2 Core Rules of Zero Trust with Sami Laiho 

Sami Laiho, a Microsoft MVP in Windows OS and a highly regarded security expert, recently collaborated with Recast Software to host a webinar, “Zero Trust with Sami Laiho.” Sami concisely made his case for Windows security in 2022.  

A brief history of trust

Admin Epoch – 1985–2005 

  • Users run as local admin  
  • Users install their own software  
  • Apps trusted by default 

Non-Admin Epoch – 2005–2025 

  • Users run as standard user 
  • Admins install software 
  • Apps trusted by default 

App Control Epoch – 2025–?

  • Users run as standard user 
  • Admins install software 
  • Apps trusted when trust is earned 

Organizations prioritizing secure environments must follow two core rules of Zero Trust to succeed:  

  1. Implement BitLocker. Most view it as a data encryption tool, but at its core BitLocker protects the integrity of the environment: with the operating system volume encrypted and the key bound to the TPM, the OS cannot be read or tampered with offline.  
  2. Remove admin rights.  
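The two rules are easy to state and easy to drift away from, so the check a practitioner wants is an audit that fails loudly when either one is violated on an endpoint. The script below is an added example, not code from the webinar or from Recast Software. It assumes Windows 10/11 with the BitLocker and Microsoft.PowerShell.LocalAccounts modules available, and it must run from an elevated context (an endpoint-management agent, for instance) because Get-BitLockerVolume requires it; the LAPS account name passed as an allowed administrator is a hypothetical placeholder.

```powershell
# Added audit (not from the webinar or Recast): checks both core rules on the local
# endpoint. Assumes Windows 10/11 with the BitLocker and LocalAccounts modules, run
# elevated (e.g. by a management agent), since Get-BitLockerVolume needs admin rights.
#Requires -RunAsAdministrator

function Test-ZeroTrustCoreRules {
    [CmdletBinding()]
    param(
        # Accounts that are allowed to stay in Administrators, such as a LAPS-managed
        # break-glass account. Anything else in the group is reported as a finding.
        [string[]]$AllowedAdmins = @()
    )

    $result = [ordered]@{
        ComputerName        = $env:COMPUTERNAME
        OsDriveEncrypted    = $false
        BitLockerProtection = 'Unknown'
        TpmProtector        = $false
        UnexpectedAdmins    = @()
        Compliant           = $false
    }

    # Rule 1: the OS volume is fully encrypted, protection is on (a suspended volume
    # reports Off), and at least one key protector is TPM-based, so the disk cannot be
    # read or modified offline without the TPM releasing the key.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $result.OsDriveEncrypted    = ($vol.VolumeStatus -eq 'FullyEncrypted')
    $result.BitLockerProtection = [string]$vol.ProtectionStatus
    $result.TpmProtector        = [bool]($vol.KeyProtector |
                                         Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # Rule 2: nobody except the built-in Administrator (RID 500) and the allow-listed
    # accounts is a member of the local Administrators group. On a domain-joined machine
    # this also surfaces Domain Admins and any nested groups that were never cleaned up.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $result.UnexpectedAdmins = @(
        $members |
            Where-Object {
                -not $_.SID.Value.EndsWith('-500') -and
                ($AllowedAdmins -notcontains $_.Name)
            } |
            ForEach-Object { '{0} ({1}, {2})' -f $_.Name, $_.ObjectClass, $_.PrincipalSource }
    )

    $result.Compliant = $result.OsDriveEncrypted -and
                        $result.BitLockerProtection -eq 'On' -and
                        $result.TpmProtector -and
                        $result.UnexpectedAdmins.Count -eq 0

    [pscustomobject]$result
}

# Usage: print the report and return a non-zero exit code for the management agent.
# "LocalAdminLAPS" is a hypothetical account name; substitute your own break-glass account.
$report = Test-ZeroTrustCoreRules -AllowedAdmins @("$env:COMPUTERNAME\LocalAdminLAPS")
$report | Format-List
if (-not $report.Compliant) { exit 1 }
```

Note that the audit itself needs admin rights, which is exactly the division of labour the two rules call for: the management tooling holds the privilege, the interactive user does not. Run it as a detection script in your endpoint-management platform so a machine that falls out of compliance (BitLocker suspended for a firmware update and never resumed, or a user added back to Administrators by a helpful technician) is flagged rather than silently trusted.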

Sami has worked with dozens of companies to implement Zero Trust principles, and many bristle when he insists that they remove admin rights across the board. The conversation around Zero Trust too often revolves around the negatives. “You can’t do x” and “you must remove admin privileges.” The gains need to move to center stage—they are too significant to ignore.

Benefits of removing admin rights

When you remove admin rights, both the environment and the people in it perform better: help desk tickets fall, reimaging becomes a rare event rather than a routine one, and sysadmins shed a large share of their workload. Some sysadmins insist, “If I don’t have admin rights, I can’t fix my computer.” The reality is that without admin rights they have a much harder time breaking their computer in the first place.  


The conversation and task of removing admin rights often gets personal for some at this point. When resistance arises, Sami reminds both sysadmins and organizational leadership that admin rights are not human rights. During a Zero Trust presentation with over 400 attendees present, one gentleman stood up, clearly disgruntled, and snorted, “You make it sound like we can’t do anything on our computers but work!” Sami grinned and replied, “Yes, that is the purpose of a work computer.” 

No security guarantee in Windows

Windows can’t guarantee security when a user logs on as an admin. The Local Security Authority Subsystem Service (LSASS) was never designed to protect its secrets from someone who already holds admin rights on the machine: an administrator can read credential material straight out of its memory. For organizations, removing local admin rights shrinks the blast radius of a compromise to one user’s assets rather than the whole company’s. It also greatly limits the attack surface for shadow IT and credential theft. 

If security officers still need further convincing, Sami points to recent data that has tilted the scales. He cites 2021 as the first year in which exploitation of vulnerabilities in the environment was the primary initial attack vector, pushing phishing back into second place. He goes further and argues that an organization that removes admin rights and never patches its software is in better shape than one with best-in-class patching that still lets its users run as admin. 

Developers often interject, too, insisting that they cannot work without admin rights. Sami answers with Microsoft’s own documentation, the certification requirements for Windows desktop apps, which require applications to run correctly as a standard user.  

Conclusion 

Sami wrapped up by reminding attendees of the prevalence of ransomware. In 2020, estimates suggest there were 304 million ransomware attacks worldwide with an average cost of $4.44 million to the organization. Importantly, personal stories from security experts who specialize in ransomware attack management suggest that only a tiny fraction of ransomware attacks get reported publicly, despite transparency being the industry best practice. Some estimates suggest only 1-3% of ransomware attacks are publicly reported. 

Watch the full webinar with Sami Laiho here.

Additional Resources

Privileged Access Management (PAM)

PAM and Admin Rights

Recast and Zero Trust

About Sami Laiho 

A Microsoft MVP in Windows OS and Devices for IT, Sami has specialized in getting rid of Admin Rights in companies since 2002. Thus far in 2022, he has assisted in removing 1,000,000 endpoint admin rights within companies globally. For more on Sami, read here.
