Controlling Local Administrator Access
Local administrative access is necessary for IT staff to perform tasks like installing software and fixing server and desktop issues. Often users outside IT also end up with local admin rights so they too can install software on their own machines or make other configuration changes. However, many organizations lack processes for monitoring and maintaining the local admin groups that control these rights. This gap creates a serious security risk. All it takes is one employee with admin rights clicking on a phishing email to open the door to Ransomware and other attacks.
Use these 3 steps to take control of administrative rights to servers and desktops:
Step 1: Find out who has local administrator access
The first step is identifying the direct members in the local admin group on every server and desktop. Finding members isn’t easy because there are many ways to grant local admin access, i.e., through user accounts or domain groups in Active Directory (AD) or through local users on the system itself. Since native tools cannot provide a complete list of local administrators on every system, security pros must look elsewhere. STEALTHbits, for example, offers a Local Administrators report that collects the membership of local admin groups, specifying user membership type and password and account status – all regardless of how the rights are granted.
Step 2: Have group owners review and attest membership
Once an organization knows who has effective access, the next step is to determine the owner of each local admin group. A common approach is to break down the information gathered by geography, domain, application ownership, and job role. STEALTHbits’ Probable Owners report can identify likely owners at the domain level. These potential owners can be surveyed to confirm their ownership. Once confirmed, the owners can use STEALTHbits’ Access Information Center to centrally manage local admin group membership by granting or removing access. This centralized management is impossible with Windows systems, which cannot manage resources that aren’t in AD.
Step 3: Implement the Principle of Least Privilege
Owners can use the Principle of Least Privilege to guide their decision-making around who should have local admin access. Best practice is to limit access to only a few security and IT employees who need it to do their jobs. Other pre-emptive measures companies take include:
- Nesting Active Directory groups that provide admin access inside the local admin group on a server or desktop so they can be controlled through group policy
- Requiring the use of unique passwords for all admin accounts and ensuring password changes comply with company policy
- Having IT staff logon to a machine with an unprivileged account and then run commands and applications “as administrator” to make changes so credentials are not stored
- Practicing security basics like applying the latest patches, performing regular back-ups, and training employees to avoid phishing scams
Security leaders go beyond the basics to adopt practices that significantly reduce risk such as:
- Implementing Change & Access Monitoring to see if administrative accounts are being used appropriately and to block changes that violate policy like modifying AD Group Policy Objects. STEALTHbits provides real-time monitoring without native logs.
- Using a Privileged Identity Management (PIM) password vault and check-in/check-out process to control access to admin accounts. STEALTHbits’ integrates with PIM to give companies more insight into these accounts and their attributes.
Start Benefiting Today
Organizations that take control of local administrator access benefit from a reduced threat surface, with less chance of falling victim to Ransomware or insider threat. These companies also improve compliance and lower IT labor time and cost.
To identify local administrators in your environment, check out our Credential and Data Security Assessment.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Tuula Fai is the Senior Marketing Director of StealthAUDIT at STEALTHbits. For the past 20 years, she has worked in a variety of roles within the software industry, starting as a developer and implementation engineer before moving into product marketing and digital campaigns. Having worked in both customer service and human resources, she is passionate about safeguarding customer and employee data as part of overall security initiatives. She graduated Summa cum Laude from Georgetown with an MBA in marketing and IT, and has won two technology marketing awards. You can find her running and writing in the Rocky Mountains of Colorado.
Related Posts
- PROTIP – How to Purge Data in StealthAUDIT
- PROTIP – Fulfill a DSAR with StealthAUDIT 11.0
- Best Practices – Setting up StealthAUDIT SQL Server Database
- ProTip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for Oracle
- Pro Tip – StealthINTERCEPT DB Maintenance Best Practices
- PROTIP: Policy Registration & Managing StealthINTERCEPT via PowerShell and Editing StealthDEFEND Investigations & Categorizing Playbooks
- PROTIP: How to Update the “Have I Been Pwned” (HIBP) Breach Dictionary in StealthINTERCEPT Enterprise Password Enforcer and StealthAUDIT
- Protip: How to Setup User Activity & Database Logon Scans in StealthAUDIT for Oracle
- ProTip – The Power of Character Substitution Checks in StealthINTERCEPT Enterprise Password Enforcer
- Protip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for SQL
Leave a Reply