Advice no one reads from Microsoft, but probably should have. Jumpservers are Fake News(TM)
Microsoft said it themselves: Jumpservers aren’t a mitigation for credential theft
From Microsoft, Windows 10 Credential Theft Mitigation Guide: https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx
> Assume breach: two words that should change the way defenders think about compromise in their organization. Microsoft investigations of attacks on customers all too often reveal success in compromising user and administrator account credentials, including domain and enterprise administrator credentials. Technical features and capabilities alone are not enough: the most effective solution requires a planned approach as part of a comprehensive security architecture that includes proper system administration and operation.
This guide was initially published in 2016 and appears to have been updated with more recent advice since.
From the section "Use jump servers to administer isolated network segments":
> Although jump servers can provide utility in security architectures, they don’t directly mitigate credential theft and reuse attacks. You cannot maintain security integrity if a user connects to an administrative jump server from a lower-trust workstation.
Jumpboxes are not a mitigation for credential theft
Jumpboxes are not a mitigation for credential theft
Jumpboxes are not a mitigation for credential theft
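One way to find out whether this is happening in your environment, as an added check that is not from the Microsoft guide or this post: on the jump server itself, list RemoteInteractive (RDP, logon type 10) logons in the Security log by privileged accounts that came from anything other than an approved admin workstation. The account names and approved source hosts below are assumed placeholders; run it with rights to read the Security log.

```powershell
<#
  Added example (not from the Microsoft guide): report RDP logons to this jump
  server by privileged accounts from sources that are not approved admin
  workstations. Placeholders: the account names and approved sources.
#>
param(
    [string[]]$PrivilegedAccounts = @('CONTOSO\da-alice', 'CONTOSO\da-bob'),  # assumed placeholder names
    [string[]]$ApprovedSources    = @('PAW01', 'PAW02', '10.10.1.10'),        # assumed PAW hostnames / IPs
    [int]$Days = 7
)

$since  = (Get-Date).AddDays(-$Days)
# 4624 = successful logon. Filtering on Id and StartTime server-side keeps this fast.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$results = foreach ($e in $events) {
    # Pull the EventData fields (LogonType, TargetUserName, WorkstationName, IpAddress, ...) out of the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    if ($d.LogonType -ne '10') { continue }   # 10 = RemoteInteractive (RDP / Terminal Services)

    $acct = "$($d.TargetDomainName)\$($d.TargetUserName)"
    if ($PrivilegedAccounts -notcontains $acct) { continue }   # -contains is case-insensitive

    # WorkstationName is the RDP client's computer name; IpAddress its address. Either may be empty.
    $src = if ($d.WorkstationName) { $d.WorkstationName } else { $d.IpAddress }
    if (($ApprovedSources -contains $src) -or ($ApprovedSources -contains $d.IpAddress)) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $acct
        Workstation = $d.WorkstationName
        IpAddress   = $d.IpAddress
    }
}

if ($results) {
    Write-Warning "Privileged RDP logons to $env:COMPUTERNAME from unapproved sources in the last $Days day(s):"
    $results | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No privileged RDP logons from unapproved sources to $env:COMPUTERNAME in the last $Days day(s)."
}
```

Every hit is an administrator whose credentials were typed on, and are therefore exposed to, a workstation that is outside the trust boundary the jump server was supposed to provide. A non-empty result is the condition the guide is warning about, regardless of how well the jump server itself is hardened.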
Some organizations allow high-privilege accounts like those that are members of the Domain Admins group to perform general administrative tasks or log on to user desktops or other systems used for email and Internet browsing, exposing these credentials to potential attackers.
This is stuff like:
Notably, this is one of the easy wins that keeps appearing:
Do not configure services or schedule tasks that use privileged domain accounts on lower-trust systems, such as user workstations.
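To check a workstation for exactly this, here is an added audit script (not from the Microsoft guide or this post) that lists services and scheduled tasks configured to run as a privileged domain account. It runs elevated on the local machine (push it out with Invoke-Command to cover a fleet). The default account names are placeholders; supply your own list, or pass -ResolveFromAD to expand the listed groups with the ActiveDirectory module.

```powershell
<#
  Added example, not from the Microsoft guide: audit the local machine for
  services and scheduled tasks that run under a privileged domain account.
  Placeholders: the default account names. Assumes an elevated session; the
  -ResolveFromAD path additionally assumes the ActiveDirectory module and a
  domain-joined host.
#>
param(
    [string[]]$PrivilegedAccounts = @('CONTOSO\Administrator', 'CONTOSO\svc-backup'),  # assumed placeholder names
    [string[]]$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
    [switch]$ResolveFromAD
)

# Canonicalise DOMAIN\user and user@domain.tld forms to upper-case DOMAIN\USER so the
# membership test is not fooled by case or UPN spelling.
# Assumption: the first DNS label of the UPN suffix equals the NetBIOS domain name.
function ConvertTo-CanonicalAccount([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    if ($Name -match '^(?<user>[^@\\]+)@(?<dom>[^.]+)') {
        return ('{0}\{1}' -f $Matches.dom, $Matches.user).ToUpperInvariant()
    }
    return $Name.ToUpperInvariant()
}

if ($ResolveFromAD) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $netbios = (Get-ADDomain).NetBIOSName
    foreach ($group in $PrivilegedGroups) {
        # -Recursive flattens nested groups; groups missing from this domain are skipped silently
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) { $PrivilegedAccounts += "$netbios\$($m.SamAccountName)" }
    }
}
$privileged = @($PrivilegedAccounts | ForEach-Object { ConvertTo-CanonicalAccount $_ } | Sort-Object -Unique)

$findings = New-Object System.Collections.Generic.List[object]

# Services: Win32_Service.StartName is the logon account (LocalSystem, NT AUTHORITY\..., or DOMAIN\user)
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $acct = ConvertTo-CanonicalAccount $svc.StartName
    if ($acct -and ($privileged -contains $acct)) {
        $findings.Add([pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; Account = $svc.StartName; Command = $svc.PathName })
    }
}

# Scheduled tasks: Principal.UserId is the account the task runs as
foreach ($task in Get-ScheduledTask) {
    $acct = ConvertTo-CanonicalAccount $task.Principal.UserId
    if ($acct -and ($privileged -contains $acct)) {
        $findings.Add([pscustomobject]@{
            Kind    = 'ScheduledTask'
            Name    = $task.TaskPath + $task.TaskName
            Account = $task.Principal.UserId
            Command = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
        })
    }
}

if ($findings.Count -gt 0) {
    Write-Warning "Privileged domain accounts are configured on $env:COMPUTERNAME and are exposed to anyone who gains local admin here:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No services or scheduled tasks on $env:COMPUTERNAME run as a listed privileged account."
}
```

The reason this matters is not subtle: a service or task that runs "whether the user is logged on or not" has that account's password stored on the host as an LSA secret, so a local administrator on the workstation can read it back in clear text and walk straight into the domain with it.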