Removing admin privileges without compromising productivity

Removing local admin privileges reduces critical vulnerabilities in your company. 

Yes, according to the ACSC Essential Eight, removing local admin privileges is one of the most important things an organisation can do to protect itself from detrimental and costly cyber-attacks. 

While this control is widely documented and accepted, many organisations struggle to remove local admin privileges effectively. 

From a reluctance to accept the importance of least privilege to concerns with impacting productivity and employee satisfaction, there are a plethora of reasons organisations hesitate to remove admin privileges. This has become a battle between IT teams and employees.  

On one side of the ring, you have IT who just wants to ensure the best security for the organisation, its people and their devices. On the other side of the ring are the employees who just want easy access to the applications they need to work productively without a fight.  

And, what’s the quickest way to achieve this? By granting them admin privileges. But, attackers thrive on the misuse of administrative privileges. 

So, what is the solution? 

Organisations must follow the principle of least privilege as much as possible to maintain what is among the most fundamental security defences. What’s important is that they do so in a way that does not impede employees’ productivity, and without consuming all of IT’s precious time. 

In this blog, I will address the issues I believe lie at the crux of this contentious problem and suggest a way to reduce angst and improve outcomes for everyone when removing admin privileges. 

Why restricting local admin privileges is so important 

Misused and unmanaged admin privileges pose a significant risk to a company. In fact, Forrester Research estimates at least 80 per cent of security breaches involve compromised privileged credentials. 

And as such, the ACSC Essential Eight includes ‘Restrict Administrative Privileges’ as one of its eight security controls and a critical step in achieving cyber resilience. 

System administrators often have the most privileged accounts on computer systems, but this is a risky practice. A malware infection or an account hijacking of a user can be catastrophic. Anyone with an administrative account, whether for operating system activities or business application management, can directly access its configuration and the information within its data stores, and more easily circumvent other security controls. 

Some attackers may use malware, brute force attacks or even credential theft to compromise administrative accounts. And, once they’re in, that’s when they can really start to cause havoc.  

They can disable endpoint antivirus software, install malicious software, encrypt data with cryptolockers or even use the system to access and steal other company resources. 

This is why restricting administrative privileges makes sense. By limiting administrative privileges to only those who need it, and ensuring people have the least privileges required to do their jobs, not only do organisations mitigate the risk of a breach, but they’re able to contain it better. 

Why organisations struggle to implement least privilege

The principle of least privilege sounds sensible enough, but it has proven challenging for many organisations to manage effectively.  

When employees have limited access and permissions, they think they “can’t do their job”. On the flip side, when someone is given too many permissions and privileged access, it’s a security problem. 

Stretched IT teams, faced with people waiting for support to manage things without permissions, decide to give “trusted people” admin rights. But who is a “trusted person” in the eyes of a malicious attacker? Not to mention, losing trust isn’t always a broken promise; it can just as easily be an accidental oversight. 

The reality is most organisations may have occasions when they do need to give local admin privileges to some people to perform specific tasks. But, unless this control is consistently well-managed, it can lead to a lot of heartache and risk for everyone concerned.  

And, that’s when security and productivity are both compromised. 

Any security control that damages the viability of a business is a terrible security control and should never be applied. 

I say that as a passionate security evangelist. 

Every organisation needs to weigh up their requirements when considering a security control around the level of risk they can accept, the needs of the business and how best to manage it. 

Managing admin privileges & employee satisfaction 

When I worked as a security and IT consultant, the local admin conversation came up as a major issue on almost every device management, Standard Operating Environment (SOE) or security project.  

Most people take it very personally when anyone suggests that their local admin should be removed. They often feel this reflects a view they can’t be trusted.

Managing admin privileges doesn’t need to be an emotional issue.  

With the right mix of tools and processes in play and a bit of automation in the mix, restricting admin privileges can become business as usual, where employees can access the applications they need to do their job securely and productively. 

Where there’s automation, there’s a way to remove admin privileges 

Managing local administrative privileges is a great example of a security control that comes undone when left solely to humans.  

The real opportunity lies in managing local admin privileges as part of a modern device security strategy that embraces agentless, cloud-native automation, such as Devicie’s automated platform. 

Approached this way, organisations can meet security and employee needs, and emotionally-driven conversations about the ‘A’ word will become a relic of the past. 

For more information, read our guide on how to remove admin privileges.