
[HIB] How many enterprise admins is too many?



newsbot
30-06-2010, 05:26 PM
I'm often asked how many enterprise admins — the most privileged users on a Windows network — a company should have. The answer is straightforward enough: the bare minimum. Doling out that type of power willy-nilly is a great way to expose your systems to attacks. In fact, the No. 1 way to minimise overall security risk is to minimise the number of enterprise admins you have and how often they need to log on. The specific number depends on the operational needs and business strategies of each environment, but as a best practice, two or three is probably a good amount. At some companies, I've seen anywhere from several dozen to over a hundred, which is far too many. Many organisations simply add every administrator and help desk technician to the enterprise admins group to make it easy for them to fix and configure the computers they need to administer. These employees use their enterprise admin accounts to manage the network, as well as to pick up email and surf the web. Hackers love that.

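An added example, not part of the original post: a PowerShell check that applies the post's two points to a list of Enterprise Admins members, namely the head count against the "two or three" guidance and accounts that carry a mail address, which suggests a day-to-day account. The function name `Test-EnterpriseAdminHygiene`, its parameters and the sample accounts are hypothetical; the commented live query assumes the RSAT ActiveDirectory module and members that resolve from the forest root domain.

```powershell
# Added example: hypothetical helper, not from the original post.
# MaxMembers = 3 reflects the post's "two or three" guidance.
function Test-EnterpriseAdminHygiene {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [int] $MaxMembers = 3
    )
    $findings = foreach ($m in $Members) {
        $issues = @()
        # A mail address on a privileged account suggests it doubles as a daily-use account.
        if ($m.mail)         { $issues += 'has mail address (used for email?)' }
        if (-not $m.Enabled) { $issues += 'disabled but still a member' }
        [pscustomobject]@{
            Account       = $m.SamAccountName
            # LastLogonDate comes from lastLogonTimestamp, which replicates with a lag of days.
            LastLogonDate = $m.LastLogonDate
            Issues        = $issues -join '; '
        }
    }
    [pscustomobject]@{
        MemberCount = $Members.Count
        OverLimit   = $Members.Count -gt $MaxMembers
        Findings    = $findings
    }
}

# Constructed sample members (not from a real directory).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'ea-alice';  mail = $null;               Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-40) }
    [pscustomobject]@{ SamAccountName = 'ea-bob';    mail = $null;               Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-12) }
    [pscustomobject]@{ SamAccountName = 'helpdesk1'; mail = 'hd1@example.test';  Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ SamAccountName = 'jsmith';    mail = 'js@example.test';   Enabled = $true;  LastLogonDate = (Get-Date) }
    [pscustomobject]@{ SamAccountName = 'old-admin'; mail = $null;               Enabled = $false; LastLogonDate = $null }
)

$report = Test-EnterpriseAdminHygiene -Members $sample
"Enterprise Admins members: $($report.MemberCount) (over limit: $($report.OverLimit))"
$report.Findings | Where-Object Issues | Format-Table -AutoSize

# Live input instead of the sample (assumes the ActiveDirectory module is available):
# $root = (Get-ADForest).RootDomain
# $live = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $root -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Server $root -Properties mail, LastLogonDate
# Test-EnterpriseAdminHygiene -Members $live
```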