How I Learned to Stop Worrying and Love Zero Trust
The principles of Zero Trust, and companies wanting to move to a Zero Trust model, have become a more common theme within the last couple of years. You hear it everywhere, and whole marketing campaigns have come and gone focused on why Zero Trust is the way to go. But what does Zero Trust actually mean for a SysAdmin in an organization who mostly deals with Windows servers and workstations?
The “Good” Old Days
In the past, we worked with the overall belief that anything inside the corporate firewall was safe and trustworthy. The firewall was built to keep the threats from affecting us as Admins and users. It was easier to give our “trusted” users Local Administrator access and then allow them free rein over the devices on the network. As SysAdmins, we had power over all the devices in our environment, because we were local administrators on them. We could do whatever we wanted, whenever we wanted. As long as we used a nice secure password, we would be fine.
Living in a Zero Trust Paradigm
Of course, we were never actually fine. We weren’t all that secure, and many organizations were breached. Because of this truth, the principle of Zero Trust was born. Zero Trust works differently than this older model: by definition, we don’t trust any device or user to be safe and secure just because it sits behind the firewall or on our local network. Every request for access is verified as if it came from an untrusted network, whether or not it did.
Microsoft defines Zero Trust with three principles.
Three Zero Trust Principles
1. Verify Explicitly
Organizations should always authenticate and authorize based on all available data points, including user identity, device health, service or workload, data classification, and anomalies.
All available information should be used to determine whether a user or computer trying to log in and use company resources really is the user or device it claims to be. In the SysAdmin world, a classic example is when a Microsoft Entra ID login occurs in the United States (where the user generally logs in from), and a few minutes later the same Microsoft Entra ID account attempts to log in from Spain. Nobody can cover that distance in a few minutes, so one of those login attempts is likely illegitimate. Entra ID Protection raises this as an atypical-travel risk detection; the usual caveat is that VPN or proxy egress points and imprecise geo-IP lookups produce false positives, so known corporate egress addresses should be allowlisted before the alert is treated as a compromise.
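To make the “impossible travel” check concrete, here is an added example (not code from the original post or from Recast Software) that evaluates consecutive sign-ins per account and flags any pair whose implied speed exceeds what an airliner could manage. The sign-in events, the account names, the coordinates and the 900 km/h and 50 km thresholds are all constructed assumptions for illustration; in practice the events would come from an exported Entra ID sign-in log, with coordinates supplied by a geo-IP lookup of the source address.

```python
# Added example: impossible-travel check over Entra ID-style sign-in events.
# All sample events, account names and thresholds below are constructed for
# illustration; a real feed would be the exported sign-in log plus geo-IP.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
# Fastest plausible legitimate travel (roughly airliner cruise speed). Tune per organization.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
# Ignore hops shorter than this: geo-IP jitter inside one metro area is not travel.
MIN_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime      # must be timezone-aware
    lat: float
    lon: float
    location: str       # human-readable label for the alert


@dataclass(frozen=True)
class Finding:
    user: str
    earlier: SignIn
    later: SignIn
    distance_km: float
    speed_kmh: float    # float('inf') when both sign-ins share a timestamp


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH,
                      min_distance_km=MIN_DISTANCE_KM):
    """Return a Finding for every consecutive pair of sign-ins by the same
    user whose implied ground speed exceeds max_speed_kmh."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)          # evaluate in chronological order
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue                        # same metro area: not travel
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Identical timestamps from far-apart places are the clearest case of all.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append(Finding(user, prev, cur, dist, speed))
    return findings


def at_utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample: alice is the Seattle-then-Spain case from the text;
# bob is a legitimate three-hour drive from Seattle to Portland.
SAMPLE_EVENTS = [
    SignIn("alice@contoso.example", at_utc(2024, 5, 6, 9, 0), 47.61, -122.33, "Seattle, US"),
    SignIn("alice@contoso.example", at_utc(2024, 5, 6, 9, 7), 40.42, -3.70, "Madrid, ES"),
    SignIn("bob@contoso.example", at_utc(2024, 5, 6, 9, 0), 47.61, -122.33, "Seattle, US"),
    SignIn("bob@contoso.example", at_utc(2024, 5, 6, 12, 0), 45.52, -122.68, "Portland, US"),
]


def report(events=SAMPLE_EVENTS):
    """One alert line per finding, as an analyst would see it."""
    lines = []
    for f in impossible_travel(events):
        minutes = (f.later.when - f.earlier.when).total_seconds() / 60
        lines.append(
            f"{f.user}: {f.earlier.location} -> {f.later.location} "
            f"in {minutes:.0f} min ({f.distance_km:.0f} km, {f.speed_kmh:.0f} km/h)"
        )
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Only alice is flagged: Seattle to Madrid is roughly 8,500 km, which in seven minutes implies a speed in the tens of thousands of km/h, while bob’s 230 km in three hours is an ordinary drive. The minimum-distance filter is what keeps geo-IP noise within one city from paging anyone; the speed threshold, not a fixed “different country” rule, is what lets a genuine overnight flight through.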
2. Use Least-Privileged Access
Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
Organizations should grant access only to the users and devices that need it, and only for as long as they need it. One way to get rid of standing Local Administrator rights is Privileged Access Management (PAM) software, which elevates a user to administrator for a specific task and removes the elevation when the task is complete. Similarly, Intune device compliance policies, combined with Entra Conditional Access, can restrict access to your environment (or to specific resources within it) to devices that meet a defined baseline.
3. Assume Breach
Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
Act as if a breach has already happened. This assumption has some interesting consequences for SysAdmins. Organizations can minimize the blast radius by segmenting their environment so that a compromise in one part (a user workstation where someone reads email and browses the web, for example) cannot reach the credentials and servers that administer the rest of it.
Encryption means drives and devices are always encrypted (BitLocker on Windows) and all communication is protected in transit, so that a stolen laptop or an attacker on the network gets ciphertext rather than data.
Analytics means reports and alerts that notify the team when a device drifts from its secure configuration to a less secure one, for example a drive that is no longer encrypted or a new local administrator account that nobody provisioned.
Change is Hard: Accepting the New Zero Trust Paradigm
Any team or expert who has executed, or attempted to execute, the implementation of Zero Trust policies has heard the same concerns. “If I’m not a local admin on the devices in my environment anymore, how can I fix things? How can I install things? I don’t like this new paradigm!”
Let’s take the questions one at a time.
1. How can I fix things without admin rights?
It definitely makes it more difficult to fix things when you can’t just log in as an administrator with your regular account. However, you can use a Privileged Access Manager that lets you elevate yourself as needed to complete specific tasks. Recast Software’s Privilege Manager will allow a select group of users to elevate themselves on the fly on a select group of computers (or all of them). When the task is complete, the user account is reverted to a normal non-administrative account.
For those of you who are used to using Right Click Tools Community as an administrator on all your devices, your ability to run Right Click Tools actions will change if you aren’t a local admin anymore. Luckily, we have a way for you to run actions against devices even when there are no local admins on the device. With an Enterprise license, all you need to do is install a Recast Management Server (RMS) in your environment and install the Recast Agent on your devices. The RMS then talks directly with the Agent to run actions, and no local administrator account is required.
The Enterprise version of Right Click Tools also has some additional dashboards that give you insight into hard drive encryption rates within your environment, while allowing you to encrypt drives remotely that are not currently encrypted. This way you can prove that your environment is encrypted as expected and can take action if you find any problems.
2. How do I install things?
Installations for users who are not local admins on their devices usually go through Software Center if you have ConfigMgr in your environment, or the Company Portal if you are using Intune. Neither requires local administrator rights, because the management client performs the installation with its own privileges rather than the user’s. Users can install what they need on demand, and SysAdmins can make installations mandatory where required.
If you need to verify that an installation from Software Center in ConfigMgr has succeeded, Recast has a tool for that too. Remote Software Center shows you the status of installations across your environment, lets you initiate installations as needed, and surfaces error codes when an installation has failed. You can also reach Remote Software Center through the Recast Agent, even when no one is a local administrator on the device.
3. I don’t like this new paradigm!
I feel your pain. It’s a different mindset for sure. SysAdmins have to carry out familiar tasks in unfamiliar ways so that the environment keeps working the way it always has.
But the good news is that there are solutions to make your workflow more similar to the way it previously was. Losing local admin on all your devices isn’t as difficult or painful as it was in the past.
Living a Post-Local Administrator Life
The Zero Trust paradigm is here (at least until something else takes its place). Thankfully, with some planning and a few additional tools, we can adjust to this new paradigm and effectively manage and support our endpoints as needed to keep our organizations running smoothly.
Privileged Access Management (PAM)
- Privileged Access Management (PAM) Overview
- Open-Source Privileged Access Management Software: A Solution for You?
- Removing Admin Rights Hardens your Environment
- 2 Core Rules of Zero Trust with Sami Laiho
- The Principle of Least Privilege
- Principle of Least Privilege: #1 Solution for Security