Local Admin Rights Pose Security Risks
MSPs are frequent targets of cyberattacks because they hold sensitive client information and have access to many client networks. A single point of infiltration through the MSP can give threat actors a strong foothold across customer networks, potentially causing widespread downtime for an entire fleet of customers.
In most cases, the weakness behind such an infiltration is the local admin accounts available on Windows systems (correspondingly, sudo privileges on Unix systems). Gaining administrative privileges on an endpoint allows malicious actors to elevate their privileges further, move laterally, and gain unrestricted access to critical systems within the corporate infrastructure.
This potential risk of allowing admin access has pushed regulatory organizations and cyber insurance companies to mandate its management.
Admin Rights Management Has Become Mandatory
- Cybersecurity Insurance underwriters now mention managing admin access in their contracts with the MSP. Some of the most basic requirements of many cyber insurers include removing admin rights for users and enforcing the principle of least privilege (PoLP) across the enterprise.
- NIST Compliance, specifically the SP 800-171 security control 3.1.5 states “Employ the principle of least privilege, including for specific security functions and privileged (admin) accounts.”
- CIS Sub-Control 4.3, a requirement proposed by the Center for Internet Security, covers the controlled use of administrative privileges and requires that users do not have permanent admin access.
Standing Admin Privileges Must Be Revoked
The most obvious solution to permanent administrative access is to remove it. However, revoking admin rights on systems leaves technicians disgruntled as they often make use of it to run applications, update tools, and install new software.
To tackle this, MSPs adopt an alternative method such as using a separate account for administrative activities and having a standard user account for everyday tasks.
Dedicated Admin Account for MSP Technicians
Some MSPs take the approach of creating dedicated local admin accounts that give technicians the privileges needed for their day-to-day operations. Such a "daily driver" admin account does, to an extent, tick some of the check boxes laid out by regulatory bodies.
However, this is a partial solution and has several loopholes. Monitoring what users do with their privileges is not possible with this approach. Technicians can still use their admin account to create hidden admin accounts that do not come under the purview of the IT team. Human error may also lead to malware being installed when these dedicated admin accounts are in use.
How Can MSPs Remove Admin Rights Without Technicians Being Locked Out?
The best practice for MSPs when granting administrative privileges to technicians is to give controlled, fully monitored, temporary administrator rights only after contextually examining the type of access requested.
Doing this will mitigate a wide range of attacks including ransomware and keep things secure. However, it may slow down engineers and require admins to spend a lot of time approving requests.
To remove admin rights and still balance the scales between productivity and security - endpoint privilege management/privileged access management (PAM) software comes in handy.
PAM helps automate the process of approval, handle cases of elevation for commonly used applications and simplifies the process of granting admin privileges. This reduces the load on the MSP/Client IT and improves user satisfaction.
In summary, it lets you:
- Discover all Local Administrator Accounts: The first step in handling privileged admin accounts is to gain visibility over them. A single system can contain multiple administrators. PAM solutions discover these accounts using a lightweight agent. PAM can also discover admin accounts spread across networks with its multi-tenant capabilities.
- Remove Local Admin Rights: Once accounts are discovered, users are removed from the local administrator group, and everyone is made a standard user on their systems. This ticks most check boxes that are mandated by regulatory bodies and cyber insurance providers.
- Define Application Control Policies: For general users and technicians who run a common set of applications, PAM helps admins define application control policies. This lets users run a specific set of trusted applications as admin without having to request access. IT can also choose to block malicious applications from being run.
- Self-Service Client Admin Rights: For techs or client end users who absolutely need admin access, EPM/PAM lets the IT admin grant time-limited full admin access, which provides elevated access to machines/servers upon request. This just-in-time (JIT) access is completely monitored and audited and lets the IT admin know exactly what the admin access was used for.
How Approval Works: Users who need admin rights raise a request on their system and provide a reason, which the MSP admin then approves or denies from any device (mobile or desktop). Additionally, auto-approval can be configured for senior (say, T2/T3) techs who always use admin accounts. This saves them from repeatedly requesting access and still ensures their activity is tracked.
- Monitor Critical Windows Events: Certain critical Windows events, such as Event ID 4732 ("Addition of a member to security-enabled local group"), can be reported to admins as and when they occur.
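As an added illustration of the discover, remove and monitor steps above (example code written for this page, not the PAM product's own tooling), the following PowerShell audits the local Administrators group against an allow-list, removes unapproved members only when run with -Enforce, and reads recent Event ID 4732 entries from the Security log. The allow-list and the msp-admin-managed account name are assumed placeholders, and the script assumes Windows 10/Server 2016 or later with the Security Group Management audit subcategory enabled.

```powershell
# Added example, not the product's own code. Runs elevated on Windows 10 / Server 2016+
# (Microsoft.PowerShell.LocalAccounts module). Requires "Audit Security Group Management"
# to be enabled so that Event ID 4732 is actually written to the Security log.

# Constructed allow-list: the built-in Administrator plus one managed MSP account (placeholder).
$Approved = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\msp-admin-managed")

function Get-UnapprovedLocalAdmins {
    # Discover step: every member of the local Administrators group not on the allow-list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name }
}

function Remove-UnapprovedLocalAdmins {
    param([switch]$Enforce)   # without -Enforce this is audit-only and changes nothing
    foreach ($m in Get-UnapprovedLocalAdmins) {
        if ($Enforce) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
            Write-Output "Removed $($m.Name) ($($m.PrincipalSource)) from Administrators"
        } else {
            Write-Output "Would remove $($m.Name) from Administrators (re-run with -Enforce)"
        }
    }
}

function Get-LocalGroupAdditions {
    # Monitor step: 4732 events in the last N hours, parsed from the event XML by field name.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        # 4732 records the member as a SID (MemberName is usually '-'); resolve it when possible.
        $member = $f['MemberSid']
        try { $member = ([System.Security.Principal.SecurityIdentifier]$member).Translate(
                  [System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Group   = $f['TargetUserName']
            Member  = $member
            AddedBy = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        }
    } | Where-Object { $_.Group -eq 'Administrators' }
}

Get-UnapprovedLocalAdmins
Remove-UnapprovedLocalAdmins          # audit only; add -Enforce after reviewing the output
Get-LocalGroupAdditions -Hours 24     # who added whom to Administrators in the last day
```

Any 4732 entry whose AddedBy is not the managed account or the approval workflow's service identity is the signal worth alerting on, since it indicates admin rights granted outside the controlled process.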