The Problem with Everyone Being an Admin
Walk into most small and mid-size businesses in Australia and you will find the same pattern: employees logging into their computers with administrative privileges every day. They can install software, change system settings, disable security tools, and access parts of the network they have no business reason to touch. It feels convenient. It is also one of the biggest cybersecurity risks your business faces.
Restricting administrative privileges is one of the Essential Eight mitigation strategies precisely because overprivileged accounts are a primary target for attackers. When an adversary compromises a standard user account, they are limited in what they can do. When they compromise an admin account, they effectively own your network. Nearly every ransomware incident and every data breach that spreads across an organisation involves the abuse of excessive administrative access at some point: phishing a user who is already a local admin, or reusing admin credentials harvested from one machine to move to the next.
What Restricting Admin Privileges Actually Means
The Essential Eight does not say nobody should have admin access. It says admin access should be limited to those who genuinely need it, for the specific tasks that require it, and for only as long as necessary. This principle — known as least privilege — is foundational to modern cybersecurity.
In practice, this means several things. Daily work accounts should not have admin rights. If a user needs admin access for a specific task, they should use a separate admin account and only when performing that task. Admin accounts should not be used for email, web browsing, or any other activity that exposes them to internet-based threats. The number of admin accounts in your organisation should be regularly reviewed and minimised.
Why This Strategy Gets Ignored
Despite being one of the most impactful Essential Eight strategies, restricting admin privileges is one that many businesses skip or implement half-heartedly. The reasons are predictable.
Convenience. Users and IT staff are accustomed to having admin access. Removing it means software installations require IT involvement. Settings changes need to be requested. Everything takes a little longer. In fast-moving businesses, this friction feels counterproductive.
Legacy applications. Some older business applications were designed to run with admin privileges. They write to protected directories, modify system settings, or require elevated access for basic functions. Removing admin rights breaks these applications unless compatibility fixes are applied.
Internal resistance. Business owners and senior staff often feel that restricting their access is unnecessary — after all, it is their business. But seniority does not correlate with cyber risk awareness. In fact, senior executives are among the most targeted individuals in phishing and business email compromise attacks. Their accounts, if compromised with admin privileges, give attackers access to the most sensitive business data.
Maturity Level Requirements
The ACSC’s requirements for restricting administrative privileges escalate across maturity levels.
At Maturity Level One, privileged access to systems and applications must be limited to only what is needed for duties. Admin accounts must not be used for reading email and browsing the web. Privileged accounts must be prevented from accessing the internet. Unprivileged accounts cannot log into privileged environments.
At Maturity Level Two, additional controls include disabling privileged access after 12 months unless revalidated, just-in-time administration for server and network admin tasks, and Windows credential caching limited to the minimum needed. Admin events must be centrally logged.
At Maturity Level Three, privileged access must be revalidated every 12 months or sooner. Just-in-time administration is required for all admin tasks (not just servers). Windows credential caching is limited to one previous logon, and all privileged access events are monitored in real time.
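The logging and monitoring controls above only help if the right events are being collected. The following PowerShell script is an added example, not ACSC guidance or TechAssist tooling: it pulls the two classes of privileged-access events from a Windows Security log that a central log collector should be receiving, membership changes to admin groups and admin-equivalent logons. The event IDs are Microsoft's documented Security audit IDs; the computer name, the 24-hour window and the list of watched groups are assumptions to adjust for your environment. The relevant audit subcategories ("Security Group Management" and "Special Logon") must be enabled for these events to exist.

```powershell
# Added example (not from the ACSC or TechAssist): list privileged-access events
# from the Security log. Assumptions: local machine, last 24 hours, watched groups.
$ComputerName  = $env:COMPUTERNAME
$Since         = (Get-Date).AddHours(-24)

# 4728/4732/4756 = member added to a security-enabled global/local/universal group
# 4729/4733/4757 = member removed from those groups
$GroupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757
$AddedIds       = 4728, 4732, 4756
# 4672 = special privileges (SeDebugPrivilege etc.) assigned at logon, i.e. an
# admin-equivalent session started. Noisy: SYSTEM and machine accounts are skipped.
$PrivLogonId    = 4672
# Groups whose membership changes matter (assumption). 4732 covers local groups.
$WatchedGroups  = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

function Get-EventField {
    # Read one named <Data> element from the event's XML rendering
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-PrivilegedGroupChanges {
    $filter = @{ LogName = 'Security'; Id = $GroupChangeIds; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x     = [xml]$_.ToXml()
            $group = Get-EventField $x 'TargetUserName'   # the group that changed
            if ($WatchedGroups -contains $group) {
                $action = if ($_.Id -in $AddedIds) { 'Added' } else { 'Removed' }
                [PSCustomObject]@{
                    Time   = $_.TimeCreated
                    Action = $action
                    Group  = $group
                    Member = Get-EventField $x 'MemberName'      # DN of the member
                    ByUser = Get-EventField $x 'SubjectUserName' # who made the change
                    Host   = $_.MachineName
                }
            }
        }
}

function Get-PrivilegedLogons {
    $filter = @{ LogName = 'Security'; Id = $PrivLogonId; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x    = [xml]$_.ToXml()
            $user = Get-EventField $x 'SubjectUserName'
            # Skip the built-in SYSTEM account and machine accounts (names ending in $)
            if ($user -ne 'SYSTEM' -and $user -notlike '*$') {
                [PSCustomObject]@{
                    Time       = $_.TimeCreated
                    User       = "$(Get-EventField $x 'SubjectDomainName')\$user"
                    Privileges = (Get-EventField $x 'PrivilegeList') -replace '\s+', ' '
                    Host       = $_.MachineName
                }
            }
        }
}

# Group changes are rare and each one deserves a look; admin logons are summarised
# per account so an account that should only be used occasionally stands out.
Get-PrivilegedGroupChanges | Format-Table -AutoSize
Get-PrivilegedLogons | Group-Object User | Select-Object Count, Name | Sort-Object Count -Descending
```

Run it against a domain controller to see domain group changes (4728/4756) and against workstations for local Administrators changes (4732). An admin account that appears in the 4672 summary dozens of times a day is almost certainly being used as a daily account, which is exactly what Maturity Level One forbids.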
Practical Implementation Steps
Audit Your Current State
Start by identifying every account in your environment with administrative privileges. This includes local admin accounts on workstations, domain admin accounts in Active Directory, admin roles in Microsoft 365 and other cloud services, and service accounts with elevated permissions. Most businesses are surprised by how many admin accounts exist — and how many belong to people who left the company months or years ago.
Separate Admin and Daily Accounts
Every person who requires administrative access should have two accounts: a standard account for daily work (email, browsing, documents) and a separate admin account used only when performing tasks that require elevation. This separation ensures that if a user’s daily account is compromised through phishing, the attacker does not automatically gain admin access.
Implement Privileged Access Management
Tools like Microsoft's Local Administrator Password Solution (LAPS), Privileged Identity Management (PIM) in Azure AD (now Microsoft Entra ID), and third-party PAM solutions provide automated, auditable control over administrative access. LAPS gives every workstation a unique, regularly rotated local administrator password, so one stolen local admin credential cannot be reused across the fleet. PIM and PAM tools enable just-in-time access: admin rights are granted for a specific task and period, with approval and logging, and are automatically revoked afterward.
Remove Local Admin Rights from Workstations
Standard users should not have local admin rights on their workstations. Software installations should be handled through IT-approved deployment tools (Microsoft Intune, SCCM, or similar). This single change closes the most common path by which malware gains control of a machine: running in the context of a user who is already an administrator, so that no privilege escalation is needed at all. It also stops users from disabling endpoint protection or installing unapproved software.
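The four steps above, audit, separate, manage, remove, start with knowing who is an admin right now. The PowerShell script below is an added example, not TechAssist's tooling: it reports every member of a workstation's local Administrators group against an allow-list, removes the unapproved ones (in -WhatIf mode until you are satisfied with the report), and lists Domain Admins whose last logon is older than a staleness threshold, which is how the departed-employee accounts mentioned above surface. The allow-list, the group names and the 90-day threshold are assumptions; the domain part needs the RSAT ActiveDirectory module.

```powershell
# Added example (not TechAssist's tooling): audit local and domain admin membership,
# then remove unapproved local admins. Assumptions: the allow-list below, the group
# names, and a 90-day staleness threshold. Requires PowerShell 5.1+ and, for the
# domain section, the RSAT ActiveDirectory module.

# Local admins this machine may keep: the built-in account plus a domain group that
# holds the IT team's separate admin accounts (assumed names).
$ApprovedLocalAdmins = @('Administrator', 'CORP\Workstation Admins')
$StaleDays = 90

function Get-LocalAdminReport {
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = $_.Name -replace '^.*\\', ''        # strip the DOMAIN\ or HOST\ prefix
        [PSCustomObject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Type     = $_.ObjectClass                # User or Group
            Source   = $_.PrincipalSource            # Local, ActiveDirectory, AzureAD
            Approved = ($Approved -contains $_.Name) -or ($Approved -contains $short)
        }
    }
}

function Remove-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Approved)
    Get-LocalAdminReport -Approved $Approved |
        Where-Object { -not $_.Approved } |
        ForEach-Object {
            # ShouldProcess honours -WhatIf / -Confirm, so a dry run is the default way to use this
            if ($PSCmdlet.ShouldProcess($_.Member, 'Remove from local Administrators')) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $_.Member
            }
        }
}

function Get-StaleDomainAdminReport {
    param([int]$Days)
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$Days)
    # -Recursive expands nested groups, so accounts that are admins "by inheritance" are included
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, PasswordLastSet, Enabled
            [PSCustomObject]@{
                Account         = $u.SamAccountName
                Enabled         = $u.Enabled
                # LastLogonDate is the replicated lastLogonTimestamp: accurate to about 14 days,
                # which is fine for a 90-day staleness check
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # Never logged on, or not since the cutoff: a departed or forgotten admin
                Stale           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
            }
        } | Sort-Object Stale -Descending
}

# Report first and remove nothing: -WhatIf prints what would be removed.
Get-LocalAdminReport -Approved $ApprovedLocalAdmins | Format-Table -AutoSize
Remove-UnapprovedLocalAdmins -Approved $ApprovedLocalAdmins -WhatIf
Get-StaleDomainAdminReport -Days $StaleDays | Format-Table -AutoSize
```

Run the local section from your RMM or Intune as a script on every workstation and collect the output centrally; a member that shows Source = Local and Type = User is usually a daily account that was given admin rights "temporarily" and never had them removed. Drop the -WhatIf once the allow-list is right. Stale domain admins that are still enabled should be disabled first and deleted after a holding period, which is the revalidation discipline the Maturity Level Two and Three controls require.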
The Business Case for Restricting Privileges
Beyond cybersecurity compliance, restricting admin privileges delivers tangible business benefits. IT support costs often decrease because users can no longer install unapproved software that causes conflicts and instability. Malware infections drop dramatically when users cannot execute unauthorised software. Audit and compliance requirements become easier to meet when access is controlled and logged. And cyber insurance providers are increasingly offering better terms to organisations that can demonstrate proper privilege management.
TechAssist helps Australian businesses implement Essential Eight compliance including proper privilege management. As part of our managed IT services, we design and maintain role-based access controls that balance security with operational efficiency.
Ready to take control of admin privileges in your organisation? Contact TechAssist to start with an access audit and a practical plan for achieving compliance.