Raja Viswanathan

May 17 · 4 min read

In the previous two parts (part 1 and part 2), we dealt with the importance of local admin accounts, the associated security risks, the need for managing them properly, and the risk mitigation strategies. In this part, let us analyze the pros and cons of eliminating local admin rights altogether.

One of the most effective approaches to reducing risk is eliminating local admin accounts altogether and making everyone a standard user. But this approach introduces a ‘request-approval’ cycle, which is inefficient: employees may have to wait for permissions, resulting in delays, productivity loss and frustration.

This leads to the pertinent question: Is there a way to eliminate local admin accounts, overcome these hurdles and make the process seamless?

Yes, absolutely!

Local accounts with administrator privileges enable users to carry out software installations, change certain system settings and perform many other tasks without relying on help desk technicians and system administrators. When local administrator rights are removed, striking a balance between security and productivity becomes critical. This is where endpoint privilege management solutions come into the picture.

Endpoint privilege management means removing local administrator rights on Windows endpoints and elevating individual applications for standard users. The important point is that privileges are NOT elevated for the user; only the approved applications and processes run with elevated privileges. Users always remain standard users.

Local admin rights removal goes together with application control

While removing the local administrator rights forms just one part of the process, the other part relates to establishing a policy-based application control process. Administrators should be able to define and control which applications/processes can be run by standard users. This, in turn, leads to whitelisting trusted applications and preventing unapproved and malicious applications. This empowers standard users to seamlessly run approved applications (that would normally require admin rights) whenever needed.

There may be occasions when specific users require broader privileges, and contingencies that mandate full access for certain users. There should be provision for granting time-limited, fully controlled and comprehensively audited temporary administrator access on a need basis. Such access should be governed by a well-defined workflow that automatically revokes the access when the approved period ends.

How does eliminating local administrator rights help reduce risks?

From an IT security perspective, eliminating local administrator rights on endpoints presents multiple benefits:

  • As discussed in the previous posts, over 90% of critical vulnerabilities in Windows are stated to be related to local admin privileges. This crucial security gap could lead to major breaches and could be easily mitigated by removing local admin rights. Least privilege enforcement on endpoints is now a necessity.
  • Malware quickly and easily spreads through the installation of unapproved software, pirated tools, opening malicious email attachments, clicking malicious URLs, visiting harmful pages (drive-by downloads), and so on. Even tech-savvy end-users can unintentionally fall prey to any of these attacks and malware would gain a strong foothold. In the absence of admin rights, users will be able to run only approved applications and processes. You can prevent the installation and use of unapproved software and thereby block malicious software from getting into the organization. This significantly reduces the risk of malware or ransomware.
  • Removal of local administrator rights helps enforce least privileges across the organization. You can ensure that all your users have just enough access to the IT infrastructure. This, in turn, helps in significantly arresting the lateral movement of hackers who happen to gain a foothold on one machine.
  • In short, by eliminating local admin rights, you can significantly reduce the attack surface.

It is clear that eliminating local administrator rights is the best practice approach. How do we implement a least privilege model without impacting productivity?

This is where privilege management solutions like Securden Windows Privilege Manager come into the picture. Manual approaches could at best help you eliminate administrator rights. But only a policy-based, automated approach can help you achieve application control and ensure that user experience is not adversely impacted. Without the right tool, elevating applications, processes, scripts, and tasks for standard users could be counterproductive and frustrating.

How does Securden Windows Privilege Manager help?

Securden Windows Privilege Manager helps you to eliminate local admin rights without impacting productivity. It seamlessly elevates applications for standard users. Through robust workflows and policy-based controls, end-user experience remains the same even when administrator rights are removed. Securden makes the process seamless and scalable.

Granular application control, robust policy-driven approach

You can elevate administrator privileges to trusted applications for standard users through a fully policy-driven approach. Basically, you will whitelist applications, create policies and associate them with users and devices for seamless elevation on-demand. You will have granular control on which applications are to be elevated on specific endpoints, and by specific users or groups.

  • You can enforce policies without impacting end-user productivity.
  • You will also reduce the workload of your IT in managing endpoint privileges.

Seamless end user experience, various options

Even when local admin rights are removed, end users will be able to perform their activities without any interruption.

  • They will be able to run the whitelisted processes and applications without requiring any approvals.
  • For installing/running new applications, Securden provides a self-service portal for standard users to get approval for application elevation well in advance or whenever needed.
  • When broad administrative privileges are required to meet specific requirements, users can raise a request and get approval for temporary administrator access. The lightweight agent that sits on the endpoint grants elevation just-in-time and for a limited duration, once the configured security controls are satisfied. At the end of the approved time, Securden revokes the privilege and automatically closes the elevated applications. It also records and reports the list of applications elevated during the session.
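The two mechanisms described above (policy-based elevation of whitelisted applications scoped to users, groups and devices, and time-limited temporary administrator access that a workflow revokes automatically) can be illustrated with a small model. The following Python is an added example written for this page; it is not Securden's code and does not describe how the product works internally. All policies, users, groups, hostnames, executable paths and the ticket id are constructed, and matching on executable path alone is a simplification (a production policy would also pin the publisher signature or file hash).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Set, Tuple

# Added illustration of the policy-plus-temporary-admin model. Every name, path,
# user, group, host and ticket id below is constructed for the example.


@dataclass(frozen=True)
class ElevationPolicy:
    """Whitelist rule: which executable may run elevated, for whom, on which hosts."""
    name: str
    exe_path: str                # trusted path; real products also pin publisher/hash
    principals: FrozenSet[str]   # user names or group names the rule applies to
    devices: FrozenSet[str]      # hostnames, or {"*"} for every endpoint


@dataclass
class TempAdminGrant:
    """Time-limited temporary administrator access tied to a workflow ticket."""
    user: str
    device: str
    ticket: str
    granted_at: datetime
    duration: timedelta
    revoked: bool = False

    def expires_at(self) -> datetime:
        return self.granted_at + self.duration

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at()


class PrivilegeManager:
    """Evaluates elevation requests against policies and active temporary grants
    and keeps an audit trail of every decision (assumed, simplified design)."""

    def __init__(self, policies: List[ElevationPolicy], group_membership: Dict[str, Set[str]]):
        self.policies = policies
        self.group_membership = group_membership   # user -> groups; stands in for AD
        self.grants: List[TempAdminGrant] = []
        self.audit: List[dict] = []

    def _principals(self, user: str) -> Set[str]:
        return {user} | self.group_membership.get(user, set())

    def decide(self, user: str, device: str, exe_path: str, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). The user stays a standard user either way;
        only the named process would run elevated."""
        for g in self.grants:
            if g.user == user and g.device == device and g.is_active(now):
                return True, f"temporary admin grant {g.ticket}"
        principals = self._principals(user)
        for p in self.policies:
            if (p.exe_path.lower() == exe_path.lower()
                    and principals & p.principals
                    and (device in p.devices or "*" in p.devices)):
                return True, f"policy {p.name}"
        return False, "no matching policy or active grant"

    def elevate(self, user: str, device: str, exe_path: str, now: datetime) -> bool:
        allowed, reason = self.decide(user, device, exe_path, now)
        self.audit.append({"at": now.isoformat(), "event": "elevate", "user": user,
                           "device": device, "exe": exe_path, "allowed": allowed,
                           "reason": reason})
        return allowed

    def grant_temp_admin(self, user: str, device: str, ticket: str,
                         duration: timedelta, now: datetime) -> TempAdminGrant:
        grant = TempAdminGrant(user, device, ticket, now, duration)
        self.grants.append(grant)
        self.audit.append({"at": now.isoformat(), "event": "grant", "user": user,
                           "device": device, "ticket": ticket,
                           "expires": grant.expires_at().isoformat()})
        return grant

    def revoke_expired(self, now: datetime) -> List[str]:
        """Periodic workflow step: revoke every grant past its expiry and record it."""
        revoked = []
        for g in self.grants:
            if not g.revoked and now >= g.expires_at():
                g.revoked = True
                revoked.append(g.ticket)
                self.audit.append({"at": now.isoformat(), "event": "revoke",
                                   "user": g.user, "device": g.device, "ticket": g.ticket})
        return revoked


def run_scenario() -> dict:
    """Walk through the user paths described in the post with constructed data."""
    vpn = r"C:\Program Files\ExampleVPN\vpn.exe"       # constructed whitelisted app
    regedit = r"C:\Windows\regedit.exe"                # not covered by any policy
    pm = PrivilegeManager(
        policies=[ElevationPolicy("vpn-client", vpn, frozenset({"Sales"}), frozenset({"*"}))],
        group_membership={"alice": {"Sales"}, "bob": {"Engineering"}},
    )
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    r = {}
    r["alice_vpn"] = pm.elevate("alice", "LAPTOP-01", vpn, t0)       # policy match
    r["bob_vpn"] = pm.elevate("bob", "LAPTOP-02", vpn, t0)           # bob is not in Sales
    pm.grant_temp_admin("bob", "LAPTOP-02", "HD-1234", timedelta(hours=2), t0)
    r["bob_regedit_in_window"] = pm.elevate("bob", "LAPTOP-02", regedit, t0 + timedelta(hours=1))
    r["revoked"] = pm.revoke_expired(t0 + timedelta(hours=3))        # grant has expired
    r["bob_regedit_after"] = pm.elevate("bob", "LAPTOP-02", regedit, t0 + timedelta(hours=3))
    r["audit_events"] = len(pm.audit)
    return r
```

Every decision, grant and revocation lands in the audit list, which is what lets an organization later demonstrate that least privilege was enforced and that temporary access was actually withdrawn when the ticket's window closed.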

Continuous monitoring, complete control

One of the critical requirements mandated by various IT regulations is continuous monitoring of privileged access. Even when least privilege is enforced, organizations must be able to demonstrate it, which requires continuously tracking and reviewing user access entitlements and auditing activities.

  • Securden records all user activities, including the applications elevated and run by standard users.
  • It also tracks the creation of new admin accounts and shows them in reports.
  • You can also review the membership of various privileged AD groups from Securden itself and manage membership.
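Two of the monitoring points above, spotting newly created admin accounts and reviewing privileged group membership, can be checked directly from Windows Security event data and a membership baseline. The following Python is an added example for this page, not Securden's code: it runs three detections over a constructed sample of forwarded events. The event IDs 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) are the real Windows ones; the hosts, users, timestamps, the approved-members baseline and the flattened field layout are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample of Windows Security events, flattened to dicts the way a log
# forwarder might emit them. 4720 = user account created; 4732 = member added to a
# security-enabled local group. In real 4732 events MemberName is often "-" and only
# MemberSid is populated, so a production pipeline resolves the SID first.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-08T09:00:00", "EventID": 4720, "Computer": "WS-01",
     "SubjectUserName": "deploy-svc", "TargetUserName": "svc_backup"},
    {"TimeCreated": "2024-01-08T09:00:30", "EventID": 4732, "Computer": "WS-01",
     "SubjectUserName": "deploy-svc", "TargetUserName": "Administrators",
     "MemberName": "WS-01\\svc_backup"},
    {"TimeCreated": "2024-01-08T10:15:00", "EventID": 4732, "Computer": "WS-02",
     "SubjectUserName": "alice", "TargetUserName": "Administrators",
     "MemberName": "CORP\\helpdesk-tier2"},
    {"TimeCreated": "2024-01-08T10:16:00", "EventID": 4732, "Computer": "WS-02",
     "SubjectUserName": "alice", "TargetUserName": "Remote Desktop Users",
     "MemberName": "WS-02\\alice"},
    {"TimeCreated": "2024-01-08T11:40:00", "EventID": 4732, "Computer": "WS-02",
     "SubjectUserName": "alice", "TargetUserName": "Administrators",
     "MemberName": "WS-02\\alice"},
]

# Constructed baseline: the only principals allowed in local Administrators.
APPROVED_ADMINS: Set[str] = {"Administrator", "CORP\\Domain Admins", "CORP\\helpdesk-tier2"}

LOCAL_ADMIN_GROUP = "Administrators"


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def unapproved_admin_additions(events: List[dict], approved: Set[str]) -> List[Tuple[str, str, str]]:
    """(host, member, actor) for every addition to Administrators that is not in the baseline."""
    hits = []
    for e in events:
        if (e["EventID"] == 4732 and e["TargetUserName"] == LOCAL_ADMIN_GROUP
                and e["MemberName"] not in approved):
            hits.append((e["Computer"], e["MemberName"], e["SubjectUserName"]))
    return hits


def new_admin_accounts(events: List[dict], window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """(host, account) where an account was created and then added to Administrators on
    the same host within `window`: the pattern of a freshly minted local admin account."""
    found = []
    for c in (e for e in events if e["EventID"] == 4720):
        for e in events:
            if (e["EventID"] == 4732 and e["Computer"] == c["Computer"]
                    and e["TargetUserName"] == LOCAL_ADMIN_GROUP
                    and e["MemberName"].split("\\")[-1] == c["TargetUserName"]
                    and timedelta(0) <= _ts(e) - _ts(c) <= window):
                found.append((c["Computer"], c["TargetUserName"]))
    return found


def membership_drift(snapshot: Dict[str, Set[str]], approved: Set[str]) -> Dict[str, Set[str]]:
    """Compare a current per-host Administrators membership snapshot (e.g. collected by an
    agent) against the baseline; returns the unexpected members per host, empty if none."""
    drift = {}
    for host, members in snapshot.items():
        extra = members - approved
        if extra:
            drift[host] = extra
    return drift


if __name__ == "__main__":
    print("unapproved additions:", unapproved_admin_additions(SAMPLE_EVENTS, APPROVED_ADMINS))
    print("new admin accounts:", new_admin_accounts(SAMPLE_EVENTS))
    snapshot = {"WS-01": {"Administrator", "CORP\\Domain Admins"},
                "WS-02": {"Administrator", "CORP\\helpdesk-tier2", "WS-02\\alice"}}
    print("membership drift:", membership_drift(snapshot, APPROVED_ADMINS))
```

The event-based checks catch changes as they happen, while the snapshot comparison catches anything that slipped past logging (or was added before forwarding was enabled); running both is what turns "least privilege is enforced" into something an auditor can verify.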


In summary, to reduce the risks associated with local admin accounts, you should carefully consider the mitigation strategies. The two options you have are: Eliminate the admin rights altogether or manage them properly. And whatever option you choose, you need the right solution. Check out Securden Windows Privilege Manager and Securden Unified PAM.
