The #1 Protection Against All Security Threats in Windows
For the past 20 years I’ve worked to solve one of the most long-lasting problems in companies when it comes to security – the Principle of Least Privilege. A friendlier name for this project is usually: “Getting rid of end users’ admin rights”. There are a lot of reasons for getting this sorted out, but I’ll start off with the most important one.
Guest post by Sami Laiho
Sami Laiho is one of the world’s leading professionals in the Windows OS and Security. Sami has been working with and teaching OS troubleshooting, management, and security since 1996.
There Can Be No Security If Admin Rights Are Abundant
The Book, the user guide for NT 3.1 – the first version of Windows NT, followed by versions like Windows 2000, Vista, Windows 7, 10 and now Windows 11 – states that the security subsystem of Windows is not built to withstand the use of admin rights. So, no security features are supposed to work if you give users admin rights. If you try to secure a Windows endpoint without removing admin rights, you are fighting against windmills.
To give you a few easy examples: if you turn on AppLocker for Allow-Listing (the security feature most recommended by Gartner for many years), anyone with admin rights can bypass it, very easily, by simply switching off a service. If your company tries to make sure your computer uses up-to-date security settings by using Group Policies or Microsoft Endpoint Manager MDM policies, you can simply delete them with admin rights. There really is no way to secure an endpoint without removing admin rights. In other operating systems, using the Principle of Least Privilege has been more common, but in Windows people just seem to think that working with the computer is not possible without admin rights.
Zero Day Vulnerabilities Make Admin Rights Dangerous
There are more than 100 security patches per month on average, with usually at least a few zero-day vulnerabilities to mitigate with them. Removing admin rights can mitigate around 80% of these vulnerabilities without a single patch installed. Even more, it can mitigate close to all vulnerabilities related to browsers and email clients, which are still today the most common entry points for malware. It’s hard to believe, but statistically a company that has no admin rights and does NO PATCHING at all is more secure than a 100% patched company with admin rights.
CIS (Center for Internet Security) states that the two most important security controls today are “Up to date Hardware Inventory” and “Up to date Software Inventory”. You simply can’t protect if you don’t know what to protect. Well, you’ll say goodbye to “up to date” the day the user gets admin rights. Removing admin rights from end users gives you the ability to control your environment by blocking users from deciding what you need to protect.
Admin Rights Bring the Hassle with Them
So far all of these reasons have been security related and maybe “boring” for some customers. Let’s talk about why you should not want to be admin, not just why we say you can’t be one. First of all, the Principle of Least Privilege in my customer projects has lowered reinstallations of Windows by 65%. Computers don’t need to be repaired as much. Removing admin rights allows your computer to run faster, for a longer time, with less interruption for your work. I personally would never go back to using admin rights because my computers work so much better. I also like my computer to be fast and performant. Before 2002 I used to be a person who said: “You should just reinstall Windows every 6-12 months, as Windows just works better when you “format c:” occasionally.” I luckily haven’t done that since. By removing your admin rights, you prevent yourself from writing as much to your disk, which even means that your SSD will live longer and stay faster!
If the previous was an example of personal reasons why not to be admin, the biggest reason for companies is the fact that it’s so much cheaper. In my projects, ranging in size from 1 endpoint to 550000 endpoints, we can lower the amount of Servicedesk tickets by 75%. People say: “If I don’t have admin rights to my computer I can’t fix it”, but the reality is “If you don’t have admin rights to your computer, you can’t break it”. So the misbelief that this project requires more from the helpdesk is just wrong.
“But I Need Admin Rights Every Now and Then”
There are some cases where the user needs admin rights to certain apps or tasks, to perform their work. That cannot be prevented by security measures. The second your security hinders productivity, you are going to lose the buy-in from users and management. But we can make sure that does not happen. I have a few different cases that I need to cater for:
- A user needs one-time admin rights for something, for example for installing a printer at home
- A user needs to be able to elevate certain apps to admin, without 3rd party approval
- A user needs to repeatedly perform a task, like changing the time of the computer or changing the IP address, or run a LOB application that just simply doesn’t work without admin rights.
There are different solutions for different cases with different prices. I walk into a customer to solve a problem, not to sell products. This means I use different tools from my toolbox, choosing the correct one for the customer.
Centero Carillon in Managing Admin Rights
Centero Carillon has many benefits with a very low price per endpoint. One, it solves most cases I need. Two, it can work on both on-prem and Azure AD environments, providing simple management of group memberships and a better-than-LAPS solution for mitigating Pass-The-Hash attacks. Centero Carillon can solve the first two cases I described. It can easily, even completely offline, solve the case of installing a printer. The user tries to install a printer, gets a challenge code, communicates it to the Servicedesk, gets a response code, and installs the printer. This can be integrated into service desk system workflows as well, thanks to the API provided.
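A challenge/response flow like the one described above can work offline because both sides can compute the same code from a secret they already share. The sketch below is an added example, not Centero's code or Carillon's actual algorithm, which this post does not describe; it assumes a per-device secret provisioned at enrolment, and `Endpoint`, `response_for` and the action string are hypothetical names.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 8    # short enough to read out over the phone
MAX_ATTEMPTS = 3   # a short code must be paired with an attempt limit


def response_for(device_secret: bytes, device_id: str, challenge: str, action: str) -> str:
    """Service desk side: derive the response code for one approved request."""
    # Binding device, challenge and action means a code issued for one
    # request is useless on another machine or for another task.
    msg = "|".join((device_id, challenge, action)).encode()
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


class Endpoint:
    """Endpoint side: issues challenges and checks responses without a network."""

    def __init__(self, device_id: str, device_secret: bytes):
        self.device_id = device_id
        self._secret = device_secret  # assumption: provisioned at enrolment
        self._pending = None          # (challenge, action, failed_attempts)

    def request_elevation(self, action: str) -> str:
        challenge = f"{secrets.randbelow(10**CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending = (challenge, action, 0)
        return challenge

    def submit_response(self, code: str) -> bool:
        if self._pending is None:
            return False  # nothing outstanding, already used, or locked out
        challenge, action, failed = self._pending
        expected = response_for(self._secret, self.device_id, challenge, action)
        ok = hmac.compare_digest(expected.encode(), code.strip().encode())
        if ok or failed + 1 >= MAX_ATTEMPTS:
            self._pending = None  # one-time use, and no unlimited guessing
        else:
            self._pending = (challenge, action, failed + 1)
        return ok


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    pc = Endpoint("PC-0042", secret)
    ch = pc.request_elevation("install-printer")
    code = response_for(secret, "PC-0042", ch, "install-printer")
    print(ch, code, pc.submit_response(code), pc.submit_response(code))
```

The design points worth checking in any such scheme are the ones the code enforces: the response is bound to the device and the requested task, it is accepted once, and wrong guesses are capped.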
Carillon can also allow self-elevation, where, for example, a developer can elevate themselves to admin. Compared to standard UAC or RunAs, this can elevate the user to an admin without changing the identity of the user. This is important. Many devs are put through pain and suffering by their companies making them use two different accounts. This means that when you run Visual Studio as admin and save your product to My Documents, it’s not your documents… It’s the “admin’s” documents. The dual-identity problem is what we call it.
If you need to run certain apps or do certain tasks as admin, all the time, maybe many times a day, then Carillon is not the best fit. It does not have rule-based elevations, like “always run Adobe Management Studio Tool as admin if I click it”. If you need to open an app 10 times a day, you can’t call SD every time without hindering productivity. If that user can be trusted for self-elevation, then Carillon can solve it. But if it’s the case where you can’t allow the user to decide what gets elevated, but a certain LOB app still needs to be elevated, then you need to look into other options.
I have not logged on to my personal machines with admin rights for 20 years now. I wouldn’t change back for any price. I simply don’t want my own computer to break or need to be reinstalled. And as a company owner I just don’t want to pay for work that can be avoided, and I want to have happy end users.
Centero Carillon – Yes to Better Security, No to Pointless Admin Rights
Our privileged access management solution is called Centero Carillon. It enables you to manage local user IDs and groups in Windows devices in an efficient and centralized manner. With Centero Carillon, you can easily grant temporary admin rights in your Windows environment and enhance security for all users.