Endpoint Privilege Management: The local admin rights dilemma (Part 1)
Shyam Senthilnathan
October 6 · 4 min read
The debate over giving unrestricted admin rights is a constant struggle between IT staff and employees in any organization. While it is convenient to allow full administrative access to workstations, it poses a huge security risk.
The built-in local admin account has full permission to modify and manage the company device. These device permissions may allow an attacker to escalate their way into more sensitive assets in the IT network and gain domain admin privileges. This in turn can lead to organization-wide outages and stolen business data that could mean millions of dollars lost, either in ransom payments or in recovering from the attack.
Employees, developers and technicians look for convenience so they can go about carrying out their daily tasks without interruptions. They feel the need to always have local admin rights on their workstations so they do not have to raise helpdesk tickets for each task. System administrators/IT security personnel look to balance the scales between employee frustration and organizational security.
Many organizations have fully transitioned to Azure AD or at least maintain a hybrid AD-Azure AD infrastructure for better cloud convenience and reduced maintenance overhead.
In these hybrid SaaS environments, a majority of devices are spread across networks or are accessed remotely by users working from home. In both cases, local admin privileges on the endpoints must be controlled to limit the threat.
To avoid hard conversations about granting full-blown system privileges and ensure a secure and productive workspace, sysadmins look to find a middle ground. They rely on a handful of legacy software solutions and workarounds to achieve their needs.
Some companies adopt PAWs (Privileged Access Workstations), others go for a LAPS or WDAC/AppLocker approach.
Privileged Access Workstations (PAWs)
PAWs are certain computers within an organization designated to carry out privileged activities. They are security hardened to allow users to do sensitive tasks within locked down configurations and network restrictions.
Creating a privileged access workstation is a time-consuming and complicated process. Setting up a PAW involves configuring the corresponding AD infrastructure, moving accounts into the right tiers, creating backup GPOs and defining firewall rules. It is usually locked down with no internet access and restricted logons.
Once created, users still need to be assigned a PAW to carry out privileged activity. This creates frustration among users who wish to perform tasks directly from their own workstations and requires raising tickets for getting access to a PAW.
LAPS to manage local administrators
Microsoft LAPS (Local Administrator Password Solution) is currently seen as the easiest fix to the local admin problem. LAPS manages the local account passwords of domain-joined (Windows Server AD or Azure AD) computers.
Whenever users need to perform admin actions, they use the local admin accounts present on the respective endpoints to do so. Once administrative access ends, the local admin password is rotated by LAPS. However, this means that LAPS does not directly deal with the elimination of local admin rights. It acts as a workaround that constantly rotates the admin credentials in use and replaces them with strong, unique ones.
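The rotation workflow described above still leaves the question of who else sits in the local Administrators group. The following PowerShell script is an added example, not code from the original post or from Microsoft: it audits local Administrators membership against an allowlist and then asks Windows LAPS to expire the managed password immediately, which is what a helpdesk would do after an assisted admin session. It assumes the in-box Windows LAPS module on a domain-joined Windows 10/11 client; the group names and the `LapsAdmin` account name are placeholders.

```powershell
# Added example (not from the original post): audit local Administrators membership
# on a Windows LAPS-managed workstation and expire the managed password after an
# admin session. Assumes the in-box Windows LAPS module and a domain-joined client.

# Principals allowed to remain in the local Administrators group (placeholder names).
$Approved = @(
    'CORP\Domain Admins',            # placeholder domain group
    'CORP\Workstation-Admins',       # placeholder domain group
    "$($env:COMPUTERNAME)\LapsAdmin" # placeholder: the LAPS-managed local account
)

# Enumerate current members and report anything that is not on the allowlist.
# Unexpected entries are exactly the "convenience" admin grants the post warns about.
$Members    = Get-LocalGroupMember -Group 'Administrators'
$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

if ($Unexpected) {
    Write-Warning "Unexpected local admins on $($env:COMPUTERNAME):"
    $Unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators membership matches the allowlist."
}

# After the assisted admin session, set the AD-stored expiration time to now
# (no -WhenEffective means immediately) and trigger policy processing so the
# managed password is rotated without waiting for the scheduled expiry.
Set-LapsADPasswordExpirationTime -Identity $env:COMPUTERNAME
Invoke-LapsPolicyProcessing
```

Run the script in an elevated session on the endpoint; the membership report is the part worth scheduling, because LAPS rotation alone does nothing about extra standing members of the Administrators group.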
WDAC and AppLocker
WDAC and AppLocker are two technologies that are baked into Windows 10 and 11 clients. They can help with basic controls like whitelisting/blacklisting applications and drivers on Windows clients. The difficulty of configuring and managing WDAC leads sysadmins to avoid using it. While AppLocker is easier to use than WDAC, Microsoft has stopped giving it feature updates and support.
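To make the WDAC configuration effort concrete, here is an added example, not from the original post or from Microsoft, of the minimal safe rollout path: build a policy from a reference workstation, switch it to audit mode so violations are only logged, compile it, and read back the audit events before enforcing. It uses the in-box ConfigCI cmdlets on Windows 10/11; the file paths are placeholders.

```powershell
# Added example (not from the original post): create a Windows Defender Application
# Control policy from a reference workstation and stage it in audit mode.
# Assumes Windows 10/11 with the in-box ConfigCI module; paths are placeholders.

$PolicyXml = 'C:\Policies\WorkstationPolicy.xml'   # placeholder path
$PolicyBin = 'C:\Policies\WorkstationPolicy.bin'   # placeholder path

# 1. Scan the reference machine. Publisher-level rules allow anything signed by the
#    same publisher; unsigned binaries fall back to per-file hash rules.
#    -UserPEs includes user-mode applications, not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $PolicyXml

# 2. Rule option 3 = "Enabled:Audit Mode": would-be blocks are logged, nothing is
#    stopped, so a gap in the scan does not break users' workstations.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile the XML into the binary format that Code Integrity loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# Deploy $PolicyBin to the pilot devices (for example through Intune or a GPO).

# 4. Review audit events on a pilot device. Event ID 3076 in the CodeIntegrity
#    operational log means "this file would have been blocked in enforced mode".
#    Every entry is either a missing rule to add or an unwanted binary to remove.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -MaxEvents 20 |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# 5. Once the audit log is clean for the pilot group, remove the audit option
#    (Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete), recompile and redeploy.
```

The audit-first loop is where most of the effort the post mentions goes: each 3076 event has to be triaged into a rule change or an application removal before the policy can be enforced.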
All the solutions above need additional privilege controls to effectively manage endpoints. Microsoft launched its Intune EPM module (which is now a part of Microsoft Entra) to help address the individual loopholes that these solutions create. How effective is it at securing workstation privileges? Let's find out.
To bridge the gaps created by its standalone solutions, Microsoft introduced a single cloud-based platform to effectively manage devices, applications and their privileges: the Intune admin center.
Being a Microsoft creation, Intune has been the go-to for organizations that have migrated to Azure AD and wish to manage endpoint privileges. While Intune was created with a goal to unify device management, it is still in an embryonic state when it comes to endpoint privilege management.
The Microsoft Endpoint Privilege Management (EPM) module allows managing local admin passwords and helps enforce application controls on devices that are enrolled with Intune. It offers the following functionalities:
While Intune EPM handles the basic requirements of a privilege management solution, it misses out on a lot of vital functionality and security controls that we will look at in part 2.