Hiring your first or second IT person feels like a win. Someone is finally handling the tickets, the printer issues, the password resets. But here is what most small business owners do not think about until it is too late: a junior IT admin with domain admin access and no security baseline is not a solution to your risk — it is a new one.
This is not a knock on junior talent. It is a systems problem. When there is no documented handoff, no access control policy, and no security baseline to onboard against, even a motivated hire will make the kinds of mistakes that attackers are actively hunting for.
And those attackers are getting faster.
The Threat Landscape Your New Hire Is Walking Into
According to The Hacker News, a recent incident revealed an attacker using a suspected AI-generated PowerShell script to enumerate Active Directory — mapping users, groups, and permissions with minimal technical skill required. The script did the heavy lifting. The attacker just needed an environment where AD permissions had not been locked down.
That is exactly what an unsupervised junior admin inherits on day one if there is no baseline in place.
Misconfiguration is the other side of the same coin. The Hacker News also reported that a single misconfigured server — directory listing left enabled, bash history exposed — unraveled three separate Evilginx phishing operations targeting Microsoft 365. One small config error, left unchecked, became an intelligence goldmine. A junior admin who has never been taught to audit internet-facing systems will make these errors. Not out of negligence, but because nobody told them what to look for.
And then there is software. According to The Hacker News, a compromised npm package release dropped a Rust-based infostealer during install — meaning a developer or admin who ran a routine package update got hit with credential-harvesting malware. A junior admin without a software installation policy and no habit of verifying package integrity is one npm install away from the same outcome. We have covered the broader pattern of this risk in our post on npm supply chain attacks and small dev shops.
The Day-One Security Checklist
This is not a 90-day roadmap. This is what needs to happen before your new hire touches anything sensitive.
1. Audit and Scope Their Access Before They Log In
Do not hand over domain admin credentials on day one. Define what they actually need access to and provision exactly that. If they are handling helpdesk, they do not need rights to modify Group Policy. If they are managing endpoints, they do not need access to your backup infrastructure.
Document every account, every group membership, and every elevated permission they receive — and why. This is not bureaucracy. It is the paper trail that saves you when something goes wrong.
2. Establish an Active Directory Baseline
Before your new hire starts making changes, pull a snapshot of your AD environment. Know who has domain admin rights. Know which service accounts exist and what they can do. Know which accounts have not been used in 90 days.
AI-assisted enumeration tools mean attackers can map your AD in minutes if permissions are loose. A junior admin who does not know what "stale privileged accounts" means cannot fix what they cannot see. Walk them through it. Show them the attack surface.
3. Define a Software Installation Policy
Write it down: what software is approved, what requires a request, and what is prohibited. Include package managers. Include browser extensions. Include anything that touches the network or handles credentials.
The infostealer-via-npm story is not an edge case anymore. Supply chain attacks are targeting routine workflows. Your new hire needs to know that npm install from an unverified source is a security event, not a routine task.
4. Enforce MFA on Everything Privileged
Every admin account. Every cloud console. Every remote access tool. No exceptions on day one.
If you are running Microsoft 365, make sure Conditional Access policies are in place before your new hire's account goes live. We walked through the setup order for this in our guide to conditional access policies for small businesses. A misconfigured or missing policy is how a phishing kit bypasses MFA entirely — and a junior admin who does not know the difference between MFA and MFA bypass will not catch it.
5. Show Them What a Misconfiguration Looks Like
Do not just hand them a checklist. Sit with them and walk through your internet-facing systems. Show them what directory listing looks like when it is accidentally enabled. Show them what an exposed config file looks like. Show them your firewall rules and explain which ones exist for a reason.
The Evilginx story is a perfect teaching moment: one enabled setting, overlooked during setup, handed attackers a roadmap. That lesson costs nothing to share and could save everything.
6. Establish Patch and Update Discipline
Define the patch window. Define who approves updates to production systems. Define what happens when a critical CVE drops — who gets notified, what the response timeline is, and who has authority to act.
A junior admin left to their own judgment on patching will either patch nothing (afraid to break things) or patch everything immediately (breaking things). Neither is acceptable. Give them a process.
7. Run a Baseline Vulnerability Scan Before They Start Making Changes
Know what your environment looks like before new hands touch it. A baseline scan documents your existing exposure — open ports, outdated software, misconfigurations — so you have a reference point. If something breaks or a new vulnerability appears after your hire starts, you will know whether it was pre-existing or introduced.
This also protects your new hire. They should not inherit undocumented problems and then be blamed for them.
For context on what this kind of visibility catches, see our breakdown of vulnerability scanning vs penetration testing — the distinction matters when you are deciding what to run first.
The Underlying Problem
Small businesses hire junior IT staff and assume security comes with the role. It does not. Security comes with documented policies, defined access boundaries, and a baseline that everyone can measure against.
Without that foundation, you are not just relying on your new hire's judgment — you are betting your business on it.
Take Action
Before your new hire logs into anything, run a baseline vulnerability scan. Know what you are handing them. Know what attackers already know about your environment.
Oscar Six Security's Radar gives you that baseline for $99 per scan — no enterprise contract, no six-week engagement. You get a clear picture of your exposure so your new admin inherits a documented, understood environment instead of a mystery.
Focus Forward. We've Got Your Six.