This article is part of a series unpacking the NSA and CISA’s Top Ten Cybersecurity Misconfigurations through the lens of real-world breaches and assessment findings.

This entry continues Misconfiguration 2: Inadequate Identity and Access Management, with a focus on the unnecessary exposure of administrative accounts in shared environments like Citrix, VDI, and RDP-accessible hosts. It examines how session persistence, architectural shortcuts, and lack of role isolation create breach paths even in otherwise well-managed environments.

TL;DR

Administrative accounts are high value targets. When allowed to log into shared environments like Citrix or VDI alongside standard users, they become silent escalation paths. This article looks at how session persistence, RDP exposure, and weak separation create risk, and how to reduce it by design.

I think by now, most teams know that using elevated accounts for daily tasks is risky. The issue is not intent, it is exposure by default. Shared desktop platforms often allow admins and users on the same hosts. Sessions stay open. RDP is unrestricted. No one builds the boundary.

In recent assessments, I have seen attackers hijack admin sessions left running on shared infrastructure. No malware. No exploit. Just an open session on a host the attacker already accessed. What starts as convenience becomes escalation. This article unpacks how it happens and how to stop it, even without full isolation.

Hijack by Design: When Admins Share Space with Attackers

It often starts with a small act of convenience. An IT staff member logs into a Citrix or VDI session to check on something after receiving an off-hours call. They use their domain admin account, with no jump host, no session brokering, and no isolation. Just a standard connection to a multi-user environment that also serves helpdesk staff, accounts receivable, and the general user base.

They run a few scripts, check the event logs, troubleshoot a service. It is nothing out of the ordinary. Then they disconnect. Not sign out, just disconnect. The session stays active. So does the token.

Hours earlier, another user on the same system clicked a phishing link. The malware was minimal. It avoided noisy techniques. There was no ransomware, no beaconing, and nothing to trip the alarms. Just enough to give the attacker a foothold and let them explore. Eventually, the attacker lands on the same Citrix or VDI host. They enumerate local sessions and find one that belongs to an account with elevated rights. They scrape LSASS. The token is still there. They do not need to exploit anything. They do not need to move laterally. They simply impersonate the session, elevate, and continue as if they belonged there from the beginning.

I have seen this pattern play out in real environments. Sometimes in Citrix. Sometimes in pooled VDI. Occasionally on unmanaged jump hosts that were meant to be temporary but became part of the operational workflow. No one thought to restrict logon rights. No one built session expiry or automatic logoff into the configuration. And no one questioned whether privileged accounts should ever be allowed to land there in the first place. By the time the token is stolen, the breach has already occurred. The attacker does not need to try anything sophisticated. The design gave them everything they needed. A shared environment. A privileged session. A wide open door, already unlocked.

This is not about blaming the admin who disconnected their session. It is about recognising that when elevated accounts and standard users are allowed to share infrastructure without guardrails, compromise is no longer hypothetical. It becomes operationally likely.

What Should Be Denied by Default

In most environments I assess, RDP access is broadly permitted across administrative accounts. Domain admins can log into dozens or even hundreds of systems, often with no timeouts, no session constraints, and no real boundaries. The assumption is that trust is enough.

But when elevated accounts are allowed to land on shared infrastructure without controls, they stop being a security asset and start becoming a liability. Even the best admin cannot log off every time. Even the most mature team gets distracted. That is where design must step in. If your environment cannot yet support full isolation, here is where to start:

Deny logon rights to shared infrastructure by default
Administrative accounts should not be allowed to connect to Citrix pools, VDI, or general-purpose RDP targets unless explicitly required. Broad access is not flexibility—it is untracked privilege.
Restrict admins to only what they administer
If someone manages firewalls, they should log into firewalls. If someone manages file servers, that is where their access should stop. Most environments do not enforce this. They should.
Route all privileged access through a controlled proxy
Use hardened jump hosts or privileged session managers like CyberArk PSM. These let admins work as needed, but within segmented, monitored environments. Even better when backed by micro-segmentation.
Kill disconnected sessions and enforce idle timeouts
An RDP session that stays open overnight is an attack surface. If an admin walks away and forgets to log off, the system should not let that session linger unattended. Time limits are not a punishment. They are a safety net.
Alert on privileged logins to shared or low-trust systems
If a domain admin logs into a Citrix host or pooled desktop, someone should know. If it was legitimate, great. If it was not, at least you are not learning about it after the fact.
Apply session governance to humans, not just service accounts
Most organisations are making progress locking down service accounts. Fewer are doing the same for administrators. There should be no difference. The exposure is often greater.
Trust people, but verify with control
When a team says, “We trust our admins to log off,” that is not a process. That is hope. Even disciplined staff get pulled away, distracted, or interrupted. Controls are not about distrust. They are about containment.

Start by denying what is not needed. Then control what must remain. The risk is not what admins intend to do. The risk is what their access allows others to do if it is ever left behind.

Separation Without the Ceremony

Not every environment is ready for full privilege tiering, and that is fine. But separation still matters. If standard users and administrators are logging into the same systems, you are creating paths you cannot monitor and risks you cannot contain. Instead of aiming for perfect segmentation, start by doing what is feasible and defensible. Below is a practical sequence that reflects what I see most teams can implement today starting with the simplest changes that yield the most protection.

  
      Level
      Control
      Effort
      Security Impact
      Notes
    

  
      Level 1
      GPO logon restrictions
      Low
      High
      Most orgs can implement immediately
    

      Level 1
      Idle timeout enforcement
      Low
      Medium
      Often overlooked but widely supported
    

      Level 1
      Block interactive logon for privileged accounts
      Low
      High
      Prevents passive token exposure on compromised endpoints
    

      Level 1
      Disconnect idle or stale RDP sessions
      Low
      Medium
      Reduces the window for session hijack or token theft
    

      Level 2
      Pooled infrastructure by role
      Medium
      High
      Stops standard users and admins from landing on the same host
    

      Level 2
      Jump host or session brokering
      Medium
      High
      Enables access control and monitoring without needing full PAM
    

      Level 2
      Alert on privileged logins to shared infrastructure
      Medium
      Medium
      Helps detect drift when policies are bypassed or forgotten
    

      Level 3 and Beyond
      Define and enforce role-based access boundaries
      High
      Medium
      Turns assumptions into enforceable policy across systems
    

      Level 3 and Beyond
      Privileged access zoning and micro-segmentation
      High
      High
      Contains lateral movement, even when credentials are compromised
    

You do not need perfect tooling to reduce administrative exposure. You just need deliberate friction. The controls in this table are not theory. They reflect what real attackers bypass when they find shared infrastructure, open sessions, and unrestricted logon rights.

Start with the Level 1 changes. They are low effort and high value. They create containment. Then build forward toward better access flows, pooled environments, alerting, and eventually architectural separation. You do not need to get to Level 3 all at once. But you do need to stop assuming that administrative access is safe just because the admin meant well. The question is not whether your environment has exposure. It does. The question is how much room it gives an attacker when that exposure is finally used.

Rob Kehl is a Principal Cybersecurity Adviser and educator based in Aotearoa New Zealand. Originally from the United States, his career spans the U.S. Air Force and global consultancies like Sygnia and Cognizant. Rob specialises in architecture assessments, incident response, security operations, and AI security strategies. He applies his international experience to support cybersecurity resilience across sectors in New Zealand.

Get in touch