Endpoint Privilege Management:

The debate over giving unrestricted admin rights is a constant struggle between IT staff and employees in any organization. While it is convenient to allow full administrative access to workstations – it poses a huge security risk.

The built-in local admin account has full permission to modify and manage the company device. These device permissions may allow an attacker to escalate their way into more sensitive assets in the IT network and gain domain admin privileges. This in turn leads to organization-wide outages and stolen business data that could mean millions of dollars lost either in ransomware or in recovering from the attack.

Employees, developers and technicians look for convenience so they can go about carrying out their daily tasks without interruptions. They feel the need to always have local admin rights on their workstations so they do not have to raise helpdesk tickets for each task. System administrators/IT security personnel look to balance the scales between employee frustration and organizational security.

Managing local admin privileges on Azure AD joined (AADJ), and Hybrid Azure AD joined (HAADJ) devices

Many organizations have fully transitioned to Azure AD or at least maintain a hybrid AD-Azure AD infrastructure for better cloud convenience and reduced maintenance overhead.

In these hybrid SaaS environments, a majority of devices are spread across networks or are remotely accessed by users working from their homes. In both cases, the local admin privileges on the endpoints must be controlled to impede imminent threats.

To avoid hard conversations about granting full-blown system privileges and ensure a secure and productive workspace, sysadmins look to find a middle ground. They rely on a handful of legacy software solutions and workarounds to achieve their needs.

Some companies adopt PAWs (Privileged Access Workstations), others go for a LAPS or WDAC/AppLocker approach.

Privileged Access Workstations (PAWs)

PAWs are certain computers within an organization designated to carry out privileged activities. They are security hardened to allow users to do sensitive tasks within locked down configurations and network restrictions.

Creating a privileged access workstation is a time taking process and quite complicated. Setting up a PAW involves setting up corresponding AD infrastructure configurations, moving tiers, creating backup GPOs and defining firewall rules. It's usually locked down with no internet access, and restricted logons.

Once created, users still need to be assigned a PAW to carry out privileged activity. This creates frustration among users who wish to perform tasks directly from their own workstations and requires raising tickets for getting access to a PAW.

LAPS to manage local administrators

Microsoft LAPS (Local Administrator Password Solution) is currently seen as the easiest fix to the local admin problem. LAPS provides management of local account passwords of domain (Windows server AD/Azure AD) joined computers.

Whenever users need to perform admin actions, they use local admin accounts present in the respective endpoints to do so. Once administrative access ends, the local admin password is rotated by LAPS. However, this means that LAPS does not directly deal with the elimination of local admin rights. It acts as a workaround to constantly rotate the admin credentials in-use and replace them with strong, unique ones.

WDAC and Applocker

WDAC and Applocker are two technologies that are baked into Windows 10 and 11 clients. They can help with basic controls like whitelisting/blacklisting applications and drivers on Windows clients. The difficulty in configuring and managing WDAC leads sysadmins to avoid using it. While Applocker is easier to use when compared with WDAC, Microsoft has stopped giving it feature updates and support.

All the solutions above need additional privilege controls to effectively manage endpoints. Microsoft launched their Intune EPM module (Which is now a part of Microsoft Entra) to help address the individual loopholes that these solutions create. How efficient is it to secure workstation privileges? Let's find out.

Microsoft Intune – A novice product wading into a rapidly maturing market

To bridge the gaps created by its standalone solutions, Microsoft introduced a single cloud-based platform to effectively manage devices, applications and their privileges – The Intune admin center.

Being a Microsoft creation, Intune has been the go-to for organizations that have migrated to Azure AD and wish to manage endpoint privileges. While Intune was created with a goal to unify device management, it is still in an embryonic state when it comes to endpoint privilege management.

The Microsoft Endpoint Privilege Management (EPM) module allows managing local admin passwords and helps enforce application controls on devices that are enrolled with Intune. It offers the following functionalities:

• Enforcing a password requirement for local admin accounts
• Rotating the passwords of local admin accounts
• Creating a back-up of the local admin accounts to Azure AD
• Providing reports on rotated passwords
• Defining policies to control and elevate applications

While Intune EPM handles the basic requirements of a privilege management solution, it misses out on a lot of vital functionality and security controls that we will look at in part 2.