07/25/2024 | News release | Distributed by Public on 07/25/2024 11:16
Local administrator rights provide users with unrestricted access to their machines, enabling them to install applications, modify system settings and perform other administrative tasks. While this level of freedom can enhance productivity and flexibility, it also poses significant threats to security, compliance and business continuity. Accordingly, best practices recommend strictly limiting local admin rights.
However, if IT teams abruptly remove local admin rights without another way of enabling users to perform necessary privileged tasks, they will almost certainly disrupt critical workflows and frustrate users across the organization. Fortunately, with the right tools and the 4-step strategy provided below, you can safely remove risky local admin rights without hurting user productivity.
Granting local admin rights to business users puts the organization at multiple types of risk, including the following:
Removing local admin rights from users is a highly effective way to mitigate all of these risks, resulting in:
Transitioning away from granting local admin rights to users requires careful planning and communication to reduce the impact on business workflows. The key steps to take are detailed below.
To make the process easier and more accurate, consider investing in a tool like Netwrix PolicyPak. Specifically, you can use PolicyPak Least Privilege Manager to remove local admin rights and elevate applications only as needed, as explained in this video.
Begin by identifying applications and workflows that require admin privileges. To ensure that users can do their jobs once their local admin rights have been removed, establish a process that can elevate rights for those specific actions.
Netwrix PolicyPak simplifies the process of both discovering the privileged actions that users need to perform and creating the rules you need to enable those actions without local admin rights. To learn more, see this knowledgebase article.
Next, educate employees about the risks of local admin rights so they understand the reasons for the upcoming changes. In addition, show them how they will complete tasks that require elevated rights under the new model.
For example, with the Admin Approval policy in Netwrix PolicyPak, you can replace the UAC prompt with a request code to send to the appropriate approvers, such as the help desk or security team. This demo illustrates the policy in a way that's valuable for both IT teams and business users.
Implement the new process for granting elevated rights in phases, starting with less critical teams. This approach will help you uncover and address any issues before proceeding to company-wide deployment.
To further reduce disruption, consider using Self-Elevate mode in Netwrix PolicyPak. It enables selected users to elevate processes at will by providing a justification, which is logged in the event. Of course, this flexibility increases risk, so use this mode with due caution. To learn more, watch this video.
Establish support channels for users who encounter roadblocks once their local admin privileges have been removed. Collect feedback to fine-tune your policies and procedures. If you need help, visit the Netwrix PolicyPak Least Privilege Manager Support Center.
While users love having local admin rights on their company machines, the risks to security, compliance and operational stability are too serious to ignore. Fortunately, Netwrix PolicyPak enables you to replace local admin rights with simple and effective policies that enable users to get the elevated rights they actually need when they need them. By following the 4-step process outlined here, your organization can create a more secure and resilient IT infrastructure without hurting business user productivity.