There are a number of users in the business who are required to perform administrative tasks on machines, not least the IT Service Desk, also Devs etc.

The only requirement for administrative access within our estate would be to install or update software; with most software deployed centrally through SCCM. As such, any requirement would be an IT service desk agent or field technician making ad-hoc changes to a machine, or possibly a developer. There are no requirements for standard users to be local machine administrators.

In the process of creating a reasonable POLP (Principle of Least Privilege) policy, we determined that all users should have standard desktop user accounts, and secondary administrative accounts; with the intention being that any requirement to make local changes will be challenged with a UAC, requiring different credentials.

Not only will this stop any malicious processes running in their environment from executing using their account privileges, it also acts as a 'psychological fireguard' to ensure they are being made aware they are making local changes. Additionally, should their standard account be compromised (they have emails, for example), the compromised accounts are not Administrative.

Now, the above seemed logical to me at first glance, but a colleague has since challenged the proposal.

I respect the colleague immensely and he has many, many years of experience in IT; but his challenge was that his standard account has local administrative privileges on his own machine, and that with UAC turned on this should be sufficiently protected.

Is he right?

Some of the users would need their ADM accounts linked to a group that populates local administrators to all machines on the domain; putting their standard accounts into that membership seems like a huge risk to me, but is simply enabling UAC prompts sufficient?

  • "Sufficiently protected" against *what*? You state a number of things that your scheme will protect against, but this colleague appears to dismiss those threats entirely. Are you asking if his scheme will protect against the threats that you outlined, or are you asking if he is right to dismiss those threats? – schroeder Sep 13 '18 at 09:51
  • The former; does a standard account with UAC enabled provide the same level of protection as a separate ADM account? If not, why not? – John Smith Optional Sep 13 '18 at 09:56
  • It is a good idea because in my experience IT dept is utterly stupid at times (actually most of the time) and without normal users being able to perform admin tasks to fix the issues caused by IT, this means that possibly some 10,000 employees will hand in their laptop ("it worked fine this morning???") to have it fixed, and can't work during that time as they can't access the services they need to do their work. Because, yeah, you guessed it, someone particularly smart changed all certificates without urgent need, and didn't tell anyone, nor schedule an automatic update ahead of time. – Damon Sep 13 '18 at 10:33
  • @Damon you're only taking into account one element of the security/functionality/cost in your comment and completely ignoring the other two. You're also only speaking from your own point of view, ignoring the fact that the OP is definitely NOT in the same environment as you – Stephane Sep 13 '18 at 11:59
  • Without knowing why the user wants local admin, it's impossible to determine if the need justifies the added access level. – Steve Sether Sep 13 '18 at 13:36
  • @SteveSether, 'These tasks are usually ad-hoc software installation.', and it is *users* (plural). These are service desk users, so typical software installation and troubleshooting. – John Smith Optional Sep 13 '18 at 13:57
  • What I'm not understanding is why the secondary administrative account isn't sufficient, and why the normal login account needs admin access. – Steve Sether Sep 13 '18 at 15:15
  • @SteveSether, Me either! That's why I'm asking the question... what are the pros/cons of each, if any? Standard account as local admin with UAC, or secondary account with ADM privileges. – John Smith Optional Sep 14 '18 at 06:47
  • The pros are that admin access is always available without further logging in/out or using UAC. The cons are the access is always available, without further logging in/out or using UAC. That's why I think it's important to ask the user why they need this increased access on the standard account. – Steve Sether Sep 16 '18 at 16:58
  • @SteveSether I've updated the question, hope this clarifies a little! – John Smith Optional Sep 16 '18 at 17:16

1 Answer

In the context of your question, there is no real "right or wrong" answer because we don't really know what your security requirements are.

First, you should take into account the fact that UAC is by no means the same thing as not having admin privilege. I suggest you read this answer: it contains pretty much all the details you need to know about what UAC is and, more importantly, what it isn't, but the most crucial point is that UAC is only a protection against "low-hanging fruit" types of attacks.

That doesn't mean your colleague is wrong either: it might be that, for the set of tasks your users routinely have to perform and for the kind of threat environment you're working in, UAC might be deemed good enough.

Stephane
  • Many thanks for the answer! As stated in the question, but repeated here for clarity; the only real access they should need is ad-hoc software installation, but obviously this would overlap with drive-by malware (hence the concern). I'm also factoring elements of control and management; are there any considerations to this? – John Smith Optional Sep 13 '18 at 12:20
  • @JohnSmithOptional Honestly, I hesitate to give you an opinion on this: we do not have your business-related motivation for letting users install ad-hoc software themselves, so it's hard to judge. In a perfect world, no: there should be no reason for regular users to have admin, but we don't live in a perfect world: some software will require the same level of access to run as it had when installed, for instance, or it will fail, and you might be using such software. – Stephane Sep 13 '18 at 12:25
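
To see which of the two models from the question a given machine is actually running, the following audit lists the local administrators and the UAC prompt policy side by side. It is an added example, not part of the original question or answer; the `adm-` naming convention for secondary accounts is a hypothetical assumption.

```powershell
# Added example: audit one Windows machine against the "standard account plus
# separate ADM account" model discussed in the question.
# ASSUMPTION: admin accounts follow a hypothetical "adm-<name>" naming convention.
$AdmPattern       = '^adm-'          # hypothetical convention; adjust to your estate
$BuiltinAdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Enumerate local administrators by SID (the group name is localized on
#    non-English builds, the SID is not).
$members = foreach ($m in Get-LocalGroupMember -SID $BuiltinAdminsSid) {
    $leaf = ($m.Name -split '\\')[-1]            # strip DOMAIN\ or MACHINE\ prefix
    if ($m.ObjectClass -eq 'Group') {
        $verdict = 'Review nested group membership'
    } elseif ($m.SID.Value -match '-500$') {     # RID 500 = built-in Administrator
        $verdict = 'Built-in Administrator'
    } elseif ($leaf -match $AdmPattern) {
        $verdict = 'OK: dedicated admin account'
    } else {
        $verdict = 'FLAG: day-to-day account is local admin'
    }
    [pscustomobject]@{ Member = $m.Name; Class = $m.ObjectClass; Verdict = $verdict }
}

# 2. Read the UAC policy values that decide what an elevation prompt asks for.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$adminPrompt = @{
    '0' = 'Elevate without prompting'
    '1' = 'Credentials on secure desktop'
    '2' = 'Consent on secure desktop'
    '3' = 'Credentials'
    '4' = 'Consent'
    '5' = 'Consent for non-Windows binaries'
}
$userPrompt = @{
    '0' = 'Automatically deny elevation'
    '1' = 'Credentials on secure desktop'
    '3' = 'Credentials'
}
$policy = [pscustomobject]@{
    UacEnabled         = ($uac.EnableLUA -eq 1)
    AdminPrompt        = $adminPrompt[[string]$uac.ConsentPromptBehaviorAdmin]
    StandardUserPrompt = $userPrompt[[string]$uac.ConsentPromptBehaviorUser]
    SecureDesktop      = ($uac.PromptOnSecureDesktop -eq 1)
}

$members | Format-Table -AutoSize
$policy  | Format-List
```

A `FLAG` row combined with a `Consent` admin prompt is the colleague's setup: elevation needs only a click from the logged-on session, not a second set of credentials.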