Priviledge Accounts Best Practices

Surely there are many.  Here's one:  https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege

If I were you I would document your conversation with him.  Save the email.  Might need an "I told you so" or perhaps an "I told him so".  For CYA. Also, based on information from your profile, he might find the HIPAA rules pertinent:  https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

STANDARD § 164.312(a)(1)  Access Control

The Security Rule defines access in § 164.304 as “the ability or the means necessary to read,

write, modify, or communicate data/information or otherwise use any system resource. (This

definition applies to “access” as used in this subpart, not as used in subpart E of this part [the

HIPAA Privacy Rule]).” Access controls provide users with rights and/or privileges to access

and perform functions using information systems, applications, programs, or files. Access

controls should enable authorized users to access the minimum necessary information needed to

perform job functions. Rights and/or privileges should be granted to authorized users based on a

set of access rules that the covered entity is required to

implement as part of § 164.308(a)(4), the Information Access

Management standard under the Administrative Safeguards

section of the Rule.

https://attack.mitre.org/wiki/Privilege_Escalation

http://cwe.mitre.org/data/definitions/266.html

Even personnel who do need admin privileges should use a non-privileged account whenever possible, and the privileged account whenever necessary.

Thank you d09h!  I really appreciate. This is exactly what I needed.

Happy to help s-bolyard .  With such a cavalier attitude toward security, you may find that your boss has issues on other fronts.  You wouldn't want to be the next ransomware victim.  Maybe you can get a security assessment done somehow to show where work is needed.