You can reduce the attack surface for privileged identities (discussed in the previous section) with each of the mitigations described in the following table:
| Attack vectors | How to mitigate |
| --- | --- |
| More privileges than are necessary | Implement Just Enough Administration (JEA) for all IT pros who administer Windows Server and the apps and services (such as Exchange Server or Exchange Online) running on Windows Server by using Windows PowerShell. |
| Signed in with elevated privileges all the time | Implement Just in Time (JIT) administration for all users who require elevated privileges so that the elevated privileges can only be used for a limited amount of time. Many organizations use the Local Administrator Password Solution (LAPS) as a simple yet powerful JIT administration mechanism for their server and client systems. |
| Compromised identity and Pass-the-Hash attacks | Implement Microsoft Advanced Threat Analytics (ATA) to help detect compromised identities in on-premises workloads and servers. ATA is an on-premises solution that you can use to manage physical and virtualized workloads. |
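
To make the JEA row concrete, the following added example (not part of the original page) registers a constrained PowerShell endpoint that lets a DNS operators group restart only the DNS service. The module name `ContosoJEA`, the role and endpoint name `DnsOperator`, the group `CONTOSO\DnsOperators` and the file paths are all hypothetical.

```powershell
# Added example: all names and paths below are hypothetical placeholders.
# Run in an elevated PowerShell 5.1 session on the server being administered.

# 1. Role capability files are discovered inside a module's RoleCapabilities folder.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
$rolePath   = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rolePath -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $modulePath 'ContosoJEA.psm1') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'ContosoJEA.psd1') -RootModule 'ContosoJEA.psm1'

# 2. The role: read service state, and restart the DNS service and nothing else.
$role = @{
    Path           = Join-Path $rolePath 'DnsOperator.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )
}
New-PSRoleCapabilityFile @role

# 3. The endpoint: no full language, a temporary virtual account instead of the
#    operator's own credentials, and a transcript of every session for review.
$transcripts = Join-Path $env:ProgramData 'JEATranscripts'
$psscPath    = Join-Path $env:ProgramData 'JEAConfiguration\DnsOperator.pssc'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $psscPath) -Force | Out-Null
$session = @{
    Path                = $psscPath
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $transcripts
    RoleDefinitions     = @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }
}
New-PSSessionConfigurationFile @session

# 4. Validate the file before registering, so a typo never produces a broken endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}
Register-PSSessionConfiguration -Name 'DnsOperator' -Path $psscPath -Force

# 5. Review what a given member would be allowed to run (user name is a placeholder):
# Get-PSSessionCapability -ConfigurationName 'DnsOperator' -Username 'CONTOSO\<user>'
```

Members of the group connect with `Enter-PSSession -ComputerName <server> -ConfigurationName DnsOperator` and no longer need membership in the local Administrators group for this task.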