Don’t fall victim to Privilege Creep!

October 20, 2017

Don’t let privilege creep be the downfall of a project to secure your company’s IT systems.

What is Privilege Creep?

Despite the work Microsoft has done to make Windows easier to run with standard user access, some Windows features and legacy applications still require administrative privileges. When users experience an issue, the first step that the helpdesk often takes is to grant administrative privileges to check that the problem isn’t caused by a lack of access rights.

Even if the problem turns out not to be caused by standard user permissions, administrative privileges are often deliberately left in place so that the user doesn’t continue to call the helpdesk, or the privileges are simply forgotten and never removed. This phenomenon of moving from standard user privileges to administrative rights is referred to by system administrators as privilege creep.

What are the Reasons for Privilege Creep?

The motives for granting users administrative privileges vary from one environment to another. Some of the most common are:

  • The ability to connect hardware, such as printers and scanners
  • To install new programs or update software
  • Problems associated with legacy applications
  • Access to Windows tasks or features that require administrative privileges
  • Addressing support issues when users take notebooks out of the office
  • Pressure from end users on helpdesk staff

The Consequences of Privilege Creep

While administrative privileges will both solve some issues in the short term and appease users, problems will occur further down the line as a direct result of granting these rights. When users are given administrative-level access to Windows without the assistance of a 3rd-party privilege management solution, the elevated rights cannot be rationally limited to just one task or application. Administrator rights give users, or malicious processes running in the security context of the user, the opportunity to compromise the system and any data processed therein.

Moreover, users can circumvent other controls, such as Group Policy settings, allowing changes to critical system configuration that might render PCs unstable or insecure. Logging in to Windows with administrative privileges also significantly increases the risk that vulnerabilities can be exposed in applications or the operating system, and reduces the overall reliability and stability of Windows, leading to a higher total cost of ownership.

In managed environments where organizations distribute customized Windows images, any configuration work undertaken as part of that process can easily be reversed by administrative users, including the ability to install unlicensed software. It is important to maintain a stable and known configuration to ensure that IT can provide adequate support, comply with regulatory mandates, and secure desktops so that users have a consistent and dependable computing experience.

Avoiding Privilege Creep

  • Understand how privileges are used across your network before admin rights are removed: in the long run, you’ll experience fewer problems with users logging tickets to the helpdesk because they are unable to run applications or complete tasks that require privileged access.
  • Use a third-party privilege management solution to allow granular privilege control. Microsoft’s built-in tools do not allow IT to elevate privileges for end users in a way that enables them to carry out the tasks necessary while still providing a secure computing experience.
  • Don’t forget the notebook users. They’re harder for IT to support because remote access to them is available less often. Do you have the provision to grant your remote users temporary access to a given task or application, without granting full administrative privileges?
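
One way to carry out the first step above, understanding where administrative rights already exist, is to audit each machine's local Administrators group against an approved baseline and look up when each unexpected member was added. The PowerShell below is an added example, not the author's or BeyondTrust's code; the `CONTOSO\...` allowlist entries are placeholders, and the event 4732 lookup assumes an elevated session with "Audit Security Group Management" enabled.

```powershell
# Added example: audit the built-in local Administrators group for privilege creep.
# $ApprovedAdmins is a hypothetical allowlist; replace it with your own baseline.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (assumed baseline entry)
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation-Admins'         # placeholder support group
)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the SID
# avoids depending on the localized group name.
$AdminGroupSid = 'S-1-5-32-544'

function Get-UnapprovedLocalAdmin {
    param([string[]]$Approved)
    Get-LocalGroupMember -SID $AdminGroupSid |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

function Get-AdminGrantEvent {
    # Event 4732: a member was added to a security-enabled local group.
    # Returns nothing if the Security log is unreadable or auditing is off.
    param([int]$Days = 90)
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetSid'] -eq $AdminGroupSid) {
            [pscustomobject]@{
                When      = $_.TimeCreated
                MemberSid = $data['MemberSid']
                GrantedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
    }
}

$grants = @(Get-AdminGrantEvent)
foreach ($member in Get-UnapprovedLocalAdmin -Approved $ApprovedAdmins) {
    $grant = $grants | Where-Object { $_.MemberSid -eq $member.SID.Value } |
        Sort-Object When -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Account   = $member.Name
        Type      = $member.ObjectClass
        GrantedOn = $grant.When        # empty when no matching event is retained
        GrantedBy = $grant.GrantedBy
    }
}
```

Each row is an account holding local administrator rights outside the baseline; an empty `GrantedOn` means the grant is older than the retained Security log or was not audited.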

Be Secure and Flexible

Whilst some users may be able to support themselves when given administrative privileges, this increases the potential for damage and also prevents organizations from meeting the requirements of industry standards or regulatory compliance mandates, demonstrating poor governance. As such, it is always prudent to remove administrative privileges and implement a 3rd-party solution to give standard users the flexibility to perform the tasks required for their everyday duties.

Russell Smith

IT Consultant & Security MVP

Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.

Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.
