Sunday, November 28, 2021

Is Protecting Admin Privs on Endpoints Still Relevant?

 

The post-pandemic WFH (Work From Home)  model should force us to reevaluate the effectiveness of our security architectures. The most common reason for wanting administrative privileges on a device is that the local IT support can't install needed software when it's required by the business. I ask my SANS students how long it takes to install a software package for a business unit. The answers range from 1-2 weeks to 6 or more months because of a software review process. 

Admin privileges on endpoints

I want to emphasize that I'm NOT talking about administrative privileges on Active Directory or some other central management (Kaseya, Solarwinds, etc.)  domain accounts. I'm talking about local accounts and accounts on standalone computers. 

Is the "User having (local/standalone) admin privileges on a computer" as bad a security risk as people say it is? I emphasize the term "local/standalone" admin accounts. I think it is not.  Why? 

  

1) in the old days, having admin privileges on a multi-user system was a big deal. If you were in administrator/root mode and your account got owned, the consequence of that breach would impact ALL of the users on that system.  For large multiuser systems, that could be hundreds to thousands of users.  I understand why there was concern about the administrative/root accounts being secure. For servers that provide a service to multiple remote (to the server) users, it makes sense to restrict admin privileges on the server(s).

  

 2) In today's BYOD world, users are admin/root and general users simultaneously. There usually is only user per device. The impact of an admin/root failure is limited to the individual.   Phishing, ransomware attacks are just as damaging regardless of the entity that triggered the attack being a general user or admin level account.  Smartphones, tablets, etc. have merged the admin and general privilege levels into a single account so it makes no sense to "restrict" admin privileges on those devices today. You can't enforce that.  

  

What about high risk data exposure? Such data exposures can happen in either admin/root or general user mode. For most of the hits I've seen over the years, the damage was done regardless of the privilege level of the account involved.

  

It comes down to training. I've said in a previous blog entry that a poorly trained sysadmin is one of the greatest threats to an organization's data and infrastructure. Organizations should require a minimum amount of training for employees who want administrative privileges on a device.