Should We Give Users Local Admin Rights?

A common debate in cyber security is “can a user have admin rights to their machine?”
Personally, I’ve always been on the side of no but recently been I’ve been torn.
Hence why I’m now brain dumping on my blog.

For the past couple of months, during my vendor “engagements”, I’ve been trying to get a sneak peak into how other companies handle the idea. These aren’t just run of the mill companies, I’m talking Microsoft level and each of them answered “yes, my account is admin to my machine”.

When you start to hear “yes” more and more, you start to think that maybe you’ve got it wrong.

Now when I answer “no” it’s because my first thought is that the majority of malware and ransomware based attacks thrive on the user having local admin rights. This is because they need to write to certain directories or inject/modify registry keys. That being said, in some cases these attacks are often twinned with credential-less exploits such as Wannacry and EternalBlue.

This attacks have higher success rates on personal devices as during the setup, your granted admin rights straight away. I doubt most people bother to create a separate account and remove their admin access. When your talking about an enterprise though, you have a lot more to lose.

Here are just some examples of the risks clients and user bring to the environment:

As you can see, granting admin access to the user could result in a spread of malware. This is because clients often have so much freedom inside the network. Simply because we trust our own network by default and the users require firewall rules to be lifted in order to access services.

Think of the recent IE zero day. The exploit could allow remote attackers to run malicious code on the affected system, giving them the same privileges as those of the current user. If the crafted sites is tried to run for a user that didn’t have admin rights, it would fail.

Now there are multiple scenarios where this concept will apply and not having local admin will always appear to be the smarter move…..but is it?

Why are so many big companies happy to grant local admin access to their users?

If you look at the world today, IT has significantly changed. Cloud computing is allowing us to basically start again and challenge the norm. Traditional security and networking models simply don’t work in the new world and the castle and moat that once protected your data center is starting to crack.

Some companies such as Google are starting to look towards newer models such as Zero Trust: https://ctrlaltdel.blog/2019/06/25/exploring-the-zero-trust-model/

Other traditional designs focus on securing the devices. “If we secure our devices and limit what the user can do, we will stay safe”. All this is fine but how sure are you that your users are only using those devices to access your company services/data?

That is why I think that the focus has shifted from endpoint protection to data and Identity management. These two are the new crown jewels and here is why…

For data it’s simple. Its your company data and you obviously want to secure it.
That means applying basic controls around limiting user/network access and having the data encrypted in transit and at rest.

You certainly don’t want to hear that your data is available online. Take the recent capital one breach: https://www.bleepingcomputer.com/news/security/capital-one-data-breach-affects-106-million-people-suspect-arrested/

It’s not just embarrassment, you could also be breaking the law if data is left unsecure and stored without purpose.

Now…….you may be thinking that data is obvious but why is identity management more important that securing your endpoints?

Ask yourself this, can you only access your company data or services from your company device. Are you blocked from accessing services like email and cloud storage on your personal devices?

I’m guessing not. You are most likely free to be on any device but are required to use some form of authentication such as user credentials (With MFA). These credentials are basically your identity. This is how you access your applications, infrastructure and services. That is unless you have extremely strict controls in place and your user are tied to a single device. We live in a world where access anywhere is the norm and securing yours and others identity is crucial.

Long ago, you would have to run a Exchange environment in order to provide email as a service. This service was restricted to your company network. Remote users would have connected via VPN so that they could access their emails. You could exposure it onto the internet but this would come at a risk. One that some companies don’t take. Things slowly moved on and mobile phones requires access forcing you to open up.

Now fast forward to today. Cloud services like O365 help us break free from the chains and allow our users to access their email from anywhere, meaning that the endpoints are no longer static. You can focus all your efforts to lock down your company devices but what if they are accessing their email on their personal phone that you don’t audit or manage.

O365 is just one example and if your start to leverage cloud service the same concept applies. The users will be accessing these services using their identity and this is why it’s important to secure and monitor it.

The cloud movement is not just at enterprise level. Think of your personal phone.
Long ago, you needed to make sure that you backed up all of your contacts and files to an SD card and then transfer them to your new one. Either that or Bluetooth or infrared it across (Good times).

Nowadays all your data is tied to your account and stored in the cloud. Once you login to your new iPhone or Android device, all your synced data starts to pull down. The device itself becomes less relevant and you only apply security controls to protect it during the time your have it. If it is stolen or lost, you can simply wipe it and move on.

I’m not saying don’t spend time securing your devices because definitely do!
What you need to keep in mind though is that your users will have their own phones and laptops and it might be handy for them to have their emails on there. If there are no restraints, they will do it, even if it’s against “written policy”.

Sorry I waffle…

Circling back to the original question. If we are starting to move to an access anywhere policy and our users are moving away from the network, can they start to become admins of their own machines?

Still no, but…. What about if you gave them an admin account (if they need it that is).
Below is a potential design you could run today. There are obviously other vendors out there, I just took some of the top ones from Gartner.

This shows a user who has no location restrictions and only uses their VPN solution once every so often. They may even have an SDP solution which is controlled at the user level and no longer at the network level. Their device can be remotely managed by a UEM solution such as Intune and all of their services and requirements are in the cloud. They have very little visibility or access to the data center as they simply don’t need it.

You may be thinking that you could definitely give the user local admin rights to their machine. I’m starting to think that in this situation, maybe you could but I’m just a stickler for separation.

How about you let them create a local account and grant it local admin rights?
What this does is not only isolate the privilege locally but also breaks any malicious attack that runs ‘as user’. Remember attacks can bypass UAC. What this also means is that it is local only and cannot be used to access or spread malware to other machines.

You may ask, how am I going to support them?

Quite easily actually. The service desk don’t always need admin rights to remotely assist a user. They can get a remote session using multiple tools such as TeamViewer or Windows assist. To go one step further, the user could just share their screen through services like Zoom, WebEx, Skype and Teams.

Still not convinced. Let’s play out a common scenario. The service desk have local admin to all clients in order to “troubleshoot”. What if one day that service desk member gets Phished, logs into a device with a keylogger or even worse, has a terrible password which is guessed during an attack.

“They are separate accounts though”. Still the same issue. What about tools such as Mimikatz. If the account they are using everyday to troubleshoot gets compromised, it could mean big trouble!

Either option has there pros and cons and both work in certain designs/models. With the right user training, either can work and potential improve productivity and security.

If you wanted the separate local account, you may ask, “How would we automate?” Well, here is a simple Powershell script which removes the current user from local admin group and create a new local account: Link

I didn’t add the password complexity to the script as this should be done at policy level. Otherwise, you could just reset it again to Password. Also you may want to tweak and put the code behind a custom application.

“What about LAPS”. Microsoft LAPS is a brilliant free solution. For this post though we are talking about moving the clients away from the network. For LAPS to continuously change the local admin password it needs connectivity. It also gives other users awareness of other clients admin accounts. In the scenario where we are trying to empower our users, this doesn’t work. Still a great tool though and definitely recommended!

To summarize then. If the need for your users to have admin rights to their machine grows, create some isolation, have strong controls in place to protect and manage your identities. Then come up with a policy and train the users before granting access. You will also need to take some kind of inventory.

One thing I am sure on is that your identities and data management will reflect how secure you are in the modern world. Still protect those devices but keep in mind that you don’t manage them all. You do however have the possibility to manage how and where your identities and data are used.