The misuse of administrative rights and privileges is one of the primary ways attackers gain access to networks.
One of the biggest takeaways from the assessments, analysis, and research we’ve conducted is that administrative rights are dangerous to the health and well-being of your network. In fact, analyses of Microsoft’s security bulletins (which detail patch and vulnerability information) have concluded that “77% of critical Microsoft vulnerabilities would be mitigated by removing admin rights across an enterprise.” The reason is simple: most of those vulnerabilities give the attacker the rights of the logged-on user, so a standard user limits the damage to that user’s profile. It does not, by itself, stop a local privilege-escalation bug, so it complements patching rather than replacing it.
Even beyond Microsoft products, misuse of administrative privileges is such an important issue that the Center for Internet Security’s (CIS) Critical Security Controls routinely list controlled use of administrative privileges as a top-five priority for organizations to address.
Now, if you could all but ensure you are protecting your network from a clear and present danger, doesn’t it seem like a no-brainer to do so? Yet time and again, we hear how specific user types, whole departments, or even all employees have local administrative privileges on their workstations. We’ve seen it across all industries and business sizes. And we hear all sorts of seemingly logical reasoning as to why.
I’m going to shoot down those reasons. Here are the top five arguments against removing local admin rights—and why they’re incorrect.
Mobile Users Need Admin Rights So They Can Connect Remotely
Years ago, it was next to impossible to let your sales team connect to a random hotel or client Wi-Fi hotspot while on the road unless they had local administrator rights. Today it is easy to give non-admin users explicit rights to specific administrative tasks (such as choosing a Wi-Fi network or adding a printer) without giving them full administrative privileges.
In Windows, you can use built-in groups such as Network Configuration Operators, or create a Group Policy setting, to address the needs of your mobile users without adding them to the local Administrators group.
Plus, if you have to comply with requirements like HIPAA, you probably want to reconsider giving users the ability to print potentially sensitive information somewhere you don’t control, like their home.
My Apps Need Admin Rights So They Can Run
Even with legacy software, it’s rare that an application actually needs administrator rights; more often, requiring them was simply the easier implementation route for the vendor.
The majority of applications that fail to run as standard users fail because they write to an area of the registry, operating system, or hard disk that administrators can access and standard users cannot. Use a tool such as Sysinternals Process Monitor, filtered on ACCESS DENIED results, to find out exactly which files and registry keys the application is trying to write to, and then grant the specific users who run the software rights to those locations only, using Group Policy. Grant the narrowest right that makes the application work (Modify on its own data folder, not Full Control on the whole drive), and never loosen permissions on system-wide locations such as C:\Windows or the root of HKLM\SOFTWARE.
And talk to the software vendor. They have a responsibility to ship software that runs correctly as a standard user.
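The two previous sections (granting mobile users a specific capability through a built-in group, and giving a legacy application write access to exactly the locations it needs) come down to the same few settings on the workstation. The script below is an added example, not code from the original post. All names in it are assumptions: the domain groups CONTOSO\Road-Warriors and CONTOSO\LegacyApp-Users, the folder C:\LegacyApp\Data and the key HKLM\SOFTWARE\LegacyVendor\LegacyApp stand in for whatever Process Monitor showed you. Run it elevated on one machine to validate, then turn the same settings into Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > File System, Registry, and Restricted Groups) so they are applied consistently.

```powershell
# Added example (not from the original post). Hypothetical names:
#   CONTOSO\Road-Warriors    mobile users who need to manage Wi-Fi connections
#   CONTOSO\LegacyApp-Users  users who run the legacy application
#   C:\LegacyApp\Data        folder the app writes to (found with Process Monitor,
#                            filter "Result is ACCESS DENIED")
#   HKLM:\SOFTWARE\LegacyVendor\LegacyApp  registry key the app writes to

$MobileGroup = 'CONTOSO\Road-Warriors'
$AppGroup    = 'CONTOSO\LegacyApp-Users'
$DataPath    = 'C:\LegacyApp\Data'
$RegPath     = 'HKLM:\SOFTWARE\LegacyVendor\LegacyApp'

# 1. Mobile users: the built-in Network Configuration Operators group (SID S-1-5-32-556)
#    may change network settings without being Administrators. Use the SID, not the
#    display name, so the script works on non-English installs.
$alreadyMember = Get-LocalGroupMember -SID 'S-1-5-32-556' | Where-Object Name -eq $MobileGroup
if (-not $alreadyMember) {
    Add-LocalGroupMember -SID 'S-1-5-32-556' -Member $MobileGroup
}

# 2. Legacy app data folder: Modify (not Full Control), inherited by subfolders and files,
#    granted to the app users only.
$acl  = Get-Acl -Path $DataPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $AppGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $DataPath -AclObject $acl

# 3. Legacy app registry key: the app only needs to read and write values under its own
#    key, so grant exactly that (no ChangePermissions, no TakeOwnership), inherited to subkeys.
$regAcl  = Get-Acl -Path $RegPath
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
               $AppGroup, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegPath -AclObject $regAcl

# 4. Verify: list only the entries that now apply to the app group, then have a standard
#    user (runas /user:CONTOSO\someuser cmd) launch the application to confirm it works.
foreach ($p in $DataPath, $RegPath) {
    (Get-Acl -Path $p).Access |
        Where-Object IdentityReference -eq $AppGroup |
        Select-Object @{ n = 'Path'; e = { $p } }, FileSystemRights, RegistryRights, AccessControlType
}
```

If the application still fails as a standard user after this, go back to the Process Monitor trace: the remaining ACCESS DENIED entries tell you the next location, and each one should get the same narrow, group-scoped grant rather than a blanket Administrators membership.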
My Users Have Always Had Admin Rights and Taking Them Away Would Cause More Trouble Than It’s Worth
Giving users administrative privileges is not a statement on whether you trust them or not. And it’s not about users knowing (or not knowing) what they are doing. It’s about limiting their (and your organization’s) exposure to risk—plain and simple.
So, why do users think they need these privileges?
If it’s about needing the ability to perform specific tasks, then group policy settings or built-in group memberships should address it. If it’s about issues running software, then allocating rights to the specific locations the software needs, again through group policy, is the way to go. If it’s about needing the ability to install software for personal use or “not bothering IT” to download software for work reasons, then you need to re-think what you are allowing users to do.
Asset Management
The heart of any solid information security program is knowing what your assets are so you can best protect them.
If you give users the ability to download software, you’ve lost key insight into one of your most important (and potentially most risky) assets. Not only do users run the risk of downloading malicious code along with whatever application they are installing, but you also lose visibility over what is running on your network. If you don’t know what’s running, you can’t patch it, which means your entire network is now more vulnerable.
This is why account types are so important.
It’s worth noting that software inventory ranks higher than administrative privileges on the Critical Security Controls list, because it’s that important to know and manage what’s running on your network.
My Executive Team Needs it Because They Run the Company
This may not be as big an issue in larger organizations, but we see it quite frequently in small- to medium-sized businesses (SMBs). I’m going to try to address this as delicately as possible:
Your executive team does not need administrative access.
The type of access granted does not correlate with how much the user is trusted or how smart they are. Attackers today target IT staff and executives.
They go after IT because these are, by the definition of their jobs, the users with the most access. And they go after executives because they are often granted access beyond their job needs and are less practiced at recognizing or preventing an attack.
Unless an executive is the one managing the network, they do not need admin rights. Granting them will likely do more harm than good.
But, I realize for some this is an argument not easily won.
And for those, I suggest you consider this:
My IT Team Needs It to Do Their Job
Now that we’ve whittled down the number of users with administrative access to those who legitimately have a business need for it, we need to lock it down.
Any user who has an admin account should also have a standard user account. They should use the standard user account for much of their day-to-day activities and only use the administrator account when required.
Administrative accounts should be locked down to only the tasks required. If you are an email administrator, you likely don’t need administrative access to any system other than the email server. Administrative accounts should also have no external network access (no email and no web browsing), so that a phishing message or a malicious website is never opened under an administrative token.
By separating out the accounts and controlling what access each account has, you are requiring administrators to make an explicit decision to take an action using administrative privileges.
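Locking down what remains starts with knowing who is actually in the local Administrators group on each workstation, because years of exceptions accumulate there. The function below is an added example, not code from the original post. It assumes a hypothetical allowlist (the built-in local Administrator account, CONTOSO\Domain Admins and a workstation-admin group CONTOSO\WS-Admins); everything else is reported and, only when you ask for it, removed. Run it elevated, review the report, and only then run it with -Remediate.

```powershell
# Added example (not from the original post). Approved names are hypothetical;
# replace them with the groups your administrators' separate admin accounts live in.

function Get-UnapprovedLocalAdmins {
    [CmdletBinding()]
    param(
        [string[]] $ApprovedNames = @('CONTOSO\Domain Admins', 'CONTOSO\WS-Admins'),
        [switch]   $Remediate
    )

    # S-1-5-32-544 is the Administrators group on every Windows machine, whatever it is
    # called; the built-in local Administrator account always has a SID ending in -500.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    foreach ($m in $members) {
        $isBuiltInAdmin = $m.SID.Value -match '-500$'
        if ($isBuiltInAdmin -or ($ApprovedNames -contains $m.Name)) { continue }

        $finding = [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name
            SID         = $m.SID.Value
            ObjectClass = $m.ObjectClass       # User or Group
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            Removed     = $false
        }

        if ($Remediate) {
            Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $m
            $finding.Removed = $true
        }
        $finding
    }
}

# Report only: who is in local Administrators that should not be?
Get-UnapprovedLocalAdmins | Format-Table -AutoSize

# Once the report looks right, remove them and keep a record of what changed:
# Get-UnapprovedLocalAdmins -Remediate |
#     Export-Csv -NoTypeInformation -Path "admin-cleanup-$env:COMPUTERNAME.csv"
```

Two caveats from running this in practice: Get-LocalGroupMember errors out on orphaned SIDs (members from deleted accounts), and those stale entries are exactly the kind of thing to clean up; and the day-to-day account of each administrator should never show up here at all, only their separate admin account or the group that contains it.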
Monitor, Train, and Continually Evaluate Your Risk
Administrative (particularly Windows administrator) credentials are key targets for attackers looking to infiltrate and exploit a network. For the administrative accounts that remain after you take stock, make sure you are monitoring the activity related to them. Strong, centralized logging, monitoring, and auditing of these credentials can provide early warning that nefarious activity is taking place. On Windows, that means at a minimum collecting the Security log events for changes to privileged group membership and for logons that are granted administrative privileges.
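To make the monitoring concrete, here is an added example (not code from the original post) that flattens the relevant Security-log events into records you can review or forward to a SIEM: 4732/4733 (member added to or removed from a local group), 4728/4729 (the same for a domain global group), and 4672 (special privileges assigned at logon, which fires for every logon that carries admin rights). The event-data field names are the real ones Windows writes; the sample event at the bottom is constructed for the demonstration, as is the computer name WS-042.contoso.example.

```powershell
# Added example (not from the original post). The sample event below is constructed.

function ConvertFrom-AdminEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x   = [xml] $EventXml
        $eid = $x.Event.System.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }  # legacy events carry a Qualifiers attribute
        $eid = [int] $eid

        # <Data Name="X">value</Data> ... becomes a hashtable keyed by Name
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        $rec = [ordered]@{
            Time       = [datetime] $x.Event.System.TimeCreated.SystemTime
            Computer   = $x.Event.System.Computer
            EventId    = $eid
            Actor      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Action     = $null
            Group      = $null
            Member     = $null
            Privileges = $null
            Severity   = 'Info'
        }

        switch ($eid) {
            { $_ -in 4732, 4728 } { $rec.Action = 'MemberAdded' }
            { $_ -in 4733, 4729 } { $rec.Action = 'MemberRemoved' }
            4672 {
                if ($d['SubjectUserSid'] -eq 'S-1-5-18') { return }  # SYSTEM logons are pure noise
                $rec.Action     = 'PrivilegedLogon'
                $rec.Privileges = $d['PrivilegeList']
            }
            default { return }  # not an event this function handles
        }

        if ($rec.Action -ne 'PrivilegedLogon') {
            $rec.Group = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            # MemberName is '-' when Windows could not resolve the SID; keep the SID in that case.
            $rec.Member = if ($d['MemberName'] -ne '-') { $d['MemberName'] } else { $d['MemberSid'] }
            # Additions to local Administrators or the domain admin groups are the ones to alert on.
            if ($rec.Action -eq 'MemberAdded' -and
                ($d['TargetSid'] -eq 'S-1-5-32-544' -or
                 $d['TargetUserName'] -in @('Domain Admins', 'Enterprise Admins'))) {
                $rec.Severity = 'High'
            }
        }
        [pscustomobject] $rec
    }
}

# Constructed sample: CONTOSO\jdoe adds the SID ending in -1105 to local Administrators on WS-042.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2015-03-02T14:05:11.0000000Z" />
    <Computer>WS-042.contoso.example</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

$sampleEvent | ConvertFrom-AdminEvent | Format-List

# Live use on a workstation (run elevated): last 24 hours, high-severity records only.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4728, 4729, 4732, 4733; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-AdminEvent | Where-Object Severity -eq 'High'
```

The constructed event comes out as a MemberAdded record against Builtin\Administrators with Severity High, which is the shape of alert you want landing in front of an analyst within minutes. Two practical notes: these events only exist if the "Audit Security Group Management" and "Audit Special Logon" subcategories are enabled (they are not on by default on all editions), and 4672 is high-volume, so ship it centrally and baseline it per account rather than alerting on every occurrence.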
Continue to communicate with and educate your users. When you implement a significant change like removing admin rights, make sure you are explaining the reasoning behind the change. It’s important that they understand a change in privileges is about protecting them—they can’t defend themselves against attacks they aren’t even aware of. Your users are much more likely to support initiatives like this when they understand the reasoning behind it.
And continually educate your security team. Make sure they are staying current on threats, technology, and industry best practices. Threats evolve constantly, and so do the defensive tools.
If you aren’t doing so yet, conduct a risk assessment to see where you are most vulnerable. For those risks that can’t be effectively mitigated today, make time to re-evaluate them periodically as tools and practices advance; administrative access is a good example.
I encourage you to download the latest Critical Security Controls and take stock of your organization’s security posture against these top 20 controls.
For more information on administrative policies, risk assessments, and more, visit frsecure.com.
Your last paragraph, to me, is the biggest argument against all the previous points made. Everybody should be constantly re-evaluating their tools, practices and strategy, which means users need to be able to try out new software and make changes that would require administrative privileges. By taking away the rights of users, especially those in technology, innovation will be stifled.
In reply to you, Andy, I wholeheartedly disagree. You can set up a virtual machine in a sandbox to try out systems and software and allow users to evaluate there. Or you could have a non-network machine to run such tests, or you could have a process in place to evaluate a software system and, if it is not a security concern, it could be placed on a whitelist and the IT department could install it for the user so they can evaluate.
There are many options to install software that don’t require the user to have local admin rights. It might mean the IT staff needs to take customer service training, and it might mean a bit of a work load increase for IT, but the safety and security of the network trumps those small inconveniences.
There are several ways to dish out “Temporary Admin Access” to users that need this for installing a program, or other such tasks. If your company has not looked into a Privileged Access Management solution, you really should. The threats that are coming out are more and more destructive to companies across the board as time goes on… No offense, Andy, but that old-school 80’s thinking is what needs to change in the industry. There are many great solutions that smart companies are using to control local admin access; do a bit of research on them, and pick one that fits your company’s needs and budget.
Trust me, if we can get a PAM solution working for 15k people, then it’s possible in any size business. And no, we do not have a slow-down in productivity, it’s actually LESS clicking and typing to use a PAM solution, as it can auto-elevate applications you deem “safe” – bypassing UAC prompts entirely!
I’m a full senior-level IT Administrator, and I have been running without local admin access for almost 11 months now, and my job has not been negatively impacted, besides the small learning curve of working with our chosen PAM solution.