Why Remove Local Admin Rights?

With the wider implementation of new 2nd generation anti-virus, advanced UTM firewalls, intrusion detection and response systems, application whitelisting, or other modern security systems Administrators wonder why remove local Admin rights? Is it necessary? Having these tools and systems in place are good ‘defense in depth’ measures but the reality is that your users/employees and the security on their workstations is potentially the weakest link in your security. Employees although typically well intentioned often can’t tell between good and bad software, or of the negative security impact a setting/configuration change will have until it’s too late. The easiest way to prevent installation of most malware, or to configuration changes that create vulnerabilities is to restrict local admin rights or privileges. Regardless of the other systems that you many have in place it is considered a ‘best practice’ to restrict or remove local Admin rights on user workstations and in various compliance scenarios it is required.

As the old saying goes “an ounce of prevention is worth a pound of cure”. Removing local Admin rights will prevent many types of malware and attacks from ever starting in the first place, can minimize the impact of what malicious actors can do, and can make cleaning up a breach easier which is why it is one of the most cost effective security configurations you can implement. Removing local Admin rights and privileges will enhance all your cybersecurity efforts and is one of the best ways to help stop malware and thwart attackers. Some estimates say that having users run with Standard Privileges can help mitigate 94% or more of Microsoft vulnerabilities.

Aside from the concern of an Employee accidentally taking a false step while having Admin privileges is what a malicious actor can do if they are able to compromise one of your user’s login credentials. When your users have Admin privileges potentially any access that is obtained can quickly escalate into a network wide issue. Attackers use native tools in Windows along with local Admin privileges to successfully manipulate local certificate stores to gain trust, bypass other security tools, and ultimately escalate their privileges to gain access to network admin credentials, secured files, data stores, and resources on your network allowing them to carry out any action remotely at will. This not only gives them the ability to gain access but to do so for extended periods of time while remaining undetected with ample opportunity to cover their tracks.

The reality is that users do from time to time need ‘some‘ Admin privileges for installations, updates, ongoing use of  Line of Business (LoB) applications, or other tasks. Having to coordinate getting your users connected with Help Desk to assist is sometimes extremely difficult and often a productivity killer not only for your users but for your technical staff. Unfortunately Windows privileges on the local machine are an “all or nothing” proposition where the user is either configured as a local Admin and basically has unlimited Admin rights and can do anything, or as a standard user where all Admin rights are restricted. With AutoElevate you can fine tune the privileges across all your clients so that users have limited Admin rights or privileges allowing them do actions requiring Admin privileges but only for what is safe, verified, approved, and needed. Using AutoElevate to configure Limited Local Admin Rights allows you to benefit and leverage the protections for standard users already built into Windows but without the inconvenience to you or your users.