Denys Rudyi - Fotolia

Manage Learn to apply best practices and optimize your operations.

Why you should remove local administrator rights once and for all

Some companies shy away from removing local admin rights just to make users happy, but taking back users' admin privileges can prevent many problems and improve security.

Removing local administrator rights is a surefire way to improve Windows security, but the politics involved in revoking users' control over their desktops stops many administrators from taking advantage of the approach.

When users have local admin rights, they have the power to do almost anything they want to their workstations. They can download any application, use any program, and even ignore or undo anything IT administrators do to their devices. Many users -- especially the higher-ups -- don't want to feel handcuffed or slighted because they don't have complete control, so admins let users be the masters of their own devices.

But in many cases, the decision about whether to allow local administrator rights or not is based on emotion rather than facts, and admins cannot let such feelings determine how they manage security.

Why restrict local administrator rights?

Local admin rights give the user too much power. Endpoints are where many of the greatest risks to enterprise security lie, and giving users control over those endpoints only opens networks to more risk.

Malware is around every corner. Regular Web browsing and email phishing put Windows workstations at constant risk. If users have local admin rights, the risk is even greater because they can veto IT's security measures. A simple authenticated vulnerability scan can reveal just how many patches (both Microsoft and third-party) are missing from enterprise desktops where users have admin rights. The scan can also show the numerous configuration vulnerabilities that can put the Windows OS at risk.

Shops that don't give users local admin rights on their workstations have much better security than those that do. It may be somewhat painful at first to take admin rights away from users, but once IT administrators have worked through the issues and users get over the shock, workstations are far less vulnerable, and user-related mishaps and security breaches happen less frequently.

There are business reasons to argue for giving users local administrator rights on their workstations. Compatibility, lack of IT resources for troubleshooting issues, politics and bureaucracy all come to mind. But none of those reasons outweigh the security benefits shops can reap from removing local admin rights.

It's important for companies to do what's right for their business and weigh the associated risks. If IT shops plan well in advance and get the right people on staff, they can restrict local administrator rights without unfavorable consequences. It's possible to revoke local admin rights from just a portion of the user population, or put limits on users who work in higher-risk departments, such as customer service and sales. Rolling out those restrictions with system upgrades makes the transition easier for some users to swallow.

Regardless, IT administrators should not let rampant local administrator rights put their organization at risk, and they cannot give users all the power and then wonder why they still face Windows security issues in the enterprise.

Next Steps

Local admin rights and app management

How iPads can replace local admin rights

Who should have local admin rights?

Dig Deeper on Unified endpoint management

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What do you think is the biggest risk when users have unrestricted admin rights?
If I kept my house unlocked, friends and neighbors could stop by to help themselves to whatever they needed whenever they liked.... Even rearrange the furniture if they wanted. That would save everyone a whole lot of time.

Not a very good idea with the potential of huge added costs. A bit of security is well worth the effort.
Your analogy is nonsense. There is no parallel between admin rights and a permanently unlocked door. What you're really doing is locking the door and taking the key away from the user so that they need to call you each time they want to lock or unlock the door. This is nothing more than a means to justify your existence.

A much better analogy would be that you have a fleet of trucks being driven without a steering wheel. It would be really dangerous for a driver to turn the wrong way, so you better take away the ability to steer.
Privileged access abuse is less like leaving your door unlocked and more like not putting a in a door period. Who comes and goes in is anyone's guess and when you come home to find someone left the sink on and it flooded your basement, no one seems to know who was responsible. There are no fingerprints to find on the doorknob because you never installed the door!  
Maybe you could put limited restrictions on access while showing who wanted it, then you could determine whether or not to give more or less access.

Coirby3 , that sounds reasonable but like most jobs, everyone has responsibilities that should be defined as part of their job description. Knowing this, IT departments using best practices will use what is called "least privileged" model for controlling access to sensitive information. Meaning, unless your job requires access to it, you don't get any access to it. This removes the ambiguity of determining what's an appropriate level of access in each individual instance and puts that responsibility on management , to determine what people need access to in order to fulfill their job duties. Nothing more, nothing less.  
Providing Admin rights gives user full access to system, users can remove system from domain and tune the way he wants.
Monitoring such systems is important process in ensuring endpoint security compliance.
Does any one know how can we fetch all local admin accounts of systems in domain?

IT employees have local admin rights in my organization. I can see the argument for taking them away, but I can say that it would be at the severe detriment to our productivity. 

From the article:

"If IT shops plan well in advance and get the right people on staff... "

Yeah, I just can't imagine that happening with the current state of our IT department.
Admin rights are required to do a lot of jobs related to Software Engineering and R&D. IT departments want to restrict rights out of ignorance, laziness, incompetence and irrational fear.  This results in billions of lost revenue and an immeasurable loss of innovation. It's sad and frustrating that the IT industry has been overrun by ignorant people.