I have a client with about 50 users whose PCs are managed through Active Directory with a focus on least privilege. They've got a hybrid setup that syncs with Entra for their Office 365. The technical department, consisting of 5 users, manages IoT devices and PLCs but faces significant restrictions due to least privilege policies. They struggle with tasks like adjusting network card settings on-site at client locations and installing necessary tools without continually asking for my approval. This is really slowing down their workflow. I'm seeking advice on how to handle these kinds of requests effectively. Would setting up a VM on their workstations be a viable solution?
6 Answers
Just in time access could work, allowing them to request elevated privileges daily or weekly, which you can approve. The passwords would then auto-expire, balancing accessibility and security.
Have you considered using local admin accounts? You could grant admin access specifically on the machines you set up. This gives them the autonomy they need without compromising overall security too much.
I’ve tried that in the past—it can work, but we did notice a few unwanted programs popping up after a while. If you have remote monitoring tools, you can easily catch and remove them.
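For the local admin approach discussed in the two comments above, here is an added example (not posted by anyone in this thread) of the periodic check a remote monitoring tool would run: it enumerates the local Administrators group on the technical team's workstations, flags any member that is not on an approved list, and can optionally remove the stragglers. Hostnames, the domain name and the approved group names are placeholders, and WinRM is assumed to be enabled for Invoke-Command.

```powershell
# Added example: audit (and optionally remediate) local Administrators membership
# on the technical department's workstations. Hostnames, domain and group names
# below are hypothetical placeholders, not values from the thread.
param(
    [switch]$Remediate   # without this switch the script only reports drift
)

$Workstations = @('TECH-WS01', 'TECH-WS02', 'TECH-WS03')   # hypothetical
$Approved = @(
    'LOCAL\Administrator',          # built-in account, password rotated by LAPS
    'CONTOSO\Domain Admins',        # placeholder domain
    'CONTOSO\GRP-Tech-LocalAdmins'  # placeholder group granted via GPO
)

# Collect current members; the built-in account shows up as HOSTNAME\Administrator,
# so normalise the machine-specific prefix to LOCAL\ before comparing.
$Members = Invoke-Command -ComputerName $Workstations -ScriptBlock {
    $prefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name -replace $prefix, 'LOCAL\'
            ObjectClass = $_.ObjectClass
            Source      = $_.PrincipalSource
        }
    }
} -ErrorAction Continue

# Anything not on the approved list is drift: an ad-hoc account, a tool installer
# that added its own user, or a group nobody remembers granting.
$Drift = $Members | Where-Object { $Approved -notcontains $_.Member }

if (-not $Drift) {
    Write-Output 'No unexpected members in local Administrators.'
    return
}

$Drift | Format-Table Computer, Member, ObjectClass, Source -AutoSize

if ($Remediate) {
    foreach ($entry in $Drift) {
        $name = $entry.Member -replace '^LOCAL\\', "$($entry.Computer)\"
        Invoke-Command -ComputerName $entry.Computer -ArgumentList $name -ScriptBlock {
            param($m)
            Remove-LocalGroupMember -Group 'Administrators' -Member $m -Confirm:$false
        }
        Write-Output "Removed $name from Administrators on $($entry.Computer)"
    }
}
```

Run it read-only first and review the drift list before using -Remediate, since a legitimately added service account would otherwise be removed along with the unwanted ones.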
You might want to look into giving them access to LAPS for local admin passwords on their machines. It could provide the flexibility they need without constantly involving you.
After two years of pushback, I finally gave our field engineers a dedicated GPO for local admin rights on their workstations, and it made a world of difference. Remember, applying least privilege is important, but sometimes you have to be practical and provide the tools they need to do their jobs effectively.
I get that! I’m facing pressure from a security officer on this since it’s a public entity. Balancing security audits and practical needs is tough.
I understand the constraints, but giving access to those doing critical work can reduce friction. You might want to consider a combination of options like using a VM for tools and possibly an admin request system.
We’ve had success using Admin by Request for similar situations. It allows engineers to request elevated access when needed while giving you control over those permissions. Highly recommend trying it out!
I wasn’t aware of that option. I’ll definitely check it out!
When I worked for a PLC manufacturer, each engineer had two laptops: one connected to AD for office work and another just for programming PLCs. They had full admin rights on their programming machine but it never touched the office network. This setup really helped.
That’s a solid model, but the team feels that’s too restrictive given management's budget constraints.

That’s an interesting approach. Thanks for the suggestion!