![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 30%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
5,099 questions
At the company that I worked for; we had 2 domain accounts. The first was our "normal" account that we logged on to our laptop/desktop with and had access to email and instant messaging. That account had no special access to servers. We had a second "MyName-ADM" account that had administrator access to the servers. We did not share the local Administrator account. We actually disabled that. All admins logged in with their own ADM domain account. (That way we could determine who last "touched" a server when problems arose.)
We found that our biggest vulnerability was ransomware that got into the network via emails. As hard as we tried to block them in Exchange and educate users about clicking on links, they still got in. The "ADM" accounts did not have access to email.
We took security a step further and put servers behind network firewalls. We actually had multiple server subnets that could not access other server subnets. For example, a web server would only have ports 80 and 443 open to the subnet that hosted user laptops/desktops. I could not access the C$ share on a server from my laptop or from many other servers. This was done at the network level, not with the Windows firewall.
I don't remember if we allowed RDP access from our laptops or not. I think we did allow that so that the application support teams who needed admin access on the servers could log on. They too had ADM accounts.
Most server administration was done from what we called a "jump server". It was just a terminal server on a separate subnet that had full network access to all of the server subnets. So from my laptop, I would RDP to the jump server and from there I could use mmc, Powershell, and VB script to do remote admin tasks. (Like querying all servers for disk space usage.)
Scale might be an issue for you. We had dedicated server, network, and security teams because we had thousands of devices that we had to support. You may not have the need or resources to implement the network isolation that we did.
If you do nothing else, ensure that you implement an offsite/offline backup solution. If a server does get hit with ransomware, you can just restore the encrypted files. If your backup server gets encrypted or your datacenter burns down, you have a big problem. A cloud-based backup solution would one idea.
Hope this gives you some ideas.