As a computer user, you may have experienced the convenience of having local administrative rights on your Windows or Apple computer. However, this convenience has significant risks that can compromise your organization’s security. In this article, we will discuss in detail the dangers of local admin rights and why it is crucial to remove them.
Granting local admin access to users poses a significant risk to your organization’s security. An attacker who compromises a user account with local admin privileges can carry out various malicious activities that can harm your business. They can disable endpoint antivirus, install malicious software, encrypt data with ransomware, move laterally within your network, and weaponize your system against your organization. These actions can cause irreversible damage to your company’s reputation and finances.
During a recent internal penetration test, a network security team demonstrated how an attacker could leverage an account with local admin privileges to take over a domain. The team compromised a regular user account and password and then used CrackMapExec to determine that the stolen account had local admin rights on two devices on the network. The team could also download local password hashes of local accounts on those devices, which they could pass to other devices to determine their access levels. Of the two devices that the team compromised, one was the client’s Primary Domain Controller. The team effectively gained complete administrative access to all domain resources by accessing this server with the local admin account.
Removing local admin access might not be well-received by users, but it benefits your organization’s security posture. It lowers the risk of malware infections, ensures antivirus and other protections remain active, and reduces an attacker’s ability to exploit vulnerabilities. In addition, removing local admin access can help you comply with various security regulations, such as PCI-DSS, HIPAA (US Only), and GDPR.
While most employees do not need local admin access to perform their daily duties, some users may occasionally require higher privileges to complete tasks. For these situations, creating a separate account with admin-level access is recommended. Employees should only use the privileged account when necessary to complete their work. An alternative to removing local admin privileges outright is to determine which permissions on which folders, executables, and registry keys the legacy software (the software that prevents the organization from removing local admin privileges) actually requires. This can be done with Diskmon from Sysinternals. The user account can then be granted access only to those required items, removing the business need for local admin privileges.
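The two steps above, auditing who still holds local admin and then granting a standard user only the specific folder and registry permissions a legacy application needs, can be scripted. The following PowerShell is an added example written for this article, not code from the original author or from Sysinternals; the allow-list entries, the `CONTOSO\jdoe` user, the `C:\Program Files\LegacyApp` folder and the `HKLM:\SOFTWARE\LegacyApp` key are hypothetical placeholders, and the permissions chosen assume that monitoring showed the application writes only to those two locations.

```powershell
# Added example (not from the original article): audit the local Administrators
# group, then grant a standard user the specific folder and registry permissions a
# legacy app needs instead of leaving the user in Administrators.
# All names and paths below are hypothetical; run in an elevated PowerShell session
# on Windows 10 / Server 2016 or later (Get-LocalGroupMember requires it).

# --- 1. Audit: who currently holds local admin on this machine? ---
# Accounts that are allowed to remain in the group (assumed; adjust per environment).
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally LAPS-managed)
    "CONTOSO\Workstation Admins"         # hypothetical domain group
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Report only; removal is deliberately a separate, explicit step after review.
$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Warning "Accounts in local Administrators that are not on the allow-list:"
    $unexpected | Format-Table -AutoSize
}
# To remove a flagged account once reviewed:
# Remove-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\jdoe'

# --- 2. Least privilege for a legacy application ---
$User      = 'CONTOSO\jdoe'                 # hypothetical standard (non-admin) user
$AppFolder = 'C:\Program Files\LegacyApp'   # hypothetical install folder
$AppRegKey = 'HKLM:\SOFTWARE\LegacyApp'     # hypothetical registry key

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Modify (read/write/delete within the folder), inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryFullControl {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Full control on this key and its subkeys only, nothing elsewhere in HKLM.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-FolderModify        -Path $AppFolder -Identity $User
Grant-RegistryFullControl -Path $AppRegKey -Identity $User

# Verify: the user should now appear on exactly these two ACLs.
(Get-Acl $AppFolder).Access | Where-Object { $_.IdentityReference.Value -eq $User }
(Get-Acl $AppRegKey).Access | Where-Object { $_.IdentityReference.Value -eq $User }
```

The audit function only reports; removal is left as a commented, explicit command so that a reviewed allow-list, not the script, decides who loses membership. The two grant functions scope the rights to one folder tree and one registry key, which is the point of the approach: the user keeps a standard account and the application keeps working.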
Granting users local admin access was a common practice in the past. However, modern security threats require IT professionals to move beyond the mindset of “this is how we’ve always done it.” The risks associated with local admin access far outweigh the benefit of convenience. Removing local admin access from your users is crucial before hackers take advantage of this unsafe, outdated practice. Doing so can protect your organization from potential attacks and ensure compliance with security regulations.
In conclusion, local admin access significantly threatens your organization’s security. As a computer user, it is crucial to be aware of the risks and take necessary steps to mitigate them. Removing local admin access, customizing user accounts to have admin access only to required items, and creating separate accounts for particular circumstances are effective ways to protect your organization from potential attacks.