Local Administrator Rights and Privileges: Security Best Practice Series – Part 1

In this blog series, I will be discussing some basic, and not so basic, security practices that you could, and should, be implementing at your business to tighten your security posture.

Time gets away from us, right? We wake up on Monday to go to the office and before we know it, the weekend has hit us in the face. We blink and a month, if not two, has gone by. Why do I bring this up? Because if we as IT professionals don’t manage our time correctly, time slips away and we fall further behind from a security standpoint. The “there is always tomorrow” mindset in IT is very real, but the problem is that tomorrow is always tomorrow, and just like that we haven’t implemented anything that makes us, our employees, or our businesses more secure. My hope is that with this series you will come away with identifiable, actionable items you can put to use immediately to make your network more secure.

Where do we start? There are multiple areas we could start with, but first let’s knock off an easy one: local administrator access rights. We should all be administrators and be allowed to do whatever we please, right? No, that is not the case. Operate under the mindset that less is always more when it comes to access rights on your network and devices. By controlling or limiting administrative access on your devices you limit the blast radius: malware that runs as a standard user cannot install drivers, disable the endpoint protection, dump credentials from memory, or persist system-wide, and a phished account without local admin rights is far less useful to an attacker moving laterally. Notice how I stated “limit”. Nothing is foolproof. There is no magic button or light switch we can flip to make everyone and everything secure 100% of the time. There are multiple steps we can take, though, that will help us limit the scope; that is what we are trying to do here.

I know what you are thinking: “My users are going to be upset when they can’t install programs at will.” Well, isn’t that part of the problem we are trying to solve here? If we take away the ability for users to do whatever they please, then we are saving most of them from themselves and hardening the network. Next thought: “This is going to add more work for me, or for the IT staff, because of the uptick in support calls.” This is true at the beginning. You and your support staff will have to do work up front to make this successful, which is true of any IT or security initiative. Security is not convenient, but it is a necessity in this day and age. Spending time today tightening up the policies will save you time cleaning PCs, networks, etc. in the future if you are breached or infected. It could potentially help to save your job as well.

Now that we have decided that we are going to take this plunge and lock down access, what do we do? If you are running Active Directory, then I would urge you to consider running Microsoft LAPS (Local Administrator Password Solution). I point you towards the Microsoft TechNet article for all the details, but in short it lets you centrally manage the built-in local administrator account on each domain-joined machine. A client-side Group Policy extension generates a random password per machine, sets it locally, and writes it (with an expiration time) to a confidential attribute on the machine’s own computer object in AD; when the expiration passes, the machine rotates it again. Who can read those attributes is controlled by AD permissions on the OU, so only domain administrators or the privileged group you delegate can retrieve a password when needed. The important consequences are that every machine has a different local administrator password, so one stolen hash no longer unlocks every other PC, and that the passwords are never stored in a file or spreadsheet.
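As an added example (not code from the original post or from Microsoft’s article), here is the setup sequence and the two checks I would run after a LAPS deployment, using the AdmPwd.PS module that ships with the LAPS installer and the ActiveDirectory module. The OU path `OU=Workstations,DC=corp,DC=example`, the group `CORP\Helpdesk`, and the computer name `WS01` are assumptions for illustration; the LAPS client extension and its GPO are assumed to already be deployed to that OU.

```powershell
# Legacy LAPS (AdmPwd.PS module) set-up, permission review and coverage check.
# Assumptions (not from the original post): domain corp.example, workstations
# live in OU=Workstations, CORP\Helpdesk is the group that may read passwords,
# and the LAPS client extension + GPO are already applied to that OU.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'

# One-time step, run as a Schema Admin: adds the ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime attributes to the computer class.
# Update-AdmPwdADSchema

# Let each computer in the OU write its own password and expiry time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Grant read access to the password attribute only to the helpdesk group.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\Helpdesk'

# Anyone holding "All extended rights" on the OU can read the password too,
# regardless of the grant above. Surface those holders so unintended ones
# (old delegations, service accounts) can be removed.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN,
        @{ n = 'ExtendedRightHolders'; e = { $_.ExtendedRightHolders -join '; ' } }

# Coverage check: every computer in the OU should carry an expiry stamp.
# No stamp means the client extension has not run on that machine yet,
# so its local administrator password is still whatever it was before.
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name, @{ n = 'PasswordExpires'; e = {
        $t = $_.'ms-Mcs-AdmPwdExpirationTime'
        if ($t) { [DateTime]::FromFileTime($t) } else { 'NOT MANAGED' } } } |
    Sort-Object PasswordExpires |
    Format-Table -AutoSize

# Day-to-day use: read one machine's password, use it, then expire it so the
# machine picks a new one at its next Group Policy refresh.
$entry = Get-AdmPwdPassword -ComputerName 'WS01'
$entry | Select-Object ComputerName, DistinguishedName, ExpirationTimestamp
# $entry.Password holds the clear-text value for the technician; afterwards:
Reset-AdmPwdPassword -ComputerName 'WS01'
```

The coverage check is the one most shops skip: a machine that is in the OU but has never run the client extension still has the old shared password, and the `Find-AdmPwdExtendedRights` output is where you find the helpdesk-of-three-years-ago group that can still read every password in the domain.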

If you have a smaller shop and you are not running Active Directory, then you have to do it the manual way. Start with an inventory of every device on your network: Device Name, MAC address and IP address (assuming static IPs). Then change the local administrator password on each machine to a different random password and record it, preferably in a password manager or password database rather than a spreadsheet. If a spreadsheet is all you have, password-protect it and keep it in a protected location, possibly even offline at the business rather than online; a spreadsheet password is weak protection, which is why the password database is the better choice. Then set a reminder to rotate the local administrator password on every machine at least every six months, if not every quarter. This isn’t the cleanest way to do it, but without a directory service in place it is one of the easiest ways to accomplish the goal.
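The manual rotation above, written as a script so the random password per machine is actually random and the built-in account is found even if it has been renamed. This is an added example, not code from the original post; the two-device inventory is constructed, and it assumes WinRM is reachable on each target with a working local administrator credential and PowerShell 5.1 or later on the targets (for `Get-LocalUser` / `Set-LocalUser`).

```powershell
# Rotate the built-in local Administrator password on a list of standalone
# machines, one random password per machine, and record the result.
# Assumptions (not from the original post): WinRM is enabled on every target,
# the supplied credential is a local administrator there, and the targets run
# PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
$devices = @(                                   # constructed sample inventory
    @{ Name = 'FRONTDESK-PC'; MAC = '00-11-22-33-44-55'; IP = '192.168.10.21' },
    @{ Name = 'SHOP-PC';      MAC = '00-11-22-33-44-66'; IP = '192.168.10.22' }
)
$cred = Get-Credential -Message 'Current local administrator credential'

function New-RandomPassword {
    param([int]$Length = 20)
    # Unambiguous alphabet (no 0/O, 1/l/I). Rejection sampling on each byte
    # avoids the modulo bias you get from "byte % alphabet length".
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $out      = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $out[$i] = $alphabet[$buf[0] % $alphabet.Length]
            $i++
        }
    }
    -join $out
}

$records = foreach ($d in $devices) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # Target the RID-500 account by SID rather than by name: the built-in
    # Administrator may have been renamed on some machines.
    Invoke-Command -ComputerName $d.IP -Credential $cred -ScriptBlock {
        param([securestring]$pw)
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        $admin | Set-LocalUser -Password $pw
    } -ArgumentList $secure
    [pscustomobject]@{
        Device      = $d.Name
        MAC         = $d.MAC
        IP          = $d.IP
        Password    = $secure           # kept as a SecureString, never echoed
        RotatedOn   = (Get-Date)
        RotateAfter = (Get-Date).AddMonths(3)   # the quarterly reminder date
    }
}

# Export-Clixml protects SecureString values with DPAPI, so only this user on
# this machine can read them back. Treat the file as a working copy and put
# the authoritative record in the password database.
$records | Export-Clixml -Path '.\local-admin-passwords.xml'
$records | Select-Object Device, IP, RotatedOn, RotateAfter | Format-Table -AutoSize
```

Run it from an admin workstation that is itself locked down; the DPAPI-bound export deliberately cannot be opened from anywhere else, which is the point. The credential you connect with is replaced on each machine as the script runs, so a failed connection after rotation means you need the new password from the record, not the old one.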

After taking the above steps to lock down the local Administrator account itself, I always make it a point to audit the membership of the local Administrators group on each machine and remove any regular user accounts that were given that privilege. What is the point of locking down the local Administrator account if you leave normal user accounts as administrators? Their day-to-day account is the one that opens the phishing attachment, and if it is a local admin, the malware is too.
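An added example of that audit (not code from the original post): it lists every member of the local Administrators group on each machine, flags anything that is not the built-in Administrator, Domain Admins, or an IT group you name, and only removes the extras when you pass `-Enforce`. The computer names `WS01`/`WS02` and the group `CORP\Workstation Admins` are constructed for illustration; it assumes WinRM and PowerShell 5.1 or later on the targets.

```powershell
# Audit the local Administrators group on each machine and optionally strip
# members that are not on the allow-list. Report-only unless -Enforce is given.
# Assumptions (not from the original post): WinRM enabled, PowerShell 5.1+ on
# the targets, and CORP\Workstation Admins is the IT group that legitimately
# needs local admin everywhere.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),      # constructed sample list
    [string[]]$AllowedNames = @('CORP\Workstation Admins'),
    [switch]$Enforce
)

$auditBlock = {
    param([bool]$Enforce, [string[]]$AllowedNames)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $sid = $m.SID.Value
        # Match well-known RIDs by SID, not by display name, because the
        # built-in Administrator can be renamed and names can be spoofed.
        $isBuiltinAdmin = $sid -like 'S-1-5-21-*-500'   # local Administrator
        $isDomainAdmins = $sid -like 'S-1-5-21-*-512'   # Domain Admins
        $allowed = $isBuiltinAdmin -or $isDomainAdmins -or ($AllowedNames -contains $m.Name)
        $removed = $false
        if (-not $allowed -and $Enforce) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
            $removed = $true
        }
        # Return plain objects so the result survives remoting serialization.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Class    = $m.ObjectClass     # User or Group
            Source   = $m.PrincipalSource # Local or ActiveDirectory
            Allowed  = $allowed
            Removed  = $removed
        }
    }
}

$report = Invoke-Command -ComputerName $ComputerName -ScriptBlock $auditBlock `
    -ArgumentList $Enforce.IsPresent, $AllowedNames

$report | Sort-Object Computer, Member | Format-Table Computer, Member, Class, Allowed, Removed -AutoSize
$report | Where-Object { -not $_.Allowed } |
    Export-Csv -NoTypeInformation -Path '.\local-admin-audit.csv'
```

Run it without `-Enforce` first and read the CSV: the surprises are usually a "temporary" helpdesk account from an old ticket and a group like `Domain Users` that someone nested in Administrators to make an installer work. Fix those deliberately, then rerun with `-Enforce`.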

Once all is said and done, I would also make certain to send out formal communication to everyone in the company letting them know what took place, what the benefits are, and how they will need to work moving forward (for example, how to request software through IT). This will help curb the backlash when Bob in Accounting can’t install his Coupon Bar.

My hope is that someone finds this useful; even if it is just one person, it was worth getting it out there. As IT professionals we need to work together to help each other out, share information, and make our lives easier and more secure. This is not the be-all and end-all of security, and yes, I know there are exceptions to removing local administrator access from everyone (developers, for instance), but I’m not going to address those here. This is for the majority of end users that we as IT professionals support on a daily basis.

Let’s take that step today and not wait until tomorrow.
