In nearly every organization today, the issue of whether or not to grant unrestricted admin rights is a tug-of-war between IT teams and employees. While it may seem convenient, giving full administrative access to workstations introduces significant security risks.
The default local admin account can modify and manage every aspect of a company device. Those same rights can be exploited for privilege escalation, potentially leading to domain admin access. Such scenarios can result in company-wide disruptions and data breaches, forcing organizations to pay millions in ransom or recovery costs.
Employees, developers, and technicians often prefer convenience—they want local admin rights to avoid constantly submitting support tickets. On the other hand, IT admins strive to balance employee convenience with the security requirements of the organization.
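Before an organization can decide how much local admin access to tolerate, it needs to know who currently holds it on each workstation. The script below is an added example (not code from the original article or from Microsoft) that enumerates the local Administrators group and reports every member outside an approved list, written in the shape of an Intune remediation-style detection script (exit code 0 for compliant, 1 for review). The approved list is a placeholder assumption; the use of ADSI rather than Get-LocalGroupMember is a deliberate choice because the latter is known to fail on some Azure AD joined devices whose group contains cloud SIDs that cannot be resolved locally.

```powershell
# Added example, not code from the original article or from Microsoft.
# Enumerates the local Administrators group on a Windows 10/11 workstation and
# reports every member that is not on an approved list. Shaped like an Intune
# remediation detection script: exit 0 = compliant, exit 1 = needs review.
#
# Assumptions (placeholders, adjust to your own standard):
#   - $ApprovedMembers is a hypothetical list for this example.
#   - ADSI (WinNT provider) is used instead of Get-LocalGroupMember because the
#     latter can fail on Azure AD joined devices whose Administrators group holds
#     cloud SIDs that cannot be resolved locally.

$ApprovedMembers = @(
    'Administrator'   # built-in account, expected to be under LAPS rotation
)

function Get-LocalAdminMember {
    # Returns one object per member of the local Administrators group.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [PSCustomObject]@{
            Name   = $name
            Class  = $class                                             # User or Group
            Source = ($path -replace '^WinNT://', '' -replace '/[^/]+$', '')  # machine, domain, or bare SID
            # A member that appears only as a SID could not be resolved locally,
            # which is typical for Entra/Azure AD principals on a cloud-joined device.
            IsUnresolvedSid = ($name -match '^S-1-\d+(-\d+)+$')
        }
    }
}

function Test-LocalAdminCompliance {
    param([string[]]$Approved = $ApprovedMembers)
    $members  = @(Get-LocalAdminMember)
    # -notcontains on string arrays is case-insensitive in PowerShell.
    $findings = @($members | Where-Object { $Approved -notcontains $_.Name })
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        TotalMembers = $members.Count
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

$result = Test-LocalAdminCompliance
if ($result.Compliant) {
    Write-Output "Compliant: only approved members in Administrators on $($result.ComputerName)"
    exit 0
}
Write-Output "Non-compliant: $($result.Findings.Count) unexpected member(s) in Administrators on $($result.ComputerName)"
$result.Findings | ForEach-Object {
    $note = if ($_.IsUnresolvedSid) { 'unresolved SID, likely cloud principal' } else { $_.Class }
    Write-Output ("  {0}  [{1}] from {2}" -f $_.Name, $note, $_.Source)
}
exit 1
```

Run it under the SYSTEM context (as Intune does) or from an elevated prompt; unresolved SIDs on cloud-joined devices are reported rather than silently approved, since the same S-1-12-1 prefix covers both the expected device-administrator role SIDs and any individual cloud user someone has added by hand.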
Admin Privileges Management in Hybrid and Azure AD Environments
Many organizations have moved to Azure AD or implemented hybrid systems, combining traditional Active Directory and Azure AD to enhance cloud capabilities. In these environments, many users work remotely, making the management of local admin privileges crucial for preventing potential threats.
To strike a balance between security and convenience, system administrators often rely on older software solutions or temporary fixes. Companies generally opt for one of three approaches: Privileged Access Workstations (PAWs), Microsoft’s LAPS (Local Administrator Password Solution), or WDAC and AppLocker.
Privileged Access Workstations (PAWs)
PAWs are specialized computers within an organization used for sensitive tasks. These workstations are security-hardened, isolated from general network activity, and restricted from internet access.
However, setting up PAWs is time-consuming and complex. It involves configuring AD infrastructure, creating backup GPOs, defining firewall rules, and restricting logins. Even after PAWs are set up, employees must submit support requests to use them, causing frustration as they cannot perform tasks directly on their machines.
LAPS: Managing Local Admin
Microsoft’s LAPS is often seen as a simple fix for managing local admin credentials on domain-joined machines. It rotates the local admin password after each use, ensuring strong, unique credentials are always in place. However, while LAPS manages admin credentials, it does not address the underlying issue of eliminating local admin rights entirely.
WDAC and AppLocker
WDAC (Windows Defender Application Control) and AppLocker allow administrators to control which applications and drivers can run on Windows 10 and 11 clients. While AppLocker is easier to use, Microsoft no longer actively updates it with new features. WDAC, though powerful, can be complex to configure, leading many administrators to avoid using it.
Although these solutions are helpful, they require additional controls to efficiently manage local admin rights. This is where Microsoft Intune comes into play as a modern solution for Endpoint Privilege Management.
Microsoft Intune: Bridging the Widening Gap
Recognizing the limitations of older solutions, Microsoft introduced Intune, a cloud-based platform for managing devices, applications, and privileges. For organizations already using Azure AD, Intune has become a key tool for Endpoint Privilege Management.
While Intune was designed to unify device management, its Endpoint Privilege Management (EPM) module is still in its early stages and lacks some advanced features. However, it does offer several important capabilities, including:
- Setting password requirements for local admin accounts
- Automatically rotating local admin passwords
- Storing local admin account credentials in Azure AD
- Generating reports on password changes
- Defining policies to control and elevate applications
Although Intune’s Endpoint Privilege Management addresses many privilege management needs, there are still gaps in its functionality. Stay tuned for “Endpoint Privilege Management: Filling the Gaps in Intune (Part 2)”, where we’ll explore how to enhance endpoint security further.