4 Steps to Managing Local Admin Rights

By Nick Cavalancia
28 September, 2017

We’ve always known leaving the local user with admin rights was never a good idea. If your business is still in “break/fix” mode, you may have quite a few users left with admin rights because it’s much easier for you to fix their problems remotely. I completely get that—we’ve all been there. 

But when the reality of risk around both external and internal attacks sets in, you quickly realize that giving out any kind of elevated permissions can have dire consequences. All an external attacker needs is local admin rights to establish a foothold in one of your customer’s environments. The same goes for ransomware—give it admin rights and everything from files up to the BIOS can be affected. While it’s tempting to give out admin rights, you could be asking for trouble.

So, what are some of the ways to manage local admin rights?

First off, the answer is a really big “it depends,” because not every MSP business runs the same. So, for the purposes of this article, I’m going to start with some simple recommendations and then move towards the more taxing (and expensive) ones.

Let’s start with taking away admin rights from the user.

Step 1: Implement Least Privilege

The first step is determining what privileges—beyond those of a local admin—users really need. In nearly every case, none of your users truly needs elevated privileges. So, we begin with ensuring that users have no local admin rights. A simple run of the command net localgroup administrators, and you’ll have yourself a list of anyone with local admin rights. The idea behind least privilege is to assign each user as little privilege as possible. So, instead of “reaching high” on this one, “go for low.”
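To turn that one-off listing into a repeatable check, here is an added example (not from the original article) that compares the local Administrators group against an allowlist. The allowlist entries, including the CONTOSO domain name, are placeholders to replace with your own policy.

```powershell
# Added example: audit local Administrators membership against an allowlist.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Hypothetical allowlist; replace with the principals your policy permits.
$Approved = @(
    'CONTOSO\Domain Admins'      # placeholder domain group
)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
# lookup also works on non-English Windows where the group is renamed.
$report = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
    # RID 500 identifies the built-in Administrator even if it was renamed.
    $isBuiltIn = $_.SID.Value -like 'S-1-5-21-*-500'
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $_.Name
        Type     = $_.ObjectClass        # User or Group
        Source   = $_.PrincipalSource    # Local, ActiveDirectory, ...
        BuiltIn  = $isBuiltIn
        Approved = $isBuiltIn -or ($Approved -contains $_.Name)
    }
}

# Full membership first, then only the entries that need attention.
$report | Sort-Object Approved, Member | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unapproved member(s) of local Administrators on {1}" -f
        $unexpected.Count, $env:COMPUTERNAME)
    $unexpected | Select-Object Member, Type, Source
}
```

Run from an elevated session or through your RMM agent; treating the built-in Administrator as approved is an assumption of this example, not a recommendation from the article.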

Step 2: Implement User Account Control

If you want to allow users to make certain OS changes, the best way to facilitate this from a security perspective is to separate out a user’s “regular” user account (for use when they are surfing the web, running Office apps, etc.) and give them a separate local admin account for when they need to make changes to the OS. Configure UAC to prompt for credentials when an operation requires elevated privileges—that way, they aren’t using elevated privileges all the time, and they need to authenticate as the admin for changes that could impact the OS to be made.
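A read-only check of the UAC policy values behind this step, as an added example that is not part of the original article. The expected values reflect the article's "prompt for credentials" setup; requiring the secure desktop is an extra assumption of this example.

```powershell
# Added example: report whether UAC is set to prompt standard users for
# credentials. Reads the registry only; it changes nothing.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Acceptable values per setting.
$expected = [ordered]@{
    EnableLUA                 = @(1)     # 1 = UAC enabled
    ConsentPromptBehaviorUser = @(1, 3)  # 1/3 = prompt for credentials; 0 = auto-deny
    PromptOnSecureDesktop     = @(1)     # assumption: require the secure desktop
}

$result = foreach ($name in $expected.Keys) {
    $value = $uac.$name                  # $null when the value is not set
    [pscustomobject]@{
        Setting   = $name
        Value     = $(if ($null -eq $value) { '(not set)' } else { $value })
        Compliant = ($null -ne $value) -and ($expected[$name] -contains $value)
    }
}

$result | Format-Table -AutoSize

if (@($result | Where-Object { -not $_.Compliant }).Count -gt 0) {
    Write-Warning "UAC is not configured to prompt for credentials on $env:COMPUTERNAME"
}
```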

Step 3: Implement Privilege Management

UAC is only good for OS changes. Should a user require elevated privileges for a specific application, for example, you’ll need to take things a step further and look for a privilege management solution. These solutions define local policies for who is allowed elevated privileges and when. For example, say a payroll user uses an application that requires local admin rights. A privilege management solution can be configured to have the application run with elevated privileges while the user remains a regular user.

Step 4: Implement Privileged Account Management (PAM)

One of the problems with Least Privilege and UAC is that when local admin accounts are used (regardless of whether the user logs on with the local admin account, uses UAC, etc.) credential artifacts—such as clear text passwords, password hashes, and Kerberos tickets—all remain in memory. Cyberattackers know these artifacts exist and, should they be able to compromise a single local admin account, the credentials can be gathered and then utilized to access further systems within your network.

This is why you may need to look at a PAM solution. While PAM solutions have many features, I want to focus this blog on just two: a password vault and an ability to rotate passwords automatically. Here’s the idea: a user must authenticate into a PAM solution as themselves. They are then given a local admin account’s credentials from the vault to use to either log on with or authenticate via UAC, etc. Once the user is done using the admin account, they check it back into the PAM solution, at which time the password is changed and the local admin account is updated.

This puts the attacker at a severe disadvantage: should they be able to access any credential artifacts, none of them are valid any longer (because the passwords have all been changed by the PAM solution upon check-in).

Putting a Lockdown on Local Admin Rights

Regardless of whether you follow all four steps or not, doing something is better than leaving your users with local admin rights. You can offer each step as an additional tier of service, layering on deeper and deeper levels of security. Based on the needs of the customer and the security service offering tier they’ve signed up for, by following one or more of the steps above, you’ll have a much better handle on both who has local admin rights and how they are used.

 

Nick Cavalancia has over 20 years of enterprise IT experience and is an accomplished executive, consultant, trainer, speaker, and columnist. He has authored, co-authored and contributed to over a dozen books on Windows®, Active Directory®, Exchange™ and other Microsoft® technologies. Nick has also held executive positions at ScriptLogic®, SpectorSoft® and Netwrix® and now focuses on the evangelism of technology solutions.

Follow Nick on Twitter® at @nickcavalancia

 


 

© 2017 SolarWinds MSP UK Ltd. All rights reserved.

 

 
