By Sami Laiho, Chief Research Officer at Truesec and Microsoft MVP in Windows and Devices for IT.
The User Manual for NT 3.1, published almost 30 years ago in 1993, explains that the security subsystem of the NT operating system is not built to withstand the use of local admin rights. Admins set the settings, and limited users can’t change them. When it comes to configuration, the model is that admins have write access and limited users have read access—cutting a few corners here, but that’s the basic idea. In reality, there is no security in Windows if you log on as an admin—it’s simply not built to work any other way.
Positives Abound: More than Subtractions
During 2022 I took away more than a million end users’ admin rights. That is how most people phrase it: “taken away.” It sounds quite negative. I see it another way: I have given more than a million users a more secure and better-functioning end-user experience. Most people assume that without admin rights they can’t fix their computers and will have to call the service desk more often. Statistics show the opposite: when end users don’t have admin rights, they can’t break their computers, so they call the service desk less, in fact 75% less. That number makes any PAM solution cheap. Imagine eliminating ¾ of all service desk calls! To validate this data, I have a U.S. customer with more than 30,000 computers. After removing admin rights, they have seen a 65% reduction in reimaging their computers. The ratios are the same for companies of all sizes: if you have 4 computers and 3 keep working all the time, even that pays off.
Removing admin rights keeps Windows working better. I have a very trusted friend who works as a security advisor, and he recently said something that made me proud. A different MVP, new to our program, said in a chat that he was going to buy a Mac because his Windows OS was behaving poorly . . . again. My friend, the security advisor, replied, “Stop logging in as an admin and use a separate admin account on Windows—you don’t need to buy a Mac. You should just do what Sami says.” I could not have been happier. When I stopped using admin rights 22 years ago, it wasn’t because of security. I stopped because I no longer had to reinstall Windows every 6 to 12 months to keep it working well. My computer works better without admin rights. Call me lazy, but I simply don’t like things breaking.
Removing admin rights is also one of the most important security controls. More than half of the vulnerabilities found each year do not work on your computer if you are not an admin. Statistically, it “patches” more than patching does. An attacker needs a compromised endpoint with admin rights to use the tools required to get further into your environment.
Some people, such as developers or IT admins, need admin rights, and I will not make their work more difficult: they get 75% less work, and when they need admin rights, they get them. We just don’t give admin rights to users who primarily read email and browse the web. Those users receive admin rights only temporarily, when an app or task requires them. Sometimes it’s hard to convince these users that restricting admin rights benefits them, especially if the conversation revolves only around security. However, these users also benefit greatly, because limiting admin rights reduces what is written to their disk, so with an SSD the disk lives longer. Their computers’ performance stays better for longer – who wouldn’t want that?
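A practical first step toward the policy above is knowing who actually holds standing local admin rights on a machine. The PowerShell audit below is an added example, not code from the original post or from Truesec or Recast; the allow-list entries (the built-in Administrator account and a placeholder IT admin group) are assumptions to be replaced with your own.

```powershell
# Added example (not from the original post): report members of the local
# Administrators group that are not on an allow-list, and whether the current
# session itself is elevated. Requires Windows PowerShell 5.1+ (LocalAccounts).

# Assumption: only the built-in Administrator account and one dedicated IT
# admin group should keep standing local admin rights. The domain group name
# is a placeholder; adjust both entries for your environment.
$AllowedMembers = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Workstation-Admins'   # placeholder domain group
)

function Test-RunningElevated {
    # True if this PowerShell session has admin rights. A day-to-day shell
    # should report False; only the separate admin account should be elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedMembers)
    # Get-LocalGroupMember returns Name as COMPUTER\account or DOMAIN\account,
    # so the allow-list is compared in that same form.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

# Report only. Removal is a separate, deliberate step, for example:
#   Remove-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\jdoe'
"Session elevated: $(Test-RunningElevated)"
$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    "Accounts with standing local admin rights outside the allow-list:"
    $unexpected | Format-Table -AutoSize
} else {
    "Local Administrators group matches the allow-list."
}
```

On domain-joined machines, Get-LocalGroupMember can fail when the group contains an orphaned SID that no longer resolves; `net localgroup Administrators` is a usable fallback for the listing in that case.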
Removing Admin Rights: A Winning Formula
Remember the most important rule in security: “In Security, don’t let perfect be the enemy of good.” You don’t have to stop using admin rights ever, but do keep their use to a minimum.
Check out Recast’s Privileged Access Management Overview to learn more about removing admin rights, zero trust principles, and hardening your environment.