FBI pushes lock‑down of admin rights

The FBI’s Operation Winter SHIELD stresses shrinking admin privilege footprints—use just‑in‑time access, restrict logins and monitor changes to prevent privilege escalation. Other FBI guidance for schools urges vendor audits, preserved logs, 3‑2‑1 backups and quarterly tabletop exercises to close common operational gaps. (x.com) (x.com)

The FBI announced Operation Winter SHIELD on January 28, 2026 as a two‑month public campaign that distills 10 prioritized, investigatively‑driven actions organizations should adopt to boost cyber resilience. (alston.com) Field offices around the country — including Seattle, Philadelphia and Anchorage — have issued local rollouts and outreach tied to the Winter SHIELD campaign. (meritalk.com)

The FBI’s downloadable two‑page slick lists the 10 actions by name, including adopting phish‑resistant authentication, implementing risk‑based vulnerability management, tracking end‑of‑life assets, managing third‑party risk, protecting and preserving security logs, keeping offline immutable backups, identifying internet‑facing services, strengthening email protections, reducing administrator privileges, and exercising incident response plans. (fbi.gov)

Microsoft’s Entra Privileged Identity Management (PIM) can enforce time‑bound “just‑in‑time” activation for Azure/Entra and Microsoft 365 admin roles but requires Entra (Azure AD) P2 licensing for full PIM features. (docs.azure.cn) For Apple and Chromebook fleets common in K‑12, Jamf School advertises privilege‑elevation tools that grant temporary admin rights for staff workflows, and Google Workspace supports delegated admin roles and third‑party JIT integrations to reduce standing super‑admin accounts. (youtube.com)

On backups, the FBI specifically calls for offline, immutable backups and routine restoration testing, while vendors and practitioners increasingly recommend evolving the classic 3‑2‑1 rule to include an immutable copy and verification (often described as 3‑2‑1‑1‑0). (biometricupdate.com)

The FBI’s campaign ties each recommended action to patterns seen in its investigations and urges organizations to exercise incident response plans with stakeholders; CISA publishes ready‑to‑use tabletop exercise packages that districts can run to meet that guidance. (cyberscoop.com)
