By Andrey Pozhogin, Endpoint product manager at CyberArk.
The idea of removing local admin rights from every single user in your organisation is likely to spark strong reactions. But local admin privileges are like juicy colourful fruit waiting to be picked by threat actors and used to penetrate a network, so give me a chance to explain its importance.
The need – and urgency – to remove powerful privileges from ‘regular’ business users’ endpoints, is considerable. Ordinary users at work don’t need full access to their systems, let alone the ability to execute arbitrary code with elevated privileges. That’s far too dangerous.
The challenge though? These rights still need to be given to a small number of users with very specific business needs.
The support desk, the team responsible for maintaining the infrastructure, the database administrators, and the backup operators. These employees certainly need high-level access to keep a business running smoothly. However, security teams lack the time and resources to manually grant the additional permissions required. Also, they’d need to do it all the time.
This doesn’t mean privileged users have to be local admins. If an account with such permissions falls into the wrong hands, malicious actors can cause irreparable damage, including changing or disabling configurations, accessing and deleting data, as well as encrypting files. Basically, they can access, modify or leak all the company’s secrets.
The bottom line is, with full admin rights, even the most dedicated and well intentioned employee has too much control over an organisation’s digital environment, putting critical data and identity security systems in jeopardy.
Eliminating local admin rights across the board
An attack doesn’t succeed or fail based on gaining admin rights, and attackers may ultimately slip past some endpoint defence-in-depth layers. However, taking steps to remove local admin rights across the board, and enforcing least privilege at the endpoint (and everywhere else), will make it much harder for attackers to achieve their goals.
Removing these rights as an identity security measure is not a radical security measure. However, restricting users to working with standard user accounts has a significant impact on identity security. You might think reducing administrative privileges would create friction for users and make security even more difficult? In reality, not doing so hurts an organisation more than it helps.
A pragmatic approach to identity security
Identity security issues can be solved with a well-rounded endpoint privilege manager. This manager can remove local admin rights and then, based on policies, elevate certain programs or tasks in a transparent manner so prompts aren’t seen by users, and they don’t feel the need to ask IT for assistance. In special cases, the user can request elevation, which can be approved without ever needing to connect to a machine remotely. On the backend, an effective endpoint privilege manager will even integrate with an IT ticketing system for smooth workflows and fast elevations.
Just adopting any endpoint privilege manager isn’t enough either. Organisations need to ensure the solution they adopt is as seamless as possible to integrate with their existing layers of defence. If all users start without admin rights, then systems need to be set up to automatically to elevate end-user privileges, in real-time and with little or no involvement from a helpdesk. But then the next task is to really tailor those elevation policies to the roles that users carry, so that every user or role have just enough privileges for frictionless work and at the same time the attack surface is minimal.
Organisations should also ensure they don’t rely solely on reducing administrative rights for all of their identity security needs. Measures need to be put in place to block ransomware by tightly controlling application permissions based on precise, conditional business rules. With credential and security tokens-based attacks on the rise, they also need to protect against credential and cookie theft as well as web session hijacking by safeguarding credential stores – in browsers, third-party applications or the operating system itself, which helps deter attackers while reducing the attack blast radius.
Removing local admin rights for all users is certainly not a one-and-done job. This is an ongoing process that should focus on improving the user experience by giving the right people and the right apps, the right access to the right resources at the right times. However, this process can be greatly simplified with a tool that provides full visibility and control over privileged actions on endpoints. Only then can it be considered a strong identity security measure that complements other tools as part of a defence-in-depth cyber security strategy.