How to Minimize the Risk of Local Admin Rights and Privileged Account Attacks


In our last post, we discussed the risks of granting administrator rights to end users at the workstation level. Local admin rights enable users — or hackers — to do whatever they want with a machine. An attacker who is able to obtain local admin credentials can launch a “pass-the-hash” attack, leveraging well-known Windows vulnerabilities to obtain higher-level privileged credentials.

Pass-the-hash isn’t the only reason local admin rights are risky. Endpoints, and the humans who use them, are the weakest link in the IT security chain. Cyber criminals use phishing attacks to dupe users into divulging their credentials or downloading malware. This enables attackers to take administrative control of the endpoint to launch further phishing attacks or move laterally through the network looking for valuable systems and data.

Most organizations recognize they should implement least privilege access policies and restrict local accounts to the tasks users legitimately need to perform their jobs. Nevertheless, a recent survey found that an alarming 87 percent of end users have local admin rights, making it difficult for organizations to regain control over endpoints.

CyberArk Endpoint Privilege Manager, however, protects against threats that exploit local access credentials by interlocking three core capabilities: privilege management, application control, and targeted credential theft detection. These features are designed to prevent pass-the-hash attacks and to block and contain other damaging attacks at the endpoint.

CyberArk allows organizations to automate the removal of local administrator rights and seamlessly elevate privileges as needed for authorized applications or tasks. This reduces risk while alleviating pressure on help desk support and minimizing the impact on user activity.
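Before automating the removal of local administrator rights, an administrator needs to know which accounts actually hold them on each endpoint. The script below is an added example written for this post; it is not CyberArk or Clango code. It reads the local Administrators group on a Windows host with the built-in `Get-LocalGroupMember` cmdlet, reports any member that is not on an approved list, and shows the corresponding removal step with `-WhatIf` so nothing changes until the report has been reviewed. The approved-list entries are constructed placeholders; the `EXAMPLE\Workstation Admins` group is an assumed name.

```powershell
# Added example (not CyberArk or Clango code): audit the local Administrators
# group on a Windows host and report members that are not on an approved list.
# Get-LocalGroupMember / Remove-LocalGroupMember come from the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later)
# and require an elevated session.

# Constructed placeholder list; replace with the accounts your organization
# actually sanctions (e.g. a LAPS-managed break-glass account and a
# workstation-admin domain group).
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin
    "EXAMPLE\Workstation Admins"         # assumed domain group, placeholder
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    $members = Get-LocalGroupMember -Group "Administrators"
    foreach ($m in $members) {
        # -notcontains is case-insensitive, so "EXAMPLE\jdoe" and
        # "example\JDoe" are treated as the same principal.
        if ($Approved -notcontains $m.Name) {
            [PSCustomObject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            }
        }
    }
}

# Report step: list every member that is not on the approved list.
$unapproved = Get-UnapprovedLocalAdmins
$unapproved | Format-Table -AutoSize

# Remediation step: -WhatIf prints what would be removed without changing
# group membership. Drop -WhatIf only after the report has been reviewed.
foreach ($u in $unapproved) {
    Remove-LocalGroupMember -Group "Administrators" -Member $u.Member -WhatIf
}
```

Run in an elevated PowerShell session on the endpoint being audited; the same function can be wrapped in `Invoke-Command` to collect the report from many hosts before any removal is scheduled. Members with a `PrincipalSource` of `Local` that are ordinary user accounts are the ones the post's 87 percent figure refers to, and are the first candidates for removal once an elevation path for their legitimate tasks is in place.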

Application control capabilities featuring automatic policy creation prevent malicious applications from executing and use greylisting to run unknown applications in a restricted mode. Traditional whitelisting techniques create operational bottlenecks by preventing the use of unknown applications and create risk by placing trust in applications that are approved but could still be compromised.

Behavioral analytics capabilities are designed to identify common privileged account-based attack patterns and malware behavior to further reduce the risk of emerging threats. Using these capabilities, CyberArk Endpoint Privilege Manager helps organizations detect and block malicious users and applications attempting to steal Windows credentials, remote access application credentials, and credentials stored by web browsers and cloud applications.

By focusing on detecting and containing credential theft at the endpoint, Endpoint Privilege Manager alerts security teams to the specific threats that pose the most danger to an organization, allowing them to reduce “noise” and prioritize remediation efforts.

With CyberArk Endpoint Privilege Manager as part of the CyberArk Privileged Account Security Solution, organizations gain a complete, centralized solution for monitoring, protecting, and responding to privileged account activity across the enterprise. Additionally, the CyberArk Discovery and Audit (DNA) tool helps organizations broaden their awareness of privileged account risks by locating privileged accounts on-premises, in the cloud, and in DevOps environments.

The Clango team includes CyberArk consultants and engineers with extensive experience in the design, implementation, and support of CyberArk solutions. Our experts can help you leverage CyberArk Endpoint Privilege Manager to reduce the risk associated with local access rights and endpoint threats.

If you’d like to learn more about Endpoint Protection, send us an email at
