By Ali Sawyer   /   Jun 12th, 2015

Should Employees Be Granted Local Administrator Privileges?

Fewer privileges, less risk

Most system administrators and security experts approach local administrator privileges for employees like they approach malware infections: avoid whenever possible.

Local administrator access gives users absolute power over their own computers. They can download software (including malware) freely, delete critical system files, and reformat the hard drive. In other words, users with local administrator access can destroy their computers, or expose their organizations to a data breach due to a malware infection.

To make matters worse, if a user with local administrator rights installs malware that gives an attacker remote access to the computer, such as a backdoor Trojan, the attacker inherits an account with local administrator privileges. That makes it far easier for the attacker to cause maximum damage. For example, the attacker could install a keystroke logger, a piece of software that records every key the user presses and sends it back to the attacker, and use it to steal passwords to other accounts.

Installing software is a big responsibility, which is why most system administrators and security experts prefer to limit this privilege. Attackers intentionally disguise malware as fun, “free” programs (games, emojis) or useful programs (antivirus software, browser add-ons) that users would want to download. A malware strain called Conduit is often bundled with free downloads so that users remain unaware that they have downloaded it. Conduit infects users’ browsers, stealing their personal information and making it impossible to alter their browser settings (so that the attacker retains maximum control over the browser). Organizations can make a significant cybersecurity improvement simply by requiring another pair of eyes (an administrator’s) to assess a piece of software before a user downloads it.

Users often have concerns about losing local administrator privileges if they’ve grown accustomed to them. These concerns can be minimized by making sure the appropriate people are on hand to help users when an administrator account is needed.

One significant user concern is: “I need to be able to download software to do my job.” To address this concern, either make sure an IT helpdesk is always available to assist people during business hours, or make sure enough people have administrator access that one of them will be in the office at all times. Then, if users feel they need to download a piece of software, someone will be on hand to approve the download and enter their administrator credentials, or give other guidance as necessary. You can also minimize this concern ahead of time by making sure all workstations are equipped with the necessary software and plugins.

Restricting local administrative access isn’t just smart; it’s also deemed a cybersecurity best practice by the SANS Institute’s 20 Critical Security Controls for Effective Cyber Defense. The implementation guidelines for Control 3 include: “Limit administrative privileges to very few users who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system. This will help prevent installation of unauthorized software and other abuses of administrator privileges.”
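One way to verify that Control 3 actually holds on a workstation, added here as an example and not part of the original post: a PowerShell script that lists every member of the local Administrators group and flags any account that is not on an approved list. The group names in the approved list are placeholders, and the script assumes Windows PowerShell 5.1 or later, where `Get-LocalGroupMember` is available.

```powershell
# Added audit example (not from the original post). Enumerates the local
# Administrators group on this machine and reports any member that is not on
# the approved list below. The approved entries are constructed placeholders;
# replace them with the accounts your organization actually sanctions.
$approved = @(
    'CORP\Domain Admins',               # placeholder: domain admin group
    'CORP\Workstation-Admins',          # placeholder: IT helpdesk group
    "$env:COMPUTERNAME\Administrator"   # built-in local administrator account
)

# Get-LocalGroupMember comes from the Microsoft.PowerShell.LocalAccounts
# module shipped with Windows PowerShell 5.1 and later.
$members = Get-LocalGroupMember -Group 'Administrators'

# PowerShell string comparison is case-insensitive by default, so
# 'corp\domain admins' and 'CORP\Domain Admins' match.
$unexpected = foreach ($m in $members) {
    if ($approved -notcontains $m.Name) {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Account     = $m.Name
            ObjectClass = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        }
    }
}

if ($unexpected) {
    Write-Warning 'Accounts with local administrator rights that are not on the approved list:'
    $unexpected | Format-Table -AutoSize
    # Non-zero exit code so a scheduled task or configuration-management
    # run can mark this host as out of policy.
    exit 1
}
else {
    Write-Output 'Local Administrators group matches the approved list.'
    exit 0
}
```

Run it on a schedule across workstations and collect the non-zero exits; every account it reports is a user who can install software without the second pair of eyes the post recommends.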

Ultimately, granting employees regular, non-administrative accounts is a small convenience tradeoff for a significant cybersecurity benefit.

If you have a cybersecurity or digital forensics question, ask us at [email protected] for the chance to have it answered on our blog.
