What is a Local Administrator (Admin)?
A local administrator is a permission setting that is conducted on the system-level. It means that a particular user's profile is given sole control when they are signed in to a single machine. They are able to download various applications without approval, and execute various system commands without limitation.
Sounds great, doesn't it? While this is a wonderful feature to have, there is one thing to keep in mind - "with great power, comes great responsibility."
Okay, while this is a well-known Spiderman movie line, it couldn't be more true. Local Admins have a lot of power when this ability is granted to them. They can download and do just about anything they want, which can come with lots of risks to the organization's network. Choose the wrong application to download, and the network can quickly become infested with various types of malware.
It's for this reason that the staff here at ETTE not only try to limit who becomes a local admin, but also the number of local administrators there are within a given organization. The more local admins there are, the more individuals' actions need to be reviewed if something happens that exposes the network to various types of threats. This can slow down threat response - the less time spent reviewing actions, the more time there is for malware to cause a lot of damage to organization files and/or siphon data to cyber criminals.
So does this mean I cannot be a Local Admin?
With all of this said, that's not to say that the staff here at ETTE will tell you no outright. If the user is properly educated about the potential threats and permission is granted from the organization's executive team member(s), local administrative permissions can be granted to an individual. We simply wish to ensure that the risks are understood and accepted before doing so.
The best way to request local administrative permissions to a user is to grant it for a short time frame. For example, if a user has a project that requires them to download a variety of tools and/or modify various attributes that would prompt for administrative credentials and thus, slow down the project, then local admin can be granted for the duration of the project, then be removed when the project is complete. This is preferable to granting permission indefinitely.
So if you or a staff member would like to become a local admin, please feel free to reach out to us to request this permission. We will be happy to work with you and your staff to ensure the proper use cases.