2 Core Rules of Zero Trust with Sami Laiho 

Topics: Privileged Access Management

Sami Laiho, a Microsoft MVP in Windows OS and a highly regarded security expert, recently collaborated with Recast Software to host a webinar, “Zero Trust with Sami Laiho.” Sami concisely made his case for Windows security in 2022.  

A Brief History of Trust

Admin Epoch – 1985–2005 

  • Users run as local admin  
  • Users install their own software  
  • Apps trusted by default 

Non-Admin Epoch – 2005–2025 

  • Users run as standard user 
  • Admins install software 
  • Apps trusted by default 

App Control Epoch – 2025–?

  • Users run as standard user 
  • Admins install software 
  • Apps trusted when trust is earned 

2 Core Rules of Zero Trust

Organizations prioritizing secure environments must follow two core rules of Zero Trust to succeed:  

  1. Implement BitLocker
    • While most view this as a data encryption tool, at its core BitLocker ensures environmental integrity.  
  2. Remove admin rights
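An endpoint audit for the two rules above, added here as an example (it is not code from the webinar or from Recast Software). It assumes a Windows 10/11 or Server 2016+ host, an elevated session, and an allow-list of expected administrators (the `CONTOSO\Domain Admins` entry is a placeholder for your own tiered admin group).

```powershell
# Added audit example (not from the webinar or Recast Software): checks one
# endpoint against the two core rules. Run in an elevated PowerShell session
# on Windows 10/11 or Server 2016+; the allow-list below is an assumption.

# Rule 2 baseline: principals that are expected in the local Administrators
# group. Everything else is reported as a finding. (Assumed values.)
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, should be disabled or LAPS-managed
    'CONTOSO\Domain Admins'              # placeholder: your tiered admin group
)

$findings = [System.Collections.Generic.List[string]]::new()

# Rule 1: BitLocker must fully encrypt the OS volume, protection must be on
# (not suspended), and the volume needs a TPM-based protector plus a
# recovery password that can be escrowed.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add("BitLocker: OS volume status is '$($os.VolumeStatus)', expected FullyEncrypted")
}
if ($os.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker: protection is '$($os.ProtectionStatus)' on $($os.MountPoint)")
}
$protectorTypes = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
if (-not ($protectorTypes | Where-Object { $_ -like 'Tpm*' })) {
    $findings.Add("BitLocker: no TPM-based key protector (found: $($protectorTypes -join ', '))")
}
if ($protectorTypes -notcontains 'RecoveryPassword') {
    $findings.Add("BitLocker: no RecoveryPassword protector, so recovery cannot be escrowed")
}

# Rule 2: the local Administrators group should contain only expected principals.
$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $members) {
    if ($ExpectedAdmins -notcontains $m.Name) {
        $findings.Add("Admin rights: unexpected member '$($m.Name)' ($($m.ObjectClass), source $($m.PrincipalSource))")
    }
}

# Emit one result object so the output can feed a compliance baseline or an
# inventory tool; a non-zero exit code lets a scheduler flag the endpoint.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Compliant    = ($findings.Count -eq 0)
    Findings     = $findings.ToArray()
} | Format-List

if ($findings.Count -gt 0) { exit 1 }
```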

Sami has worked with dozens of companies to implement Zero Trust principles, and many bristle when he insists that they remove admin rights across the board. The conversation around Zero Trust too often revolves around the negatives: “You can’t do x” and “you must remove admin privileges.” The gains need to move to center stage—they are too significant to ignore.

Benefits of Removing Admin Rights

When you remove admin rights, environmental and employee performance improves, help desk tickets fall in number while the need for reimaging minimizes greatly, and sysadmins lighten their load significantly. Some sysadmins insist, “If I don’t have admin rights, I can’t fix my computer.” However, the reality is that if they don’t have admin rights, they have a much harder time breaking their computer.  

The conversation and task of removing admin rights often gets personal for some at this point. When resistance arises, Sami reminds both sysadmins and organizational leadership that admin rights are not human rights. During a Zero Trust presentation with over 400 attendees present, one gentleman stood up, clearly disgruntled, and snorted, “You make it sound like we can’t do anything on our computers but work!” Sami grinned and replied, “Yes, that is the purpose of a work computer.” 

No Security Guarantee in Windows

Windows can’t guarantee security when a user logs on as an admin. The Local Security Authority Subsystem Service (LSASS) in Windows was never built to withstand a user holding admin rights. For organizations, removing local admin rights shifts the risk to losing only one user’s assets rather than the whole company’s. It also greatly limits the attack footprint for shadow IT intrusions and identity theft. 

If Security Officers still need further convincing, Sami points to new data that recently tilted the scales. 2021 was the first year that environmental vulnerabilities were the primary attack vector, while phishing fell back to second place. Additionally, he emphasizes that organizations that remove admin rights and never patch software have more secure environments than organizations with best-in-class patching policies and software in place with admin rights enabled. 

Developers often interject, too, insisting that they cannot work without admin rights. However, Sami points to this documentation from Microsoft, certification requirements for Windows desktop apps, as evidence against this claim.  

The Rules of Zero Trust Prevent Attacks

Sami wrapped up by reminding attendees of the prevalence of ransomware. In 2020, estimates suggest there were 304 million ransomware attacks worldwide with an average cost of $4.44 million to the organization. Importantly, personal stories from security experts who specialize in ransomware attack management suggest that only a tiny fraction of ransomware attacks get reported publicly, despite transparency being the industry best practice. Some estimates suggest only 1-3% of ransomware attacks are publicly reported. 

Watch the full webinar with Sami Laiho here.


Additional Resources

Privileged Access Management (PAM)

Admin Rights

Recast and Zero Trust


About Sami Laiho 

A Microsoft MVP in Windows OS and Devices for IT, Sami has specialized in getting rid of Admin Rights in companies since 2002. Thus far in 2022, he has assisted in removing 1,000,000 endpoint admin rights within companies globally. For more on Sami, read here.
