In Part 1, we built the walls of our Tiered Fortress. But even inside a fortress, there is a risk. If a “Guard” has keys to the armory 24 hours a day, 7 days a week, those keys are a liability every second they aren’t being used.
In the world of the Mindful Architect, we solve this with two powerful concepts: JIT (Just-In-Time) and JEA (Just-Enough-Administration).
If a permanent key is a risk, a temporary key is a strategy.
1. Just-In-Time (JIT): “The Key That Melts”
Imagine you need to enter a high-security vault. Instead of being given a heavy iron key to carry in your pocket forever, you are given a digital code that only works for 30 minutes. After that, the code expires and the lock changes.
That is JIT.
- How it works: An admin is a “Standard User” by default. When they need to perform a task, they request elevated rights.
- The Result: They are added to the “Domain Admins” group for a short window (e.g., 2 hours). Once the time is up, Active Directory automatically kicks them out of the group.
Why? Because attackers can’t steal “Admin Rights” from an account that isn’t currently an Admin: outside the approved window, a compromised account carries no elevated privileges at all.
2. Just-Enough-Administration (JEA): “The Limited Toolset”
If JIT is about when you have power, JEA is about what that power can do.
Think of a specialized mechanic. They don’t need every tool in the world; they just need a specific wrench for a specific bolt.
- How it works: Using PowerShell, you create a constrained endpoint, a kind of “Virtual Console,” by pairing a role capability (the allowed commands) with a session configuration (who gets which role). When a user connects, they can only run the 3 or 4 specific commands you’ve allowed; everything else is simply not visible in their session.
- The Result: A Help Desk tech can “Restart the Print Service,” but they cannot “Delete a User” even if they try, because that command is never exposed to them in the first place.
The Concept of “Privileged Access Management” (PAM)
When you combine JIT and JEA, you are practicing PAM. You are acknowledging that “Static Admin Accounts” are the biggest vulnerability in any network. By making power temporary and specific, you shrink the “Attack Surface” of your city to almost zero.
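Here is what the two halves look like in practice, as an added PowerShell example that is not part of the original post: a time-bound “Domain Admins” membership for the JIT side, and a constrained Help Desk endpoint that can only restart the print spooler for the JEA side. The domain name, user and group names, and the transcript path are placeholders.

```powershell
# Added example (not from the original post): JIT group membership plus a JEA endpoint.
# Assumptions: forest functional level 2016+, domain "contoso.local", user "alice.admin",
# and a Help Desk group "CONTOSO\HelpDesk". All of these are placeholders.

# ---- JIT: a "Domain Admins" membership that expires on its own ----
# The Privileged Access Management optional feature adds TTL-based group membership.
# Caveat: once this feature is enabled on a forest, it cannot be turned off again.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.local'

# Grant elevated rights for a 2-hour window; AD removes the member when the TTL reaches zero.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'alice.admin' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# Check: members with a TTL are listed as "<TTL=<seconds>,CN=...>" entries.
(Get-ADGroup -Identity 'Domain Admins' -Property member -ShowMemberTimeToLive).member

# ---- JEA: a constrained endpoint where the Help Desk can only restart the spooler ----
# 1. Role capability file: the only commands this role is allowed to see.
$roleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA\RoleCapabilities'
New-Item -Path $roleDir -ItemType Directory -Force | Out-Null
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'HelpDesk.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)

# 2. Session configuration: run as a throwaway virtual account, transcribe every session
#    for audit, and map the Help Desk group to the role above. Nothing else is exposed.
$pssc = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDesk' } }
Test-PSSessionConfigurationFile -Path $pssc   # $true when the file is valid
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $pssc -Force

# 3. Check from the tech's point of view: only the allowed commands are visible,
#    so Remove-ADUser is not merely forbidden, it does not exist in this session.
Invoke-Command -ComputerName localhost -ConfigurationName 'HelpDesk' `
    -Credential (Get-Credential 'CONTOSO\helpdesk.tech') -ScriptBlock {
        (Get-Command -CommandType Cmdlet).Name
    }
```

The transcript directory is the detection side of JEA: every command a tech runs through the endpoint is written there, so a review of those files shows exactly what the limited toolset was used for.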
[Image: Diagram showing a user requesting access, getting a timed token, and the token expiring]
The Architect’s Reflection
In our own lives, we often suffer from “Over-Attachment.” We want to own things, hold onto titles, and maintain control 100% of the time. We think that having more “keys” makes us more powerful.
But a Mindful Architect knows that Attachment is a Burden.
The more “Access” you have, the more you have to defend. By practicing JIT and JEA in your network, you are practicing Mental Lightness. You are learning to use power when it is necessary, and then letting it go. There is a deep peace in knowing that your “Admin Identity” doesn’t exist when you are sleeping.
True security is not about having the most keys; it is about having no keys at all when the doors are closed.
Next in the Series: Closing the Back Doors — Securing legacy protocols.
Is your power permanent? Do you have “Domain Admin” accounts that have stayed in that group for years? It might be time to look into “Privileged Identity Management” (PIM/PAM). Let’s discuss in the comments!
#JIT #JEA #PAM #ActiveDirectory #CyberSecurity #IdentityManagement.