Access Control and Least Privilege: Who Really Needs Admin Rights, and How to Reduce Them.
A Sligo technology company discovered during a post-incident forensic review that the ransomware had deployed across their entire server infrastructure because the staff member whose workstation was infected happened to be a local administrator on every server in the building. The IT provider had configured the accounts that way when the business was founded, because it was simpler than managing separate admin credentials. Nobody had revisited it in six years.
The infection itself could not have been prevented by access controls — the phishing email arrived and was clicked. But the blast radius of the infection was entirely determined by the access level of the compromised account. Under a least-privilege account, the ransomware would have encrypted only the infected workstation. Under an account with administrator access to every server, it encrypted everything.
What Is Least Privilege?
The principle of least privilege states that every user, system, and process should have the minimum level of access required to perform its function — and no more. A member of staff who needs to use the accounting software does not need administrator rights on the server where the accounting software runs. A sales team member who needs to read customer records does not need the ability to delete or export them. Your IT provider's maintenance account does not need permanent administrative access if it only needs elevated privileges for specific tasks.
Least privilege is a foundational security principle. Its practical effect is to limit the damage an attacker can do with any single compromised account, because that account's access is limited to what the legitimate user actually needs.
The Three Over-Privilege Patterns in Irish SMEs
Local administrator on all devices. The most common over-privilege pattern: staff working as local administrators on their own workstations. This means any malware executing in their session has the same privileges they do — full access to install software, modify system settings, and access all files on the device. Standard user accounts, which cannot install software or modify system-level settings, confine malware running in that session to a significantly smaller footprint.
Domain administrator for general work. In organisations with Windows domains, staff are sometimes given domain administrator accounts — perhaps to avoid a permission request queue — and then use those accounts for day-to-day work. A compromised domain administrator account gives an attacker access to every system in the domain.
Permanent access to everything. Finance staff who can access HR systems. IT support accounts that retain permanent access to client environments after a project ends. Former contractors whose accounts were never fully revoked. In each case, the access exists beyond the operational need that originally justified it.
When did your IT provider last audit who has administrator rights in your environment? For most Irish SMEs, the honest answer is never. Book a free 20-minute strategy call — access control review is a standard component of our SME security assessments.
The Practical Implementation
Convert staff workstations to standard user accounts. This is the highest-impact least-privilege change available to most Irish SMEs. Staff should have standard user accounts for day-to-day work. A separate administrator account should exist for IT maintenance tasks — but it should not be the account anyone works from routinely. IT providers will sometimes push back on this, citing the inconvenience of needing separate credentials for certain tasks. This friction is the point — it means malware executing in a standard user session also faces that friction.
Implement role-based access in your cloud platforms. Microsoft 365 and Google Workspace both support role-based access control. Finance staff should have access to financial systems. HR staff should have access to HR data. The default of giving everyone the same access level reflects administrative convenience, not operational security.
Apply just-in-time access for IT providers. Instead of your IT provider's maintenance account having permanent administrative access to your systems, configure it so that elevated access must be explicitly granted for specific tasks and revoked afterwards. Microsoft Azure Active Directory supports Privileged Identity Management for this purpose. Simpler alternatives include creating a dedicated admin account with a strong password that is changed after each use.
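The "simpler alternative" above, as an added example that is not the article's own code: a time-boxed elevation for a provider's maintenance account using only built-in Windows cmdlets. It assumes the account (the constructed placeholder `svc-itprovider`) already exists and is kept disabled between sessions, and that the script is run from an elevated PowerShell on the machine being worked on.

```powershell
# Added example (not from the article): just-in-time admin access for a maintenance account.
# Run elevated on the server or workstation being worked on. 'svc-itprovider' is a constructed
# placeholder for an account that already exists and is normally disabled.
param(
    [string]$Account = 'svc-itprovider',
    [int]$WindowMinutes = 120
)

# Rotate the password at the start of every session, so the previous one is useless once
# the window closes. 24 random bytes -> 32-character Base64 string (upper, lower, digits, symbols).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Enable the dormant account, set the new password, and grant admin rights only now.
Enable-LocalUser -Name $Account
Set-LocalUser    -Name $Account -Password $secure
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $Account
}

# Schedule the revocation: drop admin rights, disable the account, then delete the task itself.
# StartWhenAvailable makes the revocation run at next boot if the machine was off at the deadline.
$revoke   = "Remove-LocalGroupMember -Group Administrators -Member $Account; " +
            "Disable-LocalUser -Name $Account; " +
            "Unregister-ScheduledTask -TaskName 'JIT-Revoke-$Account' -Confirm:`$false"
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$revoke`""
$trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($WindowMinutes)
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
Register-ScheduledTask -TaskName "JIT-Revoke-$Account" -Action $action -Trigger $trigger `
    -Settings $settings -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

# Hand the one-time password to the engineer over your agreed channel; it dies with the window.
"Account $Account is a local administrator until $((Get-Date).AddMinutes($WindowMinutes).ToString('HH:mm'))."
"Session password: $plain"
```

The revocation runs as SYSTEM even if the engineer forgets to log off, which is what turns a "permanent" maintenance account into a standing-disabled one.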
Conduct an access review quarterly. List every account with administrative or elevated privileges. Confirm that each one still requires that level of access for a current operational need. Revoke access that is no longer needed. This review takes 30 to 60 minutes and removes the accumulated access drift that builds up over time.
Why This Matters Right Now
The 2024 NCSC Ireland incident data shows that privilege escalation — where an attacker moves from a limited-access initial foothold to higher-privilege access — is present in the majority of significant incidents affecting Irish organisations. The over-privilege patterns described above make privilege escalation trivial: in a flat-privilege environment, an attacker who compromises any account often has effective administrator access without needing to escalate at all.
Least privilege does not prevent initial compromise. It limits what an attacker can do after compromise. In practice, this difference is often the difference between an incident that affects one workstation and one that encrypts the entire business.
What Next
Audit administrator accounts in your environment this week. Ask your IT provider for a list of all accounts with local administrator rights on workstations, domain administrator rights, and administrative access to key systems.
Identify which accounts genuinely require administrator rights. Be specific — which staff, for what purpose. Challenge every account that cannot articulate a current operational need.
Begin the transition to standard user accounts for day-to-day work. Start with your general office staff. Maintain a separate administrator account for IT tasks. The IT provider's time to implement this should be a few hours per batch of workstations.
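The quarterly access review and the three steps above, as one added example that is not the article's or any provider's code: a PowerShell report of who holds local administrator rights on a workstation and who is a Domain Admin, flagging anyone not on an approved list, disabled accounts that were never removed, and stale logons, with an opt-in step that demotes unapproved local admins to standard users. It assumes an elevated PowerShell on the workstation under review, a domain-joined machine with the RSAT ActiveDirectory module for the domain part, and the constructed placeholder names in the approved lists.

```powershell
# Added example (not from the article): quarterly admin-rights review for a Windows estate.
# Run elevated on the workstation under review. The Domain Admins section needs a domain-joined
# machine with the RSAT ActiveDirectory module. Names in the approved lists are constructed
# placeholders; replace them with the accounts your review has actually justified.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ApprovedLocalAdmins  = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation-Admins'),
    [string[]]$ApprovedDomainAdmins = @('admin.jsmith'),
    [int]$StaleDays = 90,
    [switch]$Remediate     # report-only unless set; add -WhatIf to preview removals
)
$findings = @()

# 1. Local Administrators: every member here can install software or run malware as admin.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $status = if ($ApprovedLocalAdmins -contains $m.Name) { 'Approved' } else { 'REVIEW: not on approved list' }
    $findings += [pscustomobject]@{ Scope = "Local\$env:COMPUTERNAME"; Account = $m.Name; Type = $m.ObjectClass; Status = $status }
    # Demote unapproved user accounts to standard users (the transition described in step 3).
    if ($Remediate -and $status -ne 'Approved' -and $m.ObjectClass -eq 'User' -and
        $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
    }
}

# 2. Domain Admins, expanded through nested groups, with each account's state read from AD.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($m in Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user') {
        $u = Get-ADUser -Identity $m.SamAccountName -Properties Enabled, LastLogonDate
        $status = if ($ApprovedDomainAdmins -notcontains $u.SamAccountName) { 'REVIEW: not on approved list' }
                  elseif (-not $u.Enabled) { 'REVIEW: disabled but still a Domain Admin' }
                  elseif (-not $u.LastLogonDate -or $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) { "REVIEW: no logon in $StaleDays days" }
                  else { 'Approved' }
        $findings += [pscustomobject]@{ Scope = 'Domain Admins'; Account = $u.SamAccountName; Type = 'User'; Status = $status }
    }
} else {
    Write-Warning 'ActiveDirectory module not found; skipping the Domain Admins review.'
}

# Every REVIEW line needs a named owner and a current operational need, or the access is revoked.
$findings | Sort-Object Scope, Status | Format-Table -AutoSize
```

Run it without switches first to produce the list for the review meeting; run it again with `-Remediate -WhatIf` to see exactly which accounts would be demoted before committing.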
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- Handling Leavers and Joiners: Closing Access Quickly When People Change Roles or Leave
- Third-Party and Supplier Risk: Making Sure Your IT Vendors Aren't Your Weakest Link
- Practical Office Network Hygiene: Guest Wi-Fi, Admin Accounts and Segmentation
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.