Zero Trust and the Principle of Least Privileged Access

In my previous blog I covered Zero Trust principles in general. Now I’ll talk more about how Centero’s services contribute to certain areas of Zero Trust. It should be pointed out that the security model in question has several areas, all of which can be strengthened in numerous different ways. Centero Carillon and Centero Software Manager alone are not the keys to invincibility, but they have a substantial impact on the defense in the position they play.

Principle of least privileged access

If you live in an apartment block, you do not have the master key to the entire building. In an IT environment, a normal user is just like a tenant in an apartment block: they should not have admin rights, i.e., the master key.

Nowadays IT work means you are constantly challenged for authentication in different systems, devices, and services. Generally speaking, you should always be logged into these with the lowest user privileges or role that still gets the job done. This way the end-user can’t harm the environment, be it accidentally or intentionally. And if a possible attacker gets their hands on the end-user’s credentials, the same restrictions limit the harm done there as well.

The Windows operating system has had different roles connected to user IDs for as long as I can remember. Usually, you are either a user and/or an administrator. The description for Windows 10’s Users group is as follows: “Users are prevented from making accidental or intentional system-wide changes and can run most applications.”

In the Zero Trust security model you do not trust a single user by default. That’s why no end-user should belong to the local Administrators group.
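The first thing to know is who actually holds the master key today. The following PowerShell script is an added example, not Centero’s code or part of Carillon: it lists every member of the local Administrators group that is not on an explicit allow-list, so stray end-user accounts can be found and removed. It assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module and an elevated session; the allow-list of well-known RID suffixes (-500 for the built-in Administrator, -512 for Domain Admins) is a constructed starting point you would adjust for your own environment.

```powershell
# Added example (not Centero's code): audit the local Administrators group.
# Assumes Windows 10/11 (Microsoft.PowerShell.LocalAccounts) and an elevated session.

# Constructed allow-list of well-known RID suffixes expected in local Administrators:
#   -500 = built-in local Administrator, -512 = Domain Admins
$AllowedRidSuffixes = @('-500', '-512')

function Get-UnexpectedLocalAdmin {
    param(
        [string[]]$AllowedRidSuffixes = $script:AllowedRidSuffixes
    )
    # Match on SID rather than on display name, so renamed accounts are still recognised.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $sid = $_.SID.Value
            -not ($AllowedRidSuffixes | Where-Object { $sid.EndsWith($_) })
        } |
        ForEach-Object {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $_.Name
                ObjectClass     = $_.ObjectClass      # User or Group
                PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory or AzureAD
                SID             = $_.SID.Value
            }
        }
}

$unexpected = @(Get-UnexpectedLocalAdmin)
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table -AutoSize
    Write-Warning "$($unexpected.Count) principal(s) in local Administrators are not on the allow-list."
    # Remediation, once reviewed, is a one-liner per entry, e.g.:
    #   Remove-LocalGroupMember -Group 'Administrators' -Member $unexpected[0].Member
} else {
    Write-Host 'Local Administrators contains only allow-listed principals.'
}
```

Run it from an elevated prompt on a workstation; anything it reports that is an ordinary user’s account, whether local, domain or Azure AD, is exactly the kind of master key this section argues should not be handed out.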

In 2020, BeyondTrust released a report on Microsoft’s vulnerabilities in 2019. The report is a pretty scary read on the role access rights play in exploiting vulnerabilities.

  • 77 % of the critical vulnerabilities in Microsoft’s operating systems could have been mitigated by removing local admin rights from users.
  • When looking at the most common workstation operating systems, Windows 10, 8.1, and 7, the number was a whopping 80 %.
  • The same number for Microsoft Edge and Internet Explorer browsers was a round 100 %.

Check out below what the esteemed cyber security expert Sami Laiho had to say about these issues in our webinar in February 2021.

In other words, by removing local administrator rights you can tackle most of the critical vulnerabilities in your own workstation environment.

Some people think that updating the operating systems on a monthly basis does the same trick. An operating system update protects you only once it has been installed and the device restarted. Now, think how long it takes for your organization to get all the latest security patches onto all of the organization’s devices.

A study by Ponemon (Ponemon 2019) shows that on average, exploits of a critical or high-level vulnerability are still observed for 43 days after a security patch was released for the vulnerability. The same study shows that on average, organizations take 16 days to patch software that has a critical vulnerability.

Drawing conclusions from these studies, you could say that on average, 80 % of the cases where a critical vulnerability is exploited during those 16 days, before the organization gets the security patch installed, could be mitigated.

A zero-day vulnerability means a situation where there isn’t an update or a patch available for a vulnerability when it becomes common knowledge. Cyber criminals are very active in using zero-day vulnerabilities, as these can’t be patched right away. This is why sensible access right management is the most efficient medicine against zero-day vulnerabilities.


The ideal situation, cyber security-wise, is to keep all of the end-users in the Users group. However, in real life there are always exceptions, and sometimes an end-user needs to execute an action in the operating system with elevated rights.

In some cases, the users are given a separate local administrator ID, sometimes they even get to use a domain-level admin ID, and occasionally the user’s account in Azure AD is set as an extra local admin. All of these examples basically just trust the user to be able to use their account securely. However, there is never a 100% guarantee for this, as external threats are always lurking around the corner and searching for the weakest links in IT environments.

Zero Trust’s message is to always verify, and Centero Carillon enables this. A user can be logged in with their personal ID that belongs only to the Users group. When they need to elevate their access rights, Carillon can do this with a separate account. All you need to do is ask the organization’s IT support (or another party that’s been agreed on) for an activation code: with that, you are set to perform the elevated action. This is the right way to manage local access rights.

If you want to balance a bit more between usability and cyber security, Carillon also has a self-service model. There the more advanced users can perform an elevated action by entering their reason for needing elevated rights into the UAC (User Account Control) prompt. In both cases it’s easy to manage and report the elevations.

With Centero Carillon you can perform actions that require admin rights safely as a self-service.

Complicating lateral movement

Access rights play a significant role when there is a security breach and you want to complicate lateral movement and make it more difficult for the attacker to get a foothold in your environment. Logging into devices with elevated rights might be too easy if it isn’t limited in any way.

There are too many organizations that use the same password for the local admin ID on every device. Usually this is a so-called back-up ID, used for logging in when all others fail. There are plenty of recommendations out there to follow, but the basic principle is that if a single account is jeopardized, other devices shouldn’t be in danger.

Carillon is a solution to this problem as well. Every device can have a completely unique user ID, one that’s disabled by default and whose password is changed constantly.

You cannot deny the facts. Take your organization to the Zero Trust era and start using Carillon. If you’re still not agreeing, you’re invited to discuss the subject with me in the virtual cyber security laboratory at the Centero Cave.


Additional reading material and sources: