One of the longstanding debates in corporate security revolves around a fundamental question: should users be granted admin accounts on their own devices? This question delves into the heart of privilege management, and the extent to which users should wield control over their computing environments, be it on Mac or Windows platforms.
Historically, and still to date, both security leaders and regulators often default to restricting local admin rights as a tool for securing an organization. In this article, we argue that allowing local admin rights does not have to compromise security standards, and delivers a better quality user experience. In more modern times, where the lines between personal and work computing are increasingly blurred. We’ll break down how granting local admin rights, in conjunction with the appropriate security controls in place, can offer an alternative yet equally secure solution, that solves the burden of restriction for both the user, and the IT team who has to manage requests.
Local admin rights gives the user privileges within their computing environment, enabling them to perform a variety of critical tasks that are typically restricted to standard users - including: installing software, systems configurations, and account management. However with this, comes the risk that users accidentally, or intentionally, are doing activities that could result in a breach on the organization.
Traditionally, the prevailing belief in cybersecurity has been to withhold local administrative privileges from users. The rationale behind this approach is twofold: first, to mitigate the risk of users inadvertently or intentionally causing security breaches, and second, to maintain a tighter grip on system configurations and changes. In an era where remote monitoring and preemptive security measures were less pervasive, the gatekeeping of admin passwords served as a crucial control mechanism.
Restricting local admin rights is a blunt tool for imposing access controls on an endpoint. Access controls are an important component of modern security protocols, drawing lines between user privileges and system integrity. They are the mechanism to regulate and manage the authorization of users or systems to access resources within a computing environment, with the primary goal to ensure that only authorized users are granted access to resources, and to safeguard against unauthorized access to sensitive information and systems.
Furthermore, regulatory compliance standards often mandate the prohibition of local admin privileges for users, reinforcing the traditional stance. Compliance frameworks, driven by security concerns, have enshrined the restriction of admin rights as a best practice to safeguard sensitive data and ensure regulatory adherence.
However, the landscape of cybersecurity has evolved significantly, and the approach of restricting local admin rights may not be the only mechanisms to protect endpoints and users from threat. There are two main buckets to consider for the argument to reassess restricting local admin rights.
Firstly, the evolution of security tools and programs, means the same level of security can now be achieved through a robust security tools and controls that does not require the complete removal of admin rights for the user. The advent of Mobile Device Management (MDM) coupled with Endpoint Detection and Response (EDR) solutions has revolutionized monitoring and control capabilities. These technologies empower security teams to enforce stringent controls while providing granular insights into device activities, thereby enhancing compliance validation and incident response capabilities. This can both prevent users from high-risk actions (such as turning off firewalls, or disabling password requirements), and can alert a Security team to any high-risk activity to investigate.
Secondly, the employee experience is more important than ever, and organizations are looking to create the best experience for employees to use their devices effectively. Increasingly devices are for both home and work purposes, and IT team are being pushed to create a program that accommodates everything a user wants to use their device for. Both users and IT teams can get frustrated by high volumes of tickets and requests for activities that require admin privileges to execute, an alternative solution is increasingly appealing.
The delineation between personal and work computing has become increasingly blurred, with employees often using shared or personal hardware for professional tasks. This rigid access control as a result of restricted local admin rights, makes it frustrating, if not impossible, to use devices in the flexible way that people are increasingly looking to do.
The emphasis on employee experience in modern workplaces underscores the importance of accommodating user needs without impeding productivity, through a more nuanced approach to securing devices. Security measures should complement, rather than obstruct, workflow efficiency, fostering a culture of security awareness without stifling innovation.
The shift towards distributed security architectures challenges traditional notions of centralized control. Administrators grapple with the impracticality of manually reviewing access requests at scale, often resorting to hasty approvals due to operational constraints, and do not take the time to review requests properly before granting them. With local admin rights granted, as long as the proper endpoint threat detection and response controls are in place, users have the autonomy to execute actions without submitting requests, and Security teams are reassured any malicious behaviors will be flagged and prevented.
Secondly, there has been a notable shift to the browser, rather than the endpoint, being the “operating system” of business computing. Neglecting to monitor and enforce browser settings exposes organizations to significant security risks, necessitating a holistic approach to access management that encompasses both traditional endpoints and web-based applications. Focusing on local admin rights on the OS can result in a false sense of security.
At its core, the debate over local admin rights underscores the need for a thoughtful and intentional approach from security professionals, that takes into account the realities of modern computing and ways of working. Rather than adopting a blanket approach through restricting local admin rights, security professionals should aim to build a security program that creates guardrails to mitigate risk, while empowering users to operate their devices with autonomy and in line with their needs. By leveraging advanced security controls and monitoring capabilities, organizations can strike a balance between user experience and managing security risks.
The discourse surrounding local admin rights epitomizes the evolving nature of cybersecurity governance, requiring a nuanced understanding of risk and user empowerment. By embracing a proactive and articulated approach to access management, organizations can navigate the complexities of modern computing environments while fostering a culture of security resilience and innovation.
Interested in learning more on this topic? Check out our latest article: What cybersecurity tools do you need to build and effective security strategy? and our other articles here.