Privileged Access Management
Principle of Least Privilege: The #1 Protection Against Security Threats in Windows
By Sami Laiho, Chief Research Officer at Truesec and Microsoft MVP in Windows and Devices for IT. He has applied the principle of least privilege in customer environments for over 20 years.
For the past 20 years I have worked on one of the longest-lasting security problems inside companies: applying the principle of least privilege. In practice this principle is more concisely known as "getting rid of end users' admin rights." There are many reasons to prioritize implementing least privilege, but the most important one is security.
False Security when Admin Rights are Abundant
If you try to secure a Windows endpoint without removing admin rights, you are fighting against windmills. For instance, if you turn on AppLocker for allow-listing (for many years the security feature most recommended by Gartner), anyone with admin rights can bypass it by simply switching off the service it depends on (Application Identity, AppIDSvc) or by editing the policy away. If your company enforces up-to-date security settings through Group Policy or Microsoft Endpoint Manager MDM policies, a local admin can delete or override them. Every control you deploy to the endpoint runs at the same privilege level as the user who can disable it, so there is no way to secure an endpoint without removing admin rights. On other operating systems, working without administrative privileges has long been normal; on Windows, people still believe that working with the computer is not possible without admin rights.
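Before removing admin rights you need to know who actually holds them on each device, and whether the controls the text says admins can switch off are still in force. The following audit script is an added example, not code from the original article or from Recast Software. It uses only built-in Windows cmdlets (Microsoft.PowerShell.LocalAccounts and CIM, available in Windows PowerShell 5.1 and PowerShell 7 on Windows); the allow-list of approved admin accounts is a placeholder you must replace with your own break-glass or management accounts.

```powershell
# Added audit example (not from the original article): verify the conditions the
# text describes on a single endpoint. Run it in the user's normal session.
# Assumes Windows PowerShell 5.1+ / PowerShell 7 on Windows with the
# Microsoft.PowerShell.LocalAccounts module (ships with Windows 10/11).

# Accounts allowed to remain in the local Administrators group (hypothetical
# allow-list; replace with your break-glass / device-management principals).
$ApprovedAdmins = @('Administrator')

function Test-RunningElevated {
    # True when the current token is a member of BUILTIN\Administrators and that
    # membership is enabled (i.e. the session is running elevated, not filtered by UAC).
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)
    # Members of the local Administrators group whose leaf name is not on the allow-list.
    # Names come back as COMPUTER\user, DOMAIN\group or AzureAD\user; compare the leaf only.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $Approved -notcontains ($_.Name -split '\\')[-1] } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-AppLockerServiceHealthy {
    # AppLocker enforcement depends on the Application Identity service (AppIDSvc).
    # Report whether it is running and not set to Disabled; a local admin can change both.
    $svc = Get-Service -Name 'AppIDSvc' -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'").StartMode
    return ($svc.Status -eq 'Running' -and $startMode -ne 'Disabled')
}

'Current session elevated  : {0}' -f (Test-RunningElevated)
'AppIDSvc running/enabled  : {0}' -f (Test-AppLockerServiceHealthy)

$extra = Get-UnapprovedLocalAdmins -Approved $ApprovedAdmins
if ($extra) {
    'Unapproved members of local Administrators:'
    $extra | Format-Table -AutoSize
} else {
    'No unapproved members of local Administrators.'
}
```

Any principal that the script lists is someone who can stop the Application Identity service or clear the policy, so the AppLocker check only means something once that list is empty. On some builds Get-LocalGroupMember fails on orphaned SIDs in the group; remove those stale entries first (they are themselves a finding), then re-run.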
Zero Day Vulnerabilities Make Admin Rights Dangerous
On average, more than 100 security patches are released per month, and among them are usually a few zero-day vulnerabilities that need mitigating. Removing admin rights mitigates roughly 80% of these vulnerabilities before a single patch is installed, because exploitation of a standard user's session cannot reach system-wide persistence or tampering. Moreover, it mitigates close to all vulnerabilities in browsers and email clients, which remain the most common entry points for malware.
The Center for Internet Security (CIS) ranks the two most important security controls as an up-to-date inventory of hardware assets and an up-to-date inventory of software assets. You simply can't protect what you don't know about. Unfortunately, you say goodbye to "up-to-date" the day a user gets admin rights, because they can install anything at any time. Removing admin rights from end users lets you control your environment: users no longer decide what you need to protect.
Admin Rights Bring Hassle with Them
So far all of these reasons have been security related, and "boring" for some readers. Let's talk about why you should not want to be an admin, not just why we say you can't be one. First, applying the principle of least privilege in my customers' environments has lowered Windows reinstallations by 65%. Computers simply don't need to be repaired as often when least privilege is applied. Removing admin rights lets your computer run faster, for longer, with fewer interruptions to your work. I personally would never go back to using admin rights because my computers work so much better, and I like my computer to be fast. Before 2002 I was one of those people who said, "You should just reinstall Windows every 6 to 12 months, as Windows works better when you format C: occasionally." I haven't reinstalled since removing my own admin rights. Without admin rights you also write far less to your disk, so your SSD lives longer and stays faster.
Beyond these personal reasons to avoid being an admin, the biggest reason for companies is cost: it's so much cheaper. In my projects, ranging in size from 1 endpoint to 550,000 endpoints, we lower the number of service desk tickets by 75% on average. People say, "If I don't have admin rights, I can't fix it." The reality? If you don't have admin rights, you can't break it. The belief that this project creates more work for the helpdesk is simply wrong.
“But I Need Admin Rights Every Now and Then”
There are some cases where a user genuinely needs admin rights for certain apps or tasks to do their job, and solid security measures must not block that work. The second your security hinders productivity you will lose buy-in from users and management. This can be avoided. Here are a few different cases that we need to accommodate:
- A user needs one-time admin rights for something. For example, they need to install a printer at home.
- A user needs to be able to elevate certain apps to admin without third-party approval.
- A user needs to repeatedly perform a task, like changing the time of the computer, changing the IP address, or running a LOB application that doesn’t work without admin rights.
There are different solutions for these cases, all with different prices. I walk into a customer to solve a problem, not to sell products. This means I use different tools from my toolbox and select the correct one for the specific customer.
Privilege Manager by Recast for Managing Admin Rights
Privilege Manager has many benefits at a very low price per endpoint. For one, it solves most of the cases I encounter. Secondly, it works in both on-prem and Azure AD environments, providing simple management of group memberships and a better-than-LAPS solution for mitigating pass-the-hash attacks. Privilege Manager covers the first two cases I described. It can even do so completely offline, which solves the case of installing a printer at home: the user tries to install the printer, receives a challenge code, reads it to the service desk, gets a response code back, and installs the printer. Thanks to the API provided, this can also be integrated into service desk workflows.
Privilege Manager also allows self-elevation, where, for example, a developer can elevate themselves to admin. Unlike standard UAC or RunAs with a separate admin account, this elevates the user without changing their identity. This matters. Many devs suffer when their companies make them use two different accounts: when you run Visual Studio under the admin account and save your project to My Documents, it isn't your documents folder, it's the admin account's. This is the "dual identity" problem.
Conclusion: Principle of Least Privilege
I have not logged on to my personal machines with admin rights for 20 years now. I wouldn’t change back for any price. I simply don’t want my own computer to break, nor do I want to reinstall Windows every year. As a company owner, I don’t want to pay for work that can be avoided, and I want to have happy end users.
Check out Recast Software’s Privileged Access Management Overview to learn more about removing admin rights, zero trust principles, and hardening your environment.