Re-evaluating Local Administrative User Rights
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
Another point:
Timed or temporary local admin privileges? Do you feel that is at all any more or less "secure"?
How is it controlled?
For me of course it's still more secure than simply giving the users local admin all the time. But really, why do they need it at all? Is IT so backed up that they can't get to a user request to install an approved something for the user? How often are users needing to install things that they need this access?
I mean, if they are a tester for the company - perhaps they should have a VM that has no access to network resources, say, just internet, and the user had full control over that.. just one idea.
-
@IRJ said in Re-evaluating Local Administrative User Rights:
What's the advantage of giving users admin rights?
This is still under evaluation, as well as evaluating all of the causes or perceived needs for local admin privileges in the first place. As of now, we do not allow any local admins at all (exceptions exists, as well as timed local admin privileges (similar to sudo I suppose in the "timed" way)), so currently, not an issue, but could be better.
This post is about being proactive on the topic, as I have direct influence over some decisions. So I'm gathering as much as possible from as many angles as possible.
I said from the very beginning (not here) that I'm not on board with it and gave quite a few of the reasons we all mentioned here, some of which that were met with a few anecdotal counters.
So, this is my change to gather as much as possible, showing all the points. This is why I'm trying to counter everyone's input, so that I can better prepare for the anecdotal counters thrown my way later.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@IRJ said in Re-evaluating Local Administrative User Rights:
What's the advantage of giving users admin rights?
This is still under evaluation, as well as evaluating all of the causes or perceived needs for local admin privileges in the first place. As of now, we do not allow any local admins at all (exceptions exists, as well as timed local admin privileges (similar to sudo I suppose in the "timed" way)), so currently, not an issue, but could be better.
This post is about being proactive on the topic, as I have direct influence over some decisions. So I'm gathering as much as possible from as many angles as possible.
I said from the very beginning (not here) that I'm not on board with it and gave quite a few of the reasons we all mentioned here, some of which that were met with a few anecdotal counters.
So, this is my change to gather as much as possible, showing all the points. This is why I'm trying to counter everyone's input, so that I can better prepare for the anecdotal counters thrown my way later.
There has to be advantages to make it an actual consideration, correct?
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
Another point:
Timed or temporary local admin privileges? Do you feel that is at all any more or less "secure"?
Better, but seems like too much effort.
-
@IRJ said in Re-evaluating Local Administrative User Rights:
What's the advantage of giving users admin rights?
Bypassing formal IT for basic requests and customizations, and not needing or wanting to put in an automated system to handle those requests.
-
@scottalanmiller said in Re-evaluating Local Administrative User Rights:
@IRJ said in Re-evaluating Local Administrative User Rights:
What's the advantage of giving users admin rights?
Bypassing formal IT for basic requests and customizations, and not needing or wanting to put in an automated system to handle those requests.
Apparently that's not been an issue in another location for another company. However, I'd have to argue, how would you know?
-
@IRJ said in Re-evaluating Local Administrative User Rights:
What's the advantage of giving users admin rights?
Some applications are really tough to get working without it, and many lose support if you take it away. No legit app, of course, but the bulk of businesses run totally ridiculous applications.
-
@scottalanmiller said in Re-evaluating Local Administrative User Rights:
@IRJ said in Re-evaluating Local Administrative User Rights:
What's the advantage of giving users admin rights?
Some applications are really tough to get working without it, and many lose support if you take it away. No legit app, of course, but the bulk of businesses run totally ridiculous applications.
I believe I have heard this may be one of the issues, for some people... however, I'm still not on board for a blanket enablement because of a fringe app or two for less than 0.05% users.
Edit: But again, still evaluating that.
-
@Dashrender said in Re-evaluating Local Administrative User Rights:
How is it controlled?
In a way that works 100% well.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
@scottalanmiller said in Re-evaluating Local Administrative User Rights:
@IRJ said in Re-evaluating Local Administrative User Rights:
What's the advantage of giving users admin rights?
Some applications are really tough to get working without it, and many lose support if you take it away. No legit app, of course, but the bulk of businesses run totally ridiculous applications.
I believe I have heard this may be one of the issues, for some people... however, I'm still not on board for a blanket enablement because of a fringe app or two for less than 0.05% users.
Edit: But again, still evaluating that.
Agreed, just one of the reasons that people state.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
It seems like restricting users to non-admin privileges causes more inconvenience and service desk overhead than it's actually worth.
It absolutely causes more issues when users have local admin rights. I dealt with this crap daily until I finally got buy in from clients across the board to remove admin rights.
If you have a user that needs a local admin right to perform any daily task, the problem is the software being used. Not the user or IT policy.
-
@JaredBusch said in Re-evaluating Local Administrative User Rights:
If you have a user that needs a local admin right to perform any daily task, the problem is the software being used. Not the user or IT policy.
This is the hardest part to tackle. But it's worth tackling. It's amazing how easily this can often be fixed.
-
@Obsolesce said in Re-evaluating Local Administrative User Rights:
And, from a security perspective, doens't really seem like any more of a factor one way over the other.
Of course it is more of a security factor. While, sure most shit can run in local user space, and mess up the user profile, it is restricted to the user profile. Sure the odd 0-day that executes easily will ignore that, but most 0-day have tricks to make them most effective.
-
@scottalanmiller said in Re-evaluating Local Administrative User Rights:
@JaredBusch said in Re-evaluating Local Administrative User Rights:
If you have a user that needs a local admin right to perform any daily task, the problem is the software being used. Not the user or IT policy.
This is the hardest part to tackle. But it's worth tackling. It's amazing how easily this can often be fixed.
It is simple enough to fix with a unique account that has local admin rights and then a
bat
file calling a/runas /savecreds
. I have a number of old service applications that require this at one client. The first time you use the/runas /savecreds
, IT staff can enter the password and then the Windows Credential manager will keep it and the user can just click the icon afterwards.Sure a malicious user will be able to figure out what is happening and exploit that, but that is not an IT problem. That is a HR problem.
-
What about cases where a computer is used for dev work on which the users are using mob programming practices and running docker containers?
What are some ideas in that space?
-
If you think about it, letting the users run as admins shouldn't be a problem. Not if you have designed your network with zero trust in mind - assume every computer sits directly on the internet, assume everything is compromised.
So the only thing they should be able to screw up is their own computer - in which case you should be able to bring it back quickly with automation.
That said, I think developers need their own server(s). A test environment where they can create and destroy VMs and run containers and whatever else they need. Do development and run performance tests. Let them run wild in there. It could be cloud or on-prem or whetever it is they are developing.
-
@Pete-S said in Re-evaluating Local Administrative User Rights:
If you think about it, letting the users run as admins shouldn't be a problem. Not if you have designed your network with zero trust in mind - assume every computer sits directly on the internet, assume everything is compromised.
LANless design
-
@Pete-S said in Re-evaluating Local Administrative User Rights:
So the only thing they should be able to screw up is their own computer - in which case you should be able to bring it back quickly with automation.
In theory, but even in a zero trust, simple rebuild you need a process for them determining that they need to be rebuilt, a rebuild, an update.
you can make the system ephemeral, but it almost always causes a productivity loss.
-
@Pete-S said in Re-evaluating Local Administrative User Rights:
That said, I think developers need their own server(s). A test environment where they can create and destroy VMs and run containers and whatever else they need. Do development and run performance tests. Let them run wild in there. It could be cloud or on-prem or whetever it is they are developing.
Devs don't need to be admins to do that. I have devs, they can do this... without admin rights. Could they be admins in dev? Sure, not a big deal. But no reason for them to waste time doing that, either.
-
@scottalanmiller said in Re-evaluating Local Administrative User Rights:
@Pete-S said in Re-evaluating Local Administrative User Rights:
So the only thing they should be able to screw up is their own computer - in which case you should be able to bring it back quickly with automation.
In theory, but even in a zero trust, simple rebuild you need a process for them determining that they need to be rebuilt, a rebuild, an update.
you can make the system ephemeral, but it almost always causes a productivity loss.
agreed - sure, it's only their computer screwed up, but isn't that bad enough? Removing admin removes a lot, granted not ALL, but a lot of the risks, enough that not giving them admin, or at minimum, not running as local admin is worth it in my mind.