Why Remove Local Admin Rights
An FRSecure Self-Help Document of Guidelines and Best Practices
The Case for Removing Local Administrator Rights
The misuse of administrative privileges is a key method used by attackers to gain unauthorized access to our networks. In fact, misuse of administrative privileges is such an important issue that the CIS (Center for Internet Security), in their latest release of the Critical Security Controls 6.0, moved it from 12th to 5th in order to make it a higher priority for organizations to address.
The risk of being a local administrator is that you can install programs on the computer without asking anyone’s permission. The alternative is a standard user account, which can use programs and change settings that do not affect the security of the computer. When standard users try to do something that they do not have permission to do, the computer requests the credentials for an account that has local admin privileges.
5 Reasons to Remove Local Admin Rights
- Helps keep malware off computers – Our computers can’t differentiate between good and bad software, so the only way to prevent the installation of malware is to prevent installations in general. If a malware infection occurs, the malware generally runs with the same rights as the person who is logged in, which means that malware can be far more damaging if that person has administrative permissions.
- Helps maintain protections that are in place – Administrators have the ability to turn off organizational protections that have been put in place, like your antivirus, firewall, encryption and Group Policy. If the administrative account is running malware, the malware has the ability to do the same thing!
- Keeps computers in compliance with organizational policies – Local admin rights override the protections applied through Group Policy. This means a user with local admin rights (or an attacker masquerading as the user) can create their own local policies or prevent the system from applying Group Policy, effectively invalidating many of the security controls that the organization has put in place.
- Closes vulnerabilities – An annual report from Avecto on Microsoft patch analysis reveals that removing local admin rights mitigates:
  - 85% of all Critical vulnerabilities
  - 99.5% of all Internet Explorer vulnerabilities
  - 82% of all vulnerabilities affecting Microsoft Office
  The statistics are similar for other software programs as well. Fewer vulnerabilities mean fewer opportunities for attackers to compromise your network.
- Helps defend against hackers – Administrative credentials are key targets of attackers looking to penetrate and exploit a network. Local administrator accounts provide enough privilege for attackers to impersonate other logged-on users or run exploit tools locally, which can then be used to gain valuable information to further pivot into a network, escalate privilege and locate sensitive information.
By minimizing the number of local admin accounts, you reduce the opportunities for an attacker to gain sensitive access on your network. For the administrative accounts that remain, make sure you are monitoring the activity related to them. Strong, centralized logging, monitoring and auditing of these credentials can provide early warning that nefarious activity is taking place.
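The two steps above (reduce the local admin group to an approved set, then watch the accounts that remain) can be checked from a single script. The following PowerShell is an added example written for this document, not FRSecure's own tooling; the approved principal names are placeholders, and it assumes an elevated Windows PowerShell 5.1+ session with the Microsoft.PowerShell.LocalAccounts module and "Audit Security Group Management" enabled.

```powershell
# Added example (not FRSecure code): audit the local Administrators group against an
# approved list and surface recent additions from the Security event log.
param(
    # Placeholder approved principals; replace with your own standard.
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins'),
    [int]$LookbackDays = 7,
    [switch]$Enforce   # off by default: report only, never remove
)

# 1. Who holds local admin rights right now?
$members    = Get-LocalGroupMember -Group 'Administrators'
$unapproved = $members | Where-Object { $Approved -notcontains $_.Name }

foreach ($m in $members) {
    $status = if ($Approved -contains $m.Name) { 'approved' } else { 'UNAPPROVED' }
    '{0,-11} {1,-6} {2,-13} {3}' -f $status, $m.ObjectClass, $m.PrincipalSource, $m.Name
}

# 2. Optionally strip unapproved members. Remove-LocalGroupMember supports -WhatIf,
#    so a dry run is: .\audit.ps1 -Enforce -WhatIf
if ($Enforce -and $unapproved) {
    foreach ($u in $unapproved) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $u.Name
    }
}

# 3. Detection: Event ID 4732 = "A member was added to a security-enabled local group".
#    Forward these events to central logging; here we read the local log for the lookback window.
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($field in $x.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
    if ($d.TargetUserName -ne 'Administrators') { continue }

    # 4732 often carries only the SID of the added member; translate it when possible.
    $who = $d.MemberSid
    try {
        $who = (New-Object System.Security.Principal.SecurityIdentifier $d.MemberSid).
                 Translate([System.Security.Principal.NTAccount]).Value
    } catch { }
    '{0:u}  {1}\{2} added {3} to Administrators' -f $e.TimeCreated, $d.SubjectDomainName, $d.SubjectUserName, $who
}
```

Run it across the estate with Invoke-Command -ComputerName and an elevated session; any UNAPPROVED row or unexpected 4732 entry is a candidate for the monitoring and follow-up described above.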
Communicate the Importance of Removing Local Admin Rights
When making a significant change to the network like removing local administrative rights, it is important to communicate with and educate your users on the reasoning behind the change. It’s important that they understand a change in privileges is about protecting them (they can’t defend themselves against attacks they aren’t even aware of!) and not about lack of trust or trying to limit their ability to do their job effectively. Your users are much more likely to support initiatives like this when they understand the reasoning behind it.
See Appendix A: Definitions
Waivers from certain policy provisions may be sought following the FRSecure Waiver Process.
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.