Lesson 1
Protect the Admin Surface
Lesson Framing
Why admin accounts deserve different controls from ordinary user accounts.
Reading flow
Visual aids
Lesson Flight Path
Work this lesson as stages instead of one continuous document.
3 stages
1
Orient
Frame the lesson, key idea, and scenario before you start detail work.
2
Absorb
Work through the reading deck and supporting visual aids as separate idea blocks.
3
Prove
Mark the lesson complete once the material and checklist are genuinely worked.
Navigate This Lesson
Jump between the live blocks instead of working top to bottom as one page.
1 of 3 visible
Core Reading Deck
Move card by card instead of parsing one long slab. Each panel is a distinct idea in the lesson narrative.
4 reading cards
Reading flow
1
Administrative accounts are not "just another login." They are privilege boundaries.
2
For admin surfaces, require:
- unique credentials stored in a password manager
- MFA t...
3
If an attacker lands in an admin account, the blast radius is fundamentally different.
4
Good administration assumes compromise is possible and leaves evidence behind.
How to use this section
Read one card at a time and stop after each shift in idea.
Use the scenario and decision cards after the reading, not before.
Treat the checklist as the operational extraction from the deck.
Card 1
Administrative accounts are not "just another login." They are privilege boundaries.
Card 2
For admin surfaces, require:
- unique credentials stored in a password manager
- MFA that is not SMS where possible
- limited account sharing
- controlled recovery methods
- audit visibility for sensitive actions
Card 3
If an attacker lands in an admin account, the blast radius is fundamentally different. They can change routing, content, trust anchors, package state, or identity controls.
Card 4
Good administration assumes compromise is possible and leaves evidence behind.
Field Notes
These are meant to punctuate the lesson, not disappear into it.
Privilege risk
Admin is not a normal account
Compromise here changes trust anchors, routes, packages, and user outcomes, not just one inbox or profile.
Control
Make admin actions attributable
Unique credentials, stronger MFA, and audit visibility matter more than convenience.