Protecting elevated authentication credentials is one of the best defense-in-depth strategies any company can deploy. In today’s pass-the-hash, pass-the-Kerberos-token, steal-any-credentials world, preventing credentials from falling into the wrong hands can be the entire battle. Identity is security. If an identity and its authentication credentials get into the wrong hands, often enough, it’s game over.

For decades we’ve told people not to stay logged in as admin or root all the time. Instead, they should have two accounts: one for regular user duties (email, browsing the Web, and so on) and another, elevated one for administrative duties. That’s the old way of thinking. Today’s advice includes using just-in-time credentials, two-factor authentication, and least-privilege delegation.

Minimize permanent membership

Start by minimizing the number of permanent members of any elevated group as much as possible. The Holy Grail is zero members of any elevated group. If you can’t get to zero, get to near zero. Your processes, tools, services, and applications should be able to work in a world where no one needs to be an elevated admin all the time. This is the 21st century, after all.

Use two-factor authentication

Many companies have been compromised because their users and admins either had their credentials phished away or reused a password on both corporate and unrelated, third-party sites and services. The bad guys break into the third-party site, then see if they can reuse the stolen credentials on the corporate network. That’s why anyone who can be elevated to do something administratively should be required to use two-factor authentication (or better) to log on.

Two-factor authentication doesn’t provide as much protection as most people think (for example, pass-the-credential attacks are still viable), but it helps, mainly because admins can no longer be phished out of a plaintext password or PIN.

Delegate, delegate, delegate

Even in a Holy Grail environment of zero permanent admins, admins are needed -- or more precisely, people who need to perform administrative-level tasks are needed. But we need to make sure most of those administrative tasks are performed by people who are less than full admins.

Most administrators do not need everything a full admin credential gives them. Some tasks absolutely require full admin privileges, but those scenarios are not typical. In the majority of cases, an elevated credential can be a “delegated” permission or privilege while still remaining least privilege -- only the bare essential access needed to do the job. Even then, it should be granted only while it is needed.

Implement just-in-time credentials

I’m a huge fan of systems that give users elevated privileges and permissions only for as long as it takes them to perform their admin duty -- after which the privileges are taken away. These are known as just-in-time systems.

A decade or so ago, delegated, just-in-time access was promoted as the best access control model under the name role-based access control. I’ve been a believer in it ever since. The idea was that the application developers are the only ones who really know which rights and permissions are needed to perform a particular application task. Developers figure out what’s needed and hard-code those permissions and privileges to particular tasks, which are then collected into application roles. Users and application administrators place application users into those roles; the users are then allowed to perform the predefined tasks while in the application, and only while in the application.

To assign permissions and privileges any other way is really a bit insane. How did our computer networks evolve so that network administrators are the ones who guess at and assign permissions? They aren’t the application owners -- and are almost never the masters of every application -- yet they’re expected to outthink application developers about who needs which rights and permissions.

I’m fairly confident that role-based access control will be the ultimate and only access control model we all use. But we’re stuck in another critical transition between what we have and what we will eventually have. Until then, just-in-time, two-factor, least-privilege delegation is the way to go. I don’t care how you get there. It can be a program that does all the behind-the-scenes work for you, or you can do it manually or with scripts. How you get there is not as important as getting there.

Require armor-plated boxes

A recent addition to the just-in-time model is the requirement that all administrative credentials be entered, and all administrative tasks performed, only on very secure computers. No more logging on as admin to your regular computer, which could already be compromised by malware or a hacker. Admins should be restricted to dedicated computers (physical computers are better than virtual machines), and the systems they connect to should accept admin connections only from these secure computers.

Secured computers should not have an Internet browser or be allowed to initiate or accept connections from the Internet (or should be allowed to accept connections only from a small set of predefined sites). Application control software should restrict which programs the admin can run -- and only a small set of programs should be on that list.

What secure administration really means

Administrators should use the most secure admin methods possible. Logging on to other computers in a way that leaves credentials lying around for a hacker to steal should be forbidden or minimized. If possible, admins should use remote methods that do not send stealable credentials at all. Get your admins out of the habit of using GUIs that require full local or remote logons.

I’m not unique in offering this advice. This, and more, is recommended by many organizations. Heck, some companies have been running this way for decades.

My only somewhat new suggestion: the secure admins running on secure admin workstations should also include all your application admins. Data theft doesn’t require a hacker to steal operating system admin credentials. Often, all that’s needed is the access of a regular user. I’ve seen some applications with dozens to hundreds of all-powerful admins. Do they need that power? Are they properly protected? Almost never, in both cases.

Credentials are the main battlefront in our ongoing computer security war. Deploy everything you have to protect them.
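The following is an added example, not code from the original article, that models the combination the article argues for: developers bind tasks to the permissions they need, tasks are bundled into roles, role membership is granted just in time with a hard expiry, elevation is accepted only from a registered secure admin workstation, and an audit function lists any standing (permanent) membership left to eliminate. The task, role and workstation names, the one-hour cap, and the `ElevationService` API are all constructed for illustration.

```python
"""Toy just-in-time, role-based elevation model (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Developers, who know the application, map each task to the permissions it needs.
# (Hypothetical task and permission names.)
TASK_PERMISSIONS = {
    "reset_password": {"user:write-password"},
    "read_audit_log": {"audit:read"},
    "rotate_service_key": {"service:write-key", "audit:read"},
}

# Roles are bundles of tasks; no role hands out "everything".
ROLE_TASKS = {
    "helpdesk": {"reset_password"},
    "auditor": {"read_audit_log"},
    "key_custodian": {"rotate_service_key", "read_audit_log"},
}

# Assumed inventory of dedicated, hardened admin workstations (constructed hostnames).
PAW_HOSTS = {"paw-01.corp.example", "paw-02.corp.example"}

# Upper bound on any elevation, regardless of what was requested (assumed policy).
MAX_GRANT = timedelta(hours=1)


@dataclass
class Grant:
    user: str
    role: str
    expires: Optional[datetime]   # None means permanent: the membership to drive to zero
    source_host: str


@dataclass
class ElevationService:
    grants: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def request(self, user, role, source_host, duration, now):
        """Grant `role` to `user` for `duration`, only from a PAW and capped at MAX_GRANT."""
        if role not in ROLE_TASKS:
            raise ValueError(f"unknown role {role!r}")
        if source_host not in PAW_HOSTS:
            # Elevation from an ordinary workstation is refused and recorded.
            self.log.append(("denied", user, role, source_host))
            return None
        grant = Grant(user, role, now + min(duration, MAX_GRANT), source_host)
        self.grants.append(grant)
        self.log.append(("granted", user, role, source_host))
        return grant

    def permissions(self, user, now):
        """Union of permissions from every unexpired role the user currently holds."""
        perms = set()
        for g in self.grants:
            if g.user != user or (g.expires is not None and g.expires <= now):
                continue
            for task in ROLE_TASKS[g.role]:
                perms |= TASK_PERMISSIONS[task]
        return perms

    def can_perform(self, user, task, now):
        """A task is allowed only if every permission it needs is held right now."""
        return TASK_PERMISSIONS[task] <= self.permissions(user, now)

    def permanent_members(self):
        """Audit: grants with no expiry, i.e. standing elevated membership."""
        return sorted((g.user, g.role) for g in self.grants if g.expires is None)


def demo():
    """Walk through the model with constructed users and return the observations."""
    svc = ElevationService()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    # A request from a regular laptop is refused outright.
    from_laptop = svc.request("alice", "helpdesk", "laptop-77", timedelta(minutes=30), t0)
    # The same request from a PAW succeeds, but an 8-hour ask is capped at MAX_GRANT.
    g = svc.request("alice", "helpdesk", "paw-01.corp.example", timedelta(hours=8), t0)
    # A legacy permanent assignment, simulated here so the audit has something to find.
    svc.grants.append(Grant("bob", "key_custodian", None, "paw-02.corp.example"))
    return {
        "laptop_denied": from_laptop is None,
        "ttl_minutes": int((g.expires - t0).total_seconds() // 60),
        "helpdesk_can_reset_at_59m": svc.can_perform("alice", "reset_password", t0 + timedelta(minutes=59)),
        "helpdesk_can_rotate_key": svc.can_perform("alice", "rotate_service_key", t0),
        "reset_after_expiry": svc.can_perform("alice", "reset_password", t0 + timedelta(hours=1)),
        "permanent": svc.permanent_members(),
        "denials_logged": sum(1 for e in svc.log if e[0] == "denied"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the helpdesk role never carries the key-rotation permission no matter how long the grant lasts, the grant itself cannot outlive the policy cap, and the audit output is the list a team would work to empty. Real systems would back the grant store with the directory or application's own access store and tie the PAW check to device identity rather than a hostname string.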