How to Reduce IT Service Desk Tickets by Removing Endpoint Admin Rights

July 31, 2020


The global health pandemic has forced many companies to change their work-from-home policies. But supporting remote workers increases the burden on the helpdesk as users face issues like authentication problems and exposure to more phishing and malware threats.

Removing administrative privileges from endpoints prevents attacks that rely on admin rights to infect systems. Proactive elimination of excess endpoint privileges is also an effective strategy for protecting against zero-day attacks, which aren't detected by antimalware software. Of course, once infected with malware, PCs suffer from instability, data leakage, and operational issues that lead to increased demand on the helpdesk.

Hackers gain access to critical IT infrastructure through local admin rights

Hackers also leverage admin privileges to gain deeper access to critical IT infrastructure, like Windows Server Active Directory (AD), by compromising sensitive account passwords stored on Windows endpoints. Criminals can lie dormant for long periods of time while they perform reconnaissance on the network, and then disrupt operations or hold data to ransom.

Organizations that have extended Windows Server AD to Azure AD, Microsoft's cloud-based identity management solution, potentially risk compromise in the cloud if synchronization of accounts between the two directory services isn't carefully configured.

Protecting Windows endpoints with standard user accounts

Endpoints with admin rights have long been the de facto configuration in Windows. But changes to the OS design have made it easier for users to work without admin rights and for developers to create apps that are compatible with standard user accounts.

Windows 'Protected Administrators'

User Account Control (UAC) in Windows provides limited protection for user accounts configured with administrator rights. Often mistakenly considered to be a security boundary, UAC was introduced to encourage developers to create applications for Windows that don't require admin rights to run. But UAC isn't a security feature and it can be bypassed.

UAC relies on users to make security decisions about which processes are safe to launch with administrator privileges. Malware writers trick users into launching applications that look genuine. And often, users make poor decisions about what is safe to run. Because of the risks associated with 'Protected Administrators', Microsoft recommends deploying standard user accounts.

Ensuring compatibility and usability without admin rights

Microsoft is adapting Windows to provide a more secure and reliable computing experience for end users. Windows 10 S Mode and Windows 10X both require that hardware and software be installed without privileged access to the operating system. Software and hardware vendors are acting to make sure their products are compatible.

Endpoints without admin rights are more secure and stable. But users will not be able to perform some operations, like installing system-wide software, adding hardware that doesn't have inbox drivers, and changing system-wide Windows settings.

Software and setting deployment

Organizations that want to remove admin rights from Windows 10 Pro, Enterprise, and similar SKUs can use software management solutions to automatically deploy apps and drivers. Legacy apps can be containerized and deployed using modern technologies, like the Microsoft Store and MSIX. If Windows settings need to be managed, use Group Policy or Mobile Device Management (MDM).

Legacy software that can't be packaged for containerization, or where there is no access to the original code, can still be made to run on endpoints without admin rights. The Application Compatibility Toolkit (ACT), which is part of the Windows Software Development Kit (SDK), creates compatibility shims that let such apps run under standard user accounts.

But for complete flexibility, enterprise endpoint privilege management solutions let IT manage the use of admin rights. IT can require users to provide a reason when running a process with admin rights, or set up a challenge/response workflow so that IT must first approve a request for elevated privileges. Elevation is then granted at the application level, not the user level, providing further protection against privilege abuse and misuse.
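Before admin rights can be removed, IT needs to know which principals currently hold them on each endpoint. The following PowerShell script is an added example, not code from the original post or from BeyondTrust; it lists local Administrators group members that are not on an approved list, using the built-in `Get-LocalGroupMember` cmdlet. The approved-list entries (`CONTOSO\...`) are constructed placeholders.

```powershell
# Added example: report local Administrators group members that are not on an
# approved list, so excess endpoint admin rights can be reviewed and removed.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Constructed placeholder allow-list; replace with your own domain groups.
# The built-in local Administrator account is reported as "COMPUTERNAME\Administrator".
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Name is returned as "DOMAIN\account" or "COMPUTER\account"; PrincipalSource
    # distinguishes Local, ActiveDirectory, AzureAD and MicrosoftAccount principals.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$Unapproved = Get-UnapprovedLocalAdmins
if ($Unapproved) {
    Write-Output "Principals holding local admin rights on $env:COMPUTERNAME that are not approved:"
    $Unapproved | Format-Table -AutoSize
    # Removal is a deliberate, separate step once the list has been reviewed:
    #   Remove-LocalGroupMember -Group 'Administrators' -Member '<name>'
} else {
    Write-Output "Only approved principals hold local admin rights on $env:COMPUTERNAME."
}
```

Run it under an account that can read local group membership; deployed via Group Policy or MDM as a scheduled script, the output gives the helpdesk a per-endpoint inventory to work from before standard user accounts are enforced.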

Reducing helpdesk costs

Secure and stable endpoints are key to reducing helpdesk costs. But there must be a balance between endpoint security and usability. In my on-demand webinar Removing Admin Rights to Reduce the Burden on the Helpdesk, join me to learn how endpoint admin rights impact the helpdesk and some ways to ensure users remain productive.

Russell Smith, IT Consultant & Security MVP

Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.

Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.
