Lap 4: Restrict local admin access on all devices

Why it matters: Restricting local admin access  is a security practice that restricts users (students and staff) from having full administrative control over their school-issued devices. This means they can use the tools and apps they need but cannot install software, change system settings, or make high-level modifications. 

Main Points 

• Managing and controlling Admin Privileges
• Protects devices from threats like viruses, ransomware, and unauthorized software. 
• Reduces IT issues by preventing accidental changes that break or slow down devices. 
• Safeguards student and staff data by minimizing risk from unapproved apps or downloads. 
• Ensures compliance with cybersecurity and data privacy standards. 

• Audit and Review Access: Regularly check who has admin rights and remove unnecessary access. 
• Assign Standard User Roles:
  • Give staff limited access as per their roles.
  • Reserve admin rights for IT only. 
• Enforce Access Policies: Use tools like Group Policy (Windows) or Admin Console settings to lock down devices.

Related Resources:  

• Cyber Actors target K-12 Distance Learning Education to Cause Disruptions and Steal Data: https://us-cert.cisa.gov/ncas/alerts/aa20-345a 
• Removing Admin Rights with Group Policy: https://activedirectorypro.com/remove-local-admin-rights-using-group-policy/  
• Configuring LAPS: https://4sysops.com/archives/how-to-install-and-configure-microsoft-laps/ 
• Securing Remote Desktop Services: https://security.berkeley.edu/education-awareness/securing-remote-desktop-rdp-system-administrators