General
This check verifies in Entra ID whether the feature to automatically add Global Administrators to the Local Administrators group on new Windows devices is disabled.
Rationale
When an attacker gains access to an account that has local admin rights on all devices, they can quickly move from one system to another and gain control over the core of the IT environment, especially if the same account also holds the Global Administrator role.
As with other administrative tasks, it is wiser to assign these specifically, and therefore not add global administrators to the local admin group.
Attic Fix
A fix is available for this check! It will be offered through a ticket in Attic, which you can then accept.
Manual Instructions
Follow these steps to adjust the setting:
- Open the Entra portal https://entra.microsoft.com
- Go to Devices > All Devices > Device Settings
- Ensure that the setting "Global administrator role is added as local administrator on the device during Microsoft Entra join (preview)" is disabled
- Click Save
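To verify the same setting outside the portal, for example from a scheduled compliance job, the following added PowerShell example (not part of the original article or the Attic product) reads the tenant's device registration policy through Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK is installed and that the setting is exposed as azureADJoin.localAdmins.enableGlobalAdmins on the beta deviceRegistrationPolicy resource; check that property path against the current Graph documentation before relying on it.

```powershell
# Added example: check via Microsoft Graph whether Global Administrators are
# automatically made local admins on newly Entra-joined devices.
# Assumption: the setting is exposed as azureADJoin.localAdmins.enableGlobalAdmins
# on the beta deviceRegistrationPolicy resource (verify against current Graph docs).

function Test-GlobalAdminLocalAdminSetting {
    [CmdletBinding()]
    param()

    # Read-only access to tenant policies is enough for the check itself.
    Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

    $policy = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'

    $enabled = $policy.azureADJoin.localAdmins.enableGlobalAdmins

    if ($null -eq $enabled) {
        # Fail closed: an absent property must not be reported as compliant.
        Write-Warning 'Setting not found in the response; the resource shape may have changed.'
    }

    [pscustomobject]@{
        Setting   = 'Global administrator role is added as local administrator during Entra join'
        Enabled   = $enabled
        Compliant = ($enabled -eq $false)
        CheckedAt = (Get-Date).ToString('o')
    }
}

# Run the check and raise an error when the setting is still enabled, so a
# scheduled job or pipeline step fails visibly instead of silently passing.
$result = Test-GlobalAdminLocalAdminSetting
$result | Format-List
if (-not $result.Compliant) {
    Write-Error 'Global Administrators are still added as local administrators on new devices.'
}
```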
Impact
As a result of the change, administrators may no longer have local admin rights on their own PC or on those of colleagues. If they do need such rights, they must be added explicitly to the local Administrators group on each specific endpoint, or be assigned a dedicated central role that exists for the task of local administration.