Yes, Local Administrators ARE a Risk

November 1, 2021

Modern environments are in a constant state of flux; new systems are being commissioned, and old systems decommissioned, to meet new requirements and increase efficiency in all sectors. Managing those changes takes strategy and labour, and every change has an overhead in both of those resources.

What do you do when your users want new software, or to be able to update their apps without waiting for the next patch window?

It’s the perfect solution, your users can now:

  • Install new and updated software
  • Change software configurations
  • Run repairs on software of there are issues
  • Run software that only runs as a local administrator

And all this without taking up IT resources for changes that may only affect a single endpoint. Sure, everyone needs email but how many users need software for CAD, tax reconciliation, or even software development?

Many businesses decide that the cost to the business, and frustration of users, is too high and provide admin access to users over their own machine. Some may even give functional groups admin to all the endpoints in their team via security groups.

Whatcha Running There, Bud?

A significant downside of this strategy is loss of both control and visibility over endpoints. You don’t have to patch applications now, but are your users doing it? Maybe they’ve installed chrome and they’re keeping it up to date, or maybe they’re using a portable Firefox on a USB they bring from home – the same one they use to clean up viruses on their parents’ home PC.

If you’re letting users install their own software, answering these questions is going to be hard:

  • What software do we monitor for updates?
  • What software do we have installed in our environment?
  • Are users using pirated software?
  • Are users installing software from reputable sources?
  • How do we get notified of vulnerabilities in a timely manner?

But how do I secure it?

Let’s have a look at ACSC’s Essential Eight Controls to mitigate exploitation. These are the Australian Government’s recommendation for the 8 most important controls to protect your business.

Let’s see how they align with allowing:

  1. Application Control – Stringent Application Control is a great control is you have a single application that requires admin execution, but it is impossible for unmanaged endpoints. Application Control can only have an effective implementation if you can manage and restrict the use of the endpoint; local administrator privileges actively work against this control.
  2. Patch Applications – If we are allowing users to install applications, there is no way to effectively implement a patching strategy. We don’t know what we need to patch.
  3. Configure Microsoft Office Macro Settings – This is something we can do, but care should be taken to ensure that users aren’t able to undo group policy settings.
  4. User Application Hardening – As with Patch Applications, we can’t implement this as we can’t control what applications are installed on an endpoint.
  5. Restrict Administrative Privileges – Users have admin, the best we can do is restrict their scope to machines specifically assigned to them.
  6. Patch Operating Systems – Not affected, though a policy should be enforced configuring the update schedule (disabling update checks is an administrative privilege)
  7. Multi-factor authentication – Local Administrators can add local users to their machines which may bypass this policy
  8. Regular backups – this is still possible, but backups must be configured centrally to prevent unrecoverable destruction on endpoints via deletion of filesystem checkpoints.

At this point, allowing Local Administrator access has weakened or invalidated the most effective controls we have.

OK, so we’ll get EDR to detect malicious activity. At least this way attackers can’t use tools to exploit other machines.

Oh, yeah that. We can’t stop the tools from running because we can’t get visibility and execution control within a virtual machine. Ok, we’ll get a vulnerability scanner to detect exploitable vulnerabilities – even if we can’t control the applications, we can scan for vulnerable installs to fix.

Oh, we made the scanner service a domain admin to have one account to scan all our machine. Now we need privileged account management anyway to detect and prevent the scanner account being used outside scanning schedules.


The basic answer here is – administrative privilege is a risk. One of the best ways to prevent exploitation is to limit its usage for administrators, any expansion pollutes your environment.

Giving users administrative access is giving away your control, and it’s hard to get that back.

Share this article

Recent Post

Detecting and defending against advanced persistent threats utilizing the latest in industry-leading tools and techniques to strengthen and mature the security posture.

Conti Group - Tooling, Leaks and Russian FSB Ties

The Conti group have been featured across many news outlets lately both inside and outside the cyber security community. It is well known that this specific threat actor is mainly operated from within Russia, and with the recent events within Russia and Ukraine we thought it would be a good idea to do a recap […]

Read More

Yes, Local Administrators ARE a Risk

Modern environments are in a constant state of flux; new systems are being commissioned, and old systems decommissioned, to meet new requirements and increase efficiency in all sectors. Managing those changes takes strategy and labour, and every change has an overhead in both of those resources. What do you do when your users want new […]

Read More

OSINT for Penetration Testers

Part of performing an effective and successful penetration test requires gathering as much information about the target as possible. The more information you have on your target, the more likely you are to discover an exploitable service or land a successful phish. For example, through OSINT you may discover that the target is openly advertising […]

Read More

CONTI Group - The not so advanced APT

Recently in the news it was revealed that a member of an “APT” group that utilises the “Conti” ransomware became disgruntled at the state of their relationship with the group and leaked a large majority of the groups “Tools, Techniques and Procedures” documents. Conti was first discovered in 2020 and is used primarily by the […]

Read More

Hidden Cobra - Uncovering the North Korean APT

Advanced persistent threats come in many forms ranging from your crime groups, activists all the way through to your state sponsored groups. While some of these threat actors such as crime groups are seen on a regular (if not daily..) basis, state sponsored attacks are less common and more sophisticated. While most state sponsored groups […]

Read More

Please Sign Here - Why NTLM Relaying Is Still a Risk in 2021

The Windows Name Resolution Flow You may be under the impression that turning host names into IP addresses is simple. You check:  The Hosts file; then  Your system’s DNS (Domain Name System) resolver  That’s it right? If you don’t get a response from your local file or DNS, then the system doesn’t exist. Well, no; the name resolution flow in Windows looks something like this:  Well, that’s a […]

Read More

The benefits of Red Teaming

Red teaming is not a new concept within the cyber security community. However in Australia, Red Teaming is a relatively new term for most organisations. In this blog post we'll take a dive into: What differentiates a Red Team engagement from a Penetration Test. Why you shouldn't consider a red team engagement (You totally should.) […]

Read More

Stealing Password Reset Tokens for Fun and Profit

When adding a “Password Reset” function to your application it is especially important to ensure this has the same security considerations as any other critical function within the application. Due to the nature of resetting a user’s password, along with many security considerations being overlooked, it is not uncommon for attackers to spend extra time […]

Read More

MITRE ATT&CK Framework Primer

The MITRE ATT&CK framework is an incredibly powerful framework that organisations can utilise to improve their cyber security capabilities.

Read More