Remove Local Administrator Access Once and For All

November 27, 2018


In a market of complicated detection technologies, we’re always advising businesses to go back to basics with cybersecurity. Remove admin rights, assign privileges on an application basis, and protect user credentials (Privileged Access Management).

Actions like these are part of a set of practices that we call “good cyber hygiene.” Of the many collections of these practices, we like the “Essential Eight” the best. You can access a complete list and lots of supporting details from the Australian Cyber Security Centre.

Having said that, the UK has a good offering in their Cyber Essentials Scheme. And, the National Institute of Standards and Technology Cybersecurity Framework is useful for helping organizations practice “reasonable cybersecurity.”

Two of the most powerful endpoint cyber risk reduction strategies are removing local admin and turning on application whitelisting. Despite the known risks involved with unrestricted privileges, a large proportion of US and UK-based companies still give their employees local administrator access.
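Before removing local admin you need to know who actually holds it. The following PowerShell script is an added example, not part of the original post: it lists the local Administrators group on a Windows 10 / Server 2016+ endpoint, flags every member that is not on an explicit allow list, and only removes those members when run with the -Remove switch. The allow-list entries (CONTOSO groups) are placeholders to be replaced with your own.

```powershell
# Added example (not from the original post). Assumes an elevated session on
# Windows 10 / Server 2016+ where the Microsoft.PowerShell.LocalAccounts module exists.
param(
    [switch]$Remove   # default is report-only; pass -Remove to actually strip members
)

# Principals that are expected to hold local admin (placeholder values for this example).
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, ideally with a LAPS-managed password
    'CONTOSO\Domain Admins',             # placeholder: domain admin group
    'CONTOSO\Workstation-Admins'         # placeholder: tiered desktop support group
)

# Enumerate the current membership and keep anything not on the allow list.
$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object { $Allowed -notcontains $_.Name }

foreach ($m in $unexpected) {
    # Domain user accounts here are usually the "employees have local admin" case.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Class    = $m.ObjectClass      # User or Group
        Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        Action   = if ($Remove) { 'Removed' } else { 'Reported' }
    }
    if ($Remove) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -ErrorAction Stop
    }
}
```

Run it in report-only mode across a pilot group first and feed the output into your ticketing or SIEM, so the spike in support calls the post describes can be anticipated per application rather than discovered after the fact.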

In a world where least privilege is easier than ever to achieve, here’s why these problems persist:

In terms of Windows desktops, many people assume that removing local admin will result in a tsunami of support calls that will continue without end. These same people also assume that it’s only possible to remove local admin at great cost and will lead to a “user revolt.” We can see why they believe this, but it’s not inevitable.

About ten years ago, when Kip was CISO at an insurance company, they were able to completely remove local admin during the conversion to Windows 7. Many of our other customers today have done it, too. And, while there was a spike in support calls in the weeks following the conversion, the overall support call volume went down. Current customers report that same pattern.

The other major benefit of removing local admin is the greatly reduced risk of malicious code infection because most malware assumes the target computer is being operated by someone with local admin. When it isn’t, the malware can’t fully execute. And, when you include application whitelisting on the desktop, malware of all kinds is almost completely neutralized.
