtered and uses a proxy server to access the administrative sites the user needs.<\/p>\n<p>In the context of protecting high-risk environments, SAWs are used for making secure connections to the environment and that\u2019s pretty much their only function. As one principal IT service engineer puts it, \u201cSAWs for high-risk environments (HREs) are like giant smart cards, identifying and authenticating that the user is allowed to get in the door.\u201d<\/p>\n<h3>Who has access, and when?<\/h3>\n<p>Given the nature of HREs, it\u2019s understandable that an organization would want to restrict access to SAWs and have a process in place for how these machines are assigned and distributed. For Microsoft, the sequence follows this general pattern:<\/p>\n<ol class=\"c-list\">\n<li>An HRE has a designated owner. Employees who require access to the HRE request approval from the owner.<\/li>\n<li>If the request is accepted, the owner puts in a formal request to the SAW team to create a SAW device. The SAW team coordinates with the device manufacturer.<\/li>\n<li>The device manufacturer ships the device to Microsoft, and the SAW team adds the image to it and hardens the device to make it highly secure. Note that when Microsoft initially receives the device, the hardware is secure but the software isn\u2019t. So, for example, it does have the UEFI passwords set and the machine configuration is already locked down, but it doesn\u2019t have an operating system on it and it\u2019s not software-managed and controlled. Microsoft recommends limiting the amount of time that the SAW is in this state to as short a time as possible.<\/li>\n<li>The software-secured device is then sent to users through interoffice mail, rather than the postal system. This method ensures that the device is always in Microsoft facilities. Users can also come directly to the SAW team to pick it up if that is more convenient.<\/li>\n<li>Users now have access to the device and can sign in using their Microsoft credentials.<\/li>\n<li>Users can start the HRE remote access process.<\/li>\n<\/ol>\n<p>After approved users have the SAW, they use it as needed to access the HREs. In practice, the SAW becomes a second device for them, with their standard machine used for day-to-day work and the SAW used for privileged work. Users experience a bit of a learning curve as they adjust to the limited functionality of the SAW. For more information about the user experience, see the\u00a0<i>Recommendations and limitations\u00a0<\/i>section.<\/p>\n<h3>How SAWs are used for HREs at Microsoft<\/h3>\n<p>The SAW isn\u2019t granting rights to any actual resource; it merely provides a connection to a secure server, which itself connects to the HRE. Specifically, a SAW enables users to use two-factor authentication to make a Microsoft Remote Desktop Protocol connection through a bank of Remote Desktop Services servers for each HRE.<\/p>\n<div><\/div>\n<div class=\"m-image float-right\">\n<figure id=\"attachment_10563\" aria-describedby=\"caption-attachment-10563\" style=\"width: 623px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10563 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-img001.jpg\" alt=\"Figure 1 shows a diagram of the layers of SAW enforcement controls.\" width=\"623\" height=\"351\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-img001.jpg 623w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-img001-300x169.jpg 300w\" sizes=\"(max-width: 623px) 100vw, 623px\" \/><figcaption id=\"caption-attachment-10563\" class=\"wp-caption-text\">Figure 1. SAW enforcements<\/figcaption><\/figure>\n<\/div>\n<p>SAW devices at Microsoft serve two major purposes: to provide access to HREs and to provide access to the domain for users who have privileged admin access. There are approximately 35,000 SAW devices in use at Microsoft, with only 30 to 40 of those devices being used to access HREs, although that number is expected to grow because of increased demand for HRE access.<\/p>\n<p>When users no longer need a SAW device, the SAW team typically re-deploys the device to another user in the same organization. If required, the software is reimaged and, if necessary, the hardware itself is re-baselined (such as for UEFI changes). If any device is unaccounted for, Microsoft Digital can place it in BitLocker recovery mode, with no BitLocker recovery key available. This effectively locks down the device and renders it unusable.<\/p>\n<h2>Recommendations and limitations<\/h2>\n<p>Recommendations and limitations for organizations that are considering using SAWs as one of the layers for isolation can include:<\/p>\n<ul class=\"c-list\">\n<li><strong>Approve applications.<\/strong>\u00a0Always vet and approve anything to be put on the SAW. Users may occasionally ask for additional software or utilities to be added. IT should do a cost-benefit analysis to determine if the applications and systems are critical to the admin role or if they are simply a convenience. In most cases, high-risk applications are not needed for admin functions and can be used from the productivity virtual machine instead of from the SAW.\n<p>This interplay or negotiation with users sometimes calls for creativity.For example, let\u2019s say that a user requests a toolkit that requires local administrative rights on the machine when the user installs it. IT may be able to preinstall that toolkit on the system, so that it can run without administrative rights, rather than granting users the administrative rights necessary to install it themselves. Users get what they need for productivity and IT maintains the security that a SAW requires.<\/li>\n<li><strong>Make the connection between the manufacturer (hardware) and the provisioning team (software) as short as possible.\u00a0<\/strong>This is the least secure link in the chain.<\/li>\n<li><strong>Educate users about how to work with SAWs.<\/strong>\u00a0A SAW device is the only way for a user to access an HRE. There is no workaround for such a locked-down workstation. We deploy SAW laptops to mobile users who need access to HREs.<\/li>\n<li><strong>Carefully track SAW inventory.\u00a0<\/strong>Collect usage metrics on the devices to look for stale computers and devices that aren\u2019t being used.Many IT departments practice this already for their standard hardware and will find it easy to extend this to their SAW inventory as well.<\/li>\n<li><strong>Understand that even SAWs are not 100 percent secure.<\/strong>\u00a0If persons with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.<\/li>\n<li><strong>Realize that it\u2019s more secure to enforce the use of SAWs to access HREs than to allow exceptions.\u00a0<\/strong>Microsoft uses a global enforcement mechanism, so that after a team agrees to use enforcement, everyone accessing the HRE must be using a SAW. Think of it this way: identity management is exception management.<\/li>\n<li><strong>Recognize that this is a relatively high-cost solution.<\/strong>\u00a0In this scenario, Microsoft Digital buys two machines per employee\u2014the SAW and the standard machine\u2014rather than one.<\/li>\n<li><strong>Identify the minimum hardware requirements for a device that will be used as a SAW, primarily because of the chipset needed.\u00a0<\/strong>Windows 10 supports these hardware requirements.<\/li>\n<\/ul>\n<h3>Built on a strong foundation<\/h3>\n<p>Windows 10 provides a strong foundation for our SAW devices with several important built-in security features.<\/p>\n<h4>Windows Defender Device Guard<\/h4>\n<p>Windows Defender Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can run only trusted applications. If the application isn\u2019t trusted, it can\u2019t run\u2014period. It also means that even if an attacker manages to get control of the Windows kernel, that attacker will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.<\/p>\n<h4>Windows Defender Credential Guard<\/h4>\n<p>Windows Defender Credential Guard uses virtualization-based security to isolate secret information so that only privileged system software can access it. Unauthorized access to these secrets can lead to credential theft attacks, such as pass-the-hash or pass-the-ticket. Windows Defender Credential Guard prevents these attacks by protecting password hashes and credentials stored by applications.<\/p>\n<h4>Secure Boot and Trusted Boot<\/h4>\n<p>Secure Boot uses UEFI and TPM to verify the digital signature of the firmware, reducing the risk of successful rootkit attacks. Trusted Boot ensures that only verified and digitally signed operating system and application components are executed when Windows loads.<\/p>\n<p>A SAW builds on the firm foundation of Windows 10, providing the level of isolation and restricted access that Microsoft needs for its high-risk environments. No single technique or even operating system is a perfectly secure solution, but combining the advantages of several techniques offers improved security overall.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft. As malicious threats evolve, companies add multilayer security and take a defense-in-depth approach as they strive to protect their enterprises. One element in our network security strategy at [&hellip;]<\/p>\n","protected":false},"author":146,"featured_media":10562,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"coauthors":[674],"class_list":["post-10561","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","m-blog-post"],"jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Protecting high-risk environments with secure admin workstations - Inside Track Blog<\/title>\n<meta name=\"description\" content=\"Limited-use client computers\u2014built on Windows 10\u2014help protect high-risk environments from security risks such as malware, phishing, and pass-the-hash attacks, and they provide secure access to restricted environments.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protecting high-risk environments with secure admin workstations - Inside Track Blog\" \/>\n<meta property=\"og:description\" content=\"Limited-use client computers\u2014built on Windows 10\u2014help protect high-risk environments from security risks such as malware, phishing, and pass-the-hash attacks, and they provide secure access to restricted environments.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-05-24T23:06:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-18T20:20:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1040\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Inside Track \u2013 retired stories\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Inside Track \u2013 retired stories\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/\",\"name\":\"Protecting high-risk environments with secure admin workstations - Inside Track Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg\",\"datePublished\":\"2018-05-24T23:06:17+00:00\",\"dateModified\":\"2023-06-18T20:20:39+00:00\",\"author\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575\"},\"description\":\"Limited-use client computers\u2014built on Windows 10\u2014help protect high-risk environments from security risks such as malware, phishing, and pass-the-hash attacks, and they provide secure access to restricted environments.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg\",\"width\":1040,\"height\":585,\"caption\":\"Male and female office workers standing at desks with desktop computers.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Protecting high-risk environments with secure admin workstations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575\",\"name\":\"Inside Track \u2013 retired stories\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/ee0de87c339052d5d84852473bd7f213\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g\",\"caption\":\"Inside Track \u2013 retired stories\"},\"description\":\"The content on this page was crafted to highlight a specific moment in time or the solutions that have led us to where we are today. It offers valuable insights into our journey and the progress made over the years. Check out the Inside Track blog page for our up-to-date stories around Microsoft.\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrackarchive\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Protecting high-risk environments with secure admin workstations - Inside Track Blog","description":"Limited-use client computers\u2014built on Windows 10\u2014help protect high-risk environments from security risks such as malware, phishing, and pass-the-hash attacks, and they provide secure access to restricted environments.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/","og_locale":"en_US","og_type":"article","og_title":"Protecting high-risk environments with secure admin workstations - Inside Track Blog","og_description":"Limited-use client computers\u2014built on Windows 10\u2014help protect high-risk environments from security risks such as malware, phishing, and pass-the-hash attacks, and they provide secure access to restricted environments.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/","og_site_name":"Inside Track Blog","article_published_time":"2018-05-24T23:06:17+00:00","article_modified_time":"2023-06-18T20:20:39+00:00","og_image":[{"width":1040,"height":585,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg","type":"image\/jpeg"}],"author":"Inside Track \u2013 retired stories","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Inside Track \u2013 retired stories","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/","name":"Protecting high-risk environments with secure admin workstations - Inside Track Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg","datePublished":"2018-05-24T23:06:17+00:00","dateModified":"2023-06-18T20:20:39+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575"},"description":"Limited-use client computers\u2014built on Windows 10\u2014help protect high-risk environments from security risks such as malware, phishing, and pass-the-hash attacks, and they provide secure access to restricted environments.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg","width":1040,"height":585,"caption":"Male and female office workers standing at desks with desktop computers."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-high-risk-environments-with-secure-admin-workstations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Protecting high-risk environments with secure admin workstations"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/59e5f7b07dae629412c990cc1a63b575","name":"Inside Track \u2013 retired stories","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/ee0de87c339052d5d84852473bd7f213","url":"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/24a8c329ab32afd1bc23fd1658d1acc2?s=96&d=mm&r=g","caption":"Inside Track \u2013 retired stories"},"description":"The content on this page was crafted to highlight a specific moment in time or the solutions that have led us to where we are today. It offers valuable insights into our journey and the progress made over the years. Check out the Inside Track blog page for our up-to-date stories around Microsoft.","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrackarchive\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/8320-hero.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-2Kl","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10561"}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/146"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=10561"}],"version-history":[{"count":5,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10561\/revisions"}],"predecessor-version":[{"id":11460,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10561\/revisions\/11460"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/10562"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=10561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=10561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=10561"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=10561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}