It was once normal for Windows users to be local administrators on their machines, mainly because the Microsoft Windows developer ecosystem assumed software would run with administrator rights. The introduction of User Account Control (UAC) with Windows 7 was controversial: it was a long-term program to eliminate the need for developers to have administrator rights when running software. We have since come a long way, and it is now widely recognized that we can no longer run our machines with administrator rights.
If you are still looking for justification for why you shouldn’t run your Windows machines with administrator rights, a recent Twitter post by Sean Metcalf listed several reasons:
- It makes it easier for an attacker to get a foothold on that system simply by compromising that account. The attacker then has local administrator rights and can dump the Local Security Authority Subsystem Service (LSASS) and local Service Management Automation (SMA) for more credentials.
- It makes logging more complicated. If users do not all have local administrator rights, you can monitor for suspicious privileged access activity using the “authenticated as local administrator” event (event ID 4672). If all users are administrators, monitoring for this and related events is useless, because every ordinary logon generates them.
- When the user has local administrator rights, ransomware running as that user has all the access it needs to render the system completely unusable.
- If all workstations share the same local administrator password, then the compromise of a single user account results in the compromise of all workstations, and this is likely to take only minutes. To solve this issue, deploy a solution such as Microsoft’s Local Administrator Password Solution (LAPS), which gives each machine its own unique, regularly rotated local administrator password.
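The logging point above (event 4672) only carries signal when ordinary users are not administrators. The following is an added example, not code from the original article or from Sean Metcalf: it parses Windows Security event records in the XML shape Windows writes for event 4672 ("Special privileges assigned to new logon") and flags privileged logons by accounts outside an expected allowlist. The sample events, the host name WS-042.example.local, the account names and the allowlist are all constructed for this illustration; the privilege names and the XML field names are the real ones Windows uses.

```python
"""Triage Windows Security event 4672 records: flag privileged logons by
accounts that are not expected to hold elevated rights.

Example code, not from the original article.  Sample events, host name,
account names and the allowlist below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (Event Viewer "XML View" / wevtutil).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Built-in accounts that receive 4672 on every boot and service start; they
# are excluded so the rule concentrates on user accounts.
BUILTIN_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Well-known privilege names from the 4672 PrivilegeList that matter most
# for credential theft and persistence.
HIGH_RISK_PRIVS = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}

# Minimal event XML in the layout Windows uses (fields trimmed to what the
# rule needs).  Constructed sample data.
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="SubjectLogonId">{logon_id}</Data>
    <Data Name="PrivilegeList">{privs}</Data>
  </EventData>
</Event>"""


def make_event(event_id, user, domain, privs, computer="WS-042.example.local",
               time="2024-05-01T08:12:33Z", logon_id="0x3e7"):
    """Render one constructed event record; Windows separates privileges
    with newlines and tabs, and writes '-' for an empty field."""
    return EVENT_TEMPLATE.format(
        event_id=event_id, time=time, computer=computer, user=user,
        domain=domain, logon_id=logon_id, privs="\n\t\t\t".join(privs) or "-")


# Constructed sample log: a service logon, an expected admin, an ordinary
# user holding admin privileges, and a plain 4624 logon that is not 4672.
SAMPLE_EVENTS = [
    make_event(4672, "SYSTEM", "NT AUTHORITY", ["SeTcbPrivilege", "SeDebugPrivilege"]),
    make_event(4672, "itadmin01", "EXAMPLE",
               ["SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"]),
    make_event(4672, "jdoe", "EXAMPLE", ["SeDebugPrivilege", "SeBackupPrivilege"]),
    make_event(4624, "jdoe", "EXAMPLE", []),
]

# Assumed allowlist of accounts that legitimately hold local admin rights.
EXPECTED_ADMINS = ["EXAMPLE\\itadmin01"]


def parse_event(xml_text):
    """Parse one event XML record into a flat dict."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    privs = data.get("PrivilegeList", "-")
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "user": data.get("SubjectUserName", ""),
        "domain": data.get("SubjectDomainName", ""),
        "privileges": set() if privs == "-" else set(privs.split()),
    }


def flag_privileged_logons(xml_events, allowlist):
    """Return 4672 events for non-built-in accounts outside the allowlist."""
    allowed = {a.upper() for a in allowlist}
    findings = []
    for ev in map(parse_event, xml_events):
        if ev["event_id"] != 4672:
            continue
        if ev["user"].upper() in BUILTIN_ACCOUNTS:
            continue
        account = ev["domain"] + "\\" + ev["user"]
        if account.upper() in allowed:
            continue
        findings.append({
            "time": ev["time"],
            "computer": ev["computer"],
            "account": account,
            "high_risk": sorted(ev["privileges"] & HIGH_RISK_PRIVS),
        })
    return findings


if __name__ == "__main__":
    for f in flag_privileged_logons(SAMPLE_EVENTS, EXPECTED_ADMINS):
        print(f"{f['time']} {f['computer']}: unexpected privileged logon by "
              f"{f['account']} with {', '.join(f['high_risk'])}")
```

On the constructed sample this reports only EXAMPLE\jdoe, because the service account is excluded and itadmin01 is allowlisted. Run against a fleet where every user is a local administrator, the same rule would fire on nearly every interactive logon, which is exactly why the event is useless in that configuration. Real records can be pulled with Get-WinEvent or wevtutil and fed to the same parser.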