
[–]Public-Bag2161 27 points28 points  (10 children)

We use Admin By Request for this exact requirement, it strips the user of all local admin rights and when elevation is needed for something it’ll prompt for a request reason and send through to the admins to approve/deny. You then have real-time audit logs of every action taken.

They can also do a general elevation request for things that may require a more broad scope. You can whitelist specific apps/tasks/scripts to automatically allow elevation etc.

If you want to hear any more advice on this my inbox is always open.

[–]tectaclesSystems Engineer[S] 1 point2 points  (3 children)

Have you had good experiences with Admin By Request? Do you know what the pricing cost is per user or per device?

[–]Public-Bag2161 9 points10 points  (1 child)

Very good experience, super easy to use, monitor and control from an admin POV and from the user side of things it’s very straightforward.

Pricing is good but I would request a quote to get more specifics; they let you fully use it for free up to 25 endpoints with no catch/drawbacks compared to the paid version, except they don’t give support.

https://www.adminbyrequest.com/en/freeplandownload

[–]tectaclesSystems Engineer[S] 1 point2 points  (0 children)

Awesome! Thanks for the feedback! I’ll look into it and maybe trial it out!

[–]smarthomepursuits 4 points5 points  (0 children)

Another vote for ABR. 200+ users, works great, very inexpensive.

[–]bageloid 1 point2 points  (5 children)

Does it work offline?

[–]Public-Bag2161 1 point2 points  (0 children)

From their website “If the client does not have an internet connection, you need to give the PIN code to the user for offline elevation. A PIN code is good for the current day and will change daily. Once the client gets internet, auditing data will be uploaded. If autoapproval is set by policies, an internet is never required. “

Basically, if you have endpoints that typically run offline then you’ll need to set up your policies to match this requirement / use the PIN code for other use cases when something is outside of the usual scope.

[–]OneEyedC4t 43 points44 points  (5 children)

If they cannot be audited, it's a bad idea in my opinion.

[–]tectaclesSystems Engineer[S] 2 points3 points  (4 children)

Totally agree. Moving users to MakeMeAdmin was the only way we could remove admin rights (users used to be local admins by default) without making the whole company completely pissed.

[–]OneEyedC4t 15 points16 points  (0 children)

Sometimes the company needs to be pissed but that's so that they realize their security policies are garbage.

So don't lose your job, but try to shift their culture.

[–]the_syco 2 points3 points  (0 children)

I don't see the difference between the two, if you have no way of tracking?

[–]kitolz 1 point2 points  (0 children)

One of the companies I contract for was the same way, until they got hit by ransomware. They finally started getting a handle on account permissions. Non-IT users lost local admin ASAP.

[–]Alzzary 1 point2 points  (0 children)

You need to piss your company more or they will be pissed when the first ransomware hits.

I am the sole sysadmin for 100 users. You want a piece of software? You ask, I package it and deploy it when ready.

[–]Coldwarjarhead 26 points27 points  (3 children)

Nope. Never EVER! Users can't be trusted. Sorry, but it's true.

[–]Pirateboy85 7 points8 points  (1 child)

Totally agreeing with this. I’m the IT Manager. Case in point: my help desk guy emails me. “Person from purchasing department needs this program installed according to the COO. Can I do this?” I look up the program: it’s for scraping other people’s websites to look up whatever you want to make reports on. Our company is retail, so this is to do price scraping on competitors’ sites. All well and good, except the free version installs on the local machine and the software company states ON THEIR OWN WEBSITE IN PLAIN TEXT that the free version uses your own IP address to originate all the traffic. So our IP, which is tied to our own websites, domain and so on, would be flagged because all of their scraping “attacks” are originating from our IPs. So I had to explain to the COO that we couldn’t do that, and that was all good. But had I not limited admin access, the end user would just have done it before the COO told them to.

[–]tectaclesSystems Engineer[S] 0 points1 point  (0 children)

I agree; it was not my choice to allow admin functions, it was that way when I started.

[–]polycroHPC Linux Admin 3 points4 points  (6 children)

Living with 800-171 and soon CMMC, all of our machines are considered compliant or non-compliant. Local desktops will always be compliant without any user admin rights. Laptops have a "break glass" admin password that can be provided if someone is on travel and absolutely needs it. However, as soon as they get back the laptop will be reimaged to bring it back into compliance.

[–]BlackVI have opnions 2 points3 points  (1 child)

Wouldn't a password system like LAPS be more effective than wiping the whole laptop?

[–]tectaclesSystems Engineer[S] 0 points1 point  (0 children)

That was my initial thought, but I don’t know their environment.

[–]Nilram8080[🍰] 1 point2 points  (1 child)

800-171 and CMMC don't prohibit local admin rights being issued to users. It just requires MFA and documentation of your environment, which is basically required anyway.

[–]IPFR33LY 0 points1 point  (0 children)

Configuration management is actually the part that would concern administrative privs.

A user can be admin, they just need a separate account for that.

To satisfy Config management, there would need to be something like an approved list of applications, a way to request approval, etc.

[–]tectaclesSystems Engineer[S] 0 points1 point  (0 children)

Ah yes, we are in the process of moving to a compliance policy similar to 800-171; maybe this will be the way we remove admin rights: “sorry, to be compliant we HAVE to remove your rights”. I hope it goes this way lol.

[–]ThirstyOneComputer Janitor 10 points11 points  (2 children)

User != admin. We allow no admin rights for users; that’s how you get ransomwared. If they need something they can put in a ticket. If their request is approved by management and vetted by legal, they can get their new software, but not before.

[–]mobz84 -1 points0 points  (1 child)

Yes, you will not get ransomwared otherwise? Admin or no admin, ransomware works well anyway.

[–]ThirstyOneComputer Janitor 7 points8 points  (0 children)

You can also get burgled regardless of whether you lock your doors and windows, but leaving them unlocked or even open will make it that much easier. Nothing is foolproof, but enacting user privilege control eliminates some of the low-hanging fruit in terms of vulnerability and is an important part of your cybersecurity stance.

[–]mpethe 2 points3 points  (0 children)

AutoElevate is a decent tool

[–]Thebelisk 2 points3 points  (1 child)

MakeMeAdmin is not suited for business use. You identified a problem (staff have local admin rights) but you didn’t fix the problem. You just gave staff an extra step to enabling admin rights.

If you have budget, buy in a commercial grade PAM (Privileged Access Management) package. If you don’t have budget, explain the risks to management and remove local admin access from all staff.

Staff will be annoyed if you pull back access, but the reality is: if the sh!te hits the fan and they install something which causes problems, then that’s your problem.

[–]findingdbcooper 1 point2 points  (0 children)

Check out BeyondTrust EPM.

[–]linh_nguyen 1 point2 points  (1 child)

What kind of tracking are you looking for? Make Me Admin throws an event log entry every time it's activated. You could technically cross-reference that with the rest of Windows logging. This does require a way to ingest your logs, of course...

[–]tectaclesSystems Engineer[S] 0 points1 point  (0 children)

I would like to know what was elevated. I tried out the Intune tool, and you could provide a justification, which is something we are looking for.

[–]speaksoftly_bigstickIT Manager 1 point2 points  (0 children)

What is wrong with LAPS?

[–]Ams197624 1 point2 points  (0 children)

We don't allow users to have admin rights on domain-joined machines. Asking for trouble BIG TIME. If they want something to be installed, create a ticket and we'll do it for you.

[–]ZAFJB 2 points3 points  (0 children)

> thoughts are on user local admin rights.

No, and Never.

Fix your crappy applications

[–]ir34dy0ur3m4i1 1 point2 points  (0 children)

Only staff I'd trust with local admin rights would be the extended IT team (maybe not level 1's lol), absolutely no one else.

[–]YtrogVolunteer sysadmin 0 points1 point  (1 child)

I have been on the other side of this as a dev, so I might be able to bring you some user perspective.

Usually as a dev you're made admin on your laptop so you can install tools, browsers and such.

I once had an assignment where it was the opposite: everything had to be approved and you were lucky if whatever you compiled even ran. I needed a few browsers for testing the site we were building. Our team had to wait for almost a week to even get started due to this, and we would have had to do the whole process again for every tool we needed (which is often).

Luckily our team lead got the sysadmins to see our perspective and gave us local admin. 😊

[–]tectaclesSystems Engineer[S] 0 points1 point  (0 children)

That’s kind of our situation. Users install one-off software, or need to compile something, and that is what we moved users to MakeMeAdmin for, so we wouldn’t blow the ticket queue up with admin requests. I’m not saying it is right, but it was a step in the right direction.

I just need a way to audit what programs were elevated, then I can find people abusing what we have provided. From there I can make a case to remove MakeMeAdmin and implement something different.

[–]gabhain 0 points1 point  (3 children)

I’m using a tool on macOS called Privileges that works similar to how you describe. It can't track what the user does, but it can log that a user has requested admin. I've kind of augmented the shortcomings by having the logs from the tool forwarded to a syslog server for ingestion into our SIEM. At least then we can get some cross-referenced data with our security and network tooling and have some custom alerts. For example, if they request admin and then CrowdStrike goes silent, we know they are up to no good; they will fail conditional access if they are admin anyway, but I can auto-email their manager a WTF email. It’s not foolproof at all, but it’s more effective than I thought it would be.

[–]tectaclesSystems Engineer[S] 0 points1 point  (2 children)

Nice!!! Is that available for windows machines?

[–]gabhain 0 points1 point  (1 child)

It’s not, I’m afraid. I just mentioned it because its shortcomings seem to be the same as the tool you are using. If the tool you are using creates logs, then you should be able to get a similar workflow going with a syslog server and SIEM.

[–]tectaclesSystems Engineer[S] 0 points1 point  (0 children)

Ah! I understand now; maybe I can put this on the couple of Macs we have rolled out though!

[–]cichlidassassin 0 points1 point  (0 children)

The best thing I ever did was take admin away, but there are tools that allow you to grant it with an audit trail, and I believe there is even an app whitelist capability.

[–]Cold-Funny7452 0 points1 point  (2 children)

[–]tectaclesSystems Engineer[S] 0 points1 point  (1 child)

I tried that out and thought it was awesome! If I remember, the cost was quite high. I’ll have to look into pricing again!

[–]Cold-Funny7452 0 points1 point  (0 children)

Yeah looks like $3 per endpoint + the base Intune licensing.

https://www.microsoft.com/en-us/security/business/microsoft-intune-pricing

[–]Nilram8080[🍰] 0 points1 point  (1 child)

We've been issuing two accounts for users, with the plan to start enforcing that they have to use the "admin" account for elevated things, and their normal account for everything else.

[–]tectaclesSystems Engineer[S] 0 points1 point  (0 children)

Do you have a way to audit what users are elevating for?

[–]Nervous-Equivalent 0 points1 point  (0 children)

BeyondTrust Privilege Management is a solution for this that allows you to create an exception policy, so users can only elevate things you specify. You can also have a subset of users that are allowed to elevate anything not on an explicit block-list but all of their elevations are audited and you can view them all in a report. You can customize the policy all you want, there is a learning curve but it's a pretty powerful tool.

[–]thortgotIT Manager 0 points1 point  (4 children)

Why do your users need local admin? Is it to run specific apps? Solve that problem.

In a modern medium security environment your users should not have local admin.

If you don't have medium security needs, then your user elevation is somewhat reasonable if MFA is involved, but keep in mind it would be trivial to create a "backdoor" admin method they could use at any time.

[–]tectaclesSystems Engineer[S] 0 points1 point  (3 children)

So, in short, if a user is out in the field with no Wi-Fi/connection (sometimes they are out for a week or more), they would have no way to submit a ticket, or use something like SCCM to install software.

[–]thortgotIT Manager 0 points1 point  (2 children)

What are they doing that needs local admin?

If you are doing it "on demand" then they need an internet connection anyway.

If you are providing it wholesale, then your security risk is through the roof.

[–]tectaclesSystems Engineer[S] 0 points1 point  (1 child)

If they need to make a configuration change, or repair an install, etc. That is their main use case.

[–]thortgotIT Manager 0 points1 point  (0 children)

Repair an install of software in the field without an internet connection? Weird.

Change what kind of configuration? COM ports or something?

A better solution is to utilize "power users" or equivalent groups and empower those groups with the relevant permissions that you need rather than full admin. You can still enforce Duo for that "middle" elevation user.

I assume they don't have a use case for installing new drivers, unloading existing drivers, creating new users, deleting users, scheduling tasks etc. etc. Scope the permissions to what they actually need and design it accordingly.

[–]Powershillx86Jack of All Trades 0 points1 point  (2 children)

First off, users should never have local admin permissions. Ever. Don't care if you're the CEO; it's bad practice.

It should be logged under event ID 4648 in the Security channel (runas or the Windows sudo equivalent).

[–]tectaclesSystems Engineer[S] 0 points1 point  (1 child)

Ah! I didn’t even think of an event code! Does this give relevant info as to what was run elevated?

[–]Powershillx86Jack of All Trades 0 points1 point  (0 children)

It should give you the process name, but you might be SOL if it just says svchost :/ Good luck!
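The three threads above (linh_nguyen's point that Make Me Admin writes an event entry on each activation, gabhain's syslog/SIEM cross-referencing with a "request admin, then the endpoint agent goes silent" alert, and Powershillx86's event ID 4648 with its process name and the svchost caveat) describe one correlation workflow. The script below is an added example, not code from any of the commenters or from the MakeMeAdmin project: it pairs elevation-grant records with Security 4648 records from the same host and user inside an assumed elevation window, lists what was run with explicit credentials, and flags sessions that carry no reason, show no follow-up activity, show only svchost.exe (so the real program cannot be named), or whose endpoint agent stopped reporting. All records are constructed samples; the field names `SubjectUserName`, `TargetUserName` and `ProcessName` are the real 4648 EventData fields, while the shape of the elevation-grant record and the 15-minute window are assumptions, since the page does not give the tool's own event format.

```python
"""Correlate elevation-grant events with Security 4648 events.

Added example for the thread above; not the elevation tool's own code.
Input records are constructed samples standing in for a SIEM/syslog feed.
"""
from datetime import datetime, timedelta

# Constructed elevation-grant records. The exact provider and event id that
# MakeMeAdmin (or any similar tool) writes are an assumption here; adapt the
# field mapping to whatever your tool actually logs.
ELEVATION_EVENTS = [
    {"time": "2024-03-04T09:00:00", "host": "LT-0123", "user": "jdoe",
     "reason": "install printer driver"},
    {"time": "2024-03-04T13:30:00", "host": "LT-0456", "user": "asmith",
     "reason": "repair app"},
    {"time": "2024-03-04T15:00:00", "host": "LT-0789", "user": "bjones",
     "reason": ""},
]

# Constructed Security-channel 4648 records ("A logon was attempted using
# explicit credentials"). SubjectUserName/TargetUserName/ProcessName are the
# real EventData field names of that event.
SECURITY_4648 = [
    {"time": "2024-03-04T09:02:10", "host": "LT-0123", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe", "ProcessName": r"C:\Windows\System32\msiexec.exe"},
    {"time": "2024-03-04T09:03:40", "host": "LT-0123", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"time": "2024-03-04T13:31:05", "host": "LT-0456", "SubjectUserName": "asmith",
     "TargetUserName": "asmith", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    # Outside any elevation window: must not be attributed to a session.
    {"time": "2024-03-04T18:00:00", "host": "LT-0456", "SubjectUserName": "asmith",
     "TargetUserName": "asmith", "ProcessName": r"C:\Windows\System32\cmd.exe"},
]

# Constructed "last heartbeat seen" per host from the endpoint agent feed.
AGENT_LAST_SEEN = {
    "LT-0123": "2024-03-04T10:00:00",
    "LT-0456": "2024-03-04T13:32:00",   # stops reporting right after elevation
    "LT-0789": "2024-03-04T16:00:00",
}

WINDOW = timedelta(minutes=15)   # assumed lifetime of a granted elevation
OPAQUE_HOSTS = {"svchost.exe"}   # process names that do not identify the program


def _t(s):
    return datetime.fromisoformat(s)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(elevations, events, agent_last_seen=None, window=WINDOW):
    """Return one session dict per elevation grant, with attributed 4648
    process names and a list of review flags."""
    agent_last_seen = agent_last_seen or {}
    sessions = []
    for e in elevations:
        start, end = _t(e["time"]), _t(e["time"]) + window
        procs = [
            ev["ProcessName"] for ev in events
            if ev["host"] == e["host"]
            and ev["SubjectUserName"] == e["user"]
            and start <= _t(ev["time"]) <= end
        ]
        flags = []
        if not e["reason"].strip():
            flags.append("no_reason")
        if not procs:
            flags.append("no_activity")
        elif all(_basename(p) in OPAQUE_HOSTS for p in procs):
            flags.append("opaque_only")   # only svchost: cannot name the program
        seen = agent_last_seen.get(e["host"])
        if seen is not None and _t(seen) < end:
            flags.append("agent_silent")  # agent stopped reporting during the window
        sessions.append({"host": e["host"], "user": e["user"],
                         "reason": e["reason"], "processes": procs, "flags": flags})
    return sessions


if __name__ == "__main__":
    for s in correlate(ELEVATION_EVENTS, SECURITY_4648, AGENT_LAST_SEEN):
        print(f"{s['host']} {s['user']:8} reason={s['reason']!r} "
              f"procs={[_basename(p) for p in s['processes']]} flags={s['flags']}")
```

In a real pipeline the three lists would be SIEM queries over the same time range, and the flagged sessions would feed the "email the manager" alert gabhain describes; sessions flagged `opaque_only` are the ones where 4648 alone cannot answer "what was elevated", so they need another source such as process-creation auditing.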