Secure administration environments

68 views
Skip to first unread message

Heaton, Joseph@Wildlife

unread,
Sep 10, 2025, 2:13:11 PMSep 10
to ntsys...@googlegroups.com

Currently, I have a work laptop, that I log into with my user credentials, and don’t do any admin work directly from this machine.  I have a VMWare virtual machine that I RDP to, and log into using my admin credentials, and that is where I do all my admin work.  Other admins in my department have virtual workstations, where all their admin tools are installed, but they log into them with user credentials and Run As for anything needed elevation.  I know neither of these is the pie in the sky, best practices method.  Used to be, Microsoft recommended Privileged Access Workstations (PAWs), and now they recommend secure admin workstations (SAW), which is a separate, hardware machine that’s locked down. I’m also seeing Secure Administrative Hosts, which can be dedicated workstations, or a member server running Remote Desktop Gateway, or a hyper-v that provides a unique virtual for each admin (like what we use now, but ours probably aren’t locked down at all..)  We don’t have smart cards, but we do do MFA for our O365 and Azure work.  I’m just wondering if we need to totally revamp how we do things, or if I, or the other admins, are on the right track already.

 

Any broad advice/tips?

 

Thanks,

 

Joe Heaton

Managed Services and Operational Support Unit

Information Technology Operations Branch

Data and Technology Division

CA Department of Fish and Wildlife

1700 9th Street, 3rd Floor

Sacramento, CA 95811

Phone: 916-902-9116

 

Book time with Heaton, Joseph@Wildlife

 

 

Kurt Buff

unread,
Sep 10, 2025, 3:07:07 PMSep 10
to ntsys...@googlegroups.com
Uh, if you're on a non-privileged machine (your laptop) and you present your privileged credentials via RDP from that machine to any other machine (your VM), how do you prevent those privileged credentials from being seen by your laptop? If your laptop is compromised, you're toast.

I believe you're working it backward. Laptop should be privileged, never use it to do general browsing, email, document creation, etc. All of those non-privileged activities should be done at the VM into which your RDP.

The RunAs approach is just as wrong. Never present your credentials to an untrusted machine, which is what you're colleagues are in essence doing, and why Microsoft came up with LAPS.

This article is very useful, but the links in it are probably dead, and Microsoft has moved to a much more complex model, which, as far as I'm concerned, doesn't really make much of a difference, except to confuse things.

I have a laptop that I use for privileged activities. On it, I'm running a VMware Workstation Pro VM, on which I do my email and general web browsing. I also have what is in essence a jump box VM on our vSphere cluster from which I do some other privileged activities, and yeah, I MFA (Duo app, Microsoft app or Google app, depending) all the Tier 0 things, including the laptop. It's certainly not perfect, but I can sleep at night. 

Oh, and I have a separate Entra-only account for the O365 admin stuff.

Kurt

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/SJ0PR09MB66863D66DCCECF33832EE319AA0EA%40SJ0PR09MB6686.namprd09.prod.outlook.com.

Heaton, Joseph@Wildlife

unread,
Sep 11, 2025, 1:31:23 PMSep 11
to ntsys...@googlegroups.com

Kurt, thank you for the response.  I brought up some of the article to the other domain admins, and there are things coming down the pipe, such as Zero Trust, etc.  The approach he was looking at was possibly setting up a locked down VDI pool, with all of the admin tools installed, to which we would still log in with our user credentials, and use Run As… I mentioned your concern with Run As, but they were saying that since the VDI would be a “trusted machine” it would be ok.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Kurt Buff
Sent: Wednesday, September 10, 2025 12:07 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Secure administration environments

 

WARNING: This message is from an external source. Verify the sender and exercise caution when clicking links or opening attachments.

 

Wright, John M

unread,
Sep 11, 2025, 1:39:35 PMSep 11
to ntsys...@googlegroups.com

In that kind of arrangement, how would we ensure that techs actually use the VMs for non-admin work?  I’m asking because, in a manner of speaking, I can lead them to water but I can’t make them drink.

 

Also, are you talking about VMs running locally or VDI or something else?

 

I’m interested in doing something along these lines but need a clear, fairly easy-to-implement plan before I push it.  FWIW, in a former job, we simply had two physical workstations for this.

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Kurt Buff
Sent: Wednesday, September 10, 2025 3:07 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Secure administration environments

 

EXTERNAL EMAIL - This email was sent by a person from outside your organization. Exercise caution when clicking links, opening attachments or taking further action, before validating its authenticity.

Secured by Check Point

Kurt Buff

unread,
Sep 11, 2025, 3:07:51 PMSep 11
to ntsys...@googlegroups.com
I should have also mentioned Domain isolation using IPSec - there are an abundance of article out there, and the concept of zero trust goes with that swimmingly.

I don't use VDI  (have not since Metaframe on NT 3.51) , so can't comment much on that, except to say that the lockdown process had better be pretty thorough. Regardless, it is a mistake to think that elevating from non-privileged credentials to privileged credentials is anything like safe.

I vaguely remember something about MSFT implementing something much like sudo in the future - we can only hope - but until then don't mix your credentials on the same machine.

Kurt

Kurt Buff

unread,
Sep 11, 2025, 3:16:48 PMSep 11
to ntsys...@googlegroups.com
Use GPOs to revoke the ability to log into the VM with privileged accounts, excepting the LAPS admin account, which is only local anyway. Et voila!

In my case, as I think in mentioned (did I?) the VM I'm using is on my laptop running under VMware Workstation Pro (which is free(!) and I'm way more used to that than Hyper-V). I would not at all be opposed to running VMs for standard users in a VDI or cluster environment, but that's not our environment at the moment.

I've pushed for two physical machines as well, but met with resistance from management, so resorted to what I'm doing now.

And, as I discussed on this list years ago, I've fought with the devs, sysadmins and helpdesk people to get them to do as I do, with very, very little success.

Kurt

Wright, John M

unread,
Sep 11, 2025, 3:28:02 PMSep 11
to ntsys...@googlegroups.com

Thanks.  I’ll test that arrangement and see if I can sell management.  I’m not the first to bring this up so there’s always a chance.

Heaton, Joseph@Wildlife

unread,
Sep 11, 2025, 4:24:28 PMSep 11
to ntsys...@googlegroups.com

So… on your physical laptop, where you’re doing admin “stuff”, do you log into it with your admin account?  On this device, according to the article, you want to limit internet access, and all of that, but on the virtual on the same physical device, you allow internet, right?

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Kurt Buff
Sent: Thursday, September 11, 2025 12:16 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Secure administration environments

 

WARNING: This message is from an external source. Verify the sender and exercise caution when clicking links or opening attachments.

 

Use GPOs to revoke the ability to log into the VM with privileged accounts, excepting the LAPS admin account, which is only local anyway. Et voila!

Kurt Buff

unread,
Sep 11, 2025, 4:52:52 PMSep 11
to ntsys...@googlegroups.com
I am logging in with my DA account, which is a sin, I realize, but I don't use it to browse the Internet in general - not even to consult Dr. Google. 

I do visit a few vendor sites, but using management portals, starting tickets or browsing vendor documentation is the extent of what I do. Downloading executables or reading PDFs or reading/writing emails and Office documents is relegated to the VM.

It's the art of the possible for me, and there's a bit of a chicken/egg conundrum in trying to use a laptop for a PAW or SAW, and achieving purity is a work in process, never achieved. Personal discipline is my best tool in this case.

Kurt

Severino Juan Miguel

unread,
Sep 12, 2025, 7:05:58 AMSep 12
to ntsys...@googlegroups.com

As always, it depends on you risk profile and other measures you implemented (network zoning/segmentation, forest separation, XDR, etc.)

The best one is dedicated admin workstations, without any "VMs" for unpriveleged stuff, etc. on that one. Admin is admin. As a possibility, remote desktop elsewhere/Citrix/VDI for unprivileged tasks. But never locally.

Using a "remote desktop" system with MFA, where you can elevate is another option. If anybody catches your credentials (keylogger) on your base workstation, MFA will protect you.

Other possibility is remote desktop without MFA, which is still better than running stuff locally (cached credentials).

Sign in as admin on your laptop and then use a VM for "non privileged stuff" is something I don't like. Credentials are cached on the laptop, it is difficult to keep correctly managed a VM. It is easy to use NAT and impersonate the IP of your base system, vm escape possibilities, etc. and double licensing of almost everything (OS, antivirus, etc.).

What I would never use is VDI VMs. If they are ephemeral, they are the best friend for hackers: No traces. Furthermore, if your VDI infra doesn't work, how are you going to fix it if your admin VDI pool is offline?

Best regards

Seve

Von: 'Heaton, Joseph@Wildlife' via ntsysadmin <ntsys...@googlegroups.com>
Gesendet: Donnerstag, 11. September 2025 19:31
An: ntsys...@googlegroups.com
Betreff: RE: [ntsysadmin] Secure administration environments

 

-!-!-!- EXTERNAL EMAIL -!-!-!- This email originated from outside of SKAN. Do not click links or open attachments unless you recognize the sender and know the content is safe

The content of this message is confidential and shall be used solely for the intended purpose and by the intended recipient. If you received this email by mistake, please inform us immediately and delete this message without disclosing its content to any other person. Any viewing, copying or distribution of, or reliance on this message by unintended recipients is strictly prohibited. The integrity and security of this email cannot be guaranteed over the internet. The sender shall not be held liable for any damage caused by this message.

Heaton, Joseph@Wildlife

unread,
Sep 16, 2025, 10:53:05 AM (13 days ago) Sep 16
to ntsys...@googlegroups.com

Good points, and I will definitely share that last with the supervisor that’s thinking about the VDI pool approach.  I do still have questions, though:

 

If you’re not logging into the admin workstation with your admin credentials, you still have a situation where you have to Run As to elevate to use your admin tools, correct? But I thought that was a no-no…

 

For instance, if I wanted to run ADAC on the machine I’m logged into. If I’m logged in as my user account, I have to Run As and put in my admin credentials to run ADAC and do whatever needs to be done.  Whereas if I log into the computer with an admin account, I don’t.

 

Now, I will say, that in our last security audit, they didn’t use user credentials at all to do what they did and gain the domain.  There were certificate templates that they said allowed them to enroll a certificate as another user, and then elevation happened after that.

Kurt Buff

unread,
Sep 16, 2025, 11:11:52 AM (13 days ago) Sep 16
to ntsys...@googlegroups.com

Michael B. Smith

unread,
Sep 16, 2025, 11:20:57 AM (13 days ago) Sep 16
to ntsys...@googlegroups.com

Locksmith is da bomb. Using it and cleaning up ADCS deployments has made me a fair bit of money the last few years.

Severino Juan Miguel

unread,
Sep 17, 2025, 7:04:07 AM (12 days ago) Sep 17
to ntsys...@googlegroups.com

As I said, it depends on the measures in place. Security is not only passwords. Think about the Swiss-Cheese risk model and the typical security vs usability trade-offs.

 

It is a misconception that the most powerful user is the domain/enterprise administrator. The most powerful users in your organization are these three groups: the backup administrator, the vSphere/Hypervisor administrator and the PKI administrator.

 

PKIs are tricky. Don't think on your Windows CA only. You may have other "CAs" elsewhere (Netscaler, MDM solutions, etc.) which may be issuing certificates on behalf of users.

Reply all
Reply to author
Forward
0 new messages