
Steps to Control Local Admin Rights

IT pros need local admin rights on corporate devices to install software, modify configuration settings, perform troubleshooting and so on. But all too often, business users are also routinely granted local admin rights on their computers.

While giving users these rights can be convenient, it creates serious security gaps. First of all, the users themselves can intentionally install unapproved applications or modify settings to streamline their work, without sufficient understanding of the security risks they might be introducing. Moreover, any user can fall for a social engineering attack — for instance, they open a malicious attachment or click on a malicious link in a phishing email.  But if the user has local admin rights, they can inadvertently install malware, which can potentially capture or exploit those admin rights to steal data or do other damage.

Accordingly, it’s a best practice to remove local admin rights from business users on every computer. Here are the 4 steps to take to implement this core security practice.

Step 1: Find out who has local administrator access.

The first step is to identify all users who have local admin rights on each server and desktop. On a Windows system, a user is granted local admin access through membership in the Local Administrators group in one of the following ways:

  • Direct group membership — The user account is listed as a member of the group.
  • Indirect (nested) group membership — The user account is a member of another group, and that group is a member of the Local Administrators group.

In general, it is wise to avoid nesting with privileged groups, since it makes it more difficult to determine exactly who has privileged access rights.
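The following PowerShell script is an added example, not part of the original article and not Netwrix code. It inventories the local Administrators group on a list of machines and expands nested Active Directory groups so that every human account that ends up with local admin rights is listed next to the group that grants them. It assumes PowerShell Remoting is enabled on the targets, that the caller can query them, and that the RSAT ActiveDirectory module is installed for the nested expansion; the host names are constructed placeholders.

```powershell
# Added example (not Netwrix code): inventory the local Administrators group on a
# set of computers and expand nested domain groups.
# Assumptions: PowerShell Remoting is enabled, the caller has rights to query the
# targets, and the RSAT ActiveDirectory module is available for Get-ADGroupMember.

function Get-LocalAdminReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,
        [string]$GroupName = 'Administrators'
    )

    foreach ($computer in $ComputerName) {
        try {
            # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
            $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                param($g)
                Get-LocalGroupMember -Group $g -ErrorAction Stop
            } -ArgumentList $GroupName
        }
        catch {
            # Unreachable host, or an orphaned SID in the group that makes the cmdlet fail:
            # record it so the inventory is known to be incomplete rather than silently short.
            [pscustomobject]@{ Computer = $computer; Member = $null; Type = 'Error'; Via = $_.Exception.Message }
            continue
        }

        foreach ($m in $members) {
            # Every direct member is reported as-is (user or group, local or domain).
            [pscustomobject]@{ Computer = $computer; Member = $m.Name; Type = $m.ObjectClass; Via = 'Direct' }

            # Nested membership: expand domain groups so the real set of people is visible.
            if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
                $sam = ($m.Name -split '\\')[-1]   # strip the DOMAIN\ prefix
                try {
                    Get-ADGroupMember -Identity $sam -Recursive -ErrorAction Stop |
                        ForEach-Object {
                            [pscustomobject]@{
                                Computer = $computer
                                Member   = $_.SamAccountName
                                Type     = $_.objectClass
                                Via      = "Nested via $($m.Name)"
                            }
                        }
                }
                catch {
                    # Group could not be resolved (e.g. foreign domain): flag it for manual review.
                    [pscustomobject]@{ Computer = $computer; Member = $m.Name; Type = 'Group'; Via = "Nested (unresolved: $($_.Exception.Message))" }
                }
            }
        }
    }
}

# Usage with constructed host names; the CSV feeds the owner review in step 2.
$report = Get-LocalAdminReport -ComputerName 'WS-EXAMPLE-01', 'SRV-EXAMPLE-01'
$report | Sort-Object Computer, Via, Member | Format-Table -AutoSize
$report | Export-Csv -Path '.\local-admins.csv' -NoTypeInformation
```

Rows whose Via column starts with "Nested via" are exactly the access that direct inspection of the group would miss; an "Error" row means a machine has not been inventoried and must not be treated as clean.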

Unfortunately, there are no native tools that can provide a complete list of local administrators on every system in your IT estate. However, a third-party solution like Netwrix Privilege Secure can provide you with full visibility into the membership of each of your privileged groups, including the Local Administrators groups on your Windows servers and workstations. In addition, Netwrix Privilege Secure will audit all changes to your privileged groups and alert you about suspicious activity.

Step 2: Have group owners review and attest to group membership.

The next step is to determine the owner of each local admin group. This can be a challenging task, so consider using a solution that can identify likely group owners automatically.

Then, the owner of each group should review its membership carefully, with the goal of removing local admin access rights that are not needed to reduce the organization’s attack surface area. This review and attestation process should be repeated on a regular schedule.

Step 3: Ensure that each local admin account has a unique password.

In many organizations, the default local admin account on every Windows device has the same username and password. Therefore, an adversary who obtains those credentials on just one machine has administrative access to every machine, so they can move laterally at will across your domain.

To help, Microsoft offers Windows Local Administrator Password Solution (LAPS). LAPS ensures that every computer in a domain has a unique password for the local administrator account and automatically rotates that password at a configured interval. LAPS can be deployed using Group Policy or Intune.
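As an added example (not part of the original article and not Netwrix code), the script below checks that LAPS coverage is actually complete: it lists enabled domain computers in an OU and flags any that have no LAPS password expiration time (LAPS has never managed them) or whose expiration has passed (rotation is overdue). It reads the Windows LAPS attribute and falls back to the legacy LAPS attribute, assumes the RSAT ActiveDirectory module and read access to those attributes, and only covers AD-joined machines (devices whose LAPS password is stored in Entra ID via Intune are not visible here). The OU is a constructed placeholder.

```powershell
# Added example (not Netwrix code): find domain computers that LAPS is not covering.
# Assumptions: RSAT ActiveDirectory module, read access to the LAPS expiration attributes,
# AD-joined machines (Intune/Entra-stored LAPS passwords are not checked here).

function Get-LapsCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase
    )

    # Windows LAPS and legacy LAPS use different schema attributes; query both.
    $attrs = 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem'
    $nowUtc = (Get-Date).ToUniversalTime()

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attrs |
        ForEach-Object {
            # Both attributes hold a FILETIME (100-ns ticks since 1601-01-01 UTC).
            $raw = $_.'msLAPS-PasswordExpirationTime'
            if (-not $raw) { $raw = $_.'ms-Mcs-AdmPwdExpirationTime' }
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }

            [pscustomobject]@{
                Computer    = $_.Name
                OS          = $_.OperatingSystem
                LapsManaged = [bool]$raw
                ExpiresUtc  = $expires
                Status      = if (-not $raw)           { 'NOT COVERED' }
                              elseif ($expires -lt $nowUtc) { 'EXPIRED (rotation overdue)' }
                              else                        { 'OK' }
            }
        }
}

# Usage: constructed OU; print only the machines that need attention.
Get-LapsCoverage -SearchBase 'OU=Workstations,DC=example,DC=local' |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, Computer |
    Format-Table -AutoSize
```

A machine that shows "NOT COVERED" is one where the shared default local admin password described above may still be in place, which is the lateral-movement condition this step is meant to eliminate.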

Step 4: Empower users and admins to perform their required tasks safely.

The principle of least privilege is a cornerstone of security: Each user should have only the privileges they need to perform their job. Limiting local admin rights is an important step in enforcing least privilege — but both admins and business users sometimes do need to perform tasks that require those rights.

With native Windows functionality, you could have administrators log on to a machine using an unprivileged account and then use the “run as administrator” option for any tasks that require elevated rights. However, this approach still requires standing admin accounts, which are subject to misuse by their owners and compromise by adversaries. A good alternative is to use a purpose-built privileged access management (PAM) solution that replaces standing privileged accounts with on-demand accounts that have just enough access to perform the task at hand and are automatically deleted afterwards. As a result, you will have nearly no standing administrative accounts to constantly worry about.

To allow business users to run the specific applications they need without being stopped by UAC prompts and without granting them local admin rights, consider Netwrix PolicyPak Least Privilege Manager. This solution can also prevent users from downloading or installing ransomware and other unwanted executables.

Conclusion

Strictly controlling privileged access is vital to avoiding costly breaches, downtime and compliance penalties. With the right tools, you can remove local admin rights from business users without impairing their ability to do their jobs, slashing your attack surface area.

Martin is Vice President of Product Strategy at Netwrix. Martin is an experienced technologist, with over 30 years in the Privileged Access Management and security space. Prior to Netwrix, Martin led the privileged access team at BeyondTrust, where he took their password management solution from unknown to a recognized leader in the industry within 3 years. At BeyondTrust he also drove the development of their first SaaS PAM product as well as a new microservice-based platform for DevOps security. Prior to BeyondTrust, Martin held key management positions at Quest/Dell, Novell, Fortefi and Symantec. He is a recognized expert and a regular speaker at security events and webinars.