Do regular users have local admin rights on their workstations?
Demonstrate that regular business users do not possess local administrator rights on their assigned workstations and that administrative access is granted only through documented exception processes or temporary elevation mechanisms.
Description
What this control does
This control restricts local administrator privileges on workstations to prevent regular users from installing unauthorized software, disabling security controls, or accessing sensitive system files. Organizations implement it through group policy objects (GPOs, for example Restricted Groups or Local Users and Groups preferences), endpoint management platforms, or privileged access management (PAM) solutions that enforce least-privilege principles. Restricting local admin rights reduces the attack surface by limiting what malware can accomplish when it runs in a compromised user's security context, and it prevents users from circumventing security configurations.
Control objective
What auditing this proves
Demonstrate that regular business users do not possess local administrator rights on their assigned workstations and that administrative access is granted only through documented exception processes or temporary elevation mechanisms.
Associated risks
Risks this control addresses
- Ransomware or malware running as a local administrator can disable or tamper with endpoint protection on the host, then encrypt or exfiltrate the data reachable from that workstation, including mapped network shares, instead of being limited to the user's own files
- Compromised user credentials allow attackers to install persistent backdoors, keyloggers, or remote access tools that survive reboots and evade detection
- Users intentionally or accidentally disable security agents, firewall rules, or encryption services, creating unmonitored gaps in defensive posture
- Unauthorized software installation introduces licensing violations, supply chain risks, and unvetted applications that bypass security review processes
- Local admin rights let an attacker dump credentials cached on the workstation (LSASS memory, the SAM, and cached domain logons) and reuse them via pass-the-hash or similar techniques, so an initial compromise on an admin-enabled workstation escalates through lateral movement toward domain administrator access
- Insider threats leverage local admin rights to tamper with audit logs, exfiltrate data to external storage, or install data destruction tools without detection
- Configuration drift occurs as users modify system settings, networking configurations, or authentication mechanisms outside change control processes
Testing procedure
How an auditor verifies this control
- Obtain a current inventory of all workstations including asset identifiers, operating systems, assigned users, and organizational units from the configuration management database or endpoint management console
- Collect local Administrators group membership from all workstations using PowerShell remoting, the endpoint management platform, or an AD reporting tool; note that local group membership is stored on each workstation rather than in Active Directory, so the report must be gathered from the endpoints (or from the GPOs that enforce it), while any domain groups nested in the local group are resolved against Active Directory
- Review group policy objects (GPOs) that define restricted groups, administrator rights assignments, and privilege escalation policies for workstation organizational units
- Select a representative sample of at least 25 workstations across different departments, locations, and user roles for hands-on validation testing
- Physically or remotely access sampled workstations and enumerate local Administrators group membership using 'net localgroup administrators', 'Get-LocalGroupMember -Group Administrators', or equivalent commands, documenting all accounts found; resolve any nested domain groups to their individual users, since a broad group such as Domain Users nested in the local group grants admin rights to every member without appearing as a named user account
- Verify that privileged access management (PAM) or just-in-time (JIT) admin solutions are configured to provide temporary elevation workflows and that approval records exist for legitimate administrative access
- Interview IT service desk personnel to understand documented exception processes, validate that exceptions have written business justification and management approval, and confirm periodic recertification occurs
- Cross-reference identified admin accounts against the approved exception list and escalate any unauthorized local administrator assignments as findings
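The following PowerShell script is an added example of the collection and cross-referencing steps above; it is not code from the original page or from any particular audit tool. It assumes WinRM is enabled on the sampled workstations, that the account running it may query them, and that the RSAT ActiveDirectory module is installed so nested domain groups can be expanded. The file names workstations.txt (one hostname per line, from the CMDB export) and approved_admins.txt (one 'DOMAIN\name' per line, the approved exception list) are hypothetical.

```powershell
<#
 Added example (not from the original page): enumerate local Administrators on a sample
 of workstations, expand nested domain groups, and flag members that are not on the
 approved exception list. Assumptions: WinRM reachable, RSAT ActiveDirectory module
 installed, input file names are hypothetical.
#>
param(
    [string]$WorkstationListPath = '.\workstations.txt',    # one hostname per line (CMDB export)
    [string]$ApprovedListPath    = '.\approved_admins.txt', # one 'DOMAIN\name' per line (exception list)
    [string]$ReportPath          = '.\local_admin_findings.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

$workstations = Get-Content $WorkstationListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$approved     = Get-Content $ApprovedListPath   | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }

# Recursively resolve a domain group to the SamAccountNames of its user members.
function Expand-DomainGroup {
    param([Parameter(Mandatory)][string]$SamAccountName)
    try {
        Get-ADGroupMember -Identity $SamAccountName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $_.SamAccountName }
    } catch {
        Write-Warning "Could not expand domain group '$SamAccountName': $($_.Exception.Message)"
    }
}

$findings = foreach ($computer in $workstations) {
    $members = $null
    try {
        # Runs on the target. Unlike 'net localgroup administrators' this also returns each
        # member's SID and whether it is a local principal or comes from Active Directory.
        $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'Sid'; e = { $_.SID.Value } }
        }
    } catch {
        Write-Warning "${computer}: $($_.Exception.Message)"
        continue
    }

    foreach ($m in $members) {
        $name          = $m.Name                        # e.g. 'CORP\Domain Users', 'WS01\Administrator'
        $isBuiltin     = $m.Sid -like 'S-1-5-21-*-500'  # built-in local Administrator (RID 500)
        $approvedEntry = $approved -contains $name.ToLowerInvariant()
        $note          = ''

        # A domain group nested in the local group grants admin rights to every user in it,
        # so expand it and show the auditor who actually holds the rights.
        if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            $users = @(Expand-DomainGroup -SamAccountName (($name -split '\\')[-1]))
            $note  = "nested domain group with $($users.Count) users"
            if (-not $approvedEntry) { $note += ': ' + (($users | Select-Object -First 10) -join ', ') }
        }

        $status = if ($isBuiltin) { 'Built-in' } elseif ($approvedEntry) { 'Approved' } else { 'FINDING' }

        [pscustomobject]@{
            Workstation = $computer
            Member      = $name
            ObjectClass = $m.ObjectClass
            Source      = $m.PrincipalSource
            Status      = $status
            Note        = $note
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Where-Object { $_.Status -eq 'FINDING' } | Format-Table -AutoSize
```

Every member is reported, not only the findings, so the CSV doubles as the evidence for the sampled hosts. The built-in local Administrator account is marked separately because it is always present; whether it is disabled or password-managed (for example by LAPS) is a separate check. Workstations that cannot be reached are logged as warnings rather than silently dropped, since an unreachable sample item should be replaced or noted in the workpapers rather than treated as clean.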