19) Has your organisation removed local administrator rights on all endpoint devices for all employees who do not require them?
Written by Haydn Brooks
Created on March 18, 2019
Modified on July 8, 2020

Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.

Within an operating system, different types of users typically have different system privileges with regard to changing system settings and running programmes. A user with local administrator privileges can make essentially any change to their local system.

When a system is infected with malware, or when one of its user accounts is broken into, and the compromised account has local administrator privileges, the attacker can change any setting and run any code they wish on that machine.

Accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges, you reduce the chance that an admin account will be compromised.

This is important because an attacker with unauthorised access to an administrative account can be far more damaging than one accessing a standard user account.

This is a control required to maintain a Cyber Essentials certification.

How to implement the control:

In order to implement this control you need to provision each user with an account that doesn’t have administrator privileges. If a user requires local administrator privileges to do their day job, they must be provisioned with both an administrator and a non-administrator account, and use the administrator account only for tasks that require administrator privileges.

If you are a small or medium-sized business and you don’t centrally manage your devices (for example through Active Directory), you will have to set up these accounts on each device for your users.

If you centrally manage your Windows devices, you can provision the relevant accounts through Active Directory.
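Whichever way the accounts are provisioned, you still need to check that the local Administrators group on each endpoint contains only the principals you intend. The PowerShell script below is an added example (not Risk Ledger's own tooling) that audits that group on one Windows device, flags anything outside an allow-list, and optionally removes it; the domain name CONTOSO, the group "Workstation Admins" and the "-adm" naming convention for separate admin accounts are assumptions, not from the article.

```powershell
<#
 Audit (and optionally remediate) membership of the local Administrators group.
 Run from an elevated PowerShell session on the endpoint. Supports -WhatIf.
 Assumed names: CONTOSO domain, "Workstation Admins" group, "-adm" suffix.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Principals permitted to hold local administrator rights (assumed values).
    [string[]]$AllowedMembers = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local Administrator
        'CONTOSO\Domain Admins',
        'CONTOSO\Workstation Admins'
    ),
    # Naming pattern for the separate admin accounts issued to staff who need them.
    [string]$AdminAccountPattern = '*-adm',
    # Remove unexpected members instead of only reporting them.
    [switch]$Remediate
)

# Members of the local Administrators group, e.g. "CONTOSO\jsmith" or "PC01\Administrator".
$members = Get-LocalGroupMember -Group 'Administrators'

# Anything not explicitly allow-listed, and not a dedicated "-adm" account, is unexpected.
$unexpected = foreach ($m in $members) {
    $allowed = ($AllowedMembers -contains $m.Name) -or ($m.Name -like $AdminAccountPattern)
    if (-not $allowed) { $m }
}

if (-not $unexpected) {
    Write-Output "OK: only allow-listed principals hold local administrator rights on $env:COMPUTERNAME."
    return
}

foreach ($m in $unexpected) {
    Write-Warning ("Unexpected local administrator: {0} ({1}, source: {2})" -f
        $m.Name, $m.ObjectClass, $m.PrincipalSource)
    if ($Remediate -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators group')) {
        # Only the group membership is removed; the user's standard account is untouched.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
    }
}
```

Run it without -Remediate first to review the report, then with -Remediate -WhatIf to see exactly which memberships would be removed before applying the change.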

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.