
Ok, let me ask: why? What is the absolute worst case scenario here? That a user in your organization gains admin privileges on their workstation?

Nearly every org I've ever worked at already gave their users admin privileges because trying to do their job without it caused far more friction than any imaginary gains from locking them down. So they might screw up their OS, big deal, that's what imaging is for.

It's not like ransomware needs admin privileges to ruin your day anyway. In fact, local admin does absolutely nothing for it since it will still only have permissions to the same network resources that the user does, and of course their local documents.

There are some kiosk-style single-application appliance use cases out there where it makes sense to lock things down just to make sure the user isn't browsing reddit all day or something, but by their nature those are at low risk of being infected and you care even less about them than a workstation if they are.

I honestly can't think of a realistic scenario in which this isn't a complete non-issue.




> Nearly every org I've ever worked at already gave their users admin privileges

I assume you've never worked at a large retail or investment bank, or similar organisation, then? Admin privileges are never granted to ordinary users; to install new programs or perform administrative tasks requires a call to the helpdesk, and there is usually some form of remote management service running to handle updates and so on.


Ok, but why? What does that actually accomplish?


Just a few ideas off the top of my head:

An attacker that gains SYSTEM permissions on a machine can dump the SAM database, which may contain credentials for domain or enterprise administrators. This is very bad.

A user with administrator permissions can modify their DNS settings to avoid DNS-level filtering to block known malware domains. This can be bad.

A malicious or ignorant user can disable or remove antivirus protection. This can be bad.

A user can accidentally make a computer nonfunctional by, for example, deleting system files, perhaps because it was suggested (sarcastically) on a help forum ("LOL delete system32"). This is bad.

I'm far from a security expert, but from a sysadmin perspective, every user having local admin privs is an absolute nightmare.
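One way a sysadmin can quantify the "every user is local admin" concern is to audit the local Administrators group against an approved list and report drift, fleet-wide. The following PowerShell is an added example, not code from any commenter; the domain name CONTOSO, the group names in the approved list and the computer names are constructed placeholders.

```powershell
# Added example: report members of the local Administrators group that are not
# on an approved list. Uses the built-in LocalAccounts module (Windows 10 /
# Server 2016+, PowerShell 5.1+). Names below are constructed for illustration.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",  # built-in local account (renamed if you use LAPS)
    'CONTOSO\Domain Admins',            # hypothetical domain group
    'CONTOSO\WS-LocalAdmins'            # hypothetical delegated admin group
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)

    # Each member exposes Name (DOMAIN\account), ObjectClass (User/Group)
    # and PrincipalSource (Local, ActiveDirectory, MicrosoftAccount).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Name        = $m.Name
                ObjectClass = $m.ObjectClass
                Source      = $m.PrincipalSource
            }
        }
    }
}

# Run locally ...
Get-UnapprovedLocalAdmins -Approved $Approved | Format-Table -AutoSize

# ... or across a set of workstations over WinRM. The unary comma keeps the
# array as a single argument for the function's param block.
$Computers = 'WS-0001', 'WS-0002'    # placeholder hostnames
$drift = Invoke-Command -ComputerName $Computers `
    -ScriptBlock ${function:Get-UnapprovedLocalAdmins} `
    -ArgumentList (,$Approved) -ErrorAction Continue

# Anything returned here is an ordinary user (or unexpected group) holding
# local admin, i.e. exactly the exposure discussed in the thread.
$drift | Sort-Object Computer, Name | Export-Csv -NoTypeInformation .\local-admin-drift.csv
```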


> An attacker that gains SYSTEM permissions on a machine can dump the SAM database, which may contain credentials for domain or enterprise administrators. This is very bad.

True enough, but unlikely to be a significant risk. If you are concerned about it then it is much easier to have a separate AD account that only has local administrator on normal (non-admin) workstations and use that.

> A user with administrator permissions can modify their DNS settings to avoid DNS-level filtering to block known malware domains. This can be bad.

It is trivial to block or even reroute DNS queries to unapproved servers at the firewall. At least until DNS over HTTPS ruins that and simultaneously renders your point moot.

> A malicious or ignorant user can disable or remove antivirus protection. This can be bad.

I disagree. Anti-virus software has negative value and always causes significantly more trouble than it is worth. Case in point, the very issue we're talking about.

> A user can accidentally make a computer nonfunctional by, for example, deleting system files, perhaps because it was suggested (sarcastically) on a help forum ("LOL delete system32"). This is bad.

This is a minor inconvenience at best, that's what imaging is for.

> I'm far from a security expert, but from a sysadmin perspective, every user having local admin privs is an absolute nightmare.

If it were a nightmare, I'd have expected to see more issues arise from it throughout my career, but I've yet to see even one instance where a user having local admin has caused any significant trouble.


Many orgs haven't deployed LAPS yet. I know, lame, but it's a fact. Even fewer have migrated to use DAWs, 2FA, delegated creds or the other top ways to secure AD. It's really complicated to do on a production environment of >1000 users.

Many networks are essentially flat, and don't make use of intra-network firewalling. So a compromised client can do MAC flooding, DNS spoofing, send SMB requests to other clients, pretend to be a printer, etc. All of these are preventable, but it just isn't in the mindset of most security orgs.

But the main reason that people don't have local admin is a psychological one: managers don't understand security and have a paranoid need to lock everything down for end users, even though they are not the main threat vector, and are the people who generate revenue.


> True enough, but unlikely to be a significant risk. If you are concerned about it then it is much easier to have a separate AD account that only has local administrator on normal (non-admin) workstations and use that.

I strongly disagree. If an attacker gains access to a system as an admin user, that is a much larger problem than a non-admin user. Designing an environment as you suggested helps compartmentalize that, but it doesn't help the fact that a SAM database from one of those machines can potentially spell an almost company-wide compromise. Such a strategy gives far too much opportunity for lateral movement in case of a single compromised machine.

> It is trivial to block or even reroute DNS queries to unapproved servers at the firewall.

That's a good point.

> I disagree. Anti-virus software has negative value and always causes significantly more trouble than it is worth. Case in point, the very issue we're talking about.

Regardless of your feelings on antivirus (I'm ambivalent myself), I don't quite see how a potential abuse of an antivirus software, which can lead to EoP, is justification for allowing all users in an enterprise to have full local admin privileges. You're cutting out the step where an attacker has to exploit an EoP vulnerability.

> This is a minor inconvenience at best, that's what imaging is for.

True, but if I can avoid the trouble by limiting user privileges, why not?

> If it were a nightmare, I'd have expected to see more issues arise from it throughout my career, but I've yet to see even one instance where a user having local admin has caused any significant trouble.

It's possible it may never be a problem in $arbitraryEnvironment, but that doesn't make it good security practice. I can imagine that in smaller environments, it may even be somewhat manageable.

There will probably be circumstances that create a need for local admin access as you described, but I don't think it should be the modus operandi.


> I strongly disagree. If an attacker gains access to a system as an admin user, that is a much larger problem than a non-admin user.

Not really. There's quite a lot you can do as a non-admin user too, you know. You can probe anything on the internal network that machine has access to and act as a relay for the attacker, for instance. Since the user does work for the company, they probably already have access to a lot of things the organization would rather not give out. Local admin gives you a few more options, but the difference isn't really worth special attention in my book.

> True, but if I can avoid the trouble by limiting user privileges, why not?

Because you're also causing a lot of friction for the users. Users do work too, you know, in aggregate hopefully a lot more than sysadmins. Every barrier you put between them and their work is a cost, and my argument is that the cost of locking everyone out of local admin pretty much always outweighs the benefits.

> I don't quite see how a potential abuse of an antivirus software, which can lead to EoP, is justification for allowing all users in an enterprise to have full local admin privileges.

It isn't, it's justification for disregarding "could disable the virus scanner" as a valid reason for denying local admin to the user.

"Good security practice" is often, in my experience, either a lot of academic crap that completely ignores the concept of risk analysis, or what someone who's trying to sell you something recommends. Every barrier you put between people and their ability to do work for the company is a cost that you have to justify against the cost of a compromise and the probability of said compromise actually occurring.

Depending on your environment, that level of cost may be worth it, but I think that's true for a much smaller segment than a lot of people who argue the point. I suspect this is because my paycheck depends on keeping the business running smoothly, not selling security consulting services.


> Not really. There's quite a lot you can do as a non-admin user too you know.

Yeah, of course. Otherwise ransomware would be much less prevalent than it is today. That said, there's quite a bit an admin user can do that a normal one cannot. I suppose we just disagree on how important the distinction is.

> Local admin gives you a few more options, but the difference isn't really worth special attention in my book.

And that's fine, but surely you can see why plenty of organizations feel that it is, right?

> Because you're also causing a lot of friction for the users... Every barrier you put between them and their work is a cost, and my argument is that the cost of locking everyone out of local admin pretty much always outweighs the benefits.

Well, I can only speak to my experiences, but given the technical knowledge of 90% of users on systems I support... it is definitely worth the cost.

> It isn't, it's justification for disregarding "could disable the virus scanner" as a valid reason for denying local admin to the user.

Touché. That said, in environments with antivirus requirements, for whatever reason, a user being able to remove such a program is a problem.

> "Good security practice" is often, in my experience, either a lot of academic crap that completely ignores the concept of risk analysis, or what someone who's trying to sell you something recommends.

The same could be said RE: antivirus. In many situations, protecting a user from running dangerous applications (e.g. a trojan delivered by a social engineering attack) is likely more important than a hypothetical escalation of privilege by a user who calls helpdesk every time their password expires.

> Depending on your environment, that level of cost may be worth it, but I think that's true for a much smaller segment than a lot of people who argue the point. I suspect this is because my paycheck depends on keeping the business running smoothly, not selling security consulting services.

Hey, it sounds like we're in the same business! :) I agree, different environments = different requirements. But that doesn't make for good headlines, either.


> Well, I can only speak to my experiences, but given the technical knowledge of 90% of users on systems I support... it is definitely worth the cost.

Is this meant to mean they have high or low technical knowledge? Because we support some users with a decidedly low understanding of... well, everything really, and it hasn't been a problem. They still give help desk a lot of grief, but it's because they don't know that windows can be minimized and things like that. Accidentally installing malicious applications or other reasons you'd think of restricting them really just doesn't come up.


Well, there are two groups that worry me: those that don't know Windows can be minimized, and those who believe they're much better at using computers than they actually are. And honestly, the second group worries me more.

That group doesn't represent the majority of users by any means, of course.


Yeah, that makes sense. If I had to deal with a lot of that then workstation restrictions would probably be a lot more appealing.


> Ok, let me ask: why? What is the absolute worst case scenario here? That a user in your organization gains admin privileges on their workstation?

I think the critical bit you're missing is that if a user can do something, a virus running under their credentials can do it too. Meaning I'd expect a virus can use this to get admin access.


It's less serious for any machine you have physical access to, but it is definitely an issue if you are remotely logged into a central server. If you manage to escalate privileges in this situation you could look at the files of other users e.g. the spreadsheets that only the payroll team is supposed to have access to...


Why does a non-admin user in an RDS environment even have access to the restore functionality of a virus scanner?


It doesn’t have to be the non-admin user who restores the file. You can also ask an administrator.

