Local admin privileges: A double-edged sword

Caleb Pfanstiel, Ibrahim Iqbal
| 12/14/2023

The threats associated with local admin privileges are a stark reminder of why organizations need to recognize and mitigate the risks of expanded access.

The mismanagement and misallocation of local administrative (local admin) privileges on user machines is an overlooked vulnerability that plagues cybersecurity teams. Although local admin privileges might seem harmless, innocuous, and necessary for specific tasks, the privileges that accompany local admin accounts can expose businesses to significant security risks.

With local admin privileges, users can install, modify, and remove software, (mis)manage their user accounts, change system configurations, and perform various administrative tasks on a single machine. Because of this heightened level of permissions, organizations must evaluate their approach to administering local admin privileges and the coinciding management practices to fortify their security defenses, improve their cyber resilience, and mitigate the risk of adverse security events.


What is local admin?

On the Microsoft™ platform, local admin privileges include full control of files, directories, services, and other resources on a local device as well as the ability to create other local users, assign user rights, and assign permissions. Beyond the default administrator account on a machine, this level of access is provisioned to every member of the local Administrators group. Any user of a Microsoft Windows™ computer – even one without expanded access – can open a command prompt (cmd.exe) and run “net localgroup administrators” to see who the local administrators are on that computer. These accounts can take control of any and all local resources and data at any time.
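The `net localgroup administrators` check above can be turned into a repeatable review. The following PowerShell script is an added example, not from the article: it lists the local Administrators group and reports any member that is not on an approved baseline (the baseline entries are hypothetical placeholders). It assumes Windows with PowerShell 5.1 or later, where `Get-LocalGroupMember` is built in, and it needs no elevation to read group membership.

```powershell
# Added example (not from the article): flag local Administrators members that are
# not on an approved baseline. Assumes PowerShell 5.1+ on Windows; reading group
# membership does not require elevation.

# Hypothetical approved set; replace with your organization's baseline.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (ideally disabled or LAPS-managed)
    'CONTOSO\Workstation Admins'         # assumed domain group for IT staff
)

function Get-LocalAdminDeviation {
    param([string[]]$ApprovedMembers)

    $members = Get-LocalGroupMember -Group 'Administrators'
    $unexpected = foreach ($m in $members) {
        # $m.Name is 'COMPUTER\user' for local principals and 'DOMAIN\name' for domain ones
        if ($ApprovedMembers -notcontains $m.Name) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Type     = $m.ObjectClass      # User or Group
                Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD
                SID      = $m.SID.Value
            }
        }
    }
    return $unexpected
}

$deviations = Get-LocalAdminDeviation -ApprovedMembers $Approved
if ($deviations) {
    $deviations | Format-Table -AutoSize
    # Non-zero exit lets a scheduled job or endpoint tool flag this host for review
    exit 1
}
Write-Output "No unapproved local administrators on $env:COMPUTERNAME"
```

Run it from a scheduled task or endpoint management tool across the fleet and collect the non-zero exits; the reported SIDs let you catch renamed accounts that a name-only comparison would miss.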

The path of least resistance that some organizations have followed is to allocate local admin privileges to users and allow them to manage their own machines. In theory, the organization then spends less time and money establishing baselines, user roles, and access security controls while relieving an administrative burden for the IT department.

Risks of local admin

When misused, local admin privileges can cause severe damage to the user’s computer, expose other computers on a given network, and make machines more susceptible to viruses and malicious actors, which creates even more challenges and problems for the organization’s IT department.

But not all challenges and problems are equal. In the best case, user machines simply become much harder to manage because configurations and patch levels drift from machine to machine. In the next-level scenario, users inadvertently disable features or download unauthorized software using these privileges, which makes the machine more susceptible to viruses. While viruses and malware are operationally a hindrance, the worst case for an IT department is a malicious actor gaining access to a machine with local admin privileges and proceeding to cause catastrophic damage to the organization.

What can threat actors do with local admin?

Threat actors in control of an account with local admin privileges essentially have the keys to the castle for that specific machine and all that it touches. But what can they access with these keys? With this level of privilege, threat actors can:

  • Access all files and data stored on the device, including sensitive and confidential information, because they can bypass built-in security controls by stopping or deleting the processes that enforce them. They can also exfiltrate data more easily than from a standard user account by enabling features and installing exploitation tool kits.
  • Control the system configurations, disable services such as antivirus software, disable monitoring tools, and disable firewalls. Exploiting these privileges allows attackers to disable prevention and detection controls to perform adverse actions without being noticed.
  • Install and run exploitation tools to perform a variety of tasks, such as collecting credentials, scanning ports, monitoring traffic, and identifying vulnerabilities. Doing so enables lateral movement and privilege escalation and provides full visibility to an organization’s intranet.
  • Access and exploit credentials. Once credentials have been harvested from a machine, anywhere those credentials are reused comes into reach for threat actors. Depending on the strength of users’ password management practices (or lack thereof), threat actors can pursue a range of escalation opportunities.

Elevated privileged accounts are very attractive to malicious actors. These accounts enable attackers to escalate their privileges, move laterally across a network, and propagate more sophisticated attacks against an organization.

Mitigation strategies

Local admin privileges can be a significant threat to established security measures, presenting challenges in maintaining a robust security posture. To combat these risks and assert control over the provisioning of elevated access privileges, organizations can implement the following strategies:

  • Establish the principle of least privilege (PoLP). Implementing the PoLP means that users are granted only the privileges necessary to perform their role. Restricting local admin privileges to those that require them reduces the attack surface and minimizes potential damage.

    For the PoLP to be effective, organizations need to clearly define user role requirements and understand what local admin privileges entail. Organizations should also require separate credentials and user account identifiers for elevated access to a local administrative account. This separation can help mitigate the risk of threat actors harvesting user account credentials during everyday account operations.

  • Use privileged access management (PAM) solutions. Sometimes referred to as privileged identity management solutions, PAM solutions provide access controls specifically for privileged accounts and help mitigate insider threats, unauthorized access, and potential misuse of privileged credentials. They do this by monitoring, detecting, and preventing unauthorized privileged access to critical resources through providing visibility into who is using privileged accounts and what they are doing with this access.

    Other methods for delivering access to local admin accounts include:

    • Windows Local Administrator Password Solution (LAPS). LAPS is a combination of Microsoft Active Directory™ group policy and local software agents that enforces authorization before a local admin password can be retrieved when it is needed. It covers only local administrator accounts: domain, service, and application accounts are out of scope, as are non-Windows environments. Compared with a PAM solution, LAPS is much narrower in the account types and features it covers.
    • Just-in-time (JIT) privileged access. This technique can be achieved through certain commercial solutions or through homebrewed scripting to provision local admin access temporarily on an as-needed basis. JIT privileged access allows organizations to retain control over password requirements enforcement, password rotation, and revocation of access while also being able to allocate impromptu privileges.
  • Provide virtualized environments. Implementing virtualized environments can enhance system security when managing local admin privileges. Virtualization technology allows organizations to create isolated and controlled environments for users with administrative access requirements such as:
    • Sandboxing. Isolation allows users to perform administrative tasks within a controlled and segregated space, preventing the privileges from escalating to another machine or environment. Sandboxing reduces the risk of unintentional or malicious actions affecting the production environment (such as database servers, web server infrastructure, application servers, and network infrastructure devices) and minimizes the potential impact of a security incident.
    • Dynamic virtual machines. IT administrators can quickly create or remove virtual instances for authorized individuals, granting access only when needed and promptly revoking it when no longer required – like the JIT access concept. This approach helps minimize the window of time that a system might be vulnerable through administrative access.
  • Perform access reviews. Regularly reviewing and updating user permissions to align with job roles and responsibilities is essential to confirm that elevated access is appropriately provisioned to users. This process involves systematically evaluating and adjusting user access privileges so that they remain appropriate and aligned with changing organizational needs.

    Access reviews should be performed by the individuals responsible for a system and by those who know which users should (and should not) have elevated privileges. This responsibility is generally assigned to IT or system owners, who can perform the access reviews and then attest to them if they form part of an internal audit or investigation. The task is made much more efficient by the many access solutions that offer built-in access review functionality, including most PAM solutions, and by group policy object (GPO) enforcement to achieve least privilege when accessing local admin accounts. GPO enforcement is most effective in simple environments; the more complex an environment is, the less effective GPO enforcement becomes.
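The just-in-time approach described above can be prototyped with a small amount of scripting. The PowerShell script below is an added example, not from the article: it adds a separate admin identity to the local Administrators group, schedules its own removal after a fixed lifetime so the grant expires even if nobody remembers to revoke it, and writes an audit record tied to a ticket. It assumes Windows with PowerShell 5.1 or later, an elevated session (for example, invoked by a helpdesk tool), and the hypothetical account, ticket and log path shown.

```powershell
# Added example (not from the article): a minimal just-in-time local admin grant
# that schedules its own revocation. Assumes PowerShell 5.1+ on Windows and an
# elevated session. Account names, ticket IDs and the log path are hypothetical.
param(
    [Parameter(Mandatory)][string]$Member,    # e.g. 'CONTOSO\jdoe-admin' (separate admin identity)
    [Parameter(Mandatory)][string]$TicketId,  # change or ticket reference for the audit trail
    [int]$Minutes = 60                        # grant lifetime
)

$group    = 'Administrators'
$expiry   = (Get-Date).AddMinutes($Minutes)
$taskName = "JIT-Revoke-$($Member -replace '[\\\s]', '_')-$TicketId"
$logDir   = "$env:ProgramData\JitAdmin"

# Refuse a grant that already exists: it would mask an earlier, possibly forgotten, exception.
if (Get-LocalGroupMember -Group $group -Member $Member -ErrorAction SilentlyContinue) {
    throw "$Member is already in $group; review the existing exception before granting again"
}

Add-LocalGroupMember -Group $group -Member $Member

# Revocation runs as SYSTEM at expiry, independent of the user's session or the granting session.
$revoke  = "Remove-LocalGroupMember -Group '$group' -Member '$Member'; " +
           "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument "-NoProfile -NonInteractive -Command `"$revoke`""
$trigger = New-ScheduledTaskTrigger -Once -At $expiry
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

# Audit record: who was granted what, why, until when, and by whom.
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$entry = "{0} JIT grant: member={1} group={2} ticket={3} expires={4:o} by={5}" -f `
         (Get-Date -Format o), $Member, $group, $TicketId, $expiry, $env:USERNAME
Add-Content -Path "$logDir\grants.log" -Value $entry
Write-Output $entry
```

Pair the grant log with the periodic membership review so that any member found outside an open grant window is treated as a deviation rather than an expected exception.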

Enforcing access controls becomes particularly challenging when users' machines are not uniform or fall outside the scope of standard security requirements. Striking the right balance between access restrictions is essential. Overly restrictive access can lead to operational issues, but unrestricted access can result in unauthorized actions and security breaches. Additionally, tracking and auditing local admin activities can be challenging, making timely threat detection and response more cumbersome.

Who should be a local admin?

Who, then, represents an exception and requires local admin privileges? Ideally, nobody should be assigned the local admin role. Some users might claim that they require autonomy over their machines and that they have the capability to manage and troubleshoot IT issues on their own. User roles that tend to fall under this umbrella include IT administrators, software programmers, and network engineers because of their technical nature. Evaluating the requirements of these roles or the use case for elevated privilege can help determine whether to provide access.

Every allocation of local admin privileges should require the execution of stringent access controls to mitigate the potential risks of these accounts being compromised, as well as ticketing and monitoring to track these exceptions. Expanded privileges should only be bestowed via a separate account used for individual activities that require elevation of privilege, and management should be made aware of the risks and explicitly sign off on each exception.

Taking action

The potential risks of local admin privileges and their impact on an organization’s cybersecurity cannot be overstated. From increased attack surfaces to the propagation of malware and ransomware, the consequences of mishandling local admin privileges can be devastating. Therefore, a formidable defensive strategy for safeguarding the administration of local admin privileges must include the implementation of the PoLP, PAM solutions, virtual environments, and regular access reviews. These measures, when integrated into an organization’s security framework, offer major security benefits and support the administration of elevated privileges only to the appropriate users.

While no security approach is without gaps or flaws, by addressing the dangers associated with local admin privileges, organizations can bolster their system security, protect sensitive data, and maintain operational continuity. Recognizing the importance of responsible access management and implementing appropriate controls, businesses can harmonize productivity and security, safeguarding their business from potential disruptions.

Microsoft, Active Directory, and Windows are trademarks of the Microsoft group of companies.
