itSMF Bulletin July 2023 | Page 12

targeting organisations, privileged accounts are a common target, because they allow an attacker to move laterally through an organisation’s network and escalate the attack while appearing to be a legitimate user. Removing all local administrator rights can immediately reduce an organisation’s risk exposure and attack surface.

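One concrete check behind the point above, added here as an example and not part of the itSMF article: a PowerShell script that lists the members of a Windows endpoint’s local Administrators group, flags any that are not on an approved allowlist, and previews (but does not perform) their removal. The allowlist entries, the report path and the function names are assumptions; the cmdlets Get-LocalGroupMember and Remove-LocalGroupMember are part of the Microsoft.PowerShell.LocalAccounts module shipped with Windows PowerShell 5.1 on Windows 10 and later.

```powershell
# Added example (not from the itSMF article): audit who holds local administrator
# rights on this endpoint and report anyone outside an approved allowlist.
# Requires the Microsoft.PowerShell.LocalAccounts module and an elevated session.

# Hypothetical allowlist: the built-in account, the domain admin group and a
# management account. In a tiered ("high/medium/low flex") model this is where
# the per-tier policy would be expressed.
$Allowed    = @('Administrator', 'Domain Admins', 'LAPS-Admin')
$ReportPath = "$env:TEMP\local-admin-audit.csv"   # hypothetical report location

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Allowed,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Get-LocalGroupMember returns Name (e.g. 'CONTOSO\jsmith' or 'PC01\Administrator'),
    # ObjectClass (User/Group), PrincipalSource (Local/ActiveDirectory/...) and SID.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # Some builds fail when the group contains orphaned SIDs; surface that rather than hide it.
        Write-Warning "Could not enumerate Administrators on ${ComputerName}: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        $short = ($m.Name -split '\\')[-1]      # strip the 'DOMAIN\' or 'MACHINE\' prefix
        if ($Allowed -notcontains $short) {
            [pscustomobject]@{
                Computer = $ComputerName
                Member   = $m.Name
                Class    = $m.ObjectClass
                Source   = $m.PrincipalSource
                SID      = $m.SID.Value
            }
        }
    }
}

function Remove-UnapprovedLocalAdmins {
    param([object[]]$Findings, [switch]$WhatIf)
    foreach ($f in $Findings) {
        # With -WhatIf the cmdlet only prints what it would do; drop the switch to enforce.
        Remove-LocalGroupMember -Group 'Administrators' -Member $f.Member -WhatIf:$WhatIf
    }
}

$findings = @(Get-UnapprovedLocalAdmins -Allowed $Allowed)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation -Append
    Remove-UnapprovedLocalAdmins -Findings $findings -WhatIf   # preview only
} else {
    Write-Output "${env:COMPUTERNAME}: no unapproved local administrators"
}
```

Run it in an elevated session on a single machine, or wrap the body in Invoke-Command to collect the same report from a fleet; keeping the removal behind -WhatIf first lets the service desk see which users and legacy applications will be affected before rights are actually withdrawn.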
Historically, removing local administrator rights caused a significant increase in service desk calls and a poor experience for some users. But today’s experience is far different.

Some employees are more advanced than others in their understanding of technology. While these employees still shouldn’t have local administrative rights, they may need a more permissive set of rights than other employees. Software developers and engineers, for example, are likely to require more flexible permissions to do certain things on their local machines than a user in a business function like finance or HR. It would be inefficient to force developers to contact the service desk for everything they needed: this unnecessarily constrains productivity while also increasing contact and ticket volumes at the service desk, when the aim is to reduce unnecessary interactions. In addition, this is further complicated when you consider that some older applications may even require admin privileges to run in the first place.

Even for more regular users, the way local administrator permissions are withdrawn needs to be almost invisible, so that it does not impede or interrupt existing workflows. There’s also a balance to be struck. Users need to be empowered to do a certain number of things themselves. Where they do encounter a problem and are unable to self-serve a resolution - perhaps they’re trying to install something they shouldn’t - access to support is critical.

They should either be offered clear instructions on how to work around the issue themselves, via a knowledge base, or provided an avenue to raise a service desk ticket. What’s important is that the escalation of the request is a simple and frictionless experience; the extent to which this is achieved will reflect back on the service desk and on the IT department.

Graduated flexibility

A point raised above is that not all staff have the same needs when interacting with IT systems and services, so some flexibility is required in delegating and managing what different employee types are allowed to do.

One way to manage this flexibility is to create a graduated set of flexibilities - high flex, medium flex and low flex, for example - where users’ permissions and their ability to do things themselves is gradually