Five ways to improve Windows Server hardening
Microsoft offers two relatively recent approaches to limiting authority delegations: Just Enough Administration and just-in-time (JIT) administration.
In many administrative situations, a user performs a small number of tasks that would traditionally require a high level of privilege. The user ends up with far more privileges than they need to complete the job.
With Microsoft's Just Enough Administration, a senior administrator gives a user access to only the PowerShell commands needed to perform the required tasks -- and no more.
Windows Server 2016 allows connections over PowerShell Direct, secure file copies between Just Enough Administration points and a Just Enough Administration mode for PowerShell consoles.
JIT administration lets a user request elevated privileges to perform certain tasks. JIT is complementary to Just Enough Administration -- IT organizations can use them individually or together as JitJea.
JIT relies on privileged identity management and privileged access management. When the administrator approves a user request, JIT applies privileges through a new bastion forest that is isolated from common applications or user forests. It automatically revokes privileges when the user completes the work or the allotted time expires.