• Home
  • Blog
  • Technical
  • Removing local admin: a game of compromise (and some tips and tricks)

Removing local admin: a game of compromise (and some tips and tricks)

Back to Blog
11Oct2019

Removing local admin: a game of compromise (and some tips and tricks)

Look, I am a realist. Yes: from a security perspective it would be ideal if we could take away local admin privileges on every corporate owned Windows 10 workstation. But that still isn’t very easy to do for many organizations.

Some orgs do need to maintain a bit more flexibility, with users able to install new app packages as required. Some Line of Business apps also will claim not to support removal of local admin. (Although, I usually find they are bluffing, and when pressed can often explain the folder permissions and/or registry changes that would be required to run without local admin).

Nevertheless, there are certainly barriers that make this a difficult path in some cases. But Microsoft has a more pragmatic approach to this problem these days. They even publish a continuum of various Windows 10 security configuration profiles, intended for the Enterprise.* Removal of local admin is part of their “High” security profile. But we also have “Enhanced” security as an option, and this is a good starting place for many orgs who don’t know where to begin, but need a solid baseline.

*ASIDE: Some of the settings contained in these profiles are not compatible with the Business edition of Windows 10, or even E3. For example, the security profiles all call upon Microsoft Defender ATP. This is used to evaluate threat level on the device, and deny access to risky devices using a compliance policy. That is one way to mitigate the need for local admin (albeit expensive, and still not perfect). Inspired by these profiles, I released my own version of this framework which IS compatible with Business and E3 editions, and does not rely on Defender ATP.

Enter Exploit Guard

Another mitigation that we have access to, even in the Business subscription, is Exploit Guard, including Attack surface reduction and Controlled folder access. These are sub-features of the Microsoft Defender suite, and all of the official MS docs describing them still say Windows 10 Enterprise is required to use this feature, but the Microsoft 365 Business service description confirms that it is one of the Windows 10 Business security features that is included with the Business SKU.

Granted, you have the best experience with these features in E5, because of its tight integration with Microsoft Defender ATP–there you get advanced management features including monitoring, analytics, workflows, advanced hunting, etc. While these aren’t part of the Business or E3 editions, you can still enable the various rules in either Audit or Block mode.

You can find these settings in Intune. If you navigate to Device configuration > Profiles, create a new profile for Windows 10, and choose Endpoint protection. Under Microsoft Defender Exploit Guard you will find the settings.

Attack surface reduction

Attack surface reduction will allow you to either audit or block certain actions that are often associated with malware and zero-day exploits. For example, preventing Office apps from launching child processes.

If you want to see what the impact will be, you can run these in audit mode for a few weeks first, and watch the event logs on your workstations. Just open Event Viewer and filter for Event ID 1122 in the Microsoft/Windows/Windows Defender/Operational log.

If you do find that you have a line of business app, or some monitoring / security agent that requires an exception to ASR, you can add exceptions (scroll down).

Controlled folder access

Especially useful in thwarting ransomware, Controlled folder access is another feature of Exploit Guard that watches system and other custom-defined folders (e.g. OneDrive sync locations); its purpose is to prevent untrustworthy and unknown apps from making changes or writing data to these locations.

Enabling the feature also requires that you have enabled Windows Defender Antivirus Real-time protection. You could accomplish this either using a Windows 10 Device restriction profile, or by using a compliance policy (under System Security).

With that in place you can enable Controlled folder access back in the Device configuration > Profiles > Windows 10 / Endpoint protection policy, again you can Audit only or Enable. As well, you will be able to specify paths to executables that are allowed to make changes (trustworthy/well known apps are included automatically). Last, you can add other folders (such as OneDrive sync locations) that should be protected, along with the default folders.

If you choose to audit the policy (recommended if this is your first time enabling it), again you can monitor the event logs for event ID 1124 under Microsoft/Windows/Windows Defender/Operational.

Network protection

Even though this feature is not called out in the Microsoft 365 Business service description, it is included with Windows 10 Pro, as long as Defender AV Real-time protection is also enabled. Network protection will basically just monitor outbound connections, and block any that attempt to contact known bad domains and IP addresses.

While I usually find exceptions will be required for the other pieces of Exploit Guard (e.g. I have even found some hiccups with MS apps like Teams), I have so far not had any issues just enabling the Network protection feature. Still, the audit events to watch for would be ID 1125 (and 1126 if you have it enabled in block mode).

All of these protections cannot really compare to completely removing local admin privilege (these are different things and stand on their own), but they do help us to limit our exposure, and mitigate risks. They are especially valuable if we cannot take away those privileges, and they still hold value even if we can. Plus, they can provide excellent audit data for piecing together ‘what happened’ in the event of a breach or ransomware infection.

User Account Control

Whether or not you ultimately take away local admin, you should be implementing User Account Control. I would consider this a mandatory/typical corporate security baseline. With UAC enforced, Windows will allow the local user account to run in “Standard user” mode, and only prompt to elevate the session to “Admin mode” when required. I am sure you are familiar with these prompts.

So many admins were scared away by this feature when it first came out in Vista. Since then it has been common practice for admins to disable it, either when troubleshooting issues, or just because they think it will prevent issues and remove question marks. But that’s a mistake. Many of the early days headaches were due more to the “goof” of Vista than UAC.

Within Intune, you can find the UAC settings by creating a new Device configuration profile, Windows 10, Endpoint protection: Local device security options > User account control.

Here is what I recommend as a minimum.

Microsoft’s recommended baseline is actually more stringent than this, and denies elevation requests automatically for standard users. However, what I like to do is Prompt for credentials on the secure desktop. The secure desktop (rather than the interactive desktop) is more jarring and is more effective at snapping your attention and allowing you to focus on the question–so you’re less likely to dismiss it outright.

If you do take away local admin and users are running as standard users, then I do one more thing in conjunction with this: I create a “Desktop admin” account that has no special roles or privileges in the tenant (it is not a global admin for instance), but we place this account as an additional local admin on any Azure AD joined device. This can be accomplished from Azure AD > Devices > Device settings.

The password for this account is known by the admin, and by another trusted technical contact (or two) at the organization. If and when a system change or update or other software package is required (and the action is not being accomplished via central administration with Intune), then the user has an option to get one of the designated people to assist them with completing the elevation request.

There is some training that goes with this change for end users and the technical contacts. If they are suddenly prompted on the secure desktop and they weren’t trying to make a change or install software, they should not allow the elevation to continue (and they should notify IT immediately). With the lack of local admin and the secure desktop credential prompt in the mix, there is more activation energy required to make the change happen, so users really have to be sure that they want to continue (they won’t just click whatever makes the interruption go away the fastest).

Note that even when taking away local admin privilege and having UAC in place, Microsoft Defender Antivirus and Exploit Guard and other protections still remain useful. Not only for the audit log information, but also because some of the potential malware actions would not trigger a UAC prompt as they are relying on other system and application processes to do their work. So you can and should use these features in conjunction with one another.

And of course, all of this and more is detailed in my recent product, the Windows 10 Business Secure Configuration Framework.

Technical , , , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

25Oct

12 Steps you can take to up your Office 365 Security & Compliance game

I don't mean to oversimplify things here. This is not a comprehensive guide or anything like that. Every organization has different goals and business objectives, and depending on your industry, etc., you could have very different compliance regulations or whatever, that you need to consider.... read more
30Aug

(Mis)Adventures with Conditional Access in Azure Active Directory Premium (P1)

I have been playing with Azure Active Directory Premium (P1) features a lot lately. And I love to try as hard as I can to break things. Turns out, it isn't that hard to do with Conditional Access. But, having brushed up against a few... read more
18Jul

Reader question: How do I setup iOS devices after disabling app permissions consent for my users?

I continue to get great feedback and questions from our readership lately. Keep it up! I love to field these questions and use them to improve my literature. This person (who is also an MVP) also wished to remain anonymous, and had a couple of... read more
08Apr

Managing Hybrid Exchange environments: a Cheat Sheet

Office 365 Exchange Online is pretty simple to manage if you are a "cloud-only" organization. Especially now that many edits can be made easily via the Microsoft 365 admin center, without even going into the Exchange Online admin area, separately. But, for those of us who... read more
24Jul

How to manage and secure service accounts in Microsoft Office 365 (without MFA)

Okay, so hopefully everyone knows by now that MFA is not an "optional" thing that you can decide to turn on, or not, depending on your "feelings." It isn't a choice, and your feelings about it don't matter. You need to turn it on. ... read more
04Sep

Windows Hello for Business: Azure AD Join vs. Hybrid Join

Windows Hello for Business replaces a traditional password when signing into your workstation, with a stronger two-factor authentication. One factor being some kind of local gesture such as a PIN, fingerprint or facial recognition, and the other being a key or certificate that is bound... read more
19Sep

Devices still matter, Part 2: How attackers can use YOUR device

So based on our last post, we now know that MFA and Conditional Access can help prevent a lot of different scenarios involving "any old" devices. That leaves one other avenue for attackers then... Why bother trying to gain new access through any... read more
29Oct

Windows Server 2019, Windows Server Essentials 2019, Office 2019 and other 2019 Microsoft products for the SMB

So the 2019 lineup of products are basically all here now--Office 2019, Windows Server 2019, Exchange Server 2019, etc.  Now with regard to the SMB space, I would usually be recommending that most organizations, especially very small sized business of 25 users or less, be... read more
24Jul

Updates coming soon to the Azure AD Best practices checklist

Update: The best practices checklists and guides are now available. I will be updating the best practices checklist and guide for Azure AD again soon, but I wanted to post a couple of notes about the coming changes--since it may be a while before I get... read more
20Apr

What is Windows Hello, and how to enable it

Windows 10 introduced a new security feature called "Hello," which allows a computer to be unlocked via different means than a traditional username/password prompt.  The marketing around this sells it as a more "personalized" login experience--more "human" or whatever. But it's really just extra security... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me