I’ve been asked about this more than a few times, so here goes…
In fiscal year 2009-2010, we (the IT department where I work) were tasked with “evaluating issues surrounding end-user privileges, then developing recommendations and a strategy for ensuring end-users have the most appropriate permissions needed to perform their duties.” Up until that time, from Windows NT 4 through Windows XP, our employees were given administrator rights on “their” computer, i.e., the computer in their office.
The project description acknowledged the fact that some users legitimately would still require administrative rights. The project description also mentioned training users on the use of the “‘run as’ command,” along with exploring and offering alternative solutions where RunAs does not meet a given user’s needs.
As expected, the recommendation that resulted was to remove users’ administrator rights, reducing them to standard user accounts. This was to be done during FY 2010-2011, in conjunction with the planned migration to Windows 7. The recommendation reiterated that while some users need to install applications occasionally, most users do not need to install applications most of the time. When these situations arise, they can be remediated via privilege escalation tools or some other method, e.g., adding the user to the local Administrators group, temporarily or permanently.
By the end of September of 2010, we had decided that Windows 7 was going to be our default operating system. Any PC replacements or re-images would result in Windows 7 being installed.
On October 5, 2010, we had a meeting to discuss a long-term solution to the administrator rights problem. We gathered people from various parts of IT, who would either have some ideas about what we could do, or who would have a stake in supporting whatever decision we made. All of the typical solutions were discussed, including the ones you see today. For example:
- Creating an admin group for each PC, and having the help desk drop users in their PC’s group when they call, and take them out later. [No. Just no. This is an awful idea at scale.]
- Also discussed were the ideas of having just one workstation administrator group in AD, moving users in and out of this group as-needed, or simply adding the user to their PC’s local Administrator group as-needed. Both of these are equally awful.
- Creating a separate administrator account for each employee, which they would only use for elevation.
- Also discussed was management of the local Administrator password, and letting the users use that account for elevation.
- Process elevation software, such as what you would get from BeyondTrust, CyberArk, PolicyPak, etc.
None of the ideas really sounded all that exciting, mostly from an IT support requirement perspective, but also from a pure dollars perspective. Some ideas just did not match the culture to which academia is accustomed.
Near the end of the meeting, our CIO said something like, “you know what we need… a utility that would give people admin rights temporarily, but then take them away, and then they have to re-apply if they still need them.” I went back to my desk and thought, “well, why can’t we do that?”
On October 7, I sent an email to the people in the meeting, with a video demonstrating the original version of Make Me Admin. It was a client-server application, with the privileged work being performed by a process running on a server with domain administrator credentials.
While we did deploy this version of Make Me Admin to all users a few months later, it did have its shortcomings. The server process required the client computer to be connected to the network when the request was made, so remote users had to be handled differently. Also, we were migrating our DNS servers from Windows servers to appliances at the time, and in a severe case of It’s Always DNS, clients with name resolution issues were not able to receive administrator rights.
Over time, I re-worked the privileged component to be a local Windows service running on each machine. This solved both the DNS and the disconnected mobile user problem. I also gathered feedback from help desk tickets. This led to a few performance improvements, and the removal of some rather hideous UI elements.
In February of 2015, I demonstrated the version of Make Me Admin that is available today.