Why Remove Local Admin Rights?

Common risks associated with users having unlimited local admin rights

With the wider implementation of 2nd generation anti-virus, advanced UTM firewalls, intrusion detection and response systems, application whitelisting, and other modern security systems, administrators wonder: why remove local Admin rights? Is it necessary? Having these tools and systems in place is a good ‘defense in depth’ measure, but the reality is that your users/employees and the security on their workstations are potentially the weakest link in your security. Employees, although typically well intentioned, often can’t tell good software from bad, or recognize the negative security impact a setting/configuration change will have, until it’s too late. The easiest way to prevent installation of most malware, or configuration changes that create vulnerabilities, is to restrict local Admin rights or privileges. Regardless of the other systems that you may have in place, it is considered a ‘best practice’ to restrict or remove local Admin rights on user workstations, and in various compliance scenarios it is required.

Installation of malicious apps which seem legitimate, fun, or free   

Unknowingly giving a third party access to their machine allowing a foothold to attack the network from the inside

Being tricked into clicking on unsafe website or email links

As the old saying goes, “an ounce of prevention is worth a pound of cure”. Removing local Admin rights will prevent many types of malware and attacks from ever starting in the first place, can minimize the impact of what malicious actors can do, and can make cleaning up a breach easier, which is why it is one of the most cost-effective security configurations you can implement. Removing local Admin rights and privileges will enhance all your cybersecurity efforts and is one of the best ways to help stop malware and thwart attackers. Some estimates say that having users run with Standard Privileges can help mitigate 94% or more of Microsoft vulnerabilities.

Removing Local Admin Rights Will Help Close the Gap On External Threats

Aside from the concern of an employee accidentally taking a false step while having Admin privileges, there is what a malicious actor can do if they are able to compromise one of your users’ login credentials. When your users have Admin privileges, potentially any access that is obtained can quickly escalate into a network-wide issue. Attackers use native tools in Windows along with local Admin privileges to manipulate local certificate stores to gain trust, bypass other security tools, and ultimately escalate their privileges to gain access to network admin credentials, secured files, data stores, and resources on your network, allowing them to carry out any action remotely at will. This not only gives them the ability to gain access but to do so for extended periods of time while remaining undetected, with ample opportunity to cover their tracks.

Nurture the ‘Principle of Least Privilege’ in Your Environment

Don’t fall for the ruse that only disgruntled employees can do damage or that having anti-virus software and a firewall installed is enough security. Enforcing the ‘principle of least privilege’ by not allowing users to have more privilege than what is necessary to do their job is one of the fundamentals of computer security. Removing unlimited local admin rights should be on your ‘short-list’ of items to put into practice immediately. Doing so will drastically reduce the attack surface of your managed environments and will improve efficiency, security, and stability.
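
A first step toward removing unlimited local admin rights is knowing who currently holds them. The following is an added example, not part of the original page and not AutoElevate code: it lists the members of the local Administrators group on a workstation and reports any that are not on an approved list. The account names in $Approved and the function name Get-UnapprovedLocalAdmin are placeholders chosen for illustration.

```powershell
# Added example: report local Administrators members that are not approved.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

# Assumption: accounts expected to keep local admin rights.
# These names are placeholders; replace them with your own.
$Approved = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation-Admins'
)

function Get-UnapprovedLocalAdmin {
    param(
        [string[]]$ApprovedNames = @()
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # Querying by SID avoids problems with localized group names.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    foreach ($m in $members) {
        # The machine's built-in Administrator account is a local account
        # whose SID ends in RID 500; it cannot be removed from the group.
        $isBuiltIn = ($m.PrincipalSource -eq 'Local') -and
                     ($m.SID.Value -match '^S-1-5-21-.+-500$')

        # -contains compares names case-insensitively.
        if ($isBuiltIn -or ($ApprovedNames -contains $m.Name)) { continue }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $m.Name
            ObjectClass = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
            SID         = $m.SID.Value
        }
    }
}

$findings = @(Get-UnapprovedLocalAdmin -ApprovedNames $Approved)
if ($findings.Count -eq 0) {
    'No unapproved local administrators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Every row in the output is an account that would lose unlimited Admin rights under a least-privilege policy, which makes it a useful list to review before changing group membership.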

Effectively Manage Privilege Approval without Jeopardizing Productivity

Lose the worry that you’ll be bombarded with requests or that user productivity will suffer by operating with standard privileges. With AutoElevate, elevated privileges are automated with rules applied globally, per company, by group of computers, or for an individual machine, all in a single click. If you haven’t made a rule for something in advance, don’t worry. The traditional 15-30 minute process of helping a client with privileges is now easily turned into just 30 seconds so that your engineering staff can focus on more critical issues.

Unlimited Local Admin Rights vs. Limited Local Admin Rights

The reality is that users do from time to time need ‘some’ Admin privileges for installations, updates, ongoing use of Line of Business (LoB) applications, or other tasks. Having to coordinate getting your users connected with Help Desk to assist is sometimes extremely difficult and often a productivity killer, not only for your users but for your technical staff. Unfortunately, Windows privileges on the local machine are an “all or nothing” proposition where the user is either configured as a local Admin, basically has unlimited Admin rights and can do anything, or is configured as a standard user where all Admin rights are restricted. With AutoElevate you can fine-tune the privileges across all your clients so that users have limited Admin rights or privileges, allowing them to perform actions requiring Admin privileges but only for what is safe, verified, approved, and needed. Using AutoElevate to configure Limited Local Admin Rights allows you to leverage the protections for standard users already built into Windows, but without the inconvenience to you or your users.