Your Weekly Tech Tidbit – Your techs can’t be local admins anymore

March 12th, 2024

Now that I work in a hybrid mode, it is always so annoying when I go to the office and forget my office keys. I have to ask someone to let me into my own office. The same is true for all of us techs with admin credentials. We are the ones building, rebuilding, installing, troubleshooting, and changing the systems. We need the keys. We deserve the keys. Nothing will get done without the keys. We must have the keys.

However, the reality is that the bad guys know that all of the techs have the keys. Your techs have targets on their backs.

A couple of years ago, I was watching a presentation where the speaker said it was safer to visit a major porn site than a tech site. We only have to remember the CCleaner incident, and the various desktop and laptop vendors who somehow had bad actors insert malicious code into some of their software updates, to realize that no one is safe. Our admin keys potentially open the floodgates, exposing the network to a much larger compromise.

One thing is clear as we look at the post-mortems on the latest successful breaches.

No one can have direct local admin access to any server or workstation, *INCLUDING* all tech desktops and laptops.

Absolutely every user must be a limited user. No exceptions.

I am sitting on my laptop in my home office writing this Tidbit. The ID I am signed in as is a limited user. If I am sitting at my desktop at work, I am signed in as a limited user. On AD-joined machines, I am a limited user. On Azure AD hybrid-joined machines, I am a limited user.

I know the local admin password on my laptop at home. I periodically need the local admin ID to perform approved tasks that require local admin. However, the only time I have ever directly signed into my laptop as the local admin ID was when I set up the ID and tested that it worked!

Whenever an installation or update requires privilege elevation to perform a task that my limited user ID cannot do, it prompts me for admin credentials. I type the admin credentials into the box, it is quite happy with that, and it completes the task I needed the credentials for. The same is true with right-click RunAs. As a further protection, I run Cisco DUO MFA on all my desktops, whether they are virtual, remote, or in the office. I also have the UAC admin elevation prompt tied to Cisco DUO, and MFA stays in place in Safe Mode. If I lose network connectivity, my machines fail closed rather than skipping MFA.

There is no way that a desktop can be accessed (locally or remotely), or that credential elevation can happen, intentionally or maliciously, without a credential prompt and a simultaneous MFA prompt. That pair of prompts stops anything from moving forward (good or bad) until the higher standard of security is met.
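The model described above (every interactive account a limited user, elevation only through a UAC credential prompt) can be checked from the limited-user session itself. The PowerShell script below is an added example for this Tidbit, not code from the original post or from Scott's environment. It is read-only, assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, and the `$ExpectedAdmins` list is a placeholder you must replace with your own break-glass or LAPS-managed account names. The Cisco DUO layer is a separate product configuration and is not checked here.

```powershell
# Added example: read-only audit of a Windows machine against the
# "every user is a limited user" rule. Assumes Windows PowerShell 5.1+
# with the Microsoft.PowerShell.LocalAccounts module. Runs as a standard user.

# Placeholder: the account(s) allowed to remain in local Administrators
# (break-glass / LAPS-managed). Replace with your own names.
$ExpectedAdmins = @('Administrator')

function Get-OrDefault([object]$Value, [int]$Default) {
    # A missing policy value means the Windows default applies.
    if ($null -eq $Value) { return $Default } else { return [int]$Value }
}

function Test-SessionElevated {
    # True only when this process holds a full (elevated) admin token,
    # i.e. someone is working from an admin session instead of a limited one.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Direct members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
    # Membership inherited through nested domain groups is not expanded here.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name                  # e.g. "HOST\Administrator" or "CONTOSO\jdoe"
            Leaf   = ($_.Name -split '\\')[-1]
            Class  = $_.ObjectClass           # User or Group
            Source = $_.PrincipalSource       # Local, ActiveDirectory, AzureAD, ...
        }
    }
}

function Test-CurrentUserIsLocalAdmin {
    # Is the signed-in account a direct member of local Administrators?
    # (Compares the DOMAIN\user form; Azure AD accounts show as AzureAD\upn.)
    $me = "$env:USERDOMAIN\$env:USERNAME"
    return [bool](Get-LocalAdminMembers | Where-Object { $_.Name -ieq $me })
}

function Get-UacPolicy {
    # UAC settings live under this key and are readable by standard users.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = Get-OrDefault $v.EnableLUA 1
        ConsentPromptBehaviorAdmin = Get-OrDefault $v.ConsentPromptBehaviorAdmin 5
        ConsentPromptBehaviorUser  = Get-OrDefault $v.ConsentPromptBehaviorUser 3
        PromptOnSecureDesktop      = Get-OrDefault $v.PromptOnSecureDesktop 1
    }
}

function Invoke-LocalAdminAudit {
    # Returns a list of findings; an empty list means the machine matches the model.
    $findings = New-Object System.Collections.Generic.List[string]

    if (Test-SessionElevated) {
        $findings.Add('This session holds an elevated admin token; daily work should run as a limited user.')
    }
    if (Test-CurrentUserIsLocalAdmin) {
        $findings.Add("Signed-in user $env:USERDOMAIN\$env:USERNAME is a direct member of local Administrators.")
    }
    foreach ($m in Get-LocalAdminMembers) {
        if ($ExpectedAdmins -notcontains $m.Leaf) {
            $findings.Add("Unexpected local Administrators member: $($m.Name) ($($m.Class), $($m.Source))")
        }
    }

    $uac = Get-UacPolicy
    if ($uac.EnableLUA -ne 1) {
        $findings.Add('UAC is disabled (EnableLUA=0); no elevation prompt will ever appear.')
    }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings.Add('Admin accounts elevate silently (ConsentPromptBehaviorAdmin=0).')
    }
    if ($uac.ConsentPromptBehaviorUser -eq 0) {
        $findings.Add('Standard users are auto-denied elevation (ConsentPromptBehaviorUser=0); the credential-prompt workflow cannot be used.')
    }
    if ($uac.PromptOnSecureDesktop -ne 1) {
        $findings.Add('Elevation prompts are not shown on the secure desktop (PromptOnSecureDesktop=0).')
    }
    return $findings
}

# Usage: run from the everyday (limited) session, not from an elevated console.
$result = Invoke-LocalAdminAudit
if ($result.Count -eq 0) { 'PASS: limited-user model in place' } else { $result }
```

Run it from the session you actually work in; if the output is anything other than the PASS line, that machine is not yet on the configuration described above. On Windows PowerShell 5.1, `Get-LocalGroupMember` is known to fail when the group contains an orphaned SID from a deleted account; cleaning that entry out of the Administrators group is itself worth a finding.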

Before you say it can't be done, I have been in this working configuration since long before 2019.

This must be your new default tech configuration. No one and no machine can be exempt from this configuration.

If you need help implementing this, let us know. We are happy to help.

-Scott Quimby, CISSP