Re-evaluating Local Administrative User Rights



  • When re-evaluating whether or not users should be local administrators on their own devices, what are all of the considerations present-day?

    When I say "local admin", I do NOT mean domain admin. I mean a regular user, who has local administrative privileges on only their own device, as in, their user account is a member of the device's local "Administrators" group, nowhere else.

    I do know that back in the Windows XP days, it was definitely more secure to not allow users local administrative privileges, but companies did anyways because of the non-admin limitations. However, in the more modern days, Windows 7 and up, and especially in the Windows 10 era, even when a user is a local admin, they aren't really a local admin until they need to do something "administrative", in which they are prompted... UAC for example.

    If the concern is about malware, well, most malware is just as dangerous in the non-admin user space anyways. Also, the AV should pick up that type of malware / bad apps anyways. Other stuff would run in the user space where local admin wouldn't matter.

    Zero days, for example in these cases, don't matter as the exploit is typically used to gain system privileges regardless of logged on user privileges.

    It seems like restricting users to non-admin privileges causes more inconvenience and service desk overhead than it's actually worth. And, from a security perspective, doesn't really seem like any more of a factor one way over the other.

    If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.

    What other considerations, factors, or concerns are there? If the horse dies, I still want to beat it. I'd like to really examine this technically.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    If the concern is about malware, well, most malware is just as dangerous in the non-admin user space anyways. Also, the AV should pick up that type of malware / bad apps anyways. Other stuff would run in the user space where local admin wouldn't matter.

    Security is multifaceted and Admin rights is merely one facet.
    A/V is another but you can't do without it just because you have no local admins.

    A/V isn't 100%, just as removing admin rights isn't a 100% effective security measure but together they make a really good combo.

    Granted not all malware needs rights to run, especially if it just sits in RAM and is returning info to a C&C server but I'd say that most malware wants to write something to the local PC. Having removed admin rights, you have defeated something that the A/V vendor doesn't yet have a signature for.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    It seems like restricting users to non-admin privileges causes more inconvenience and service desk overhead than it's actually worth. And, from a security perspective, doesn't really seem like any more of a factor one way over the other.

    The scale of security vs convenience is a hard one to get right.
    This is where having a software library for sanctioned applications (not part of the SOE) can be held so users can install themselves. For example, the SCCM Software Center.

    Yeah, there's going to be some initial pain with certain functions not being available but this is where SOME things can be done by members of the Power Users group.



  • @nadnerB said in Re-evaluating Local Administrative User Rights:

    I'd say that most malware wants to write something to the local PC.

    Right, but there are a lot of places on the PC you can write to that do not require local administrative privileges.



  • @nadnerB said in Re-evaluating Local Administrative User Rights:

    Having removed admin rights, you have defeated something that the A/V vendor doesn't yet have a signature for.

    Not necessarily; with UAC, programs run as users in the local Administrators group still run as a standard user and require elevation.
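As an added check (not from the thread or any poster) that makes the UAC point above concrete: the first function reports whether the current logon is a standard user, an Administrators member running with the UAC-filtered token, or an elevated token; the second lists Administrators-group members outside a placeholder allowlist. It assumes Windows 10 / Server 2016+, an English locale for whoami's CSV headers, and the built-in LocalAccounts module.

```powershell
# Added example, not from the thread. Assumes Windows 10 / Server 2016+,
# English locale for whoami's column headers, and the built-in LocalAccounts
# module for Get-LocalGroupMember. The allowlist below is a placeholder.

function Get-AdminTokenState {
    # whoami /groups shows the groups in the *current token*. Under UAC a
    # member of Administrators who has not elevated still carries the
    # Administrators SID, but flagged "Group used for deny only", so it grants
    # nothing: that is the "not really a local admin until prompted" state.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $admin = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }            # BUILTIN\Administrators
    $level = ($rows | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name' # integrity label

    if (-not $admin) {
        $state = 'StandardUser'      # not a member, directly or via nesting
    } elseif ($admin.Attributes -match 'deny only') {
        $state = 'AdminFiltered'     # member, but running with the UAC-filtered token
    } else {
        $state = 'AdminElevated'     # full administrator token (elevated process)
    }

    [pscustomobject]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        State          = $state
        IntegrityLevel = $level
    }
}

function Get-UnexpectedLocalAdmins {
    # Lists members of the local Administrators group that are not on the
    # allowlist, independent of what the current token looks like.
    param(
        [string[]]$Allowed = @('Administrator')   # placeholder; substitute the real allowlist
    )
    # -SID addresses the group by its well-known SID, so a renamed group still resolves.
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Allowed } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

Get-AdminTokenState
Get-UnexpectedLocalAdmins | Format-Table -AutoSize
```

Run it once from a normal console and once from an elevated one to see the same account reported as AdminFiltered and then AdminElevated. Get-LocalGroupMember can throw on orphaned SIDs (deleted domain accounts) on domain-joined machines, which is itself worth cleaning up.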



  • At first glance I was going to say - what, are you crazy - of course we still remove local admin rights, for the same reasons we did before, but perhaps the biggest reason was keeping bad programs at bay, and as you mention, that's barely a thing anymore with zero day flaws, privilege escalation, etc.

    A few reasons to still do it

    1. keep users from installing software not sanctioned by the company/IT - try to keep shadow IT at bay
    2. keep people from removing your management tools

    As for software/viruii that don't require local admin rights, uhuhm - CHROME, rights levels don't matter. As mentioned in the OP, viruii can frequently run as the local user, and wreak plenty of havoc without the need for admin rights. Getting local admin rights likely ensures their ability to become persistent for any user on the computer, but non local admin, they can still easily be persistent for the same user.

    UAC - this is frequently disabled by viruii programs, so that thing is really more of just a hassle for users than a real roadblock for malware.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.

    An ounce of prevention is better than a pound of cure.

    Policies are only good if they're followed, HR & management are only good if they have the balls to do something.
    Chances are that a rogue actor won't care about policies or HR.



  • @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.

    An ounce of prevention is better than a pound of cure.

    Policies are only good if they're followed, HR & management are only good if they have the balls to do something.
    Chances are that a rogue actor won't care about policies or HR.

    Right - but IT shouldn't be doing anything that HR and management aren't standing behind them on.

    I know I hate this thinking/logic as much as most of the next IT pros, but if you really think about it, IT is an extension of the business - it really needs to allow/not allow only the things the business specifically cares about. Getting in the way of the rest just because "we know better" is not a reason to do it.

    I have to remind myself of this on a near daily basis.

    Example - we had users logging into Chrome on shared computers. This really bothered me because they never logged out before walking away. I rolled out a policy on those computers forcing them all into incognito mode, which prevented their ability to log in - of course it also changed the display to black and huge letters of incognito mode... I did inform all the users of the change, but still got push back.

    Then one of the stakeholders told me - remind me to tell you to not install a rollcage in my car - when I told him why the change was done. Basically, he was telling me it wasn't my place to protect him because that was not an onus he or the other stakeholders put on me. He was right of course, and I instantly removed the incognito mode.



  • @Dashrender said in Re-evaluating Local Administrative User Rights:

    At first glance I was going to say - what, are you crazy - of course we still remove local admin rights, for the same reasons we did before, but perhaps the biggest reason was keeping bad programs at bay, and as you mention, that's barely a thing anymore with zero day flaws, privilege escalation, etc.

    A few reasons to still do it

    1. keep users from installing software not sanctioned by the company/IT - try to keep shadow IT at bay
    2. keep people from removing your management tools

    As for software/viruii that don't require local admin rights, uhuhm - CHROME, rights levels don't matter. As mentioned in the OP, viruii can frequently run as the local user, and wreak plenty of havoc without the need for admin rights. Getting local admin rights likely ensures their ability to become persistent for any user on the computer, but non local admin, they can still easily be persistent for the same user.

    UAC - this is frequently disabled by viruii programs, so that thing is really more of just a hassle for users than a real roadblock for malware.

    What I'm getting at, is if the device is actually REALLY any bit safer without the user having local administrative access? I mean, if someone external wants in to a device, is the assigned user not having local administrative access making the device any more secure?

    The concern isn't necessarily about downloading a piece of malware.



  • I can understand an ALL-or-NOTHING approach, but this really is pretty much impossible. All-or-nothing as in 100% of company with zero local administrative user access on all devices.... not even exceptions or not even for a limited amount of time.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    What I'm getting at, is if the device is actually REALLY any bit safer without the user having local administrative access? I mean, if someone external wants in to a device, is the assigned user not having local administrative access making the device any more secure?

    I would answer this and say - yes it is still more secure. If you're a target, then next to nothing is going to protect you. But come on, how many people are actually targets? 0.1% maybe? probably not even that many.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    I'd say that most malware wants to write something to the local PC.

    Right, but there are a lot of places on the PC you can write to that do not require local administrative privileges.

    This is true, but that leaves very few places to write to. Chiefly, the user's profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    I can understand an ALL-or-NOTHING approach, but this really is pretty much impossible. All-or-nothing as in 100% of company with zero local administrative user access on all devices.... not even exceptions or not even for a limited amount of time.

    You're right, a zero exception time - in that case, regarding an AD setup, an admin could accomplish no work as domain admin level rights are needed to do 99% of the work, if not 100%.

    If we remove IT from the pool of people we're talking about - of the 200 or so end users I support over multiple companies, only one requires local admin rights for an application to function. And for that I found an app that allows that single app to run as local admin, not the user. Now yes, someone who knows what they are doing might be able to exploit that app to get local admin privileges, but it's such a backwater 3rd party app that whomever is doing it would specifically be targeting that client and more specifically, that user - and we already agreed that a targeted user stands little chance against a skilled hacker.



  • @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    I'd say that most malware wants to write something to the local PC.

    Right, but there are a lot of places on the PC you can write to that do not require local administrative privileges.

    This is true, but that leaves very few places to write to. Chiefly, the user's profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.

    Frankly, in an admin'ed environment - there is really no reason anything should execute from the user's profile, but then most of the run on demand remote admin tools wouldn't function, but I did start by saying an admin'ed environment, so perhaps in those cases, we'd have to get IT involved for a third party to do a remote control session - think tech support on a software package.



  • @Dashrender said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.

    An ounce of prevention is better than a pound of cure.

    Policies are only good if they're followed, HR & management are only good if they have the balls to do something.
    Chances are that a rogue actor won't care about policies or HR.

    Right - but IT shouldn't be doing anything that HR and management aren't standing behind them on.

    I know I hate this thinking/logic as much as most of the next IT pros, but if you really think about it, IT is an extension of the business - it really needs to allow/not allow only the things the business specifically cares about. Getting in the way of the rest just because "we know better" is not a reason to do it.

    I have to remind myself of this on a near daily basis.

    Example - we had users logging into Chrome on shared computers. This really bothered me because they never logged out before walking away. I rolled out a policy on those computers forcing them all into incognito mode, which prevented their ability to log in - of course it also changed the display to black and huge letters of incognito mode... I did inform all the users of the change, but still got push back.

    Then one of the stakeholders told me - remind me to tell you to not install a rollcage in my car - when I told him why the change was done. Basically, he was telling me it wasn't my place to protect him because that was not an onus he or the other stakeholders put on me. He was right of course, and I instantly removed the incognito mode.

    Always do what your boss wants, sure.
    In my case, we've been given our security requirements from further up the food chain, so our management don't have a choice in the matter.



  • @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Dashrender said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    If it's about users doing something to work around company device management and security software, well then at that point it becomes a matter of company policy, management, and not an IT issue.

    An ounce of prevention is better than a pound of cure.

    Policies are only good if they're followed, HR & management are only good if they have the balls to do something.
    Chances are that a rogue actor won't care about policies or HR.

    Right - but IT shouldn't be doing anything that HR and management aren't standing behind them on.

    I know I hate this thinking/logic as much as most of the next IT pros, but if you really think about it, IT is an extension of the business - it really needs to allow/not allow only the things the business specifically cares about. Getting in the way of the rest just because "we know better" is not a reason to do it.

    I have to remind myself of this on a near daily basis.

    Example - we had users logging into Chrome on shared computers. This really bothered me because they never logged out before walking away. I rolled out a policy on those computers forcing them all into incognito mode, which prevented their ability to log in - of course it also changed the display to black and huge letters of incognito mode... I did inform all the users of the change, but still got push back.

    Then one of the stakeholders told me - remind me to tell you to not install a rollcage in my car - when I told him why the change was done. Basically, he was telling me it wasn't my place to protect him because that was not an onus he or the other stakeholders put on me. He was right of course, and I instantly removed the incognito mode.

    Always do what your boss wants, sure.
    In my case, we've been given our security requirements from further up the food chain, so our management don't have a choice in the matter.

    Weird way of saying it - but you're right - middle management never really does have a choice.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    I can understand an ALL-or-NOTHING approach, but this really is pretty much impossible. All-or-nothing as in 100% of company with zero local administrative user access on all devices.... not even exceptions or not even for a limited amount of time.

    It doesn't have to be.
    Power users, accounts with local admin rights for specific users... it depends on how you/your business want to skin the cat.



  • @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    I'd say that most malware wants to write something to the local PC.

    Right, but there are a lot of places on the PC you can write to that do not require local administrative privileges.

    This is true, but that leaves very few places to write to. Chiefly, the user's profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.

    I read that over 90% of ransomware, for example, does not require local admin rights...



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    I'd say that most malware wants to write something to the local PC.

    Right, but there are a lot of places on the PC you can write to that do not require local administrative privileges.

    This is true, but that leaves very few places to write to. Chiefly, the user's profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.

    I read that over 90% of ransomware, for example, does not require local admin rights...

    Right why would it? Assuming it can just run in user space - so many people/companies just allow full access to everything to their users so the crap just runs and gets what it can...



  • @Dashrender said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    I'd say that most malware wants to write something to the local PC.

    Right, but there are a lot of places on the PC you can write to that do not require local administrative privileges.

    This is true, but that leaves very few places to write to. Chiefly, the user's profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.

    I read that over 90% of ransomware, for example, does not require local admin rights...

    Right why would it? Assuming it can just run in user space - so many people/companies just allow full access to everything to their users so the crap just runs and gets what it can...

    I mean, the worst things that could happen, don't seem to matter if the user has local admin rights anyways.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @nadnerB said in Re-evaluating Local Administrative User Rights:

    I'd say that most malware wants to write something to the local PC.

    Right, but there are a lot of places on the PC you can write to that do not require local administrative privileges.

    This is true, but that leaves very few places to write to. Chiefly, the user's profile. Things executing from there should be heavily scrutinised by the A/V. Whilst not solving the issue, it does provide better protection.

    I read that over 90% of ransomware, for example, does not require local admin rights...

    Yeah, the miscreants are getting smarter.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    When re-evaluating whether or not users should be local administrators on their own devices, what are all of the considerations present-day?

    I stick to... I wouldn't give myself local admin rights, why would I give it to an end user?



  • @scottalanmiller said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    When re-evaluating whether or not users should be local administrators on their own devices, what are all of the considerations present-day?

    I stick to... I wouldn't give myself local admin rights, why would I give it to an end user?

    Is your device safer without your login having local administrative privileges? Why or why not?



  • @scottalanmiller Basically, with zero cases of local admin privileges, no exceptions... then yes I am on board there. But this isn't always and can't always be the case. So here we are.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @scottalanmiller said in Re-evaluating Local Administrative User Rights:

    @Obsolesce said in Re-evaluating Local Administrative User Rights:

    When re-evaluating whether or not users should be local administrators on their own devices, what are all of the considerations present-day?

    I stick to... I wouldn't give myself local admin rights, why would I give it to an end user?

    Is your device safer without your login having local administrative privileges? Why or why not?

    Yes, because I'm not tempted (or tricked) to do admin level tasks while also doing non-admin level tasks. If I'm putting on my IT hat, rather than my user hat (which should be very rare) then I have to do so intentionally and switch users.

    Separating your own roles helps a lot in making your brain aware of what you are doing. Malware can't easily trick me to give it admin privs because I never see those situations while also having admin access.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    @scottalanmiller Basically, with zero cases of local admin privileges, no exceptions... then yes I am on board there. But this isn't always and can't always be the case. So here we are.

    Not sure what you mean from this statement. Obviously local admin happens sometimes in some companies. But...

    1. Just because it happens once somewhere doesn't affect the decision elsewhere. There is no connection because they are "local".
    2. If it is MY business, I fix the underlying problems that create that problem in the first place. No really good excuse for why it would be needed if you are able to look at IT from the CEO/owner's level.


  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    However, in the more modern days, Windows 7 and up, and especially in the Windows 10 era, even when a user is a local admin, they aren't really a local admin until they need to do something "administrative", in which they are prompted... UAC for example.

    The problem there is that that pops up so often that it's no longer meaningful, at all, to normal users (and likely not to IT.)



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    If the concern is about malware, well, most malware is just as dangerous in the non-admin user space anyways.

    Ransomware, yes. But not general malware.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    Also, the AV should pick up that type of malware / bad apps anyways.

    Working as an MSP, this isn't the case all that often. Most malware (that works) consists of trojans and uses the user to bypass the AV. AV is surprisingly useless these days. Not that I recommend not having it, certainly have it. Just don't think that it is providing much protection.



  • @Obsolesce said in Re-evaluating Local Administrative User Rights:

    It seems like restricting users to non-admin privileges causes more inconvenience and service desk overhead than it's actually worth. And, from a security perspective, doesn't really seem like any more of a factor one way over the other.

    This just doesn't match what we see in the real world. At least not as an MSP. If we give users admin privs, we have to charge more, because their machine will be infected or broken easily 1,000% as often. They will install apps and not do so properly, they will get tricked into putting on the wrong apps, they will get loaded with trojans, they will fill their machines with apps that they don't use or know what they are, they will expose themselves unknowingly to all kinds of things (often from emails that depend on tricking them), and they will pirate software willy nilly (often intentionally, but sometimes by accident.) Sometimes users even remove themselves from AD, or more often just break random hooks to apps.

    End user shadow IT is terrible, unless your IT department is a train wreck. In which case, yeah, they might need to work around them (see the thread we had last week.)

