Do you have local admin rights?
shochan
Member Posts: 1,014 ■■■■■■■■□□
This discussion came up at work recently & the majority of the admins I work with do want to have local admin rights to their wkstns. However, majority of them do have elevated admin privileges when using their token. I really don't think it is necessary to have local admin rights on your workstation as it does create a weakness on your network with that system. So, if that system was to become compromised via malware, phishing, etc, then the attacker could pivot off your system to gain access to other systems.
What does your company do or enforce?
A local telemarketing company was forced to shutdown recently due to being hit with some ransomware encryption (I believe, not for certain) because maybe their backups were not working or didn't have a disaster recovery plan in place...maybe their admins had local admin rights on their boxes?? who knows, I just know it devastated a lot of employees (approx. 300) right before xmas. I don't know the specifics, but I wonder if their IT company just had their hands tied due to restricted IT budgets to have safeguards in place or if they just had an incompetent security posture in place. I believe they had their own IT staff but it could have been outsourced to a local MSP.
What does your company do or enforce?
A local telemarketing company was forced to shutdown recently due to being hit with some ransomware encryption (I believe, not for certain) because maybe their backups were not working or didn't have a disaster recovery plan in place...maybe their admins had local admin rights on their boxes?? who knows, I just know it devastated a lot of employees (approx. 300) right before xmas. I don't know the specifics, but I wonder if their IT company just had their hands tied due to restricted IT budgets to have safeguards in place or if they just had an incompetent security posture in place. I believe they had their own IT staff but it could have been outsourced to a local MSP.
CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
Tagged:
Comments
-
tedjames Member Posts: 1,182 ■■■■■■■■□□IT and security staff have local admin rights. General staff do not.
-
LonerVamp Member Posts: 518 ■■■■■■■■□□I've always had local admin rights on my workstation, but I'm also typically the one who holds those keys in the first place.Discussing this topic is nuanced and also includes other defenses in depth. In fact, I actually ask this question when I interview other security folk (I actually use "domain admin" in my question just to add another layer to it).Sidenote: Don't confuse the conversation by also accidentally including "domain admin" rights and conflating that with local admin rights. You can have local admin rights and not be a domain admin. Domain admins should NOT be allowed to log into their normal local workstation interactively nor should those identities be allowed to browse or do untrusted things on systems (check email, open files, browse the web, download exe's from the internet...) Anyone with DA access should have a non-privileged account they normally operate as, just like any other user on the network.This is best taken by layers and it entirely depends on the maturity of the IT department of the organization, the security interest/maturity of the org, and the budget to manage workstations "properly." For instance, small shops may run with local admins, just because locking that down and supporting those users with subsequent IT needs costs more.As maturity and size moves up and your IT team can support workstations through centralized deployment means, then it becomes useful to take local admin rights away from groups of lesser-technical users, often who all have the same software needs to do their jobs. It expands from there to start including others who don't have interesting needs.Some of the last groups are often your most technical ones...research, sysadmins, developers, security, workstation admins. It takes quite a lot of maturity and advanced practices to lock those systems down properly. Sometimes this is gotten around (arguably!) by having separate systems to do management tasks, or local VMs or something. All of this is work and complexity if you find it worthwhile.So, while you might have something in between with some users running with local admins, then yes, you have higher risk on those systems. I mean, even barring random web browsing and installing bad software, a malicious insider could start poking at local hashes and logging to try to escalate to higher privileges on the network/domain.For me, I've always had needs that require very regular local admin access over the years, from my years doing workstation support, to systems administration, to security. It honestly just makes me and my team(s) more efficient. But yes, that increases the risk. This is partially why I do extra things like run NoScript in Firefox and live a life of browsing a neutered web...RE Ransomware: Ransomware may also move laterally due to lack of patching systems internally or from pilfered hashes from a system where those hashes are accepted by other systems (shared local admin or domain user who has local admin everywhere).
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
wd40 Member Posts: 1,017 ■■■■□□□□□□We had local Admin rights I think 5 years ago, then it was decided that all local Admin accounts will be disabled and to get a temporary admin access you need to follow a certain process.We hated it back then, but now I understand why this is necessary.Listen to podcasts below .. you might change your mind about having local admin accounts.Shadow BrokersNotPetya
-
JDMurray Admin Posts: 13,099 AdminIn places that I control, nobody has local admin rights by default on any OS on any device. If you need root/admin access to perform some privileged operation you must (temporarily) elevate to it using logged and non-anonymous authentication. I would hope that the security design of embedded systems (IoT) also adheres to the "lowest necessary privilege level" rule but probably most do not.
-
yoba222 Member Posts: 1,237 ■■■■■■■■□□Can't remember off the top of my head but I believe this is a control item in the CIS benchmark for Windows hardenings -- to not allow local admins.A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP -
tedjames Member Posts: 1,182 ■■■■■■■■□□In the early '90s, I worked for an unnamed software company that gave EVERYBODY superuser rights on a UNIX system. That was a recipe for disaster, though it's amazing that I never heard of anything blowing up there. I think that most people were afraid to try to do more than their job.
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□I have Admin rights to install software, but do not have the authority to disable or uninstall antivirus software as well as other monitoring tools. If I want to use USB media, I have to log into the computer with a different account, which does not have share drive or email access. When first preparing a new computer, local admin is used, but once it authenticates to the domain, the local admin account and password are changed so local IT does not know what it is.Still searching for the corner in a round room.
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□shochan said:I don't know the specifics, but I wonder if their IT company just had their hands tied due to restricted IT budgets to have safeguards in place or if they just had an incompetent security posture in place. I believe they had their own IT staff but it could have been outsourced to a local MSP.Still searching for the corner in a round room.
-
shochan Member Posts: 1,014 ■■■■■■■■□□TechGromit said:shochan said:I don't know the specifics, but I wonder if their IT company just had their hands tied due to restricted IT budgets to have safeguards in place or if they just had an incompetent security posture in place. I believe they had their own IT staff but it could have been outsourced to a local MSP.CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
-
DZA_ Member Posts: 467 ■■■■■■■□□□Generally here, local administrative rights are disabled unless there is an exception to be made to execute the tasks. This is followed by requesting temporary access to the local admin account (logged) also it's password is changed every couple of hours.
One interesting product that we're testing out here is Beyondtrust's product at our org: https://www.beyondtrust.com/endpoint-privilege-management I'm not sure if anyone here else has this product running in their environment but it's mainly for the developer use case.
-
LonerVamp Member Posts: 518 ■■■■■■■■□□I applaud all the places that run without local admin rights. As someone who's been around a long time, I totally get the risks and the situation that arises when one has to support that environment. I just don't look forward to that.(I'd have more opinion if I ran the department that handles workstations/endpoints, as really they shoulder the burden of that posture decision.)
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
LonerVamp Member Posts: 518 ■■■■■■■■□□yoba222 said:Can't remember off the top of my head but I believe this is a control item in the CIS benchmark for Windows hardenings -- to not allow local admins.Without looking back at it, I believe the benchmark just calls out that you need to be aware of (known list) and limit your local administrators as much as possible.Other overarching principles such as least privilege should drive it more.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
averageguy72 Member Posts: 323 ■■■■□□□□□□We had deployed managed state across our whole organization about a year before being acquired. Now we're part of a very large company and everybody has local admin, nutty.CISSP / CCSP / CCSK / CRISC / CISM / CISA / CASP / Security+ / Network+ / A+ / CEH / eNDP / AWS Certified Advanced Networking - Specialty / AWS Certified Security - Specialty / AWS Certified DevOps Engineer - Professional / AWS Certified Solutions Architect - Professional / AWS Certified SysOps Administrator - Associate / AWS Certified Solutions Architect - Associate / AWS Certified Developer - Associate / AWS Cloud Practitioner
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□averageguy72 said:We had deployed managed state across our whole organization about a year before being acquired. Now we're part of a very large company and everybody has local admin, nutty.Still searching for the corner in a round room.
-
cyberguypr Mod Posts: 6,928 ModTechGromit said:averageguy72 said:We had deployed managed state across our whole organization about a year before being acquired. Now we're part of a very large company and everybody has local admin, nutty.
Wow, had a flashback to my colleague in 2001 who used to do this to solve issues as "recommended by the vendor". True story. -
DatabaseHead Member Posts: 2,757 ■■■■■■■■■■Those days are long gone from my perspective. Worked a few short term contracts recently and held some perm roles and none of them allowed it.....