The company I now work for has decided to separate out admin accounts in Windows. Fair enough, except it's not like a Unix system where you can quickly context switch. Trying to administer Office 365 with two separate Office 365 accounts is an absolute nightmare!
Sorry, maybe I am missing something here. For local admin, I agree re context switching etc.
But for O365 admin, we have a similar setup and I admin O365 through a separate container tab or PowerShell where you need to connect to Azure separately anyways. Seems straightforward to me.
The company I now work for has decided to separate out admin accounts in Windows
Do they know that doesn’t work?
If you do a run-as then you are as vulnerable to PTH as you would be if you just logged in with the admin account anyway... you need to go full PAW these days.
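The point in the comment above is that a run-as still places the admin account's credentials in LSASS on the ordinary workstation. Below is an added example (not from this thread or any poster) of a defender-side check: it flags logons by privileged accounts on hosts that are not designated PAWs, using logon types that leave reusable credential material on the host. The "adm-" naming prefix and the PAW hostnames are assumptions, and the sample records are constructed.

```powershell
# Assumptions (placeholders): admin accounts start with "adm-", PAWs are the hosts listed.
$AdminPrefix = 'adm-'
$PawHosts    = @('PAW01', 'PAW02')

# 4624 logon types that cache credentials in LSASS on the target host:
# 2 Interactive (console logon and plain runas), 9 NewCredentials (runas /netonly),
# 10 RemoteInteractive (RDP), 11 CachedInteractive. Type 3 (network) is not flagged
# because a pure network logon does not leave a reusable secret on that host.
$ExposingLogonTypes = 2, 9, 10, 11

# Flatten a Security 4624 event into the fields the check needs.
function ConvertFrom-Logon4624 {
    param([Parameter(Mandatory)] $Event)
    [xml]$x = $Event.ToXml()
    $data = @{}
    foreach ($n in $x.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        TimeCreated    = $Event.TimeCreated
        Computer       = $x.Event.System.Computer
        TargetUserName = $data['TargetUserName']
        LogonType      = [int]$data['LogonType']
    }
}

# Emit one finding per privileged logon on a non-PAW host with an exposing logon type.
function Test-PrivilegedLogonExposure {
    param([Parameter(ValueFromPipeline)] $Logon)
    process {
        if ($Logon.TargetUserName -notlike "$AdminPrefix*")        { return }
        if ($ExposingLogonTypes -notcontains [int]$Logon.LogonType) { return }
        if ($PawHosts -contains $Logon.Computer)                    { return }
        [pscustomobject]@{
            Time    = $Logon.TimeCreated
            Host    = $Logon.Computer
            Account = $Logon.TargetUserName
            Type    = $Logon.LogonType
            Finding = 'privileged credentials exposed on non-PAW host'
        }
    }
}

# Constructed sample records standing in for Get-WinEvent output (offline run).
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:00'; Computer = 'WS-042'; TargetUserName = 'adm-jdoe'; LogonType = 2 }   # runas on a user workstation: flagged
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:05'; Computer = 'PAW01';  TargetUserName = 'adm-jdoe'; LogonType = 2 }   # on a PAW: fine
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:10'; Computer = 'WS-042'; TargetUserName = 'adm-jdoe'; LogonType = 3 }   # network logon: not flagged
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:15'; Computer = 'WS-042'; TargetUserName = 'jdoe';     LogonType = 2 }   # non-admin: ignored
)
$sample | Test-PrivilegedLogonExposure | Format-Table -AutoSize
```

Against live logs, pipe `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` through `ForEach-Object { ConvertFrom-Logon4624 $_ }` and then into `Test-PrivilegedLogonExposure`; the constructed sample above yields exactly one finding, the runas on WS-042.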
Could you expand on this? We have a similar setup for our domain admin accounts and I heard it was the safest way to do things. What do you mean by PAW?
A PAW is a "privileged access workstation", i.e. a dedicated, hardened machine just for the purpose of admin tasks. Due to the specialized tasks it needs to run, the workstation can be
Pass-the-hash is a common attack on Kerberos - it doesn’t care if you are logged in as an admin or have merely done run-as an admin. See https://microsoft.com/pth for more.