![]() People say, “If I don’t have admin rights, I can’t fix it.” The reality? If you don’t have admin rights, you can’t break it. In my projects, ranging in size from 1 endpoint to 550,000 endpoints, we lower the amount of service desk tickets by 75% on average. By removing your admin rights, you prevent yourself from writing as much to your disk, which means that your SSD will live longer and remain faster.īeyond these personal reasons to avoid being an admin, the biggest reason for companies is that it’s so much cheaper. Before 2002 I used to be a person who said, “You should just reinstall Windows every 6-12 months, as Windows works better when you “format c:” occasionally.” Now, I haven’t reinstalled since removing my own admin rights. I also like my computer to be fast and performant. I personally would never go back to using admin rights because my computers work so much better. Removing admin rights allows your computer to run faster, for longer, with less interruption to your work. Computers don’t need to be repaired when the principle of least privilege is applied. First, principle of least privilege in my customers’ environments has lowered reinstallations of Windows by 65%. Let’s talk about why you should not want to be admin, not just why we say you can’t be one. So far all these reasons have been security related and “boring” for some readers. Removing admin-rights from end users gives you the ability to control your environment by blocking users from deciding what you need to protect. Unfortunately, you say goodbye to “up-to-date” the day the user gets admin rights. The Center for Internet Security (CIS) states that the two most important security controls today are “up-to-date hardware inventory” and “up-to-date software inventory.” You simply can’t protect if you don’t know what to protect. Even more, it can mitigate close to all vulnerabilities related to the browsers and email clients, which remain the most common entry points for malware. Removing admin rights can mitigate around 80% of these vulnerabilities without a single patch installed. There are more than 100 security patches per month on average, with at least a few zero-day vulnerabilities to mitigate with them. Learn About Pricing Zero Day Vulnerabilities Make Admin Rights Dangerous In other operating systems, using the principle of least privilege has been more common, but in Windows people still believe that working with the computer is not possible without admin rights. There is no way to secure an endpoint without removing admin rights. If your company tries to make sure your computer uses up-to-date security settings by using Group Policies or Microsoft Endpoint Manager MDM-policies, you can easily delete them with admin rights. ![]() For instance, if you turn on AppLocker for Allow-Listing (the most recommended security feature by Gartner for many years), anyone with admin-rights can easily bypass it by simply switching off a service. ![]() If you try to secure a Windows endpoint without removing admin rights, you are fighting against windmills. False Security when Admin Rights are Abundant This principle is more concisely known as “ getting rid of end users’ admin rights.” There are many reasons to prioritize the principle of least privilege implementation, but the most vital is security. Has applied the principle of least privilege in environments for over 20 years.įor the past 20 years I’ve worked to solve one of the longest-lasting problems within companies when it comes to security- applying the principle of least privilege. By Sami Laiho, Chief Research Officer at Truesec and Microsoft MVP in Windows and Devices for IT.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |