When Life Gives You Lemons
Local admin rights leave a sour taste in one’s mouth.
They give your end users complete flexibility over their machines, which may sound like a good idea: it means your users can do things like download and run programs, install drivers and manage their account settings, all without needing to ask for assistance from an IT admin.
But ‘complete flexibility’ translates into ‘too much power’.
With local admin rights, your users have the power to:
- Download and execute malicious software, leading to infections that could sweep across your entire network from a single device.
- Make changes to the operating system, resulting in potential unfavourable system and security modifications that can have far-reaching ill effects.
- Access the data of other users on the network, with the ability to create, delete and modify other user accounts. This can lead to data breaches, privacy issues and potential privilege escalation.
It is the end user who often paves the way for attackers and malware within the network – and it’s usually because they have local admin permissions on their computers.
The more end users you have with local admin rights, the larger your attack surface.
To decrease the size of your attack surface, you need to decrease the number of users with local administrator rights in your network.
Zesting Up your Defences
Using a Privileged Access Management (PAM) tool is the ideal way to do this.
PAM manages user access by incorporating the Principle of Least Privilege (POLP) and Just-In-Time Elevation (H), meaning users have only bare minimum privileges required to successfully do their jobs, and privileges are only elevated when and where the situation deems it absolutely necessary.
Not So Easy Peasy
So if we all agree that revoking local admin rights is necessary and should have been done from day one, why then, do most organisations still have the majority of their end users as local admins?
Because the task of revoking admin rights is a rather large, daunting and difficult one – and most PAM tools don’t offer many solutions to make this task much easier.
However, Admin By Request is a PAM solution that takes all of the problems involved with removing local administrator privileges from your end users, and solves them.
It’s as Easy as (Lemon) Pie
Here is a list of the major concerns you may have with revoking end user privileges, and how Admin By Request can help:
1. Loss of productivity for your end users
Your end users argue that they cannot be efficient and productive without local admin rights. If they can’t install and run programs when they need to, how will they get their jobs done?
Admin By Request revokes admin rights so smoothly that your end users will barely notice the change. The power is still in your user’s hands: with Admin By Request’s Run as Administrator method, users can request to use an application with elevated privileges. With the Elevated Session option, users can request a timed session during which they can operate with admin privileges for a certain amount of time. All of these requests are made from the end users device: from the comfort of their office chair. With Admin By Request’s whitelisting option, applications recognised as ‘safe’ are marked as such, and users are free to use them as they please without making a request at all.
2. Re-education and extra training required
Changing how the end user works often results in a need for re-education and extra training for your end users, taking up resources and valuable productivity time. However, re-education and training is only necessary when there is change in how the end user needs to operate.
With Admin By Request, the user continues to work the same way they always have, often simply adding the simple step of requesting to Run as Administrator or have an Elevated Session where necessary. This means no re-education or training is needed and the average end user workday continues as normal.
3. More resources required
Revoking local admin rights usually means your IT department will have to pick up the slack. This is likely to result in a need for more resources in IT to manage the extra work IT admins will need to do once the end user loses their local admin rights and can’t do certain things by themselves that they could before.
With Admin By Request’s elevation methods, your IT admins simply need to approve end user requests for elevated privileges as they come in; or not:
The Require approval option in Admin By Request’s user portal settings can be set to ‘on’ or ‘off’.
This means your IT admins don’t have to approve requests in order for the user to do what they need to do – and your users don’t have to wait for approval from IT admins. Win-win!
4. More support required
Similarly, changes in how the end user operates calls for extra support from support personnel, so you would expect an increase in support demand after local admin rights are revoked – most likely with no extra resources available for the Help Desk to cope with this increased demand.
With Admin By Request, when the change is so miniscule it’s barely noticeable, the need for more support from Help Desk simply isn’t there.
5. Lack of visibility
You may be concerned about a lack of visibility into what a PAM software solution would actually be doing: what are end users using their local admin rights for? System tools? App updates? Legacy applications? If you’re going to manage user access, you at least want to know what, exactly, your users are accessing and why.
Admin By Request recognises that transparency is important. That’s why this solution gives you full visibility of what your end users are using their local admin rights for. With the software’s Learning Mode, you get a full breakdown of what your users are doing before admin rights are revoked. You can see the patterns, trends and outliers, and you can use this data to decide which applications should be whitelisted when the time for revoking comes around. Once admin rights have been revoked, you’ll know who’s doing what because requests for elevation, along for a reason for the request, will appear in real time within the Admin By Request user portal and in the mobile application. On top of that, everything your users do while they are running an application as administrator or having an elevated session is recorded in the auditlog. Visibility = check.
6. Solutions being too complicated
Many PAM solutions take over 9 months to deploy. They involve lots of new back end servers, expensive licenses, IT training and project managers. This means lengthy set up times, costly changes, extra people needing to be involved, and valuable time being spent on re-education rather than work.
Admin By Request is somewhat a rarity: with 90% of customers having the software fully implemented within 3 months, meaning you get a very positive return of investment and a secure IT environment in a short span of time. The reason for this lightning-fast setup is because there is no infrastructure needed and no AD Sync or ADFS required. The installer MSI file itself is a tiny 2.58 megabytes which takes seconds to install, and basic setup within the Admin By Request user portal can be done in minutes.
7. Why make the change when nothing has gone wrong?
You’ve gotten this far without your company burning to the ground, so why stop now? Ambition: In this case, the preference to gamble that nothing goes wrong rather than settle for a PAM solution that doesn’t cover absolutely everything.
Admin By Request is a solution that is both simple and covers everything. It takes one unchecked end user with local admin rights to potentially compromise your entire network – don’t take the risk.
Although it’s easy to be put off by the many PAM solutions out there that are tiresome, expensive and difficult to implement and work with – the right solution really can be easy peasy (as cheesy as that sounds).
Request a free demo of Admin By Request right here, right now, and you’ll be set up and ready to go in the time it takes to… squeeze the lemon