262-299-4606info@srekait.com

Admin By Request

This page explains high-level concepts of Admin By Request. More information can be found at our FAQ page and by reviewing the video at the bottom.

If you have any questions, feel free to contact us using the "Contact" menu.

Concept

The problem most companies are still facing is that users need to be local administrators, typically to install software or to run legacy applications. And to some extent, the local administrator rights are abused for personal reasons. To totally avoid this, you (the IT department) would have to script every piece of software any user may need - or alternatively, you would have to manually install software for all users. Both are extremely time consuming and therefore the pragmatic solution is often to let users be local administrators and hope for the best with User Account Control (UAC). Although UAC along with protective software do prevent most viruses, malware and ransomware from being installed, attacks happen anyway. Here is why. What would your users do, if they see this?

Java update

Java? Yes, I probably need that. All it takes is one user clicking "Yes". Think about that for a minute.

The user is not aware that there has to be a valid certificate from "Oracle America, Inc" for it to be the file they expected, nor can they be expected to know so. The file on the image might very well be Russian malware. This is why you need Admin By Request (ABR). When you install ABR on clients, users are no longer local administrators by default, unless you give them a "window". When a user wants to be administrator, the user has to request such a window from you first. If the user has a legitimate reason, you can approve the access, such as the need to install AutoCAD for a new employee. You do not need to remote the computer to do the actual work and you can always audit that the user actually did just that and only that.

Requesting access

The user will see an icon in the system tray, which is green, when the user is not administrator. If the user needs to be administrator, the user would have to right-click to request permission. User interfaces and email communications are automatically localized from English to German, Danish, Spanish and French. More languages will added in the future.

Request Admin rights


When the user does this, two things can happen. Under "My Account" on this web site, you decide, if you always allow administrator access without pre-approval. This is also called Audit Only and can still make sense, because the user is still under full audit. In this mode, the user now becomes administrator under audit (see further down). You can also decide that you must approve each request for administrative access. This is called Admin By Request mode, hence the product name. In this mode, the user will see this window and will have to send a request to you with a reason for this need.

Request Admin right window

Approving Access in Admin By Request Mode

If you are using Admin By Request mode, you will receive a notification email that a user has requested administrative access. When you click the link in the email on your phone or computer (or select "Pending Approvals" under "My Account"), you will see a list of pending requests, including contact information and computer data. You must then simply click the Approve or Deny button for each request. When you press either button, the user will receive an email with instructions. You can also preapprove a session by locating a computer in the inventory and set a pre-approval token.

Approving access

Administrative Session

Once the request has been accepted by you, the user can start the session - or Audit Only mode is used, in which case the session starts right away. Under "My Account", you can configure how much time the user is administrator. The user will clearly see that he or she is temporary administrator and must be careful.

Request Admin rights approved

When the timer starts, the user has the option to run applications elevated, just as a "real" administrator has. If the user needs to run an application elevated, he or she still has to select "Run as administrator" and enter own credentials.

Run TeamViewer setup as administrator

Once the user either stops the timer or the time runs out, the information will be uploaded to this website, so you can see when the window was started and stopped. You can also see which software was installed during the window and a complete list of administrator usage on any given computerm, which you can export the data to Excel, PDF file or a CSV file, in case someone outside IT needs to audit.

Legacy applications

Some legacy applications require local administrator rights, simply because they were written back in the day, when everything was open and using the same folder for application files and data was the norm. You can make a white-list of applications that will elevate automatically. Refer to the policies page for more information.

Tampering protection

The administrators group will be snapshotted before the session starts and restored after session end. If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of the session. If the user tried to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session.

Offline Computers

A user might need to be administrator offline (meaning without internet connection). In this case, the Admin By Request mode window will always appear - even in Audit Only mode - simply because it's impossible to know, what the current configuration is in your portal account. Once the user is online, the request will be send. If at this time, it is detected that Audit Only mode is used, the user will be auto-approved the same way as if you manually clicked "Approve". You can however force Audit Only mode using OfflineMode and AutoApprove policies.

PIN code

If the need to be administrator is urgent and the user cannot get online for what-ever reason, the user can click the PIN code link on the Admin By Request form. The user has to call you to get this PIN code, which you find in the computer details in the inventory. It's a daily PIN code that is unique for this computer on the day. Once the correct PIN code is entered, the window starts. The PIN code is hashed from the computer name, your license ID and the date. Therefore, the same PIN code can be generated by the client and the portal without connection.

Request Admin rights PIN code

Questions?

Please review the video below and check our FAQ page. If this does not answer your question, please feel free to contact us using the top menu. If you need to purchase a license, please contact us and use the Quote options.