Local administrative access is necessary for IT staff to perform tasks like installing software and fixing server and desktop issues. Often users outside IT also end up with local admin rights so they too can install software on their own machines or make other configuration changes. However, many organizations lack processes for monitoring and maintaining the local admin groups that control these rights. This gap creates a serious security risk. All it takes is one employee with admin rights clicking on a phishing email to open the door to Ransomware and other attacks.
Use these 3 steps to take control of administrative rights to servers and desktops:
The first step is identifying the direct members in the local admin group on every server and desktop. Finding members isn’t easy because there are many ways to grant local admin access, i.e., through user accounts or domain groups in Active Directory (AD) or through local users on the system itself. Since native tools cannot provide a complete list of local administrators on every system, security pros must look elsewhere. STEALTHbits, for example, offers a Local Administrators report that collects the membership of local admin groups, specifying user membership type and password and account status – all regardless of how the rights are granted.
Once an organization knows who has effective access, the next step is to determine the owner of each local admin group. A common approach is to break down the information gathered by geography, domain, application ownership, and job role. STEALTHbits’ Probable Owners report can identify likely owners at the domain level. These potential owners can be surveyed to confirm their ownership. Once confirmed, the owners can use STEALTHbits’ Access Information Center to centrally manage local admin group membership by granting or removing access. This centralized management is impossible with Windows systems, which cannot manage resources that aren’t in AD.
Owners can use the Principle of Least Privilege to guide their decision-making around who should have local admin access. Best practice is to limit access to only a few security and IT employees who need it to do their jobs. Other pre-emptive measures companies take include:
Security leaders go beyond the basics to adopt practices that significantly reduce risk such as:
Organizations that take control of local administrator access benefit from a reduced threat surface, with less chance of falling victim to Ransomware or insider threat. These companies also improve compliance and lower IT labor time and cost.
To identify local administrators in your environment, check out our Credential and Data Security Assessment.
Tuula Fai is the Senior Marketing Director of StealthAUDIT at STEALTHbits. For the past 20 years, she has worked in a variety of roles within the software industry, starting as a developer and implementation engineer before moving into product marketing and digital campaigns. Having worked in both customer service and human resources, she is passionate about safeguarding customer and employee data as part of overall security initiatives. She graduated Summa cum Laude from Georgetown with an MBA in marketing and IT, and has won two technology marketing awards. You can find her running and writing in the Rocky Mountains of Colorado.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more
Start a Free Stealthbits Trial!
No risk. No obligation.