This is a sponsored post from Recast Software.
Take Back Control of Privileged Accounts
The security of your environment should always be top of mind. With the increasing number of cyberattacks and breaches, it is more important than ever to be cognizant of where your security weaknesses lie. One of the most effective steps to better secure your environment is to remove unnecessary local administrator privileges on your endpoints.
In a recent post on Recast Software’s blog, Sami Laiho, a Microsoft MVP and security guru, stated, “It is estimated that around 80% of zero-day vulnerabilities can be mitigated simply by removing local administrator privileges without even installing a patch.” However, going through devices one by one and checking the local admin group is too time-consuming and unrealistic given the size of most environments. Endpoint Insights, Right Click Tools, and Privilege Manager can help in this scenario.
In a previous post on danielengberg.com, we covered how to pair Endpoint Insights with Right Click Tools to manage your endpoints better. This pairing makes removing unnecessary rights a much less painful project. This post will showcase how you can quickly and easily seek out accounts with local admin privileges utilizing Endpoint Insights and then take quick action with Right Click Tools. Finally, we will look at Recast Software’s PAM solution, Privilege Manager, which allows users to control their privileged accounts and groups further.
Locating Local Admin Privileges with Endpoint Insights
Endpoint Insights, a product from the Recast Software suite, brings additional data points and advanced reports to your ConfigMgr environment. This includes reports that are specifically tailored to local group membership. Users can utilize a report that gives them all the local group members on a specific computer with the Computer Local Account-Group Details report. Or, if users want to look at devices at scale, they can utilize the Members of a Local Computer Group report to find local group members on devices across a device collection. Additionally, if users want to keep tabs on these reports to ensure accounts are kept from getting added back in, they can have the report sent out periodically.
The screenshot below demonstrates the use of the Members of a Local Computer Group report to find the members of the Administrators group on devices in a collection. Here you can see that there is an account named GordonFreeman. For this demo, we will remove this account from the local admin group, as it should not have local admin rights.
Removing Local Admin Privileges with Right Click Tools
Finding accounts that have local admin rights is only half of the battle. Users will next utilize Right Click Tools and its System Information tool to remove the accounts from the local admin group. The System Information tool gives a host of information about a device (or group of devices), including applications, Windows updates, user profiles, and local group members.
Once we have located a device with a user in the local admin group that shouldn’t be there, we can right-click on the device, hover over Right Click Tools, go to Console Tools, and select System Information to pull up the tool. From there, select the Local Group Members tab, expand the local admin group, check the box next to the appropriate account, and click Remove in the top right corner to remove the account from the group. As with other Right Click Tools, users can also take these actions on multiple devices simultaneously, making it a much quicker process to seek out and remove accounts from the local admin group.
In the screenshot below, we have pulled up the System Information tool on the three devices that contain the GordonFreeman account. From here, check the boxes next to the account and remove that account from the local admin group on all the devices simultaneously.
Take Further Control with Privilege Manager
Now that unnecessary local admin privileges have been removed, IT teams will encounter unhappy end users who can no longer elevate their privileges on their own. It is also only a matter of time before accounts find ways back into groups they shouldn’t be in. Privilege Manager by Recast Software can help here. A new Privileged Access Management (PAM) solution, Privilege Manager helps teams manage group membership and provide a smooth end-user self-service elevation process without having to compromise on security.
With Privilege Manager, you can provide several options for end users to take approved elevated actions for a specified time. One option is for users to utilize an access code. The access code can be obtained from a help desk employee and rotates so that it cannot be written down and reused by the end user. This access code can even be utilized if the device is offline. Secondly, users can use an account created by Privilege Manager to complete a task that requires elevation. Lastly, the end user’s own account can receive time-limited elevated permissions for the specific process that requires them. The account will then revert to normal after the action is completed.
Providing just-in-time elevation is one of the keys to hardening your environment. Utilizing Privilege Manager’s scheduled group membership feature, IT teams can schedule an account to be a group member for a chosen period. After the time expires, the account is removed. This can help avoid mistakenly handing out access that is meant to be temporary and then completely forgetting about it, leaving it in place until someone (hopefully) remembers.
Privilege Manager also enables IT teams to monitor privileged groups so that no unnecessary or unapproved accounts make their way into them. With the group membership feature, teams can set up groups with the accounts allowed to be in them. From there, Privilege Manager will check the members of the group on the local machine against what is whitelisted in the Privilege Manager group created. If it finds any accounts that are not allowed, it will remove those accounts. This helps avoid situations where a technician may try to give an end user local admin privileges.
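The allowlist comparison described above can be illustrated with the built-in Microsoft.PowerShell.LocalAccounts cmdlets. This is an added example, not Recast Software's code and not how Privilege Manager is implemented; the function name `Invoke-LocalAdminAllowlist` and the `CONTOSO\...` allowlist entries are constructed placeholders.

```powershell
# Added example: compare the local Administrators group against an allowlist.
# Report-only by default; pass -Remove (optionally with -WhatIf) to remediate.
function Invoke-LocalAdminAllowlist {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Approved members, written the way Get-LocalGroupMember shows them
        # (DOMAIN\Name or COMPUTER\Name). Comparison is case-insensitive.
        [Parameter(Mandatory)][string[]]$Allowed,
        [switch]$Remove
    )

    # Resolve the group by its well-known SID so localized group names work.
    $group = Get-LocalGroup -SID 'S-1-5-32-544'

    foreach ($member in Get-LocalGroupMember -Group $group) {
        # The built-in local Administrator (RID 500) is left alone in this example.
        $isBuiltinAdmin = $member.PrincipalSource -eq 'Local' -and
                          $member.SID.Value -like 'S-1-5-21-*-500'
        $approved = $isBuiltinAdmin -or ($Allowed -contains $member.Name)

        $action = 'None'
        if (-not $approved -and $Remove -and
            $PSCmdlet.ShouldProcess($member.Name, "Remove from $($group.Name)")) {
            Remove-LocalGroupMember -Group $group -Member $member
            $action = 'Removed'
        }

        # One record per member, suitable for Export-Csv or central collection.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $member.Name
            Type     = $member.ObjectClass
            Source   = $member.PrincipalSource
            Approved = $approved
            Action   = $action
        }
    }
}

# Constructed allowlist; replace with the groups approved in your environment.
$allowlist = 'CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins'
Invoke-LocalAdminAllowlist -Allowed $allowlist | Format-Table -AutoSize
```

Removal requires an elevated session; running with `-Remove -WhatIf` first shows which accounts would be removed without changing the group.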
Learn more about the benefits of pairing Endpoint Insights and Right Click Tools by reading this previous post on danielengberg.com. To dig deeper into the complete feature set offered by Recast Software, read more about Endpoint Insights, Right Click Tools, and Privilege Manager via the respective links.