
Controlling the Captains of Your Desktops: Avoid Permanent Local Admin Rights

Learn why removing permanent administrator rights is important for security and how to manage admin rights effectively. Explore methods, tools, and other layers of endpoint protection. Get buy-in, remove existing rights, and handle operations and exceptions. Discover gaps and future opportunities.


Presentation Transcript


  1. Controlling the Captains of Your Desktops: Avoid Permanent Local Admin Rights

  2. Presenters Patrick Rohe Associate Director, IAM Senior Enterprise Architect Richard McIver Systems Engineer Reid Guanti Manager, Application Engineering

  3. Founded in 1865 • 329-acre suburban campus, eight miles north of Baltimore • The 2nd largest university in the University System of Maryland

  4. By The Numbers • 22,705 Students • 3,533 Faculty and Staff

  5. Agenda • Why remove permanent administrator rights? • Methods and tools to manage admin rights • Other layers of endpoint protection • Getting buy-in and removing existing rights • Operations and exceptions • Gaps and future opportunities

  6. Technical Background • Mix of Windows/Mac and desktops/laptops • Active Directory and SCCM (as well as JAMF for Mac) • Permanent admin rights removal effort focused on Windows computers used by faculty/staff (not in labs) • Differentiate terminology: • administrator rights / admin rights (member of Administrators group) • local Administrator account

  7. Poll Information Visit: https://PollEv.com/educause401 OR text EDUCAUSE401 to 22333 to join the session, then text your response number.

  8. https://PollEv.com/educause401 OR text EDUCAUSE401 to 22333 Poll #1 Do you allow permanent admin rights on your Windows workstations? A. Yes, everyone is an admin B. It depends. We allow it in certain situations. C. No way! Results

  9. Why remove permanent admin rights? • “…of the 235 Critical vulnerabilities reported (by Microsoft) in 2017, 80% would be mitigated by removing local admin rights from users.” Source: https://www.avecto.com/resources/reports/microsoft-vulnerabilities-report-2017 • Prevent malware infections • Prevent confidential data leakage • Supportability & Reliability 

  10. Why might someone need temporary admin rights? • Installing business-critical software or device drivers (when not available through other IT tools and services) • Troubleshooting and Support (IT Staff) 

  11. Methods and Tools Three-pronged approach

  12. Methods and Tools: SCCM • Hardware + Software Inventory • Proactive software deployment/patching • Leverage Software Center

  13. Methods and Tools: SCCM (Cont.) Remove unauthorized admin rights: “No Admin” • Approved admins text file • Script to remove unauthorized admins • SCCM package to execute the script periodically

  14. Methods and Tools: SCCM (Cont.)

  15. Methods and Tools: SCCM (Cont.) Sample Approved List – “approved.txt”
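The "No Admin" enforcement described on slides 13 to 15, as an added example rather than the presenters' own script. It reads an approved list, walks the local Administrators group, and removes every member that is neither on the list nor protected. Assumptions (not from the slides): Windows PowerShell 5.1 (for Get-/Remove-LocalGroupMember and Write-EventLog), approved.txt shipped in the same SCCM package folder, the event source name NoAdmin, and the CAMPUS\ group names in the constructed sample list.

```powershell
# Added example, not the presenters' "No Admin" script. Enforces an approved
# local-admin list on the machine it runs on. Assumptions: Windows PowerShell
# 5.1 (Get-/Remove-LocalGroupMember, Write-EventLog), approved.txt shipped in
# the same SCCM package folder, and the event source name 'NoAdmin'.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ApprovedList = (Join-Path $PSScriptRoot 'approved.txt'),
    [string]$LogSource    = 'NoAdmin'
)

# approved.txt: one principal per line, written the way Get-LocalGroupMember
# reports it (DOMAIN\name, or COMPUTERNAME\name for local accounts); blank
# lines and '#' comments are ignored. Constructed sample (group names invented):
#   # central desktop support
#   CAMPUS\Desktop-Support
#   # departmental IT, authorized for their OU
#   CAMPUS\Bio-IT-Admins
$approved = @(Get-Content -Path $ApprovedList -ErrorAction Stop |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') })

# Never removed, whatever the list says: the built-in Administrator (RID 500,
# whose password LAPS manages) and Domain Admins (RID 512). Matching on RID
# rather than name survives a renamed Administrator account.
$protectedRids = @(500, 512)

if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName 'Application' -Source $LogSource
}

foreach ($m in @(Get-LocalGroupMember -Group 'Administrators')) {
    # $m.Name is DOMAIN\name (or the bare SID for an orphaned, deleted account)
    $rid = [int](($m.SID.Value -split '-')[-1])
    if ($protectedRids -contains $rid) { continue }
    if ($approved -contains $m.Name)   { continue }   # string -contains is case-insensitive

    # With -WhatIf nothing is removed and each offender is reported: that is
    # the periodic audit mode.
    if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from Administrators')) {
        try {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Stop
            Write-EventLog -LogName 'Application' -Source $LogSource -EventId 1001 -EntryType Warning `
                -Message "Removed unauthorized Administrators member $($m.Name) ($($m.SID.Value))"
        } catch {
            Write-EventLog -LogName 'Application' -Source $LogSource -EventId 1002 -EntryType Error `
                -Message "Failed to remove $($m.Name): $_"
        }
    }
}
```

Deployed as an SCCM package program (for example `powershell.exe -ExecutionPolicy Bypass -File NoAdmin.ps1`, run with administrative rights on a recurring schedule), the script is idempotent: a clean machine produces no events, so the Application log doubles as the audit trail for slide 32. Run it once with `-WhatIf` before enforcing to see what the current list would strip. Two caveats: on some builds Get-LocalGroupMember throws when the group contains orphaned SIDs of deleted accounts, in which case `net localgroup Administrators` is the fallback; and a member that keeps coming back after removal is being re-added by something else, typically a GPO (Restricted Groups or Group Policy Preferences) or a TCAR grant, which is exactly what the audit should surface.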

  16. https://PollEv.com/educause401 OR text EDUCAUSE401 to 22333 Poll #2 What is your experience with LAPS? A. Never heard of it. B. Heard of it, not planning to use it. C. Heard of it, and plan to use it. D. Currently use it. Results

  17. Methods and Tools: LAPS Local Administrator Password Solution • Developed and supported by Microsoft (Free) • Centralized storage of randomly generated passwords in AD • Able to restrict who can see the passwords • Easily implemented with minimal footprint

  18. Methods and Tools: LAPS (Cont.) [Diagram: normal operations, successful access, locked out]

  19. Methods and Tools: LAPS (Cont.)

  20. Methods and Tools: LAPS (Cont.)

  21. Methods and Tools: LAPS (Cont.) • LAPS Web App • Custom built • Responsive • (mobile-friendly)

  22. Methods and Tools: LAPS (Cont.) LAPS Requirements • AD Schema Extension • Client Side Extension via MSI to managed PCs • Group Policy Configuration
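The three LAPS requirements on slide 22 (schema extension, client side extension, Group Policy), plus the "restrict who can see the passwords" point from slide 17, worked through as an added example; this is not the presenters' deployment. It uses the cmdlets of the legacy Microsoft LAPS management module (AdmPwd.PS). The OU distinguished name, the two AD group names, the MSI path and the computer name are assumptions.

```powershell
# Added example, not the presenters' deployment. Legacy Microsoft LAPS rollout
# from a management host with the LAPS management tools (AdmPwd.PS) installed.
# Assumed/hypothetical names: the OU DN, the two AD groups, the computer name.
Import-Module AdmPwd.PS

$ou = 'OU=Staff Workstations,DC=example,DC=edu'

# 1. Schema extension: once per forest, run as a Schema Admin. Adds the
#    ms-Mcs-AdmPwd (confidential) and ms-Mcs-AdmPwdExpirationTime attributes
#    to the computer class.
Update-AdmPwdADSchema

# 2. Computers in the OU may write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Read/reset rights: grant to groups, not individuals, so "who can see the
#    passwords" is answered by group membership. Domain Admins can read anyway.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'LAPS-Password-Readers'
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'LAPS-Password-Resetters'

# 4. Audit: principals holding "All extended rights" on the OU can read the
#    confidential attribute without being in the readers group. Delegated
#    departmental IT groups often have this from earlier OU delegation.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 5. Client Side Extension: the same LAPS.x64.msi, installed silently by SCCM
#    on the managed PCs (package path is an assumption):
#    msiexec.exe /i LAPS.x64.msi /quiet

# 6. Group Policy: Computer Configuration > Policies > Administrative Templates
#    > LAPS. The CSE reads these values from
#    HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd. Written directly here
#    only for a single test machine; in production set them in the GPO so they
#    are enforced and re-applied on every refresh.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name AdmPwdEnabled                  -Value 1  -Type DWord
Set-ItemProperty -Path $pol -Name PasswordComplexity             -Value 4  -Type DWord   # upper, lower, digits, specials
Set-ItemProperty -Path $pol -Name PasswordLength                 -Value 20 -Type DWord
Set-ItemProperty -Path $pol -Name PasswordAgeDays                -Value 30 -Type DWord
Set-ItemProperty -Path $pol -Name PwdExpirationProtectionEnabled -Value 1  -Type DWord   # expiry cannot exceed policy
gpupdate /target:computer /force

# 7. Helpdesk workflow: read the current password, then force rotation so a
#    password that was spoken aloud or pasted into a ticket does not stay valid.
$pc = 'WS-LIB-042'
Get-AdmPwdPassword -ComputerName $pc |
    Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName $pc   # sets expiry to now; the CSE rotates at the next GP refresh
```

Step 4 is the check most rollouts skip: the password is stored in clear text in ms-Mcs-AdmPwd and is protected only by the confidential-attribute flag, so anyone with "All extended rights" on the OU (a common leftover of OU delegation) reads it regardless of the readers group. Step 7 is why a LAPS web app, like the custom one on slide 21, should log every retrieval and offer a reset button.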

  23. Methods and Tools: TCAR Temporary Computer Admin Rights (TCAR) • Windows faculty/staff workstations only • Home-grown automation written in .NET • Web application – self-service request/revocation • Web service and database – tracks requests, connects to PCs • Revocation script – restores previous Administrators group membership • Additional internal IT tools for managing requests and logs

  24. Methods and Tools: TCAR (Cont.)

  25. Methods and Tools: TCAR (Cont.) Benefits: • Successfully used for most scenarios where faculty/staff need admin rights • Easy to use, and training materials are available • Self-service and available at any time • Can offer OU-level authorizations for departmental IT support staff

  26. Methods and Tools: TCAR (Cont.) Disadvantages: • May require that the user log out and back in, or use secondary logon (“run as”), because a logon token's group list is fixed when the token is built • Can’t be used for computers off network or not joined to the AD domain • Not for labs, and not for Macs
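The grant-and-revoke design behind TCAR (slides 23 to 26), in particular the revocation script that "restores previous Administrators group membership", as an added PowerShell example. TCAR itself is .NET and campus-internal; this is not its source. Assumptions: the functions run elevated on the target PC (for example invoked over WinRM by the web service), Windows PowerShell 5.1, and the snapshot folder C:\ProgramData\TCAR is hypothetical.

```powershell
# Added example, not TCAR's source (which is .NET and campus-internal). A
# PowerShell sketch of the grant/revoke pair the TCAR service runs on a PC.
# Assumptions: runs elevated on the target (e.g. via Invoke-Command from the
# service), Windows PowerShell 5.1; the snapshot folder is hypothetical.
$SnapshotDir = 'C:\ProgramData\TCAR'

function Save-AdminSnapshot {
    param([Parameter(Mandatory)][string]$RequestId)
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    # Record SIDs, not names: names change on rename and are stale for deleted accounts.
    $sids = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value })
    ConvertTo-Json -InputObject $sids | Set-Content -Path (Join-Path $SnapshotDir "$RequestId.json")
    return $sids
}

function Grant-TemporaryAdmin {
    param(
        # RequestId is interpolated into a command line below, so constrain it.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]+$')][string]$RequestId,
        [Parameter(Mandatory)][string]$User,      # DOMAIN\user
        [int]$Hours = 4
    )
    Save-AdminSnapshot -RequestId $RequestId | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $User

    # The user's current logon token was built before this change: they must log
    # off and on again, or use "run as", before the membership takes effect.

    # Revocation must not depend on the user or on the network: schedule it on
    # the PC itself, as SYSTEM. The service keeps its own timer and may revoke early.
    $cmd       = "& { . '$PSCommandPath'; Revoke-TemporaryAdmin -RequestId '$RequestId' }"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$cmd`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours($Hours)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "TCAR-$RequestId" -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

function Revoke-TemporaryAdmin {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]+$')][string]$RequestId)
    $file   = Join-Path $SnapshotDir "$RequestId.json"
    $before = @(Get-Content -Path $file -Raw | ConvertFrom-Json)
    $now    = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value })

    # Restore the snapshot rather than just removing the requester: anything
    # added while the user held admin rights (a second account, an extra group)
    # goes too, and anything they removed comes back.
    foreach ($sid in $now) {
        if ($before -notcontains $sid) { Remove-LocalGroupMember -Group 'Administrators' -Member $sid }
    }
    foreach ($sid in $before) {
        if ($now -notcontains $sid) { Add-LocalGroupMember -Group 'Administrators' -Member $sid }
    }

    Remove-Item -Path $file -ErrorAction SilentlyContinue
    Unregister-ScheduledTask -TaskName "TCAR-$RequestId" -Confirm:$false -ErrorAction SilentlyContinue
}
```

Snapshot-and-restore is the property that makes a temporary grant safe to hand out on self-service: a user who creates a hidden local admin or adds a group during their window loses it at revocation without anyone having to notice. The scheduled task is what covers the laptop case on slides 26 and 33 only partially: the revocation fires locally even off campus, but a new grant still needs the PC reachable from the service.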

  27. https://PollEv.com/educause401 OR text EDUCAUSE401 to 22333 Poll #3 Do you use host-based firewalls on your Windows workstations? A. Yes, Windows firewall B. Yes, a third-party firewall C. No, things work better without one. Results

  28. Other Layers of Protection • Local Windows firewall on faculty/staff computers • Disk encryption (BitLocker, Dell Data Protection) • Network firewall, network-based IPS, OpenDNS • Antivirus (SCEP), Cisco AMP • Aggressive OS/third-party software patching • Spirion (Identity Finder) for removing PII

  29. Rollout & Easing People into Change Timeline – gradual rollout of tools • TCAR – 2014 (First Admin Removal Project) • LAPS – 2016 (Added as part of AD Redesign) • SCCM-based admin right removal script and large-scale admin rights cleanup – 2017 (In response to Phishing and Compromised Accounts)

  30. Rollout & Easing People into Change • SCCM reports were used to identify admin accounts • Identified accounts used on many/all computers • Worked with distributed IT support to remove their accounts • Communicated prior to removal with instructions for TCAR and LAPS • Eventually removed central IT staff

  31. Buy-in: Overcoming political challenges • “But we’ve always done it this way” • Legislative audit • CIO and Director backing • Emphasized security risks • Large scale phishing attacks & compromised accounts

  32. Operations • Manage requests for permanent admin rights • Manage requests for TCAR OU-level authorizations • Periodic audit of the “No Admin” approved-admins text file • Periodic audit of local Administrators group members, which surfaces: • Use of LAPS/TCAR to add unauthorized accounts • Delegated IT support staff using GPO (Restricted Groups or Group Policy Preferences) to add unauthorized accounts • Continued maintenance and troubleshooting of internal tools

  33. Exceptions When would permanent admin rights still be needed? • Legacy software • Laptops/Tablets (no TCAR tool access from off-campus)

  34. Gaps and Future Opportunities • Low-cost solutions not meant to cover all scenarios • Laptops off-site • Macs • Monitoring of TCAR activity

  35. Q&A • Questions? • Thank you!
