Question: Last week, you pointed out that not using local admin accounts for routine computing tasks (e.g., web browsing and emails) was a powerful cyber hygiene practice. I’ve heard that’s an impossible change to implement across any size organization. Do you agree?
Answer: Nope! It is challenging because you need to make both technical and cultural changes. But it’s not at all impossible.
The major cybersecurity benefit of removing local admin is the greatly reduced risk of malicious code infection: most malware assumes the target computer is being operated by someone with local admin rights, and when it isn’t, the malware can’t fully execute. When you add application whitelisting on the desktop, malware of all kinds is almost completely neutralized.
In terms of Windows desktops, many people assume that removing local admin will result in a tsunami of support calls that never ends. The same people also assume that removing local admin is only possible at great cost and will lead to a “user revolt.” I can see why they believe this. But, again, it’s not inevitable.
About ten years ago, at the insurance company where I was CISO, we were able to completely remove local admin during our conversion to Windows 7. Many of our customers today have done it, too. And, while there was a spike in support calls in the weeks following the conversion, the overall support call volume went down. Our current customers report that same pattern.
There are two key items to watch when planning for removing local admin accounts from daily use:
- If you get the support of your company’s management team, they will make sure the users do their best to adopt the change. Start by making your case to the executives. I suggest you focus on the long-term decrease in desktop incidents of all kinds as the primary benefit.
- Focus on application compatibility by adjusting the permissions in the file system and in the registry. Sometimes you’ll need to redirect the location in which the application stores its data so that you don’t loosen permissions in sensitive areas of the file system and registry. Otherwise, you’ll be creating other vulnerabilities.
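As an added illustration of that second item (example code written for this page, not from the column’s author), the script below grants standard users a narrow Modify right on one application’s own data folder and registry key instead of loosening Program Files, then audits the sensitive roots for any Allow entries that still give Users, Everyone or Authenticated Users write access. The vendor and application names are hypothetical placeholders; run it from an elevated PowerShell session.

```powershell
# Added example, not from the original column. Paths and key names are hypothetical.
$AppDataDir = 'C:\ProgramData\ExampleVendor\ExampleApp'   # redirected data location
$AppRegKey  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'    # app's own settings key

# 1. Narrow grant on the file system: Modify (not Full Control), scoped to this folder tree.
New-Item -ItemType Directory -Path $AppDataDir -Force | Out-Null
$dirAcl  = Get-Acl -Path $AppDataDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $AppDataDir -AclObject $dirAcl

# 2. Narrow grant in the registry: let users read and write values under the app's key only.
if (-not (Test-Path $AppRegKey)) { New-Item -Path $AppRegKey -Force | Out-Null }
$regAcl  = Get-Acl -Path $AppRegKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Users', 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $AppRegKey -AclObject $regAcl

# 3. Audit: report directories under sensitive roots where broad groups can write.
function Find-LooseFileAces {
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32"))
    $write = [System.Security.AccessControl.FileSystemRights]::Write   # Modify/FullControl include these bits
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                # Note: ACEs expressed with generic rights show as numeric values and are not matched here.
                if ($ace.AccessControlType -eq 'Allow' -and
                    $ace.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
                    (($ace.FileSystemRights -band $write) -ne 0)) {
                    [pscustomobject]@{ Path = $_.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                }
            }
        }
    }
}

Find-LooseFileAces | Format-Table -AutoSize
```

Any row the audit prints is a location where an earlier compatibility fix loosened permissions too far; the intended pattern is that only the redirected application folder carries the Users Modify entry.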