Even though it's not a security best practice, we still give most of our Windows endpoint users admin rights so they can manage their applications without support. What are the best controls we can put in place to mitigate risks?
By giving your end users local admin rights, you are placing a considerable amount of trust in each person, and this approach can wreak havoc within the network. It's virtually impossible these days to adequately filter out threats at the network boundary. The more risk that is accepted internally, the more work that is required at the boundary.
So while you may give end users freedom with regard to what applications they can install and run, security administrators would be wise to populate a blacklist of applications that users are forbidden to use. This should be augmented by the various publicly available blacklists that can be located with a simple Google search. An even better approach is application whitelisting: policies and technology that allow only a specific set of approved applications to run on Windows clients. This approach can be difficult to administer, however, and even more difficult for users to accept culturally. Also, consider putting some sort of intrusion detection system in place to detect malicious application activity.
Lastly, frequent auditing should be conducted at the system administration level so admins are aware of what is and is not inside their network. For example, if an audit is conducted and something like Metasploit is found on one of the local boxes, this may arouse suspicion and require further investigation. On the other hand, if a given company is a security consulting firm, it may be perfectly normal for Metasploit to reside on several boxes within the network boundary.
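The blacklist and the audit described above can be combined into a per-endpoint check. The script below is an added example, not code from the original answer; it assumes Windows 10 or later with PowerShell 5.1+ and local admin rights, and the denylist entries and expected admin account names are constructed placeholders to be replaced with the organization's own values.

```powershell
# Added audit example (not from the original answer). Assumes a Windows 10+
# workstation with PowerShell 5.1+, run with local admin rights.
# Constructed sample denylist; replace with the organization's own blocklist.
$Denylist = @('Metasploit', 'Nmap', 'Wireshark')

# Accounts expected in the local Administrators group; anything else is flagged.
# Constructed placeholder names.
$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator", "CORP\Desktop-Admins")

function Get-InstalledSoftware {
    # Read the Uninstall registry keys (64-bit, 32-bit and per-user) rather than
    # Win32_Product, which is slow and can trigger MSI repair actions.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Find-DenylistedSoftware {
    param([string[]]$Names)
    # Flag any installed product whose display name contains a denylist entry.
    Get-InstalledSoftware | Where-Object {
        $display = $_.DisplayName
        [bool]($Names | Where-Object { $display -like "*$_*" })
    }
}

function Find-UnexpectedLocalAdmins {
    param([string[]]$Expected)
    # Local admin rights are the trust being extended; record who holds them.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Expected -notcontains $_.Name }
}

$report = [pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    Checked            = (Get-Date).ToString('s')
    DenylistedSoftware = @(Find-DenylistedSoftware -Names $Denylist)
    UnexpectedAdmins   = @(Find-UnexpectedLocalAdmins -Expected $ExpectedAdmins)
}

# Emit JSON so a central collector can compare results across endpoints.
$report | ConvertTo-Json -Depth 4
```

A hit on the denylist is a lead for investigation, not proof of misuse; as the answer notes, the same tool can be expected on some boxes and suspicious on others.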
This was first published in December 2013