Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

How to Protect Your Desktop Team When Moving to Least Privilege 


Written by Steve Goldberg

March 6th, 2018

When companies yank local administrative privileges from business users without considering the downstream impact, their least privilege programs are doomed to fail. Suddenly unable to download applications, run programs, install printers or make other system changes, users will be confused and frustrated. Those frustrations are going to land squarely on the plate of the desktop support team.  

Imagine a desktop admin coming into work each day facing a mountain of requests from users. “I am working remotely and need rights to install a printer.” “I am in a client meeting and need to access a remote application.” And, by the way, those users expect their requests to be answered immediately. 

With each desktop support call costing an average business $25 (not to mention the cost of stress and bad blood between IT groups) you can’t let that happen. 

When you move to least privilege, put application control in place at the same time

If you don’t want the desktop support team to put your head on a spike (picture Game of Thrones), when you move to least privilege you must put application control in place at the same time. 

Policy-based automation = happy desktop team 

Application control works behind the scenes to enable the applications users need to do their jobs without requiring local admin rights. For most tasks, users should experience no change and there is no impact on the helpdesk. 

Application control can prevent programs not on approved lists from running and provides users attempting to run them with a message box to ask the support team for approval. You can customize this user-facing message to explain why an application or program was denied and what users need to do to justify their request. Make sure you share the expected turnaround time for approval to match the capacity and service abilities of your desktop helpdesk. Alternatively, you can start with less intrusive control of applications and simply take an audit of everything that is being used. This part of application control is the supporting cast the main event of implementing least privilege. It’s more than just denying and allowing. It’s about ensuring unknown applications have an automated path towards approval. 

An advanced application control solution should allow your desktop team to consume those requests however they desire – on their mobile phones, in a web interface, or within a helpdesk ticketing system such as ServiceNow. As more applications are reviewed and added to global application control policies there will be less need for the helpdesk to respond to user requests. 

Graphic: Ensure that unknown applications have an automated path towards approval

Application control within Thycotic’s Privilege Manager includes a mobile app for desktop support teams to manage requests. The helpdesk team can easily see their queue of requests and manage them quickly, with a simple swipe. 

Some requests may require more investigation. Some applications may need to run in a sandbox, isolated from system controls and configurations. As our Chief Security Scientist Joe Carson demonstrates in the video below, desktop admins can have full control, even though the mobile app.  

 Privilege Manager mobile app in action 

If you are considering implementing least privilege, grab your desktop team and make sure they are in on the planning from the beginning.

Must Read: Top 10 Keys to Successful Least Privilege Adoption Via Application Control 

To try out Privilege Manager for yourself, just request a free trial 


Like this post?

Get our top blog posts delivered to your inbox once a month.