CIS Controls v8 5.4 / NIST SP 800-53 AC-6(2) / ISO/IEC 27001 A.9.2.3

No standing local administrator rights

Demonstrate that no user accounts possess persistent local administrator rights on endpoints and servers, and that privileged access is granted only through controlled, auditable elevation mechanisms.

Description

What this control does

This control restricts the assignment of local administrator privileges on workstations and servers so that users do not operate with elevated rights during normal business activities. Instead, privileged access is granted on a just-in-time or time-limited basis through tools such as privileged access management (PAM) solutions, sudo elevation, or temporary group membership workflows. Eliminating standing administrative rights reduces the attack surface by limiting what a stolen credential can do, preventing unauthorized software installation, and containing malware propagation.

Control objective

What auditing this proves

Demonstrate that no user accounts possess persistent local administrator rights on endpoints and servers, and that privileged access is granted only through controlled, auditable elevation mechanisms.

Associated risks

Risks this control addresses

  • Credential theft via malware or phishing yields immediate administrative access across user workstations, enabling lateral movement
  • Ransomware executes with elevated privileges, encrypting system files and evading endpoint protection mechanisms
  • Users install unapproved or vulnerable software that introduces security gaps or compliance violations
  • Malicious insiders deploy unauthorized remote access tools or exfiltrate sensitive data without detection
  • Pass-the-hash or pass-the-ticket attacks leverage cached administrative credentials to compromise additional systems
  • Audit trails are tampered with or deleted by users with local administrative rights in order to cover their activities
  • Configuration drift occurs as users modify security settings, disable protective agents, or alter system logs

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all workstations, servers, and endpoints subject to this control from asset management or endpoint detection and response (EDR) systems.
  2. Extract membership of the local Administrators group (Windows) or the sudo-granting groups (wheel, sudo, or admin on Linux/macOS) together with /etc/sudoers and /etc/sudoers.d entries from a representative sample of at least 30 endpoints across multiple departments and geographies.
  3. Query Active Directory or the identity provider for all domain accounts and groups granted local administrator rights via Group Policy (Restricted Groups or Local Users and Groups preferences) or mobile device management (MDM) policies; a domain group nested in local Administrators grants standing rights to every member of that group.
  4. Review privileged access management (PAM) or just-in-time (JIT) access logs to identify all requests for temporary elevation over the past 90 days, verifying each was approved and time-limited.
  5. Interview IT operations and helpdesk staff to confirm procedures for granting emergency administrative access and validate that no standing exceptions exist outside the formal elevation process.
  6. Examine endpoint security configurations or Group Policy Objects to verify enforcement mechanisms that prevent users from adding themselves to local administrator groups.
  7. Test a sample of 5-10 user accounts by attempting to perform administrative tasks (software installation, service modification) to confirm effective restriction of privileges.
  8. Review exception and exemption records to verify that any accounts with standing local admin rights (service accounts, break-glass accounts) are documented, justified, and subject to compensating controls such as monitoring or password vaulting.
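The following is an added example for steps 2 and 8 of the procedure above; it is not code from this control page or from any audit tool. It parses constructed sample exports, a CSV of local Administrators membership from two Windows hosts plus /etc/sudoers and /etc/group from one Linux host, expands sudoers User_Alias and %group entries, and reports every standing administrative right that is not in an assumed exception register. The CSV layout, hostnames, user names, and the exception list are all assumptions.

```python
# Added example: audit constructed local-admin exports for standing rights.
# Not code from any audit tool; sample data and layout are assumptions.
import csv
import io
import re

# Constructed: one row per member of the local Administrators group per host
# (an assumed layout an Intune/SCCM/Get-LocalGroupMember export is shaped into).
WINDOWS_EXPORT = """host,member,principal_source
WS-001,CORP\\Domain Admins,ActiveDirectory
WS-001,CORP\\jsmith,ActiveDirectory
WS-001,WS-001\\Administrator,Local
WS-002,CORP\\Domain Admins,ActiveDirectory
WS-002,WS-002\\Administrator,Local
WS-002,WS-002\\helpdesk,Local
"""

# Constructed /etc/sudoers and /etc/group from one sampled Linux host.
SUDOERS = """# constructed sample sudoers
Defaults env_reset
User_Alias ADMINS = alice, bob
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ADMINS  ALL=(ALL) NOPASSWD: ALL
carol   ALL=(ALL) /usr/bin/systemctl restart nginx, \\
                  /usr/bin/systemctl reload nginx
@includedir /etc/sudoers.d
"""
ETC_GROUP = """root:x:0:
sudo:x:27:dave
wheel:x:10:
"""

# Assumed exception register: built-in break-glass accounts (vaulted,
# monitored) and root. Anything else with standing admin is a finding.
EXCEPTIONS = {"WS-001\\Administrator", "WS-002\\Administrator", "root"}


def parse_windows_export(text):
    """Return {host: set(member)} from the Administrators-group CSV."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        hosts.setdefault(row["host"], set()).add(row["member"])
    return hosts


def parse_etc_group(text):
    """Return {group: set(member)} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text, groups):
    """Return {user: [command, ...]} for everyone granted a sudo rule.

    Joins backslash continuations, expands User_Alias and %group entries.
    Defaults, other aliases and @include lines are skipped, so the auditor
    must collect /etc/sudoers.d separately and feed it through as well.
    """
    aliases, rules = {}, {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line or line.startswith(("Defaults", "@include", "Host_Alias",
                                        "Cmnd_Alias", "Runas_Alias")):
            continue
        m = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = {u.strip() for u in m.group(2).split(",")}
            continue
        # user_list  host_list = (runas) [TAG:] command_list
        m = re.match(r"(.+?)\s+\S+\s*=\s*(.+)", line)
        if not m:
            continue
        spec = re.sub(r"^\([^)]*\)\s*", "", m.group(2))   # drop (runas)
        spec = re.sub(r"^(?:[A-Z]+:\s*)+", "", spec)       # drop NOPASSWD: etc.
        commands = [c.strip() for c in spec.split(",") if c.strip()]
        for who in (w.strip() for w in m.group(1).split(",")):
            if who in aliases:
                users = aliases[who]
            elif who.startswith("%"):
                users = groups.get(who[1:], set())
            else:
                users = {who}
            for user in users:
                rules.setdefault(user, []).extend(commands)
    return rules


def standing_admins(windows_export, sudoers, etc_group, exceptions,
                    linux_host="srv-01"):
    """List (host, principal, how) for each standing admin right outside the
    exception register. A sudo rule counts only if it grants ALL; a rule
    scoped to specific commands is the least-privilege grant the control
    permits and is not reported."""
    findings = []
    for host, members in sorted(parse_windows_export(windows_export).items()):
        for member in sorted(members - exceptions):
            findings.append((host, member, "local Administrators member"))
    sudo_rules = parse_sudoers(sudoers, parse_etc_group(etc_group))
    for user, commands in sorted(sudo_rules.items()):
        if user not in exceptions and "ALL" in commands:
            findings.append((linux_host, user, "sudo ALL"))
    return findings


if __name__ == "__main__":
    for host, who, how in standing_admins(WINDOWS_EXPORT, SUDOERS,
                                          ETC_GROUP, EXCEPTIONS):
        print(f"FAIL {host}: {who} ({how})")
```

Run against the sample, the script flags the nested CORP\Domain Admins group on both Windows hosts, jsmith and helpdesk, and alice, bob and dave on the Linux host (dave only through the sudo group, which is why /etc/group has to be read alongside sudoers). carol is not flagged because her rule is scoped to two systemctl commands, and the built-in Administrator accounts and root are suppressed by the exception register, which in a real audit should be cross-checked against the exception approval forms rather than hard-coded.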
Evidence required

Collect exports of local administrator group membership from endpoint management tools (Microsoft Intune, SCCM, Jamf), Group Policy reports showing Restricted Groups or User Rights Assignment settings, and PAM system logs demonstrating just-in-time elevation requests with approval workflows. Include copies of /etc/sudoers and /etc/sudoers.d together with membership of the wheel, sudo, or admin groups, exception approval forms for any service or break-glass accounts with standing privileges, and timestamped evidence of test attempts to perform administrative actions with standard user accounts.

Pass criteria

No standard user accounts hold persistent membership in local administrator groups, all privileged access is granted through documented just-in-time or time-limited elevation mechanisms with approval workflows, and any exceptions are formally documented with compensating controls in place.
