Revoke Local Admin Rights with Admin By Request

Are you having a tough time deciding how to revoke local admin rights from your cloud-managed Windows 10 devices without hindering user experience?

Enter Admin By Request, a product that enables you to revoke local admin rights from end-users easily and with confidence.

Further, Admin By Request can easily integrate with your infrastructure with a few simple clicks and works natively with Microsoft 365.

However, before we continue, let’s understand why there is a need to manage local admin rights on the endpoints.

Why revoke local admin rights from the end-users?

Providing local admin rights to end-users is always considered a security risk in the enterprise scenario.

Having local admin rights enables end-users to be able to install applications on their assigned workstations without any approval, thereby increasing the risk of installing harmful applications and infecting the infrastructure.

With the onslaught of malware and ransomware attacks in the recent past, this security concern has been further bolstered.

With the Covid-19 pandemic forcing many organizations to switch to remote working with very little time to plan and prepare for the move, many organizations decided to allow users to be local administrators, relying on the Windows built-in User Account Control (UAC) to handle the admin sessions.

Although UAC, along with protective software, does prevent most viruses, malware, and ransomware from being installed, attacks can still happen due to user negligence and lack of awareness.

Revoke Local Admin Rights with Admin By Request - Majority of IT vulnerabilities can be averted by revoking local admin rights from end-users

Data shows that revoking local admin privilege from end-users could have mitigated the majority of security incidents.

  • 92% of critical vulnerabilities reported by Microsoft could have been mitigated by removing local admin privileges and access information management.
  • 100% of Microsoft Office vulnerabilities can be mitigated by removing local admin privileges.
  • 100% of Internet Explorer & Microsoft Edge vulnerabilities can be mitigated by removing local admin privileges.
  • 94% of Microsoft Windows vulnerabilities can be mitigated by removing local admin privileges.

The stats above are from studies published in various security blogs and clearly depict the benefits of removing local admin rights from end-users.

This justifies removing local admin rights from end-users, as it helps to prevent and mitigate lateral movement and elevation of privilege attacks.

However, though removing local admin rights helps to reduce the security risk count, it also significantly reduces end-user experience quality and increases the workload on the IT Helpdesk.

It is not always possible for the IT team to anticipate end-user needs completely and prepare a whitelist ahead of time.

This causes increased remote install calls for the IT team.

Further, a whitelist does not necessarily mean that those files or applications are safe, and the entire process is resource intensive.

Also, there are cases where end-users have reacted to system lockdowns by turning to ‘shadow IT’ workarounds, creating new security risks.

Over the last few years, as more and more organizations shifted their workloads to the cloud and adopted digital workplace solutions, transitioning from traditional management to modern management, end-users have also matured significantly: they expect the best user experience with the least amount of obstruction in their daily workflows.

Removal of local admin rights if planned and implemented well can be a boon, but otherwise a bane for the IT support.

Challenges to revoking local admin rights from end-users

The user account that is used to perform the Azure AD join operation gains local administrator privilege on the Windows 10 workstation, as it is automatically added to the local Administrators group.

Other than that, Azure AD also adds the security principals of the following accounts

  • the Azure AD Global Administrator (GA) account of the tenant
  • the Azure AD Device Administrator account of the tenant

to the Local Administrators group on the workstation. This is by design. Ref Microsoft Article.

Azure AD natively gives you the option to specify additional Azure AD user accounts to be granted local admin privileges on the Azure AD joined Windows 10 endpoints. But then that is all that is available natively.

If you want to remove local admin rights from the end user accounts, you either have the option to

  • Provision devices with Standard User Autopilot profile, or
  • Use a PowerShell script to remove the end-user account from the local Administrators group of the workstation
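
The second option, as an added example that is not from the post or from Admin By Request: a script that strips end-user accounts from the local Administrators group on an Azure AD joined device while keeping an explicit allow-list. The two S-1-12-1-... entries are placeholders for the tenant-specific Azure AD Global Administrator and Device Administrator role SIDs, and the script is meant to run as SYSTEM (for example as an Intune script).

```powershell
# Added example (not from the post or the vendor): remove end-user accounts from the
# local Administrators group, keeping an allow-list of SIDs. Run once with -DryRun
# first: it prints every member with its SID and removes nothing.
param(
    [switch]$DryRun
)

# SIDs that must stay. Placeholders: replace with the real Azure AD Global
# Administrator and Device Administrator role SIDs read off a device via -DryRun.
$KeepSids = @(
    'S-1-12-1-PLACEHOLDER-GLOBAL-ADMIN-ROLE',
    'S-1-12-1-PLACEHOLDER-DEVICE-ADMIN-ROLE'
)

# ADSI is used rather than Get-LocalGroupMember so that members whose SID cannot be
# resolved to a name (common for Azure AD principals) are still enumerated.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members'))   # snapshot before modifying the group

$result = foreach ($member in $members) {
    $adsPath  = $member.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
    $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sidBytes, 0)).Value

    # Keep allow-listed SIDs and the built-in local Administrator (RID 500) so the
    # device is never left without any administrator at all.
    $keep = ($sid -in $KeepSids) -or ($sid -like 'S-1-5-21-*-500')

    $action = if ($keep) { 'Kept' } elseif ($DryRun) { 'WouldRemove' } else { 'Removed' }
    if ($action -eq 'Removed') {
        $group.Remove($adsPath)
    }

    [pscustomobject]@{ Member = $adsPath; SID = $sid; Action = $action }
}

$result | Format-Table -AutoSize
```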

This works fine as long as you are only concerned with removing local admin rights from end-users.

But the real pain comes when you decide that you need to provide local admin rights to select personas, say your local IT support team members, in a way that a support member of region A has admin rights on the workstations that belong to region A only, and not outside the region.

The requirement of having region-based dynamic device grouping is complex to achieve as AAD device objects do not have a location property to be used for creating a dynamic device group.

Further, in Azure, you cannot create a dynamic device group based on the associated user property.

Also, when you remove local admin rights from end-users, there are scenarios that need to be considered as exception cases during the planning phase. Examples of such scenarios:

  • A specific application (which runs in user context) or process might stop working properly since it requires elevated permission to run.
  • Specific personas, mostly developers, need to run certain tasks with elevated permissions, which then break.

Other than this, installing new software (with business justification) or updating existing software requires the end-user to call IT support, who would then initiate a remote session to perform the requested activity.

It is really tough for the IT Support Team to anticipate whitelisting requirements due to varied and diverse application usage across an organization.

This is how revoking local admin rights, when not well planned, adds to the IT overhead and can be considered a hindrance to the end-users’ natural workflow, disrupting productivity.

How to address the challenges of revoking local admin rights?

Modern digital workplace solutions need to include a Privileged Access Management solution which can effectively remove local admin rights from end-user accounts, applying the least privilege principle to run most tasks and activities on the workstations, while still handling the exceptional cases, which is to allow

  • end-users to request and gain elevated privilege for running an activity on-demand
  • only specific approved applications to run with elevated privilege on the workstations
  • a specific group of users to gain access to elevated privilege on the workstation (IT Support Team)
  • elevated session for a limited time period, with force closure of applications on session termination

It goes without saying that all such requests and activities need to be audited, with reports available for later review.

The above boils down to the following principles

  • Isolation of privilege: Account used for performing daily activities should be assigned the least privilege
  • Just-in-time privilege: Privileged access to be acquired only when required
  • Just-enough privilege: Privileged access should be just enough to perform the required task only
  • Time-bound privilege: Privileged access granted should be only for the minimum possible time required to complete the task
  • Require approval and provide justification for requesting privileged access
  • Auditing and review

Essentially, we are looking for a Privileged Access Management solution for the endpoints which can revoke local admin rights from end-users without interrupting their productivity and normal workflow, but is also able to provide privileged rights on demand, while actually locking down local admin rights.

Privileged Access Management (PAM) is one of Gartner’s Top 10 Security Projects for 2019

Trying to explore my options on this very topic, I was referred by one of my seniors to this product named Admin By Request. This blog post essentially captures my testing experience with the same.

Disclaimer: There are a variety of vendors that provide products in this space, such as CyberArk and BeyondTrust to name a few. Though this blog post is about one such product, my intention is to not recommend one over any other. You would have to try and evaluate the products to find the one that is the best fit for your environment and needs.

Admin By Request – Revoke Local Admin Rights with Ease and Confidence

Admin By Request from FastTrack Software is simple, easy to set up and easy to use, with zero infrastructure footprint. It’s all from the cloud.

The product allows you to easily and confidently revoke local admin rights of your end-users on their workstations (Windows 10/macOS), instead providing on-demand elevation of privilege on request, which can be further controlled and time-restricted, to allow performing activities that require elevated access. All of this while maintaining a full audit trail.

The product helps to greatly reduce the propagation of malware and ransomware threats because it works on the principle of least privilege access.

Requesting elevation permission to execute an infected file will get blocked due to the advanced real-time cloud threat detection capabilities on offer.

Admin By Request utilizes OPSWAT MetaDefender Cloud service to provide real-time cloud threat detection capabilities.

The file to be executed is subjected to evaluation by 30+ AV engines (OPSWAT MetaDefender Cloud Multiscanning) before it is even allowed to get executed.

Irrespective of your present infrastructure model, if you are cloud-only, or hybrid, or fully on-premises, Admin By Request can be integrated with your infrastructure with minimal IT efforts!

Did I forget to mention inventory information? You also get a great deal of inventory information as the client retrieves hardware and installed software information from the workstations.

Last but not least, the product also ships with a fully functional, comprehensive auditing and geographic asset tracking solution.

Want to have richer analytics? You can easily hook up Admin By Request service with Microsoft PowerBI via API access.

Admin By Request is a complete SaaS service hosted in Microsoft Azure and if you are worried about the SLA and Compliance, their website has everything mentioned for you.

Admin By Request – Available Features

Let’s check out what the product offers in a bit more detail.

Elevation served on-demand

Allow end-users to request and gain elevated privilege on-demand [Run as Admin]

This saves IT from the chores of whitelisting applications and doing repeated remote installs. When an end-user starts installing an application, the activity is intercepted by the Admin By Request client, which then sandboxes the execution without providing the end-user with full admin rights. The activity is audited for future reference.

Similarly for any application which is already installed but requires elevated privilege to perform its task, the user can request the “Run As Admin” while executing the application.

The admin privilege granted is applicable to that particular instance or process only.

Revoke Local Admin Rights with Admin By Request – Allow your end-users to request and gain elevated privilege on-demand with Run as Admin

Configure different set of restrictions for different groups of users [Global and Sub-settings scope]

You would mostly not want to apply the same restriction configuration organization-wide. As such, you have the option to create sub-settings which can override the global settings based on scope.

If you really want to have a complete lockdown by not allowing your end-users to ever get admin rights, but instead allow admin rights to only specific personas, you can do that by configuring the Global Access Scope and Sub Settings Scope.

Revoke Local Admin Rights with Admin By Request – You can have different settings for different groups of users using the Global and Sub-settings scope.

Allow end-users to start Elevated Session (mostly to be used by IT Helpdesk) [Admin Session]

You can allow users to start a protected admin session, where the persona requesting it gains full admin privileges for a configured period of time, which allows them to perform tasks that require elevated access. The entire session is audited for the activities performed and is available for future reference.

Revoke Local Admin Rights with Admin By Request – Allow elevated session for a limited time period (mostly for IT Support Team)

Pre-approve apps to allow execution with elevated privilege without requiring approval [App Whitelist]

IT can create and define a pre-approved application list. This results in the specified applications being allowed to “Run as Admin” without requiring an approval, which is otherwise required. This is a good way to reduce the audit log entries by making known-good applications and trusted legacy line-of-business (LOB) applications pre-approved to bypass the approval flow.

Revoke Local Admin Rights with Admin By Request – Pre-approving applications let the end-users elevate those applications without requiring approval.

Considerations for pre-approving files (installed application or an application installer)

When you pre-approve an application file, you need to ensure that end-users will not be able to rename any file to match the pre-approved one to get the exemption. To do this, you get to choose from 3 types of protection mode.

  1. The file must be located in a read-only directory, which ensures the file name cannot be modified by the end-user.
  2. The file must match the checksum, which is the most secure since only one file in the world can match the checksum. But it is not viable since it is version dependent.
  3. The file must match the digital certificate, which allows you to pre-approve all applications from a particular vendor.

Revoke Local Admin Rights with Admin By Request – Pre-approving applications similar to creating AppLocker policies in Windows

If you have noticed, this is quite similar to creating AppLocker policies, where you get the same options to create a rule, which can be

  • Path (location-based)
  • Hash (checksum-based)
  • Publisher (digital certificate based)

Revoke Local Admin Rights with Admin By Request - Pre-approving applications similar to Windows AppLocker policies
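
The three rule types above, as an added example that is not Admin By Request’s own matching logic: a function that evaluates a path, hash or publisher rule against a file, including the read-only-directory check that makes a path rule meaningful. The rule shape (a hashtable with Type and Value) and the Test-PreApprovalRule name are assumptions for this illustration.

```powershell
# Added example (not the vendor's code): evaluate one pre-approval rule against a file.
# Rule shape assumed here: @{ Type = 'Path'|'Hash'|'Publisher'; Value = <path>|<sha256>|<subject CN> }
function Test-PreApprovalRule {
    param(
        [Parameter(Mandatory)] [string]    $FilePath,
        [Parameter(Mandatory)] [hashtable] $Rule
    )
    $file = Get-Item -LiteralPath $FilePath
    switch ($Rule.Type) {
        'Path' {
            # A path match only holds if ordinary users cannot rename or drop files into
            # that directory, so the parent ACL is checked as well.
            if ($file.FullName -ne $Rule.Value) { return $false }
            $lowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
            $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, Modify, FullControl'
            $userWritable = (Get-Acl -LiteralPath $file.DirectoryName).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -in $lowPriv -and
                (([int]$_.FileSystemRights -band $writeMask) -ne 0)
            }
            return -not [bool]$userWritable
        }
        'Hash' {
            # Binds the approval to exactly one build of the file; any update changes the hash.
            $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            return $actual -eq $Rule.Value.ToUpperInvariant()
        }
        'Publisher' {
            # Accepts anything carrying a valid Authenticode signature whose subject names the vendor.
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            return ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -like "*$($Rule.Value)*")
        }
        default { throw "Unknown rule type '$($Rule.Type)'" }
    }
}

# Demonstration against a binary that ships with Windows (no approval of it is implied).
$target = "$env:SystemRoot\System32\notepad.exe"
$rules  = @(
    @{ Type = 'Path';      Value = $target }
    @{ Type = 'Hash';      Value = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash }
    @{ Type = 'Publisher'; Value = 'CN=Microsoft Windows' }
)
foreach ($r in $rules) {
    [pscustomobject]@{ Rule = $r.Type; Matches = Test-PreApprovalRule -FilePath $target -Rule $r }
}
```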

Read from their website to know more about the Logic flow implemented behind “Run as Admin” approval.

Real-time Malware Detection

When a user requests “Run as Admin” to execute an application installation or start an application that requires elevated privilege, the Admin By Request client on the endpoint initiates an API call to the backend cloud service, which then scans the file to be executed using 30+ anti-virus engines in real time.

The real-time scan is prior to actual execution, thus ensuring that no malicious code can get executed with admin privilege.

This does not conflict with security software that is already present on the endpoint (Windows Defender or other 3rd party AV products) as it does not install any additional AV components. The entire process of malware detection is cloud-driven.

The Admin By Request cloud service leverages the OPSWAT MetaDefender Cloud service for this purpose, utilizing OPSWAT’s REST API (the MetaDefender Cloud API).

Read from their website to know how ABR uses real-time cloud scan for malware detection.

OPSWAT MetaDefender Cloud analyzes files to detect threats using a process known as multiscanning – advanced threat detection and prevention technology that increases detection rates, decreases outbreak detection times, and provides resiliency to anti-malware vendor issues. OPSWAT pioneered the concept of multiscanning files with over 30 anti-malware engines available to deliver enhanced protection from a variety of cyber threats.

If you are really interested in learning more about OPSWAT MetaDefender Cloud API, here is the reference documentation.

Mobile App for Admins to supplement the web portal

Admin By Request also provides you with a free publicly available mobile application available on both Google Play Store and Apple App Store, which can act as a supplement to the web portal.

Admin By Request: Free mobile app available for both Apple and Android platforms and supplements the web portal for admin tasks like approvals

Now that we have covered all the features of the product, let’s now see how easily you can integrate Admin By Request with your Azure AD tenant.

Set up Admin By Request with Microsoft Azure AD

It’s just a matter of creating an Enterprise Application in Azure which corresponds to the instance of Admin By Request service and the process is well explained here on their own website. You can also refer to this blog by Hubert Maslowski.

Admin By Request:  Easily integrate with your Azure AD tenant using the Azure AD Connector of Admin By Request.

Once connected you can utilize your Azure AD user and device groups to base your Scope (Global Access and Sub Settings) to differentiate or customize access settings for different scope groups.

Is your current infrastructure hybrid or fully on-premises?

Don’t worry as Admin By Request supports your infrastructure environment in all forms, be it Cloud, Hybrid, or On-premises.

Deploying the Admin By Request client to the endpoints

The Admin By Request Windows client is an MSI application package that you can easily deploy from Intune as a LOB app.

Revoke Local Admin Rights with Admin By Request -Easy client deployment using Microsoft Endpoint Manager, Microsoft Intune (or any MDM solution)

As usual, you can track the deployment using Windows Event logs.

Windows Logs > Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider

Event ID 1901
EnterpriseDesktopAppManagement CSP: A node instance of was created successfully.  MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, MSI UpgradeCode: null, User SID: (S-0-0-00-0000000000-0000000000-000000000-000).

Event ID 1904
EnterpriseDesktopAppManagement CSP: MDMAppInstaller task has started.

Event ID 1905
EnterpriseDesktopAppManagement CSP: Application content download started. MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, User SID: (S-0-0-00-0000000000-0000000000-000000000-000), BITS job: (2cf08fe2-7c6c-47e0-a9c2-4e2e57eb7403).

Event ID 1906
EnterpriseDesktopAppManagement CSP: Application content download completed. MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, User SID: (S-0-0-00-0000000000-0000000000-000000000-000), BITS job: (2cf08fe2-7c6c-47e0-a9c2-4e2e57eb7403).

Event ID 1920
EnterpriseDesktopAppManagement CSP: An application install has started. MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, User SID: (S-0-0-00-0000000000-0000000000-000000000-000).

Event ID 1922
EnterpriseDesktopAppManagement CSP: An application install has succeeded. MSI ProductCode: {449CB0E3-7239-ECC2-16A2-E156B5774E6E}, User SID: (S-0-0-00-0000000000-0000000000-000000000-000), Result: (The operation completed successfully.).

The related Application log events are shown below.

Windows Logs > Application

MsiInstaller Event ID 1040
Beginning a Windows Installer transaction: C:\Windows\system32\config\systemprofile\AppData\Local\mdm\{653905F7-95D6-4F7B-8C3B-31EDF9AECEC6}.msi. Client Process Id: 8772.

MsiInstaller Event ID 11707
Product: Admin By Request Workstation -- Installation completed successfully.

Once the install is confirmed, you can find the event which confirms the removal of the end-user account (the Azure AD GA account and the Azure AD Device Administrator account are kept intact) from the local Administrators group of the device.

Windows Logs > Application

Admin By Request Event ID 0
User <Display Name>/<SID> removed from local admins group

Admin By Request Client installation removes all account SIDs from the local Administrators group on the endpoint, except SIDs for the Azure AD Global Admin/Azure AD Device Admin
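
To pull the events quoted above into one install timeline without clicking through Event Viewer, here is an added example (not from the post or the vendor). The log and provider names are the ones the events are filed under; treating 'Admin By Request' as the provider name of the event ID 0 entry is an assumption, and the default ProductCode is the one from the excerpts above.

```powershell
# Added example: collect the Intune CSP, MsiInstaller and Admin By Request events for the
# client deployment into a single, time-ordered table.
function Get-AbrInstallTimeline {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        # ProductCode as it appears in the post's event excerpts; adjust to the MSI you deploy.
        [string]$ProductCode = '{449CB0E3-7239-ECC2-16A2-E156B5774E6E}'
    )

    $queries = @(
        @{ LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
           Id = 1901, 1904, 1905, 1906, 1920, 1922 },
        @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1040, 11707 },
        @{ LogName = 'Application'; ProviderName = 'Admin By Request' }   # assumed provider name
    )

    $events = foreach ($q in $queries) {
        $q.StartTime = $Since
        # Get-WinEvent throws when a query matches nothing; treat that as an empty result.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
    }

    $events |
        Where-Object {
            # CSP events carry the ProductCode in the message (1904 does not), so use it to
            # drop CSP noise from other MSI deployments.
            $_.ProviderName -ne 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider' -or
            $_.Id -eq 1904 -or
            $_.Message -like "*$ProductCode*"
        } |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Provider = $_.ProviderName
                Id       = $_.Id
                Summary  = ($_.Message -split "`r?`n")[0]   # first line only
            }
        }
}

Get-AbrInstallTimeline | Format-Table -AutoSize -Wrap
```

The 1922 (install succeeded), 11707 (MSI completed) and Admin By Request event 0 (account removed) entries should appear in that order; a 1922 without a following event 0 means the client installed but the group clean-up did not happen.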

You should have the Admin By Request Tray Icon enabled at this point.

Revoke Local Admin Rights with Admin By Request - The desktop client can be accessed from the System Tray on the Windows Taskbar.

The client as shown in the snap above has been deprecated but was the GA version at the time this post was initially published. As of re-publishing and editing this, the latest Windows client is Admin By Request version 7.

Worried about offline endpoints?

Admin By Request works the same whether the computer is online or offline. Portal settings are cached on the client and as an end-user, you do not have any rights to tamper with the client or its settings.

Nevertheless, the policy settings are stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\FastTrack Software\Admin By Request, but if you try to access that key, you will be greeted with an error.

Admin By Request client can’t be tampered with even if the endpoint is offline.

Integrating Admin By Request with Microsoft PowerBI

Navigate to Settings > Windows Settings > Data > API > API Access and toggle the switch to enable API access which gives you the secret API key.

Admin By Request: Enabling API access from the web portal to extract data from Admin By Request to be used with 3rd party analytics and reporting tool like PowerBI.

With the secret key available, open Power BI and click on Get data > Web.

Easily integrate Admin By Request with PowerBI for richer reporting and analytics.

Fill out the form with the details. Choose Advanced and fill in the URL parts. You can find the details to fill in via the link here. Notice that the FQDN will contain the number of the data center hosting your ABR service.

Easily integrate Admin By Request with PowerBI for richer reporting and analytics.

Click on OK and then Connect and you have now connected your Admin By Request cloud service instance with PowerBI.

Admin By Request: End-User Experience

End-users can easily request for an application to run in an elevated context by using the Run as Admin option.

End-users can easily request for an application to run in an elevated context by a right-click selecting the Run as Admin option.

If allowed by IT Admin, End-users can also request for a sandboxed Admin session by clicking on the Admin By Request icon from the System Tray and then clicking on Request administrator access.

End-users can also request for a sandboxed Admin session by clicking on the Admin By Request icon from the System Tray and then clicking on Request administrator access.

Finally, The End

Well, that was all for today.

Note: The new Admin By Request client version 7 for Windows Workstations, introduced many new changes and improvements to aid the end-user experience. Give it a read!