Local Admin Accounts Management:
Removing Admin Rights and Controlling Applications (Part 3)

In the previous two parts (part 1 and part 2), we dealt with the importance of local admin accounts, the associated security risks, the need for managing them properly, and the risk mitigation strategies. In this part, let us analyze the pros and cons of removing local admin rights altogether.

Removing admin rights: The productivity set-back

One of the most effective approaches to reducing risks is removing the local admin rights altogether and making everyone a standard user. But this approach leads to the introduction of the ‘request-approval’ concept, which is inefficient. Employees might have to wait for permissions resulting in delays, productivity loss, and frustrations. On the other hand, the IT helpdesk might get choked with innumerous requests and again lead to frustration.

This leads to the pertinent question: Is there a way to remove local admin rights, overcome these hurdles and make the process seamless?

Yes, absolutely!

Endpoint privilege management: Balancing security and productivity

Local accounts with administrator privileges enable users to carry out software installations, change certain system settings and perform many other tasks without relying on help desk technicians and system administrators. When local administrator rights are removed, striking a balance between security and productivity becomes critical. This is where endpoint privilege management solutions come into the picture.

Endpoint privilege management basically relates to removing local administrator rights on Windows endpoints and elevating applications for standard users. The most important aspect here is that the privileges are NOT elevated for users; only the applications and processes are run with admin privileges. Users will always remain standard users.

Local admin rights removal goes together with application control

While removing the local administrator rights forms just one part of the process, the other part relates to establishing a policy-based application control process. Administrators should be able to define and control which applications/processes can be run by standard users. This, in turn, leads to allowlisting trusted applications and restricting users from running unapproved and malicious applications through blocklisting.

Apart from allowing and blocking certain applications, the IT administrator is also responsible for granting elevated access to specific applications wherever applicable. The IT administrator can design and enforce privilege elevation policies and empower standard users to seamlessly run specific, approved applications (that would normally require admin rights) whenever needed.

There may be occasions when specific users would require broader privilege. There may be contingencies that would mandate full access to certain users. There should be provision for granting a time-limited, fully controlled, and comprehensively audited temporary administrator access on a need basis. Such access should be controlled by a well-defined workflow, which would take care of automatically revoking the access.

How does removing local administrator rights help reduce risks?

From an IT security perspective, removing local administrator rights on endpoints presents multiple benefits:

• As discussed in the previous posts, over 90% of critical vulnerabilities in Windows are stated to be related to local admin privileges. This crucial security gap could lead to major breaches and could be easily mitigated by removing local admin rights. Least privilege enforcement on endpoints is now a necessity.
• Malware quickly and easily spreads through the installation of unapproved software, pirated tools, opening malicious email attachments, clicking malicious URLs, visiting harmful pages (drive-by downloads), and so on. Even tech-savvy end-users can unintentionally fall prey to any of these attacks and malware would gain a strong foothold. In the absence of admin rights, users will be able to run only approved applications and processes. You can prevent the installation and use of unapproved software and thereby block malicious software from getting into the organization. This significantly reduces the risk of malware or ransomware.
• Removal of local administrator rights helps enforce least privileges across the organization. You can ensure that all your users have just enough access to the IT infrastructure. This, in turn, helps in significantly arresting the lateral movement of hackers who happen to gain a foothold on one machine.
• In short, by removing local admin rights, you can significantly reduce the attack surface.

It is clear that removing local administrator rights is the best practice approach. How do we implement a least privilege model without impacting productivity?

This is where privilege management solutions like Securden Endpoint Privilege Manager come into the picture. Manual approaches could at best help you remove administrator rights. But only a policy-based, automated approach can help you achieve application control and ensure that user experience is not adversely impacted. Without the right tool, elevating applications, processes, scripts, and tasks for standard users could be counterproductive and frustrating.

How does Securden Endpoint Privilege Manager help?

Securden Endpoint Privilege Manager helps you to remove local admin rights without impacting productivity. It seamlessly elevates applications for standard users. Through robust workflows and policy-based controls, end-user experience remains the same even when administrator rights are removed. Securden makes the process seamless and scalable.

Granular application control, robust policy-driven approach

You can elevate administrator privileges to trusted applications for standard users through a fully policy-driven approach. Basically, you will allowlist applications, create privilege elevation policies and associate them with users and devices for seamless elevation on-demand. You will have granular control on which applications are to be elevated on specific endpoints, and by specific users or groups.

• You can enforce policies without impacting end-user productivity.
• You will also reduce the workload of your IT in managing endpoint privileges.

Seamless end user experience, various options

Even when local admin rights are removed, end users will be able to perform their activities without any interruption.

• They will be able to run the allowlisted processes and applications without requiring any approvals.
• They will also be able to elevate and run apps that are associated with privilege elevation policies.
• For installing/running new applications, Securden provides a self-service portal for standard users to get approval for application elevation well in advance or whenever needed.
• When broad administrative privileges are required to meet specific requirements, users can raise a request and get approval for temporary administrator access. The lightweight agent that sits at the endpoints grants elevation just-in-time and for a limited duration after security controls. At the end of the approved time, Securden revokes the privilege and automatically closes the elevated applications. It also records and reports the list of applications elevated during the session.

Continuous monitoring, complete control

One of the critical requirements mandated by various IT regulations is continuously monitoring the privileged access scenario. Even when the least privileges are enforced, organizations should be able to demonstrate the same. It requires continuously tracking and reviewing user access entitlements and auditing activities.

• Securden records all user activities, including the applications elevated and run by standard users.
• It also tracks the creation of new admin accounts and shows them in reports.
• You can also review the membership of various privileged AD groups from Securden itself and manage membership.

Try Securden Endpoint Privilege Manager, Free for 30 Days!

Get hands on experience in managing privileges with this free trial. Available in On-Premise and Cloud Editions.

Download Trial Cloud Sign Up

In summary, to reduce the risks associated with local admin accounts, you should carefully consider the mitigation strategies. The two options you have are: Remove the admin rights altogether or manage them properly. And whatever option you choose, you need the right solution.

Check out Securden Endpoint Privilege Manager and Securden Unified PAM.