We're cautious about granting local admin rights to anyone, even our IT team. Typically, users call us when they need something installed on their machines, which works fine. However, we have a group of engineers who argue that they need local admin rights to run specific applications and occasionally change their IP addresses. I'm curious to know how others deal with similar situations when software demands these rights continuously. What solutions or workflows do you implement in your organization?
5 Answers
In our case, we had to give local admin rights to our engineers because they work with industrial equipment requiring direct TCP/IP communication on non-routed local subnets. Without admin access, they can't change their IP addresses as needed, which is essential for their tasks.
I'd recommend investing in an Endpoint Privilege Management (EPM) solution to give users the admin rights they need for specific executable files. This way, users only elevate their permissions when necessary, which helps maintain security across the board.
It's critical for us to vet admin access. We give some users local admin rights but make sure it’s approved and logged for compliance purposes. We also implement temporary passwords that can reset automatically after a set period, which is a nice security feature.
We have a system called Admin by Request where users can request admin access. It's a bit more structured; we log requests and have a process in place to manage who gets access and under what conditions.
Admin by Request sounds pretty efficient. It could be a great way to pre-approve certain tasks without users realizing they even needed admin rights.
We use a tool called BeyondTrust that lets users elevate their privileges on demand. Some tasks don't need justification, while others might require a passcode from our info security team. This way, users can get admin access only when absolutely necessary.
I heard that adding the user to the local network configuration operators group allows them to change their IP, but it's limited to the old settings panel and not the new Windows 11 interface.
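The group-based delegation mentioned in the last answer, sketched as an added example that is not part of the original thread: it puts named engineers into the built-in Network Configuration Operators group and reports whether they still hold direct local Administrators membership. The account names are constructed placeholders, and the script assumes an elevated Windows PowerShell session with the LocalAccounts module available.

```powershell
# Added example (not from the thread): delegate network configuration rights
# through the built-in Network Configuration Operators group instead of
# local Administrators. Run elevated on the engineer's workstation.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Constructed sample accounts (assumption); replace with real ones.
    [string[]]$Engineers = @('CONTOSO\eng.alice', 'CONTOSO\eng.bob'),
    # When set, also remove the account from local Administrators.
    [switch]$RemoveFromAdministrators
)

# Resolve groups by well-known SID so localized group names do not matter.
$netOps = Get-LocalGroup -SID 'S-1-5-32-556'   # Network Configuration Operators
$admins = Get-LocalGroup -SID 'S-1-5-32-544'   # Administrators

function Test-Member {
    param($Group, [string]$Account)
    # Direct membership only; nested domain groups are not expanded.
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object Name -eq $Account)
}

foreach ($account in $Engineers) {
    if (-not (Test-Member $netOps $account)) {
        if ($PSCmdlet.ShouldProcess($account, "Add to $($netOps.Name)")) {
            Add-LocalGroupMember -Group $netOps -Member $account
        }
    }

    $isAdmin = Test-Member $admins $account
    if ($isAdmin -and $RemoveFromAdministrators) {
        if ($PSCmdlet.ShouldProcess($account, "Remove from $($admins.Name)")) {
            Remove-LocalGroupMember -Group $admins -Member $account
            $isAdmin = $false
        }
    }

    # One record per account, suitable for logging or Export-Csv.
    [pscustomobject]@{
        Account         = $account
        NetConfigOps    = Test-Member $netOps $account
        StillLocalAdmin = $isAdmin
    }
}
```

Run it with -WhatIf first to preview the changes. New group membership only takes effect after the user signs out and back in.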