Domain Controllers & Break Glass Accounts
We are starting to implement the Logon App for our mission critical servers in our enviornment to prevent unauthorized access to specific resources.
As a precaution, we also created a 'break glass' account if AuthPoint or Internet access at our site isn't available. This was just setup as a regular domain user, no elevated credentials except on the specific servers, and setup to be able to bypass MFA with a very long encrypted password.
Question is...how would this be handled in a domain controller environment? We'd like to lock down our DCs to prevent only authorized administrators from being able to log into them, but we also want to be able to have a backup account that doesn't use MFA to be able to login in case of emergency.
Does anyone have any similar solutions? If I create an account on the DC with admin credentials...that makes that account a domain administrator which defeats the purpose of a specialized account...