Top three considerations when limiting local administrator rights

Ideally we would always remove administrator rights from all users. But in the real world, we unfortunately must deal with years of technical debt and poor architecture decisions that make the complete elimination of administrator rights difficult (or financially non-viable) for many organizations. So when faced with the task of prioritizing the removal of admin rights from users, where should you start?

There are many things to consider when removing administrator rights, and these won’t apply to everyone (for instance, some organizations are dealing with specific legacy software that requires admin rights). But when working with clients, Rendition Infosec uses these considerations as our top three:

  1. Does this user have access to particularly sensitive information? This is especially important if the data is covered by regulatory compliance requirements.
  2. Is the machine regularly used to surf the Internet or open email from outside the organization? In the incident response cases we work at Rendition, a primary initial entry method used by attackers is malicious email attachments, so this is particularly important.
  3. Is the machine exposed directly to the Internet? Examples might be an email or web server. A surprising number of “power users” (e.g. web admins) have logins with admin rights to Internet-exposed systems.

If the answer to any of these questions is yes, prioritize removing administrative rights from the users who log in there.
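One way to turn the three questions into a work list, as an added example that is not Rendition Infosec's own tooling: join a machine inventory against local Administrators membership and report every admin principal on a machine where any answer is yes. The machine names, accounts and CSV column names are constructed, and listing machines that match more questions first is an assumption beyond the any-yes rule above.

```powershell
# Constructed inventory: one row per machine, answering the three questions.
$inventory = @'
ComputerName,SensitiveData,WebOrEmail,InternetExposed
HR-WS-01,yes,yes,no
WEB-01,no,no,yes
LAB-07,no,no,no
'@ | ConvertFrom-Csv

# Constructed local Administrators membership. On live machines the same
# columns can be collected with: Get-LocalGroupMember -SID 'S-1-5-32-544'
# (S-1-5-32-544 is the well-known SID of the built-in Administrators group).
$localAdmins = @'
ComputerName,Name,ObjectClass
HR-WS-01,CORP\jsmith,User
HR-WS-01,CORP\Helpdesk,Group
WEB-01,CORP\webadmin,User
LAB-07,CORP\labuser,User
'@ | ConvertFrom-Csv

function Get-AdminRemovalPriority {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [object[]] $LocalAdmins
    )
    $rows = foreach ($machine in $Inventory) {
        $reasons = @()
        if ($machine.SensitiveData   -eq 'yes') { $reasons += 'sensitive data' }
        if ($machine.WebOrEmail      -eq 'yes') { $reasons += 'web/email use' }
        if ($machine.InternetExposed -eq 'yes') { $reasons += 'Internet-exposed' }
        if ($reasons.Count -eq 0) { continue }   # no "yes": not prioritized

        # Every principal with local admin on a flagged machine is reported.
        # Groups are kept so their membership can be reviewed as well.
        foreach ($admin in ($LocalAdmins | Where-Object { $_.ComputerName -eq $machine.ComputerName })) {
            [pscustomobject]@{
                ComputerName = $machine.ComputerName
                Principal    = $admin.Name
                ObjectClass  = $admin.ObjectClass
                ReasonCount  = $reasons.Count
                Reasons      = $reasons -join ', '
            }
        }
    }
    # Assumption: machines matching more questions are listed first.
    $rows | Sort-Object -Property ReasonCount -Descending
}

Get-AdminRemovalPriority -Inventory $inventory -LocalAdmins $localAdmins | Format-Table -AutoSize
```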

If your users need special software that requires administrative permissions, consider mitigating your risk by giving the user a second machine. Remove local administrator permissions on the machine that the user logs into for email, web browsing, etc. and then make the other machine (with local admin rights) accessible via remote desktop. This increases costs for the limited number of users who require these permissions, but the cost of a second machine is far less than the cost of an incident response – it’s pretty easy to demonstrate ROI.

If you don’t give your users local admin permissions, then attackers will have to elevate their permissions when they compromise a machine. This activity often makes more noise than the initial exploit itself. Forcing the attacker to make noise to accomplish their goals works hand in hand with network security monitoring and gives you the chance to stop attackers before they embed themselves deep in your network.

As always, don’t hesitate to contact Rendition Infosec for your information security needs.