Even though it's not a security best practice, we still give most of our Windows endpoint users admin rights so they can manage their applications without support. What are the best controls we can put in place to mitigate risks?
By giving your end users local admin rights, you are placing a considerable amount of trust in each person, and this approach can wreak havoc within the network. It's virtually impossible these days to adequately filter out threats at the network boundary. The more risk that is accepted internally, the more work that is required at the boundary.
So while you may give end users freedom with regard to what applications they can install and run, security administrators would be wise to populate a blacklist of applications that users are forbidden to use. This should be augmented by the various publicly available blacklists that can be located with a simple Google search. An even better approach would be to use application whitelisting, policies and technology to allow only a specific set of approved applications to be used on Windows clients, but this approach can be difficult to administer and even more difficult for users to accept culturally. Also, consider putting some sort of intrusion detection system in place in order to detect malicious application activity.
Lastly, frequent auditing should be conducted at the system administration level so admins are aware of what is and is not inside their network. For example, if an audit is conducted and something like Metasploit is found on one of the local boxes, this may arouse suspicion and require further investigation. On the other hand, if a given company is a security consulting firm, it may be perfectly normal for Metasploit to reside on several boxes within the network boundary.
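As an added example (not part of the original answer), here is one way to introduce the application whitelisting the answer recommends while limiting the administrative and cultural cost it warns about: build an AppLocker allow-list from a clean reference workstation, deploy it in AuditOnly mode so nothing is blocked yet, and read the audit events to see what real enforcement would have stopped before flipping the switch. The output path, rule-name prefix, the sample file tested and the service-configuration commands are assumptions for illustration; the cmdlets are the standard AppLocker module on Windows 10/11 Enterprise and Server.

```powershell
# Added example, not from the original Q&A: stage an AppLocker allow-list in audit mode.
# Run in an elevated PowerShell 5.1+ session on an edition that supports AppLocker.
Import-Module AppLocker

$PolicyPath = 'C:\Policies\Workstation-AppLocker.xml'   # assumed output location
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory executables and scripts on a clean reference build.
#    Publisher rules cover signed binaries and survive version updates;
#    hash rules catch the unsigned remainder.
$referenceDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = $referenceDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script
}

# 2. Turn the inventory into rules for Everyone; -Optimize merges overlapping rules.
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                        -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Force every rule collection to AuditOnly before it goes anywhere near a user.
[xml]$doc = $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($PolicyPath)

# 4. Apply locally (-Merge keeps existing rules) and make sure the Application
#    Identity service, which evaluates the rules, is running.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic   # on newer builds use: sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# 5. Dry-run a file against the policy; Test-AppLockerPolicy reports Allowed/Denied
#    without touching the event log or the user.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path 'C:\Users\Public\Downloads\unknown-tool.exe' -User Everyone

# 6. After a period in audit mode, list what *would* have been blocked (event ID 8003)
#    and decide per program: add a rule, or keep the block and switch to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
```

For a domain rollout the same XML is imported into a GPO with `Set-AppLockerPolicy -XmlPolicy $PolicyPath -Ldap <GPO path> -Merge`; the 8003 events then tell you, per user population, which allowed-by-exception programs still need rules before enforcement is turned on.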
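As an added example (not part of the original answer), the audit the answer describes in its last paragraph can be scripted so it runs on every endpoint and produces objects an administrator can collect centrally: who currently sits in the local Administrators group, and which installed programs match a list of tools you would not expect on a general-purpose workstation, with an exemption for hosts (such as a security team's machines) where Metasploit is normal. The flagged patterns, exempt host names and expected admin principals are constructed for illustration and must be adjusted to your environment.

```powershell
# Added example, not from the original Q&A: periodic local-admin and software audit.
# Requires PowerShell 5.1+ (LocalAccounts module); run as an administrator.
function Invoke-EndpointAudit {
    param(
        # Regexes matched case-insensitively against DisplayName and Publisher of installed software (constructed list).
        [string[]]$FlaggedPatterns = @('metasploit', 'nmap', 'wireshark', 'mimikatz', 'psexec'),
        # Hosts where offensive tooling is expected, e.g. the security team's lab boxes (assumed names).
        [string[]]$ExemptHosts = @('SEC-LAB-01', 'SEC-LAB-02'),
        # Principals that are supposed to hold local admin; any other member is reported (assumed names).
        [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins', 'CORP\Workstation-Admins')
    )

    $computer = $env:COMPUTERNAME
    $isExempt = $ExemptHosts -contains $computer

    # --- Who can already do anything on this box? ---
    $adminFindings = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Continue |
        Where-Object { $ExpectedAdmins -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $computer
                Category = 'UnexpectedLocalAdmin'
                Item     = $_.Name
                Detail   = "$($_.ObjectClass) from $($_.PrincipalSource)"
            }
        }

    # --- What is installed? 64-bit and 32-bit machine-wide views plus per-user installs. ---
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate -Unique

    $regex = $FlaggedPatterns -join '|'
    $softwareFindings = $installed |
        Where-Object { "$($_.DisplayName) $($_.Publisher)" -imatch $regex } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $computer
                # Same tool, different meaning: on an exempt host it is informational, elsewhere it needs a look.
                Category = if ($isExempt) { 'FlaggedToolOnExemptHost' } else { 'FlaggedTool' }
                Item     = $_.DisplayName
                Detail   = "v$($_.DisplayVersion) by $($_.Publisher), installed $($_.InstallDate)"
            }
        }

    # Emit objects so the caller can pipe them to Export-Csv, a log forwarder, etc.
    @($adminFindings) + @($softwareFindings) | Where-Object { $null -ne $_ }
}

# Example invocation: print the findings and drop a timestamped CSV for central collection.
$report = Invoke-EndpointAudit
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\endpoint-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Scheduled through a task or a configuration-management run, the CSVs give the administration team the "what is and is not inside the network" view the answer asks for; diffing consecutive reports per host is usually more useful than reading each one in full, because a newly appearing Metasploit install on a finance workstation stands out immediately while the same entry on an exempt lab machine stays in the noise.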
Related Q&A from Brad Casey