Server operators should implement LDAP, AD, IAM as best practice where possible. Two factor authentication is required for any system handling L3/medium risk data and above. See also: Level 2, Level 3, Level 4, SA2, Servers A