Local Admin: How To Revoke Without The Revolt!
By Jeff Jones
Privileged Access Management for the masses
You replaced their Simpsons desktop wallpaper with corporate messaging. You blocked them from checking Kim Kardashians Facebook page. Candy Crush got… crushed.
Being the IT professional in charge of your organisations desktop security, your policies are about as popular as an unexpected Windows 10 update. That said, there is a general begrudging acceptance that your dictatorial edicts are probably sensible and for the good of the company. After all, you are merely following Management guidelines: For staff computing practice, productivity trumps personality every time. Right?
After putting it off for years, the task of revoking and properly managing Local Admin rights company wide can be delayed no longer. Failure to complete would almost certainly trigger an embarrassing ‘non-conformity’ in your next security framework audit, resulting in an embarrassing, and expensive, reassessment.
So what’s the hold up?
Well perhaps it’s the negative consequences of revoking Local Admin rights. These are easy to predict. Developers, Designers, Sales & Support will all be up in arms, forming an unlikely union of mass protest. Before you know it, they’ll all be wearing yellow vests to work.
Local Admin right is not a human right!
The problem for you is that this time, you find yourself in unfamiliar territory: the wrong side of the productivity argument.
Without Local Admin rights, staff simply can’t do many of the simple and safe things they need to do, when they need to do them. Install printer drivers at home, set up VPN software late at night from a hotel room, or even install an online meeting software plugin.
To do any of these things would now require immediate (and likely always urgent) involvement from you or your IT staff. The result is an operational drag on the workforce and worse, constant disruption for your already stretched (and likely even more unpopular) IT department.
Such a traumatic arrangement would therefore not last long. Staff would go behind your back to complain to your superiors. Top management would be sympathetic to your intentions but without cold hard facts to add to an executive risk assessment, you’d likely lose the argument, and with that, a chunk of your authority too.
Staff 1 : Geeks 0.
Admin By Request: Rights revocation done RIGHT
Admin By Request is a Privilege Management Solution that is easy to deploy, even easier to use, and requires the tiniest of local system resources to run. However the ingenious functionality is not limited to the technical capabilities we have built into the product. At FastTrack Software, we understand that deployment of the best product in class might not result in a successful implementation, if the ‘socio-political’ aspect of rights removal are not carefully planned.
And so, with Admin By Request, we deliberately put a great deal of thought in to designing our solution to enable IT Departments to perform the ‘humane disposal’ of Local Admin rights.
What does that really mean? It means you get to complete your project, without being reported to the United Nations on a humans rights violation!
Set phasers to stun! (actually, more like ‘none’ than stun)
After downloading the free trial and confirming that Admin By Request does everything you need, you order your subscription, and immediately push the tiny 3MB client MSI out to all staff. Come the morning, you adopt the posture of ‘Doctor Doom’ and observe (with an evil grin) as the mass Local Admin cull begins. Right?
Well, actually … wrong!
The key to a successful Local Admin Rights removal project depends on three factors:
Learning mode (AKA ‘Stealth mode!’)
Rather than an initiate an immediate an humiliating revocation of all Local Admin rights, we recommend a softer approach.
Set up your Admin By Request portal with minimal restrictions for all (no authorisation required) and enable ‘Learning Mode’ which disables the rights revocation ability. Users are simply shown the new and super easy way to get Local Admin rights, either using ‘Run As Administrator’ mode or ‘full session’ local admin. They won’t mind, because it’s easy, and they still get admin. Happy days!
Unknown to them, as the name suggests, Learning Mode is quietly logging every single thing that is getting elevated.
Complaint avoidance by stealth
You may be all seeing and all knowing, but it’s just possible that there are some obscure (but important) applications which certain departments need to run as admin for jobs to be done, that you are not aware of. Learning Mode will show these up in the ‘Learning Mode Collection’, enabling you to consider them for white-listing. When it comes to finally revoke rights, all white-listed apps will get automatic elevation. This means no cause for complaint, no loss of productivity, and no egg on face for you.
Evidence of risk / compliance breach
For me, as an ex IT Manager, this is the killer. At the end of your Learning Mode period, you would not only have identified the use of ‘safe approved apps’ for white-listing, but also bad apps, and perhaps some unintentional bad practice too. Accidental elevation of email clients and web browsers, perhaps.
Before you remove rights, you submit this long list of misdemeanours to your superiors who will no doubt recoil in horror and ask you to do something about it. Learning Mode comes off, you tighten things right up. Now any complaints to senior management will receive short thrift. Victory is yours!
Now I know what you are thinking. You mentioned stealth, evidence and flexibility. What’s flexible about this, it sounds down right sneaky and pretty brutal right!?
Bear with me…..
Flexibility in.. delegation
Admin By Request has an extremely powerful ability to granularise settings in to ‘sub setting’ groups.
You would start everyone off at most strict, and as each department head comes to you begging for leniency, you can be gracious and offer compromise. However on one condition: That THEY, the departmental heads themselves, take the responsibility of handling the approvals and denials for their own teams.
This is a win-win for both. Departmental heads get more control, independence and responsibility, whilst IT are no longer burdened with the day to day processing of – let’s face it – generally trivial requests for every day trusted tasks.
Final thought: Forget the human aspect of rights management at your peril!
The takeaway message I would like to leave you with here is this.
Admin By Request not only solves your Local Admin problem, but with our Learning Mode feature, it presents you with a method to achieve this with the minimum of emotional trauma for you, your management, and your staff.
Yes we are all human and we all have rights. Just not Local Admin!