A single compromised workstation shouldn’t mean your entire network falls. But that’s exactly what happens when attackers use lateral movement to spread from system to system, turning a minor incident into a full breach.
Local admin rights are why this works. Remove them, and you cut off most pathways attackers use to spread.
How Lateral Movement Attacks Work
After gaining access to one machine, attackers don’t stop there. They explore your network, steal credentials, and work toward high-value targets like domain controllers and file servers. The initial breach point is rarely their actual objective.
They leverage legitimate administrative tools like PsExec or PowerShell remoting to execute commands on other systems. Because they’re using the same tooling IT relies on every day, the activity often looks like normal IT operations.
The process repeats on each new system. Harvest credentials, identify the next target, move laterally. Each hop gets them closer to whatever they’re actually after, whether that’s sensitive data, complete network control, or deploying ransomware across your entire infrastructure.
Almost all of these techniques either require local admin rights or become significantly easier when those rights exist.

Why Admin Rights Enable Attacks
When users have permanent administrator privileges, malware inherits those same permissions. This means attackers who compromise a user account can do serious damage.
With admin access, attackers can:
- Dump credentials from memory: Tools like Mimikatz extract passwords and authentication tokens that are also valid on other systems
- Disable security software: Endpoint protection can be turned off or bypassed entirely
- Install persistence mechanisms: Scheduled tasks, registry modifications, and services that survive reboots
- Modify system files: Change configurations and install backdoors that are difficult to detect
- Execute commands on other systems: Use stolen credentials to authenticate and spread laterally
The credential theft piece is particularly dangerous. Once attackers have those credentials, they can authenticate to other systems and repeat the process. This is how a breach on one workstation becomes a breach of dozens or hundreds of machines.
Without admin privileges, attackers hit a wall. They can’t access privileged areas of the operating system, install persistence mechanisms that survive reboots, or dump the credentials they need to move laterally. The breach gets contained to that single system.
This containment gives your incident response team time to detect the intrusion, investigate, and remediate before attackers can spread through your infrastructure.
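One way to give the incident response team that detection time is to look for the fan-out the section above describes: one account authenticating to many hosts over the network within minutes. The script below is an added example written for this page; it is not from the original post and not Admin By Request code. It runs over constructed records modelled on Windows Security Event ID 4624 (successful logon) with LogonType 3 (network logon), which is what SMB, PsExec-style and WinRM connections produce on the target host. Host names, user names, addresses and thresholds are all made up for the example.

```python
"""
Added example (not from the original post, and not Admin By Request code):
a small detector for the fan-out pattern where one account authenticates to
many hosts over the network within minutes.  It runs over constructed records
modelled on Windows Security Event ID 4624 ("An account was successfully
logged on") with LogonType 3 (network logon).
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # LogonType 3 = network logon (SMB, remote service install, WinRM)

# Constructed sample records; hosts, users and addresses are made up.
SAMPLE_EVENTS = [
    # Interactive logon on the user's own workstation (LogonType 2): ignored.
    {"time": "2024-05-01T08:59:10", "event_id": 4624, "logon_type": 2,
     "user": "jsmith", "host": "WS-017", "source_ip": "-"},
    # Helpdesk account doing two remote sessions hours apart: benign.
    {"time": "2024-05-01T09:15:00", "event_id": 4624, "logon_type": 3,
     "user": "svc-helpdesk", "host": "WS-004", "source_ip": "10.0.5.20"},
    {"time": "2024-05-01T14:40:00", "event_id": 4624, "logon_type": 3,
     "user": "svc-helpdesk", "host": "WS-031", "source_ip": "10.0.5.20"},
    # A local admin account reaching four hosts in under five minutes.
    {"time": "2024-05-01T22:01:05", "event_id": 4624, "logon_type": 3,
     "user": "ladmin", "host": "WS-004", "source_ip": "10.0.7.17"},
    {"time": "2024-05-01T22:02:11", "event_id": 4624, "logon_type": 3,
     "user": "ladmin", "host": "WS-009", "source_ip": "10.0.7.17"},
    {"time": "2024-05-01T22:03:48", "event_id": 4624, "logon_type": 3,
     "user": "ladmin", "host": "WS-012", "source_ip": "10.0.7.17"},
    {"time": "2024-05-01T22:05:30", "event_id": 4624, "logon_type": 3,
     "user": "ladmin", "host": "FS-01", "source_ip": "10.0.7.17"},
    # A failed logon (Event ID 4625) is a different signal and is skipped here.
    {"time": "2024-05-01T22:06:00", "event_id": 4625, "logon_type": 3,
     "user": "ladmin", "host": "DC-01", "source_ip": "10.0.7.17"},
]


def _alert_for_burst(user, burst, min_hosts):
    """Turn one burst of network logons into an alert if it spans enough hosts."""
    hosts = sorted({e["host"] for e in burst})
    if len(hosts) < min_hosts:
        return []
    return [{"user": user, "source_ip": burst[0]["source_ip"], "hosts": hosts,
             "first": burst[0]["time"], "last": burst[-1]["time"]}]


def find_fan_out(events, max_gap=timedelta(minutes=10), min_hosts=3):
    """Group each account's successful network logons into bursts (consecutive
    logons no more than max_gap apart) and alert on bursts that reach at least
    min_hosts distinct hosts.  Returns a list of alert dicts."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == NETWORK_LOGON:
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        burst = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            if gap <= max_gap:
                burst.append(cur)
            else:
                alerts.extend(_alert_for_burst(user, burst, min_hosts))
                burst = [cur]
        alerts.extend(_alert_for_burst(user, burst, min_hosts))
    return alerts


if __name__ == "__main__":
    for a in find_fan_out(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['source_ip']} reached {len(a['hosts'])} hosts "
              f"between {a['first']} and {a['last']}: {', '.join(a['hosts'])}")
```

The helpdesk account touches two hosts five hours apart and stays quiet; the `ladmin` account touches four hosts inside five minutes and raises one alert. Tune `max_gap` and `min_hosts` to your own environment, and remember that removing standing admin rights shrinks the set of accounts that can produce this pattern in the first place.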
Solving the Productivity Problem
The reason organizations don’t just immediately remove admin rights is simple: users need to install software, update drivers, configure network settings, and perform other tasks that traditionally require elevated access. Strip away those rights without providing an alternative, and your help desk gets buried in support tickets.
Endpoint Privilege Management (EPM) solves this by letting users elevate specific applications on demand without granting permanent admin rights. Admin By Request’s EPM solution gives users the ability to run approved software with elevated permissions when they need it, while IT maintains complete visibility and control through audit logs and approval workflows.
Here’s what makes this approach better than having permanent admin rights:
- Application-level elevation: Users elevate individual applications, not their entire session. If malware runs, it doesn’t inherit admin rights because the user isn’t an administrator.
- Approval workflows: Unknown or high-risk applications can require IT approval before elevation is granted, catching suspicious requests before attackers can abuse them.
- Complete audit trails: Every elevation gets logged with full details about what was elevated, when, and by whom.
- Temporary access: Even when users get elevated access, it expires. No permanent admin accounts sitting around for attackers to compromise.
This maintains security without sacrificing productivity. Users can still do their jobs. IT maintains control. Attackers lose their most reliable method of spreading through your network.
Getting Started
Deploying EPM and removing admin rights works best as a phased approach rather than a big-bang rollout. The discovery phase is critical. Before revoking anything, you need to understand what users are actually doing with their admin rights. Most EPM solutions include a learning mode that logs elevation activity without blocking anything, giving you data on which applications need pre-approval and where users will need the most support.
A pilot program helps you work out the kinks before going company-wide. Choose a department that’s willing to adapt, implement the solution there, and use what you learn to refine your policies. Pre-approving common applications eliminates most friction since trusted software can elevate automatically without creating support tickets.
The security benefits start immediately, while the adjustment period fades as users get accustomed to requesting elevation when they need it.
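The discovery phase produces a pile of learning-mode records, and the two questions you want answered from them are which applications deserve pre-approval and which users will need the most support. The script below is an added example for this page, not from the original post and not Admin By Request code. The CSV layout (timestamp, user, application, publisher) and the log contents are constructed for the example; a real EPM product exports its own schema, so adjust the column names to match.

```python
"""
Added example (not from the original post, and not Admin By Request code):
turning a learning-mode elevation log into a pre-approval shortlist and a
list of the users who elevate most.  The CSV schema is an assumption made
for this example.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed learning-mode log.  An empty publisher column means the binary
# carried no verifiable signature.
LEARNING_LOG = """\
timestamp,user,application,publisher
2024-05-06T09:02:11,alice,Code.exe,Microsoft Corporation
2024-05-06T09:10:45,bob,Code.exe,Microsoft Corporation
2024-05-06T09:30:00,carol,Docker Desktop Installer.exe,Docker Inc
2024-05-06T10:05:19,alice,Docker Desktop Installer.exe,Docker Inc
2024-05-06T10:22:03,dave,setup_unknown_tool.exe,
2024-05-06T11:00:00,dave,setup_unknown_tool.exe,
2024-05-06T11:15:30,erin,Code.exe,Microsoft Corporation
2024-05-06T13:40:12,bob,regedit.exe,Microsoft Windows
2024-05-06T14:02:55,alice,npm.cmd,
2024-05-06T15:12:07,dave,Code.exe,Microsoft Corporation
"""


def parse_learning_log(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def summarize_by_application(rows):
    """Per application: elevation count, distinct users, and publisher (None if unsigned)."""
    summary = {}
    for row in rows:
        app = summary.setdefault(row["application"],
                                 {"count": 0, "users": set(), "publisher": None})
        app["count"] += 1
        app["users"].add(row["user"])
        if row["publisher"]:
            app["publisher"] = row["publisher"]
    return summary


def recommend(summary, min_users=2):
    """Split applications into pre-approval candidates (signed and used by at
    least min_users people) and everything else, which needs a human look
    before it is allowed to elevate silently.  Both lists are ordered by
    elevation volume so the highest-friction items come first."""
    def by_volume(name):
        return (-summary[name]["count"], name)

    preapprove = sorted((n for n, s in summary.items()
                         if s["publisher"] and len(s["users"]) >= min_users), key=by_volume)
    needs_review = sorted((n for n in summary if n not in preapprove), key=by_volume)
    return preapprove, needs_review


def users_by_elevation_count(rows):
    """Who elevates most: these users feel the change first and need the most support."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["user"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    rows = parse_learning_log(LEARNING_LOG)
    preapprove, review = recommend(summarize_by_application(rows))
    print("Pre-approval candidates:", preapprove)
    print("Needs review before rollout:", review)
    print("Heaviest elevation users:", users_by_elevation_count(rows))
```

On this sample the signed, widely used tools (Code.exe, the Docker installer) come out as pre-approval candidates, the unsigned installer and the single-user items land in the review list, and alice and dave surface as the users to brief first. The signature check matters: a high elevation count alone is not a reason to let a binary elevate silently.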

What About Developers?
Developers will push back hard on losing admin rights. They’ll point to package installations, environment configurations, and build tools that won’t work without elevated access.
They’re not wrong that they need elevated permissions. But they don’t need them sitting there permanently, ready for attackers to abuse the moment a workstation gets compromised.
Most development work doesn’t require full admin sessions. Installing Visual Studio Code, running Docker, or elevating build tools works fine with per-application elevation. The system can pre-approve trusted development tools or use AI to automatically elevate commonly used applications across your organization.
For the rare cases where developers need sustained elevated access (setting up complex build environments, troubleshooting permissions issues), time-limited admin sessions provide that flexibility. Request access, work with elevated privileges for a set period, then drop back to normal. Everything gets logged.
If an attacker compromises a developer machine, they can’t dump credentials or move laterally without admin rights. Even during an active admin session, once time expires, the attacker loses those privileges. No persistent access, no lateral movement.
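The four EPM properties listed under "Solving the Productivity Problem" (application-level elevation, approval workflows, audit trails, temporary access) and the time-limited admin sessions described for developers fit together into one small policy model. The code below is an added example for this page, not from the original post and not Admin By Request's implementation. The pre-approved list, grant durations, method names and the scenario are assumptions chosen to illustrate the behaviour the text describes.

```python
"""
Added example (not from the original post, and not Admin By Request code):
a model of application-level elevation, approval workflows, audit logging
and expiring grants.  Pre-approved set, durations and names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed pre-approval list keyed on (file name, signing publisher).
PREAPPROVED = {
    ("Code.exe", "Microsoft Corporation"),
    ("Docker Desktop Installer.exe", "Docker Inc"),
}
APP_GRANT = timedelta(minutes=15)      # lifetime of a per-application grant (assumed)
SESSION_GRANT = timedelta(minutes=60)  # lifetime of a full admin session (assumed)


@dataclass
class Grant:
    user: str
    scope: str            # "app:<name>" for one application, "session" for all
    expires_at: datetime


class ElevationBroker:
    """Decides elevation requests and tracks active, time-limited grants."""

    def __init__(self, now):
        self.now = now
        self.grants = []
        self.audit = []   # every request and decision, for the audit trail

    def _log(self, **fields):
        self.audit.append({"time": self.now.isoformat(), **fields})

    def request_app(self, user, app, publisher):
        """Application-level elevation: only this binary is elevated, and only
        if it is pre-approved; otherwise the request is parked for IT approval
        and nothing runs elevated in the meantime."""
        if (app, publisher) in PREAPPROVED:
            self.grants.append(Grant(user, f"app:{app}", self.now + APP_GRANT))
            self._log(user=user, app=app, decision="auto-approved")
            return "granted"
        self._log(user=user, app=app, publisher=publisher or "(unsigned)",
                  decision="pending-approval")
        return "pending"

    def approve_app(self, user, app, approver):
        """IT approves a parked request; the grant is still scoped and time-limited."""
        self.grants.append(Grant(user, f"app:{app}", self.now + APP_GRANT))
        self._log(user=user, app=app, approver=approver, decision="approved")

    def request_session(self, user, reason, approver):
        """Time-limited admin session for the rare sustained-access cases."""
        expires = self.now + SESSION_GRANT
        self.grants.append(Grant(user, "session", expires))
        self._log(user=user, reason=reason, approver=approver,
                  decision="session-granted", expires=expires.isoformat())

    def is_elevated(self, user, app):
        """True only while an unexpired grant covers this user and this app."""
        return any(g.user == user and g.expires_at > self.now
                   and g.scope in ("session", f"app:{app}")
                   for g in self.grants)

    def advance(self, delta):
        """Move the broker's clock (stands in for wall-clock time in this example)."""
        self.now += delta


def demo():
    """Walk through the scenarios from the text and return the observations."""
    b = ElevationBroker(datetime(2024, 5, 6, 9, 0))
    r = {}
    # A pre-approved tool elevates without a ticket, but only that binary.
    r["code_request"] = b.request_app("dev1", "Code.exe", "Microsoft Corporation")
    r["code_elevated"] = b.is_elevated("dev1", "Code.exe")
    r["other_binary_elevated"] = b.is_elevated("dev1", "unknown_setup.exe")
    # An unsigned unknown binary waits for approval and gets nothing until then.
    r["unknown_request"] = b.request_app("dev1", "unknown_setup.exe", None)
    r["unknown_before_approval"] = b.is_elevated("dev1", "unknown_setup.exe")
    b.approve_app("dev1", "unknown_setup.exe", approver="it-oncall")
    r["unknown_after_approval"] = b.is_elevated("dev1", "unknown_setup.exe")
    # Sustained work: a one-hour admin session that lapses on its own.
    b.request_session("dev1", "rebuild toolchain", approver="it-oncall")
    r["during_session"] = b.is_elevated("dev1", "anything.exe")
    b.advance(timedelta(minutes=61))
    r["after_session"] = b.is_elevated("dev1", "anything.exe")
    r["code_after_expiry"] = b.is_elevated("dev1", "Code.exe")
    r["audit_events"] = len(b.audit)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in the text: a grant for Code.exe says nothing about any other process running as the same user, an unknown binary gets no elevation until someone approves it, and once the clock passes the session's expiry there is nothing left for a later compromise to reuse. Every decision lands in `audit`, which is what lets IT answer what was elevated, when, and by whom.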
Part of a Broader Strategy
Removing admin rights isn’t the only defense you need, but it’s one of the most effective. Combine it with network segmentation to limit how far attackers can reach even if they do move laterally. Use multi-factor authentication to make stolen credentials less useful. Keep systems patched to close the vulnerabilities attackers exploit for privilege escalation.
Among all these controls, removing admin rights stands out because it stops the majority of lateral movement techniques without requiring expensive hardware or complex configurations. It’s straightforward to implement, doesn’t disrupt operations with the right EPM solution, and delivers immediate security benefits.
The Spread Stops Here
Lateral movement works because attackers abuse the same permissions your users rely on daily. When everyone has admin rights, every compromised credential becomes a potential pathway to your entire network. Removing those rights with proper EPM means users keep the access they need while you eliminate the techniques attackers use to spread.
Start with our free plan for up to 25 endpoints or book a demo to see how Admin By Request EPM works in practice.

