July 03, 2023

Protecting Company Data with Microsoft Intune

Implementing identity and access management processes is an effective method of protecting sensitive corporate data. It enables organizations to regulate user access and prevent instances of identity theft, data breaches and unauthorized access to confidential business information. In this article, we describe how organizations can significantly reduce their exposure by controlling access rights with Microsoft Intune.

The problem with local administrator rights

Access management is a fundamental aspect of modern IT security operations for enterprise devices. While giving users non-privileged accounts is a long-established practice, it is becoming increasingly important for protecting sensitive corporate data. The growing dependence on technology and the increasing threat of cyberattacks are just two of the reasons.

Giving users local administrator privileges is a common practice in many organizations, but it can pose significant security risks. Local administrator privileges give users extensive control over their devices. This may include the ability to change system settings and install or remove software in the system context or for all users.

This level of access makes it easy for users to introduce malware or other security threats onto corporate devices, whether accidentally, by clicking on malicious links, or intentionally, by tampering with system settings to allow unauthorized access.

Often users are given local administrator privileges to reduce the burden on IT support teams. It is thought that by allowing users to install their own software, the number of help desk tickets will decrease. In reality, users with administrator privileges may experience system errors or software conflicts more often, leading to increased support requests and time-consuming troubleshooting.

Giving users local administrator privileges can also make it difficult for IT administrators to manage and enforce security policies, as users with elevated privileges can bypass security measures. If users accidentally disable or change security features, this can also open up the rest of the corporate network to attack.

The ITSecOps challenge

For all of the above reasons, it has long been known that giving standard users privileged access to their work computers is not a good idea. However, preventing users from having local administrator privileges is a common challenge for IT administrators because it can be difficult to strike the right balance between security and usability.

For example, some applications require local administrator privileges to function correctly, which can make it difficult to restrict access without disrupting business operations. This can be especially true for outdated software that may be essential to the organization.

IT administrators must also consider the potential impact on productivity and user experience. If users regularly need administrator privileges to complete their work, restricting this access can lead to delays, which can have a negative effect on business operations.

How organizations can limit local administrator privileges

To mitigate these security and management risks, it is recommended that organizations limit local administrator privileges to a selected group of trusted IT professionals.

Alternatively, IT teams can use strategies such as least privilege access and role-based access control, which grant users access based on their job responsibilities and limit access to only the minimum resources needed to complete their work. This approach gives users the necessary access to do their jobs while minimizing the risk of introducing security threats into corporate devices.

User Account Control (UAC)

One way to implement Endpoint Privilege Management is through User Account Control (UAC). This security feature is designed to prevent unauthorized changes on a computer.

When UAC is enabled, it asks the user for authorization before allowing certain types of changes. This feature is an important part of Microsoft’s overall security vision and is crucial for organizations looking to implement a better-managed desktop environment.

With UAC enabled, apps and tasks are always run in the context of a standard user account, even if the user has administrator privileges on their computer. This means that any attempt to make changes to system settings or files will trigger a UAC prompt.

In business environments, UAC is combined with the approach of restricting privileged access for standard users. This way, they receive a prompt for administrator credentials (something they don’t normally have) when they try to start an elevated process or install an application in the elevated context. UAC is enabled by default for Windows 10 and Windows 11 computers connected to Active Directory or Azure Active Directory.
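
To see where a device stands before rights are restricted, the following PowerShell lists the members of the local Administrators group and reads the UAC policy values from the registry. It is an added example, not part of the original article; the function names are illustrative.

```powershell
# Added example: report who holds local administrator rights and how UAC is set.
function Get-LocalAdminMember {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the lookup does not depend on the OS display language.
    try {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                ObjectClass     = $_.ObjectClass
                PrincipalSource = $_.PrincipalSource
                # RID 500 marks the built-in Administrator account.
                IsBuiltInAdmin  = $_.SID.Value -like 'S-1-5-21-*-500'
            }
        }
    }
    catch {
        Write-Warning "Could not enumerate the Administrators group: $($_.Exception.Message)"
    }
}

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key
    # Documented values of ConsentPromptBehaviorUser (prompt shown to standard users).
    $standardUserPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    $behavior = $policy.ConsentPromptBehaviorUser
    [pscustomobject]@{
        UacEnabled         = ($policy.EnableLUA -eq 1)
        StandardUserPrompt = if ($null -ne $behavior) { $standardUserPrompt[[int]$behavior] } else { 'Not set' }
        SecureDesktop      = ($policy.PromptOnSecureDesktop -eq 1)
    }
}

$admins = @(Get-LocalAdminMember)
$admins | Format-Table -AutoSize
# Individual user accounts other than the built-in Administrator are the ones to review.
$review = @($admins | Where-Object { $_.ObjectClass -eq 'User' -and -not $_.IsBuiltInAdmin })
"Accounts to review: $($review.Count)"
Get-UacPolicy | Format-List
```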

Windows Local Administrator Password Solution

Windows Local Administrator Password Solution (Windows LAPS) is a feature on Azure Active Directory-connected and domain-connected devices that automatically manages the local administrator account password. It is a cloud-native iteration of the traditional on-premises Local Administrator Password Solution (LAPS) feature.

Windows LAPS is now natively integrated into Windows 11, Windows 10 and Windows Server, but support for Azure Active Directory is currently in private preview.

Credential Guard

Credential Guard is a security feature in Windows 10 and later that uses virtualization-based security to protect sensitive information such as domain credentials. It helps prevent attackers from stealing these credentials and using them to gain unauthorized access to your network.

Credential Guard works by isolating credentials in a virtualized environment, which only trusted system processes can access.

It is very easy to enable Credential Guard for Windows 10 and later devices. Here are the steps:

  1. In the Intune admin center, select Devices.
  2. Select Configuration Profiles.
  3. Select Create Profile > Windows 10 and later > Settings Catalog > Create.
  4. Configuration settings: select Device Guard as a category.
  5. Configure required settings.

Although Credential Guard is easy to enable, it is important to verify that your configuration has had the desired effect. Here is a very simple way to verify that Credential Guard is running on a target machine:

  1. In Start, type msinfo32.exe, and then select System Information.
  2. Select System Summary.
  3. Confirm that Credential Guard is listed under Virtualization-based Security Services.
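
The same check can be scripted for many machines by querying the Win32_DeviceGuard WMI class. The function below is an added example, not part of the original article. Its name and the ComputerName parameter are illustrative, and it assumes an elevated session plus WinRM access for any remote targets.

```powershell
# Added example: confirm that Credential Guard is configured and actually running.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param(
        # Illustrative parameter: machines to check; defaults to the local computer.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    # Documented values of VirtualizationBasedSecurityStatus.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

    foreach ($computer in $ComputerName) {
        try {
            $cimArgs = @{
                Namespace   = 'root\Microsoft\Windows\DeviceGuard'
                ClassName   = 'Win32_DeviceGuard'
                ErrorAction = 'Stop'
            }
            # Only go over the network (WinRM) for machines other than this one.
            if ($computer -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $computer }
            $dg = Get-CimInstance @cimArgs

            [pscustomobject]@{
                ComputerName              = $computer
                VbsStatus                 = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
                # The value 1 in these arrays identifies Credential Guard.
                CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
                CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
                Error                     = $null
            }
        }
        catch {
            # Report unreachable or unsupported machines instead of silently skipping them.
            [pscustomobject]@{
                ComputerName              = $computer
                VbsStatus                 = $null
                CredentialGuardConfigured = $false
                CredentialGuardRunning    = $false
                Error                     = $_.Exception.Message
            }
        }
    }
}

Get-CredentialGuardStatus | Format-Table -AutoSize
```

A device that reports CredentialGuardConfigured as true but CredentialGuardRunning as false has received the policy but is not yet protected.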

Microsoft Intune Suite: A unified platform for managing endpoints

The Microsoft Intune Suite was recently announced as an advanced endpoint management and security suite. It aims to unify, consolidate and replace existing third-party endpoint management and security tools to establish the Intune Suite as the single platform for managing endpoints. It includes:

  1. Microsoft Intune Remote Help
  2. Microsoft Intune Endpoint Privilege Management
  3. Microsoft Tunnel for Mobile Application Management
  4. and more…

Pricing

Until recently, new Intune features that reached general availability were automatically available to all organizations that have the Microsoft Intune license assigned to their users. With this release, Microsoft has shaken things up a bit, announcing that the Intune Suite release will be available as an add-on to the current license.

Considerations for implementation

Before implementing these security measures, it is important to conduct a thorough assessment of your current security infrastructure and identify any security gaps. Implementing these measures should be considered as a complement to a comprehensive security policy.

Summary

Limiting local administrator privileges is an effective way to reduce the risk of security breaches. By choosing Microsoft Intune and related technologies such as User Account Control, Credential Guard and Windows Local Administrator Password Solution, organizations can enhance their security measures and ensure the security and integrity of their business information.

Note, however, that security is an ongoing process. Security teams must regularly evaluate and adjust their security measures to ensure they continue to meet changing security needs and threats.

Has this information inspired you to implement Microsoft Intune in your organization? For a smooth transition and expert support, don’t hesitate to contact our team at Alta-ICT. We are ready to help you every step of the way on your journey to improved data security and efficiency.
