Hacker News new | ask | show | jobs
by heraldgeezer 95 days ago
"Principle of least privilege" as MS calls it.

Do not use global admin or admin account as daily driver for one. Dont save it in browser etc either.

Limit roles, even within the application, here Intune.

Office 365 also has conditional access and many policy leavers to tweak, many cases of people locking themselves OUT of 365. So the gates work but you need to configure them.

"Break glass" global admin accounts now also require MFA. https://learn.microsoft.com/en-us/entra/identity/authenticat...
2 comments
pixl97 95 days ago
At the end of the day someone needs remote wipers privs, and in a large company it's something done pretty often.
link
mulmen 95 days ago
Ok and who has access to the global admin and how resistant are they to Iranian operatives?
link
heraldgeezer 95 days ago
What are you asking?

For Stryker specifically? We don't and probably won't know details.

For companies in general? Background checks, security clearance etc are done if the company determines this necessary and are willing to pay for the process and higher salary.

link
mulmen 95 days ago
I’m asking if it’s possible to secure the MDM process in a way that Iranian operatives can’t simply torture an administrator into pushing the big red MDM button.
link
butlike 94 days ago
https://xkcd.com/538/
link
mulmen 94 days ago
Yes I made this reference upthread.
link