I went to a BeyondTrust demo put on at Microsoft’s Herndon, Virginia site. Derek Melber, an MVP in Group Policy, spoke first on Least Privilege. Derek described the need for and the realities of least privilege.
“Microsoft recognizes that to help create a secure, auditable, and compliant enterprise environment, all users should be standard users and ideally not have administrative privileges or access to administrator passwords.” –Austin Wilson, Microsoft Windows Client Security product management director
A number of regulatory frameworks require or hint toward the removal of local administrator rights.
FISMA 800-53 AC-6
Least Privilege—The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.
The Federal Desktop Core Config (FDCC) mandates the restriction of administrator rights.
HIPAA – removing admin rights is necessary to control access to healthcare-related data.
PCI – need-to-know and role-based access are required.
In spite of the regulatory and customer requirements, management is often loath to remove administrator rights. Obviously it would be a very unpopular move. However, it seems that when I’m talking to support myself or talking to people at other companies, many times they have implemented removal of administrator rights on a large percentage of computers. I would love to see some trustworthy statistics broken down by industry on companies that have successfully removed administrator rights.
BeyondTrust’s product allows you to granularly provide the ability to perform certain actions without giving away the store. I expect to write a bit more when I’ve had a chance to try out their product.