Benefits and drawbacks of giving an Administrator two accounts for elevated rights and another for daily use, such as email

Question

Microsoft has long promoted the need to separate administrative accounts from regular use accounts, as shown with this guidance

MSFT even went to far as create ADMINSDUser rights to put administrative accounts in a separate "class" than regular accounts. They intentionally made it tough to be both an "Administrator" and a user of Activesync

I'm sure none of these design decisions regarding separation of administrative duties were made lightly, or without the input of several smart people.

My question is:

1. What bad habits can an Administrator do that cancels out the benefit of having dual accounts?
   
   • ie: checking email
   • casual surfing the internet, versus surfing the internet to troubleshoot, diagnose, or validate an issue
2. What are we protecting ourselves from?
   • If an Administrator knows they may be visiting a hostile website, they are probably smart enough they should be testing this on an isolated network/machine
   • Administrators usually aren't tricked into running scripts, or hostile code (ActiveX) that other users may be

Suppose a person's daily job is administration, and deals primarily with troubleshooting using their privileged credentials. It seems self-defeating and unproductive to ask them to "RunAs" for every new task.

Taking the last idea a step further, perhaps it would be better to RunAs for non-administrative tasks, such as email, file and print services, etc. Maybe they should use a virtual machine, VDI, etc to check email and update network diagrams (etc).

3 . Does it make sense for an Administrator to use his privileged credentials for signing into his PC, and using RunAs for non-administrative tasks?

Answer 1

Surfing the internet is a risk to an organisation - usually this is mitigated to some extent by having limited functionality for users, so an exploit is limited in what it can do. When an administrator is doing the surfing his account is not limited, so an exploit can have major consequences.

If an Administrator knows they may be visiting a hostile website, they are probably smart enough they should be testing this on an isolated network/machine

Sadly this isn't true - admins are people too

Administrators usually aren't tricked into running scripts, or hostile code (ActiveX) that other users may be

There are attacks already out there that require no interaction other than browsing to a website, and as I said, admins are people too (mostly)

Suppose a person's daily job is administration, and deals primarily with troubleshooting using their privileged credentials. It seems self-defeating and unproductive to ask them to "RunAs" for every new task.

For this, you could argue the case for separating by machine, rather than by account - ie all the admin tasks are carried out on an admin machine which can't connect to the internet etc., and the user type tasks are carried out on another one which can.

Taking the last idea a step further, perhaps it would be better to RunAs for non-administrative tasks, such as email, file and print services, etc. Does it make sense for an Administrator to use his privileged credentials for signing into his PC, and using RunAs for non-administrative tasks?

RunAs downwards is just susceptible to the admin forgetting, or just wanting to do something quickly and easily.

Answer 2

I think that if nothing else in your mind's eye you have that logical separation, a constant reminder to not be cavalier with your admin account. Privileged users are far from invulnerable to attacks.

Should you have an isolated lab to test sites or applications which aren't approved or could potentially elevate exposure of your organization ... if it's not incredibly easy to do - it's not getting done that way.

It doesn't make sense to stay logged in with your privileged account because of human nature. How long would it take before you stop demoting those processes which don't require those elevated privileges.