How to restrict local administrative privileges and still be popular

Author: Jason Fairburn, Co-founder and COO, Devicie

Forrester Research estimates at least 80% of security breaches involve privileged credentials. Indeed, every security professional knows restricting local administrative privileges is among the most powerful mitigation strategies in securing organisational systems. So why is it so hard for organisations to manage this control effectively?

Local administrative privilege has become a prickly subject between IT teams and employees. On the one hand, IT wants to ensure the best security for the organisation, its people and their devices. On the other, employees just want easy access to the applications they need to work productively without a fight. And what’s the quickest way to achieve this? By granting them administrative privileges.

Organisations must follow the principle of least privilege as far as possible, because it underpins one of the most fundamental security defences. What matters is that they do this in a way that does not impede employees’ productivity, and without consuming all of IT’s precious time.

In this blog, I’m going to address the issues I believe lie at the crux of this contentious problem and suggest a way to reduce the angst and improve outcomes for everyone.

Why restricting local administrative privileges is so important

The ASD Essential 8 includes ‘Restrict Administrative Privileges’ as one of its eight security controls because it is a critical step in achieving cyber resilience.

System administrators often hold the most privileged accounts on computer systems, and that concentration of privilege is risky: a malware infection or the hijacking of one of those accounts can be catastrophic. Anyone with an administrative account, whether for operating system activities or business application management, can directly access the system’s configuration and the information within its data stores, and can more easily circumvent other security controls.

Some attackers may use malware, brute force attacks or even credential theft to compromise administrative accounts. And once they’re in, that’s when they can really start to cause havoc. They can disable endpoint antivirus software, install malicious software, encrypt data with cryptolockers or even use the system to access and steal other company resources.

Restricting administrative privileges makes sense. By limiting administrative privileges to only those who need them, and ensuring people have the least privileges required to do their jobs, organisations not only reduce the likelihood of a breach but are also better able to contain one when it occurs.

Why has it been hard to do well?

The principle of least privilege sounds sensible enough, but it has proven hard for many organisations to manage effectively. When somebody gets fewer permissions than they need, they “can’t do their job”. On the flip side, when someone is given too many permissions, it’s a security problem.

Stretched IT teams, faced with a queue of people waiting for support because they lack the permissions to help themselves, decide to give “trusted people” admin rights. But who is a “trusted person” in the eyes of a malicious attacker? And a breach of that trust isn’t always a broken promise; it can just as easily be an accidental oversight.

The reality is most organisations may have occasions when they do need to give local administrative privileges to some people to perform specific tasks. But unless this control is consistently well-managed, it can lead to a lot of heartache and risk for everyone concerned. And that’s when security and productivity are both compromised.

‘Don’t tell me to calm down!’

When I worked as a security and IT consultant, this local admin conversation came up as a major issue on almost every device management, Standard Operating Environment (SOE) or security project. Most people take it very personally when anyone suggests that their local admin should be removed, immediately assuming this reflects a view that they aren’t smart enough to look after the responsibility or that they can’t be trusted.

Managing administrative privileges doesn’t need to be an emotional issue. With the right mix of tools and processes in play and a bit of automation in the mix, administrative privileges can become business as usual, where employees can access the applications they need to do their job securely and productively.

Where there’s automation, there’s a way

Managing local administrative privileges is a great example of a security control that comes undone when left solely to humans. As humans, we are prone to errors in judgement. It is near impossible to make the right decision in each case, and even harder to apply it consistently.

The real opportunity lies in managing local administrative privileges as part of a modern device security strategy that embraces agentless, cloud-native automation. Approached this way, organisations can meet security and employee needs, and emotionally-driven conversations about the ‘A’ word can become a relic of the past.

What does best practice look like?

I say this as a passionate security evangelist: Any security control that damages the viability of a business is a terrible security control and should never be applied.

When considering a security control, every organisation needs to weigh up its requirements: the level of risk it can accept, the needs of the business and how best to manage the control.

Take a high-risk business, such as a financial institution where users have access to very sensitive data, such as credit card information. In this case, it stands to reason that the organisation is strict about removing administrative privileges from every person who has access to those systems. It makes perfect sense in the context of their regulatory requirements and their risk profile.

For many other organisations, however, where the risk and compliance requirements are not so clear cut, it is often harder to agree on what best practice is.

There are lots of ways organisations can manage this, and although every individual use case might be unique, the challenge is ultimately very similar in every organisation. We have seen it hundreds of times. Take the following examples:

“Our developers need to experiment with different tool sets”

“Our IT team needs to set up a proof of concept”

“Our consultant needs to download something while on a client site on a weekend”

“Our PhD students need to try different modelling tools”

From an IT or security perspective, these are the same request with slight variations. People may well need local admin access on some occasions. But the framework, the questions asked and the automated security controls used to manage exceptions should be largely the same in every organisation.
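As an added illustration (not Devicie’s code or platform), the PowerShell script below shows what a consistent, automatable check of this kind can look like on a Windows device: it compares the local Administrators group against an approved baseline plus time-bounded, documented exceptions, reports anything unapproved, and only removes members when run with -Remediate. The principal names, ticket reference and expiry date are constructed placeholders; the script relies on the built-in Get-LocalGroupMember and Remove-LocalGroupMember cmdlets (Windows PowerShell 5.1 and later).

```powershell
# Added example (not Devicie's code): audit the local Administrators group on a
# Windows device against an approved baseline plus time-bounded exceptions.
# Report-only by default; pass -Remediate to remove unapproved members
# (combine with -WhatIf to see what would be removed without changing anything).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Principals that may always be local admins (hypothetical names).
    [string[]]$Baseline = @("$env:COMPUTERNAME\Administrator", "CONTOSO\Workstation-Admins"),
    # Time-bounded exceptions: who, why, and when the grant expires (constructed data;
    # the ticket reference and expiry date are placeholders).
    [hashtable[]]$Exceptions = @(
        @{ Member = "CONTOSO\jsmith"; Reason = "PoC build, ticket IT-0000"; Expires = "2099-01-31" }
    ),
    [switch]$Remediate
)

# Build a lookup of approved principals (case-insensitive) with the reason they are approved.
$approved = @{}
foreach ($b in $Baseline) { $approved[$b.ToLower()] = "baseline" }

# Expired exceptions are simply not added, so they fall out automatically.
$today = Get-Date
foreach ($e in $Exceptions) {
    if ([datetime]$e.Expires -ge $today) {
        $approved[$e.Member.ToLower()] = "exception until $($e.Expires): $($e.Reason)"
    }
}

# Enumerate the actual members of the local Administrators group.
$members = Get-LocalGroupMember -Group "Administrators"
$report = foreach ($m in $members) {
    $key = $m.Name.ToLower()
    if ($approved.ContainsKey($key)) {
        $status = "approved ($($approved[$key]))"
    } else {
        $status = "UNAPPROVED"
    }
    [pscustomobject]@{
        Member = $m.Name
        Source = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Status = $status
    }
}

# Always produce the report; it is the evidence trail for the review.
$report | Format-Table -AutoSize

# Remediation is opt-in and honours -WhatIf / -Confirm via ShouldProcess.
if ($Remediate) {
    foreach ($row in ($report | Where-Object Status -eq "UNAPPROVED")) {
        if ($PSCmdlet.ShouldProcess($row.Member, "Remove from local Administrators")) {
            Remove-LocalGroupMember -Group "Administrators" -Member $row.Member
        }
    }
}
```

Run it as-is to get a report, with -Remediate -WhatIf to preview removals, and with -Remediate to act. The exception list is the point of the exercise: a grant that carries a reason and an expiry date can be reviewed and expired automatically, which is what turns one-off “trusted person” decisions into a repeatable control.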

There is no silver bullet for local administrative privilege management; however, Devicie’s automated platform accommodates and assists most scenarios. Once the policy is decided and appropriate controls are set, the platform enables organisations to consistently review and manage local administrator permissions. Most employees won’t ask for them anymore either, because they will have timely access to the applications they need via their company portal. When application management is automated as part of a layered security approach, everyone can be sure the applications they use are secure and updated, and the risk of local admin being mismanaged or hidden is removed.

If you’d like to know more, you can contact me directly or sign up to receive The Devicie Update.

Related resources

Why securing end-user devices is a key part of the Zero Trust journey

Moving to the future state for device security can quickly uplift organisations towards Zero Trust while also facilitating a positive end-user experience. 

Devicie Essential Eight: Capabilities statement

This document outlines how Devicie helps organisations to quickly implement key ASD Essential Eight controls on end-user devices.

How Devicie automates Essential Eight controls on end-user devices

Devicie automates Essential Eight controls on end-user devices, so organisations can ensure security and productivity.