Ensuring desktops are secure is a priority for nearly all companies. This is fueled by an increased recognition of the threat unsecured desktops pose, as well as a need to meet compliance regulations. However, most companies have struggled to implement security solutions that truly protect desktops from the myriad threats they face today. Removing administrator rights from end users when they log into their desktop is the Holy Grail of desktop security. Implementing this level of security has been difficult because ordinary activities an end user needs to do for their job, such as running certain applications, performing authorized installations, or managing certain desktop settings, require administrative privileges. These limitations have caused many organizations to continue to allow users to run with local admin privileges.

The good news is that the technologies exist to eliminate the need for end users to have administrative privileges on their desktop to perform their job tasks. This paper presents the benefits of removing administrator privileges from end users, the combination of technologies needed for effective implementation of this level of security, and how best to remove local admin privileges while maintaining the users’ access to all applications.

Introduction

Everyone knows the story about corporate desktop security. If you ask 100 different companies about their end user desktop security, you will find that over half don’t have any security beyond the ubiquitous and all-too-ineffective firewall and antivirus software. While three-quarters of the companies are actively trying to improve their desktop security, they feel as if they don’t have a viable solution. This is how it has been for a long time in corporate America.

Unfortunately, it is still the same story in corporate America today. For many people searching for a security solution, it is like trying to read a mystery novel for the 10th time, all the while hoping to find a different ending. The story of corporate users using their desktop computer as Administrator has not changed, just as your novel will not write a new ending on its own.

The Principle of Least Privilege and Least Privilege User Access (LUA) are solutions to the problem of users requiring administrative privileges on their desktop. The “LUA bug” is defined as the set of ordinary activities a user has to do in the course of business, such as running applications, performing authorized installations, or managing certain desktop settings, that require users to have administrative privileges. This “LUA bug” has plagued corporate America since the onset of PCs on every desk. The good news is that there are solutions and LUA can be achieved, allowing corporations to greatly improve corporate desktop security. There are reasonably priced and efficient methods that let standard employees use their desktop with “least privileges” and remove their need to run as Administrator. Using existing Microsoft technologies, combined with some third-party solutions, the “LUA bug” can be exterminated and the ending to the story of corporate desktop security rewritten.

Principle of Least Privilege

The term Principle of Least Privilege has been thrown around for many years, many times over, and in many venues. It was defined best by the United States Department of Defense. The Department of Defense knows very well the ramifications of allowing users to run with excess privileges, as well as the benefits of having a user run with limited privileges on their desktop. The Department of Defense defines the Principle of Least Privilege as:

“[The Principle of Least Privilege] requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.”