Hey everyone! I'm looking for some advice on how to handle local Administrator access on our company laptops. Currently, we use a security group that grants local Admin rights to its members, which we find helpful for software installations and troubleshooting. However, we're worried about potential file and folder access leakage; since anyone in that local Administrator group can reach into other machines' user profiles over the network, this could lead to unauthorized access to sensitive data. How do you mitigate these risks? For example, do you restrict the local Administrator group's access to user profile folders? Also, we've not implemented LAPS or Intune yet, but I've heard they could provide a more secure way to manage local admin access. Any insights would be great!
5 Answers
It's crucial to set up admin roles wisely. Normally, there should be distinct accounts for trusted admins and regular users. By limiting admin access to trusted personnel, you're already minimizing potential snooping or access to sensitive data. Also, consider deploying a tool like AdminByRequest for specific software elevation without giving blanket admin rights.
If you’re still grappling with local admin access, consider implementing a system where regular users are standard users, maybe giving them just temporary admin access when needed through request-based methods. It’s more manageable and reduces risk significantly.
I think every business should evaluate their admin access based on trust levels. If you’re worried about someone accessing files, then yes, limiting the local Admin group access should definitely be considered. Conduct regular audits and consider implementing LAPS if you haven't already.
Couldn’t agree more! If trust is a concern, that alone should lead to tighter access controls.
As a solo sysadmin with a smaller team, I prefer to keep admin access restricted to just admins. You can utilize tools that allow users to install software they need without giving them full admin rights. Programs like Securden Endpoint Privilege Manager can help manage these requests without compromising security.
Absolutely, LAPS is the best route to take for managing these accounts. It provides a much more secure way to handle local admin passwords without exposing them unnecessarily. I highly recommend looking into it, especially if you're concerned about security vulnerabilities.
That sounds like a solid strategy! Keeping tasks separate really helps in managing secure access while maintaining usability.