Finding the Balance with Windows Local Administrator Rights

By ari. September 11, 2019

For a systems administrator, balancing Microsoft User Rights Assignments in the Windows operating system has always been a struggle. Too much access on a file system is dangerous, while too little generates tickets at the help desk. An equilibrium of supportability and security is ideal, yet seldom achieved. Windows Local Administrator (WLA) rights on an endpoint machine (laptop or desktop) often present us with the same scenario.

You can layer several monitoring tools atop the OS in a preventative fashion, but in doing so you begin removing form and function for end users. Additionally, solutions such as endpoint privilege monitors are reactive rather than proactive measures, and often cannot identify zero-day threats. Of course, all solutions take time to implement and embrace, but implementing the right solution for the right problem makes it worthwhile. This is one of the main reasons why I recently joined Hysolate – it’s the right solution to solve this problem.

Hysolate offers virtualization software that lives locally on an endpoint and revolutionizes the approach to endpoint security. The implementation enables system admins to securely strike that balance of providing enough local admin rights for users to be productive without putting the organization at risk.

We can significantly improve security posture with inherent architectural design changes by virtualizing the endpoint. Hysolate’s approach creates a secure and hardened hypervisor that is the foundational layer of the platform. This layer then divides the user’s endpoint experience under the hood, unbeknownst to them. It allows for one user to access two desktops seamlessly. 

Applications execute from different kernels, with strictly controlled network traffic that can be verified by SSL trusted certificates. Furthermore, WiFi access points can detect the specific network that has connected at a given OS level and send a message to the hypervisor, thereby connecting them to the appropriate operating system. Several other features are available on the platform, all controlled by our centralized blueprint management system.

This style of OS protection has several use cases and will obviously be implemented differently based on your needs. One simple yet powerful use case is WLA removal. Stripping down WLA has long been a focus for organizations. Even today, organizations still struggle with the concept because it is not easy to resolve.

Virtualizing the desktop computer experience gives us the flexibility to deploy virtual machines on top of the hypervisor: one for corporate, protected functionality without WLA rights, while the other remains a sandbox with full WLA if you wish. For the sandbox environment, you can even elect to run it in a “non-persistent” state where it reverts to a previous snapshot daily. This architecture will still allow you to fully protect and patch the corporate VM with typical EDR, AV or other endpoint tools as you always have, and implement the exact opposite on the non-privileged instance. This allows your end users to reclaim their productivity by accessing both environments through a single pane of glass. Our virtualized approach cannot eliminate all threats, but it is a revolutionary approach to endpoint device management with easy-to-understand concepts.
