We have a number of IT staff whose logins give them elevated privileges on our network, including a couple of domain admins. I want to create a second regular user login for each of them. I could provide them with two workstations:
- Log in on one using regular user credentials - they can use this workstation to browse the web, read email, and do other such activities that are prone to having the workstation pick up malware, viruses, and trojans. These login credentials, if compromised, would not give anyone elevated privileges.
- Log in to the other workstation using credentials that give the user elevated privileges. This would strictly be used to administer the network, no web browsing or email.
Having two workstations per user gets cumbersome, so we thought about using a VDI session for one of these roles:
- Log in to the workstation with the elevated account, open a VDI session to browse the web, read email, etc.
- Log in to the workstation with the non-elevated account, open a VDI session to use tools like Active Directory Users and Computers.
Is anyone using a setup like this?