The global health pandemic has forced many companies to change their work-from-home policies. But supporting remote workers increases the burden on the helpdesk as users face issues like authentication problems and exposure to more phishing and malware threats.
Removing administrative privileges from endpoints prevents attacks that rely on admin rights to infect systems. Proactive elimination of excess endpoint privileges is also an effective strategy for protecting against zero-day attacks, which aren't detected by antimalware software. Of course, once infected with malware, PCs suffer from instability, data leakage, and operational issues that lead to increased demand on the helpdesk.
Hackers gain access to critical IT infrastructure through local admin rights
Hackers also leverage admin privileges to gain deeper access to critical IT infrastructure, like Windows Server Active Directory (AD), by compromising sensitive account passwords stored on Windows endpoints. Criminals can lay dormant for long periods of time while they perform reconnaissance on the network and then disrupt operations or hold data to ransom.
Organizations that have extended Windows Server AD to Azure AD, Microsoft's cloud-based identity management solution, potentially risk compromise in the cloud if synchronization of accounts between the two directory services isn't carefully configured.
Protecting Windows endpoints with standard user accounts
Endpoints with admin rights have long been the de facto configuration in Windows. But changes to the OS design have made it easier for users to work without admin rights and for developers to create apps that are compatible with standard user accounts.
Windows 'Protected Administrators'
User Account Control (UAC) in Windows provides limited protection for user accounts configured with administrator rights. Often mistakenly considered to be a security boundary, UAC was introduced to encourage developers to create applications for Windows that don't require admin rights to run. But UAC isn't a security feature and it can be bypassed.
UAC relies on users to make security decisions about which processes are safe to launch with administrator privileges. Malware writers trick users into launching applications that look genuine. And often, users make poor decisions about what is safe to run. Because of the risks associated with 'Protected Administrators', Microsoft recommends deploying standard user accounts.
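The following PowerShell audit, added here as an example and not part of the original post, shows the two things an administrator would check on an endpoint: whether the current session is a "Protected Administrator" (a member of the local Administrators group running under a UAC-filtered token) and which non-built-in accounts hold local admin rights. It assumes Windows 10 with the built-in LocalAccounts module; the function names are mine.

```powershell
# Added example (not from the original post). Assumes Windows 10 / PowerShell 5.1+.

function Get-EndpointAdminStatus {
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = [Security.Principal.WindowsPrincipal]$identity
    # IsInRole() is only true for an elevated token; a Protected Administrator's
    # normal desktop token returns $false here even though the user is an admin.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists every SID in the token, including the local Administrators
    # group (S-1-5-32-544) when UAC has marked it "Group used for deny only".
    $adminEntry = whoami /groups /fo csv |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [PSCustomObject]@{
        User                 = $identity.Name
        IsAdminMember        = [bool]$adminEntry
        IsElevated           = $isElevated
        # Admin group present but token not elevated: UAC is filtering the token.
        ProtectedAdminToken  = ([bool]$adminEntry -and -not $isElevated)
        AdminGroupAttributes = $adminEntry.Attributes
    }
}

function Get-ExcessLocalAdmins {
    # The built-in Administrator (RID 500) and Domain Admins (RID 512) are expected;
    # every other member is a candidate for removal under a standard-user policy.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID.Value -notmatch '-(500|512)$' } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

Get-EndpointAdminStatus
Get-ExcessLocalAdmins
```

A user account that reports ProtectedAdminToken = True is exactly the configuration the section above warns about; the second function's output is the list to work through when moving the endpoint to standard user accounts.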
Ensuring compatibility and usability without admin rights
Microsoft is adapting Windows to provide a more secure and reliable computing experience for end users. Windows 10 S Mode and Windows 10X both require that hardware and software be installed without privileged access to the operating system. Software and hardware vendors are acting to make sure their products are compatible.
Endpoints without admin rights are more secure and stable. But users will not be able to perform some operations, like installing system-wide software, adding hardware that doesn't have inbox drivers, and changing system-wide Windows settings.
Software and setting deployment
Organizations that want to remove admin rights from Windows 10 Pro, Enterprise, and similar SKUs can use software management solutions to automatically deploy apps and drivers. Legacy apps can be containerized and deployed using modern technologies, like the Microsoft Store and MSIX. If Windows settings need to be managed, use Group Policy or Mobile Device Management (MDM).
Legacy software that can't be packaged for containerization, or where there is no access to the original code, can still be made to run on endpoints without admin rights. The Application Compatibility Toolkit (ACT), which is part of the Windows Software Development Kit (SDK), creates compatibility shims that trick the apps into running under standard user accounts.
But for complete flexibility, enterprise endpoint privilege management solutions let IT manage the use of admin rights. IT can require users to provide a reason when running a process with admin rights, or set up a challenge/response workflow so that IT must first approve a request for elevated privileges. Privileges can then be elevated at the application level rather than the user level, providing further protection against privilege abuse and misuse.
Reducing helpdesk costs
Secure and stable endpoints are key to reducing helpdesk costs. But there must be a balance between endpoint security and usability. In my on-demand webinar Removing Admin Rights to Reduce the Burden on the Helpdesk, join me to learn how endpoint admin rights impact the helpdesk and some ways to ensure users remain productive.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.