Guardians of the Local Admin rights

by: rudyoomsPosted on:

Last Updated on August 29, 2021 by rudyooms

Granting your users local admin permissions when deploying Windows 10 is really really best practice…I’m joking, no it’s not! I must be saying this a lot lately.

You need to be certain all of your endpoints are managed, so you can make sure your users don’t have local admin permissions.

You don’t believe me that your endpoints need to be managed? Take a look at these two examples (Alex Fields):

http://www.itpromentor.com/two-incidents/

Removing local admin permissions mitigates a lot of critical Microsoft vulnerabilities.

Relying on Autopilot to have no local admins is not enough… You can give yourself local admin rights by pressing shift + f10 when enrolling your Windows 10 device.

Start removing your local admins at each login. Please read one of my first blogs on how to remove your additional local admins.

Remove all Local Admins!!

Also, beware AppLocker is not designed for local administrators because the default rules will allow all files for the builtin\administrators. Implementing AppLocker when your users are still local admin is useless.

Making sure a user has no local admin permission is not enough. You need to be noticed when a user somehow becomes a local admin because this is not a normal user action. When this event occurs you will need to investigate how and why this happened!

If you are using Solarwinds as I do, you can create a script check. Implementing this script check will create an alert and logs the information in the event log on the local device. This script also makes sure the local admin permissions are removed.

Try {
$admin = net localgroup administrators | select -skip 6 | ? {$_ -and $_ -notmatch 'De opdracht is voltooid.|^administrator$|^admin$'}
If ($admin -eq $null)
{
    Write-Output "No additional local admins found"
  exit 0
}
Else
{
    Write-Output "BEWARE!!! another local admin has been created: $admin"
    New-EventLog -Source "RemoveAdmin" -LogName "Application" -ErrorAction SilentlyContinue
    Write-EventLog -LogName "Application" -Source "RemoveAdmin" -Message "Removing $admin from the local Administrator group on machine $ENV:COMPUTERNAME" -EventId 10001 -EntryType information	
    foreach ($user in $admin) {
    net localgroup administrators "`"$user`"" /delete | Out-Null
    		
    }	
    
    Exit 1001
}
}
catch
{
#Write-Warning "Value Missing"
Exit 1001
}

Conclusion:

Your endpoints need to be managed. In a perfect world, there shall be no additional local admins! I’m a warrior, an assassin. I will remove all local admins! Make sure you implement SLAPS for the local admin you need! ( https://call4cloud.nl/2020/07/the-laps-and-the-furious/)

LinkedIn

One thought on “Guardians of the Local Admin rights

  2. Hi, we are using SolarwindsMSP (gfi/maxfocus/logicnow/hounddog) Cloud version, not the NABLE/Ncentral version

    https://www.solarwindsmsp.com/product/login

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

  +  61  =  63