Admin permissions on your daily laptop
Posted by Important_Ad_3602@reddit | sysadmin | 39 comments
Our IT department consists of 2 people, myself being the sysadmin doing all sorts of tasks. Both of us have administrator permissions on our laptops. I'm debating with my colleague whether this is best practice.
I know by default it isn't, but with phishing-resistant MFA it feels like a pita. I don't want to walk over to the admin laptop and touch a Yubikey. Moreover, 3 out of 5 days I'm 300 km away from that thing.
How do you guys manage, when your job description is not limited to 'open firewall admin webinterface'?
bukkithedd@reddit
I'm weird since I use a Mac despite being a Windows-admin, but for the rest we're quite comparable. Small 2-man department etc.
I use two profiles in Edge for this. One is for everyday surfing, and the other is STRICTLY for admin-work. The account used in the Admin-profile is also PIM'ed to hell. My regular account does have admin-rights in a very few places due to abject stupidity of the muppet who set up that specific portal/system (not me ;) ), but my daily driver doesn't have any sort of global access to anything that matters. At all, period, and done. My regular account is a regular user, and I don't want it to be an admin anywhere that matters (my local PC doesn't matter, which is a hill I'll gladly die on).
I also have two separate admin-accounts. One for cloud (with PIM), one for on-premise servers. The two are not intermixed. The on-prem admin-account does not have admin-rights in the cloud etc.
Now: is it normal to log into an admin-portal from your daily driver laptop? In the real world it is, yes. That being said, ANY admin-work should ideally be done from a security-stance of "good enough for the company". If I worked in a place that was under HIPAA or similar regulations, I'd be layering a whole lot more security on top of my daily driver than merely a separate Edge-profile, PIM and a Yubikey on my keychain, to put it that way.
Is that good enough? Again, it depends greatly on what your company feels is adequate in terms of security.
In the end, as you've seen here: this question tends to trigger a whole avalanche of debate. Shove 10 sysadmins into a room and ask that question, and you'll have at least 19 answers and 40+ what-ifs and "it depends" thrown about, if not a full-scale riot.
Important_Ad_3602@reddit (OP)
Haha, thanks for the extensive answer. Sounds realistic.
Having to open a PAW for every external portal task is an unrealistic goal. Do you disable Edge / Chrome password managers?
slugshead@reddit
Standard account for work.
If I need to elevate, there's a separate account for that. That account is a member of the BUILTIN\Administrators group.
qordita@reddit
A different/additional account that is a member of local admins on workstations.
Oh_for_fuck_sakes@reddit
Use LAPS instead of a local admin across all your devices. If that account gets owned they have local across your fleet.
qordita@reddit
In an ideal world, yes. Some of us just aren't that sophisticated yet. My local admin username is an AD account but isn't given that access via GP; it's manual, so it only has local admin on maybe 3 machines. If I need it on another, I'll grant it to myself to do what I need to do, then remove it afterwards. It's clunky, but it works when I need it to. Plus it's pretty rare I need to do that these days, maybe once or twice a year.
Oh_for_fuck_sakes@reddit
I encourage you to look into LAPS. It's incredibly simple to deploy, especially in a small environment, which you sound like you have; it will scale with that environment, you no longer have to do that manual process you mentioned, and it gets rid of your shared local admin.
qordita@reddit
Yeah, it's come up in conversation a few times over the years but hasn't gained any traction. There's always something deemed "more important" when we talk about it. We're a little more mature than we were a few years ago so maybe it's time to bring it up again.
Oh_for_fuck_sakes@reddit
That's fair. It's a marathon, not a sprint! We just get the wins where we can, hey :)
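To make the LAPS suggestion above concrete, here is an added example (not posted by anyone in the thread) of using a Windows LAPS-managed local account just-in-time for one task on one workstation, then expiring the password so it rotates. It assumes the Windows LAPS PowerShell cmdlets (Get-LapsADPassword, Set-LapsADPasswordExpirationTime), AD-backed LAPS, WinRM reachability, and a made-up hostname 'WS-0042'.

```powershell
# Added example: JIT use of the LAPS-managed local account instead of a shared local admin.
# Assumes Windows LAPS cmdlets and AD-backed storage; 'WS-0042' is a constructed hostname.
function Invoke-WithLapsAccount {
    param(
        [Parameter(Mandatory)] [string]      $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )

    # Pull the current managed password for this one device only (never a fleet-wide secret).
    $laps = Get-LapsADPassword -Identity $ComputerName
    if (-not $laps) { throw "No LAPS password found for $ComputerName" }

    # Without -AsPlainText the Password property is a SecureString; wrap it in a credential
    # for the managed local account (the Account property holds its name).
    $cred = [pscredential]::new("$ComputerName\$($laps.Account)", $laps.Password)

    try {
        # Remote UAC filtering applies to non-built-in local admins over WinRM; the managed
        # account is normally the built-in Administrator, so this works as-is.
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock $ScriptBlock
    }
    finally {
        # Expire the password now so the device rotates it on its next policy cycle:
        # the credential just used stops being valid instead of lingering in a vault or notes.
        Set-LapsADPasswordExpirationTime -Identity $ComputerName | Out-Null
    }
}

# Usage: one elevated task on one workstation, then rotate.
Invoke-WithLapsAccount -ComputerName 'WS-0042' -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}
```

The retrieval is logged in AD (and, in the Entra-backed variant, in the audit log), so each JIT use leaves a trail that a shared local admin password never does.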
NiiWiiCamo@reddit
Or limit local admin to specific devices. Since I am no longer in internal IT (switched to networking on customer systems), I don't need local admin on all devices, just mine. For that I have a domain user that is a local admin on my device only and is only permitted to log in there.
If I need to switch devices, that permission gets migrated to the new laptop, so I personally don't need the LAPS credentials.
Nice flair btw.
DeifniteProfessional@reddit
How do you do third-party services? I got thinking about this earlier. I have different domain admin accounts, but I use my primary email address for other SaaS platforms like my RMM.
qordita@reddit
Depends on how tight you want to lock things down. I also log into an RMM using an email address, and I do it right from my laptop. But our physical storage system is firewalled off so only certain endpoints can reach its management web interface. Exchange/Entra, right from my laptop. vSphere? Only allows connections from certain endpoints. Without any policy with teeth, it really depends on the risk tolerance of who set it up initially.
jma89@reddit
We run four accounts for IT folks:
I use a private browsing window to sign into stuff like Entra with my Cloud Admin, and authenticate with a Yubikey. Otherwise my base/daily account has no admin rights, aside from ownership over the department SharePoint site in the same way the engineering department manager has ownership over their department's SharePoint site. (Not full control, but enough to manage their group.)
TheThirdHippo@reddit
Use tiered level access. Standard user account for daily driver, tier 2 for local workstation admin, tier 1 for server admin and tier 0 for everything higher such as domain admin. I use runas.exe or the app/portal to do the admin functions.
Secret_Account07@reddit
Use admin accounts.
Should have 2 different accounts. Our IT have their normal employee accounts and another admin account. Elevate when needed. Preferably vaulted/PAM.
Cannoli41@reddit
You need to separate privileged and non-privileged work; daily driving an admin account is asking for trouble. For example, use a VM to do standard tasks like browsing the web and sending emails. Use your admin computer/profile for privileged tasks in your environment.
Important_Ad_3602@reddit (OP)
How does logging in with GA account in Intune fit in here?
You can't disable MFA. And you want phishing resistant MFA for that. Would this be done on the daily driver or would you hop to a VM?
3sysadmin3@reddit
Use a PAW next to you on your desk for GA (cloud) and DA (on premises) admin activities. Maybe getting the 300km part of the problem out of the equation solves things.
Important_Ad_3602@reddit (OP)
What tool do you use to hop on a PAW with MFA?
BlackV@reddit
Rsp, Yubikey or passkeys (read: MS Authenticator)
3sysadmin3@reddit
Also my yubi is one of the low profile ones you just leave plugged in. My PAW goes home with me too so it easily transfers to my bag.
3sysadmin3@reddit
My Yubikey is set up for FIDO for GA stuff and also smart card auth for on-premises DA or server admin stuff. I love it. Much easier to type a PIN vs a GA/DA/SA password.
countextreme@reddit
Hot take: it depends.
Everyone here is going to beat the PAW PIM PAM drums until they are blue in the face, but the truth of the matter is that for smaller orgs, that gets expensive real quick. Pitching E5 or a similar SKU and separate laptops (especially with the insane hardware prices right now) to a small business is completely different from a large enterprise environment.
There's a break even point somewhere in the middle, probably about at the point where the discount on cyber insurance premiums outscales the capex and licensing costs. Or if you have a regulatory requirement.
That being said, you should sign in with a daily driver and elevate when necessary. Where and how that elevation happens depends on the budget.
g-rocklobster@reddit
I don't quite follow this - if you need to do an admin task on your laptop, you have to go to another laptop?
You're right, it isn't. Even with more recent developments in security like MFA. Primarily because every time a better security method is developed, bad actors will work to, and will eventually, defeat it. Both sides are constantly leapfrogging each other and you don't always know when they've found an exploit or workaround.
I'm sorry to say but if your colleague was arguing that you should be running your daily work as a local user, not admin, they're right and you're wrong.
Important_Ad_3602@reddit (OP)
Haha, it's the other way round. My colleague doesn't want to lose his. 😄
We can live without the local admin permissions. But should we also stop logging into portals like Azure from your daily laptop (without local admin permissions)?
g-rocklobster@reddit
Ah, ok. The way you worded it sounded like you were the one who didn't want to lose them.
To clarify my workflow:
Does that make sense?
BlackV@reddit
Local admin? On the workstation? 100% no. None of your accounts should have it, not your daily or your portal admin.
Rudager6@reddit
I assume we’re talking local admin?
What do you do multiple times a day that needs elevated permissions?
FreakySpook@reddit
It's becoming pretty common now to force PowerShell to run in constrained language mode unless elevated; if you're working with PowerShell a lot it can cause problems.
My work is looking to push that policy out but use either Administrator protection or just JIT with Entra PIM to let people elevate when needed.
Important_Ad_3602@reddit (OP)
Maybe my question wasn't entirely correct. Being local admin and logging into administrative portals are two different things.
My main concern right now is logging into things like MS portals from my daily laptop. But with the phishing-resistant MFA requirements I can't think of another way. And is that risk not taken away by the MFA requirement?
descartes44@reddit
I tell my IT guys, security and convenience are always in opposition to each other. You can't have both. To my users, I tell them "security hurts". 😁
Turridunl@reddit
We have a normal user account and a separate admin account. The admin accounts are in the local admin group. We use an AVD as our management stepping stone.
antihippy@reddit
We use PIM. I don't know why you think you need so much local admin. We run without local admin & use LAPS for those weird times we do.
Tall-Geologist-1452@reddit
JIT and PIM should be the default. No one, even us as admins, should run with local admin 24/7. I would like to see privileged access workstations, even if it's an AVD, but my boss says that is a bit radical.
mike9874@reddit
You need tiered admin.
Some people will tell you that you have an admin device and a standard device, with a different account in each
Some will say that the laptop is your admin device and you connect to a VM that's the standard one
Others will say just RDP to a privileged access workstation and use that with a dedicated admin account. Is this the best? No. Is it sufficient for most environments? Yes.
ChangeWindowZombie@reddit
Best practice is to use a standard user with no admin privileges to log in to your laptop. Then you should have an admin account that you use to elevate activities via UAC prompts while logged in to your standard user account.
A slight inconvenience for you is a major hurdle to overcome for a malicious actor. The vast majority of breaches in recent history occurred due to compromised admin credentials.
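As an added example (not from any commenter), here is a posture check for the separation argued above and for the constrained language mode point earlier in the thread: it reports whether the current session is elevated, which accounts sit in the local Administrators group, and whether the signed-in user is among them. It assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module; the allow-list entries are placeholders.

```powershell
# Added example: audit a workstation against the "daily account is never local admin" rule.
# Assumes the LocalAccounts module; the entries in $AllowedAdmins are constructed placeholders.
function Get-AdminPosture {
    param(
        # Principals that may legitimately be in local Administrators: the LAPS-managed
        # local account and dedicated admin accounts/groups, never daily user accounts.
        [string[]] $AllowedAdmins = @('Administrator', 'CORP\adm-jdoe', 'CORP\LAPS-Admins')
    )

    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    # With UAC a local admin still gets a non-elevated token, so IsInRole only says
    # whether THIS session is elevated, not whether the user is an admin at all.
    $elev = ([Security.Principal.WindowsPrincipal] $id).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Normalise "COMPUTERNAME\user" to "user" so local accounts compare by bare name;
    # domain principals keep their "DOMAIN\name" form.
    $localPrefix = "^$([regex]::Escape($env:COMPUTERNAME))\\"
    $members = Get-LocalGroupMember -Group 'Administrators' |
               ForEach-Object { $_.Name -replace $localPrefix, '' }
    $me = $id.Name -replace $localPrefix, ''

    # Direct membership only: nested domain groups are not expanded here.
    $unexpected = @($members | Where-Object { $AllowedAdmins -notcontains $_ })

    [pscustomobject]@{
        User             = $me
        SessionElevated  = $elev
        LanguageMode     = $ExecutionContext.SessionState.LanguageMode
        LocalAdmins      = $members
        UnexpectedAdmins = $unexpected
        # The thread's rule: not elevated, daily user not in Administrators, no strays.
        DailyDriverOK    = (-not $elev) -and ($members -notcontains $me) -and
                           ($unexpected.Count -eq 0)
    }
}

Get-AdminPosture | Format-List
```

Run it as the daily account on a few machines and UnexpectedAdmins will show exactly the accounts a LAPS rollout or a dedicated admin account should replace.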
stromm@reddit
NEVER give local/remote admin/elevated rights to a user's (including you) daily account.
NEVER.
Holy cow, doesn't anyone in IT get training anymore? Or read certification books?
This is one of the primary Best Practices.
If a person needs elevated rights, they get a second account that is used ONLY when they explicitly and directly need elevated rights.
kukari@reddit
On the laptop you read emails, absolutely no admins there. Use a separate PAW for admin stuff.
joerice1979@reddit
I work on the premise that if some configuration makes it easy for *me* to get and do things in various places, it also makes it easy (or at least easier) for the malware I just ran in a momentary lapse of concentration to do the same.
Security is a pain in the arse, for sure, but I just live with it. That said, I don't have the distance you have.