by Thomas Kinsinger
Director of Technology, E-N Computers
20+ years experience in enterprise IT and managed services.
The days of giving everyone admin rights are far behind us. They give an account more than the ability to install software or change a setting — they make it possible to cause serious damage to your data and systems.
Privileged accounts, or accounts with admin rights, are accounts with powerful permissions, including the ability to install and remove software, change settings, and access sensitive data. In the past, small organizations commonly gave their users these permissions. Users like it because they can make changes to their computer quickly, without slowing down their work. IT professionals detest giving admin rights to everyone, not because of some power trip, but because it introduces serious risks to the security and stability of your network.
Let’s talk more about privileged access, specific risks of giving everyone admin rights, how a privileged access management solution can help, and what we think are the three best privileged access management solutions.
Why you can trust us
E-N Computers is an MSP with decades of experience providing full-service IT support to businesses throughout Virginia. We believe that businesses deserve hassle-free IT that supports their goals, not IT that gets in the way. With a heavy focus on security and compliance, which includes helping defense contractors achieve CMMC compliance, privileged access management is important to us. We’ve evaluated a number of options to make sure we’re providing the best results to our clients. If you’re looking for a full-service IT provider and complete security solution, let’s talk.
QUICK ANSWER:
What are the best privileged access management (PAM) solutions in 2024?
We think the top three PAMs are AutoElevate, Admin By Request, and ThreatLocker. We found AutoElevate to be the best fit for us, and we’re proud to use it to improve our clients’ cybersecurity posture.
Overview of privileged access
What is privileged access?
Computer user accounts can be divided into two categories: standard and privileged. A privileged, or admin, account has powerful permissions to make changes on a computer. These include the ability to install and remove software, change settings, and access sensitive data.
Why giving everyone admin rights is a bad idea
With such powerful permissions, there are a few key reasons that giving everyone admin rights is a bad idea.
Security risk: When a user has admin rights, it puts their computer and your entire network at greater risk. A simple mistake can introduce malware, disable security features, and cause other problems, especially when the user’s primary account has admin rights. Malicious actors that gain access to your network specifically target users with admin rights to gain greater control over your network. The more people you have with such accounts, the easier it is for your workers or malicious actors to cause serious damage.
Accidental damage: Even without malicious intent, a user with admin rights can cause damage by installing incompatible software, deleting system files, and modifying important system settings.
Data loss: Users with admin rights have broad access to files on a computer or network share. They may accidentally delete important company data, causing significant disruptions.
Benefits of using privileged access management
Most users on your network should not have admin rights, but it can be frustrating to users and technicians when certain tasks can’t be performed with a standard account. One solution is Privileged Access Management (PAM) — a tool that reduces your attack surface, allows more granular control over admin rights, and improves monitoring and logging.
Reduced attack surface: Admin rights are like a master key that gives access to everything. Just like limiting the number of master keys to a building keeps it more secure, limiting the number of people that have admin rights reduces the amount of damage that can be done if someone’s account is compromised.
More granular control: Admin rights are often all-or-nothing; you have them or you don’t. You can make these permissions limited and temporary. You can choose what admin tasks can be performed by a requesting user. When a request for admin rights is received, a technician can review it, approve or deny it, and set a time limit.
Better monitoring and logging: With detailed logs, you can keep track of when someone tries to use admin privileges and what they’re trying to do. This can help you to more quickly identify compromised accounts and take corrective action.
Here are our thoughts on three of the best PAM solutions: AutoElevate, Admin By Request, and ThreatLocker. First, here’s a quick comparison table.
Cheat sheet: AutoElevate vs. Admin By Request vs. ThreatLocker
AutoElevate | Admin By Request | ThreatLocker | |
---|---|---|---|
Who it’s for | MSPs only | IT pros | MSPs; IT pros at mid-size companies or larger |
Scalability | Highly scalable | Free plan for up to 25 endpoints | Highly scalable |
Cost | Competitively priced, not much overhead | Freemium, can be costly for larger orgs | Competitively priced; more overhead to maintain |
Ease of use | Simple and user-friendly | Slightly more complex setup | Complex and requires technical expertise |
Security | Strong security | Basic security features | Highly customizable and secure when configured correctly |
Support included | Yes | Yes, except free plan | Yes |
AutoElevate — Best privileged access management for MSPs
Website: https://autoelevate.com
We think AutoElevate is the best PAM for MSPs because it’s user-friendly, efficient, and affordable. AutoElevate allows the creation of rules to automate approvals for software publishers, updates, and system actions you choose. It integrates with ticketing and remote monitoring and management (RMM) solutions so that technicians can respond quickly.
To get a clear idea of why AutoElevate is our preferred PAM solution, check out our AutoElevate page. We offer it as an add-on to our managed plans or as a standalone product, and the page includes a pricing calculator so you can see how much it will cost. We’ve also put together a short video about how AutoElevate can help you achieve CMMC compliance.
Pros
- Designed for MSPs
- Stays fairly priced as you grow
- User-friendly and quick to deploy to new clients
Cons
- No free plan
- Not as customizable as some options
Admin By Request — Best privileged access management for internal IT at small companies
Website: https://adminbyrequest.com/
Admin By Request is unique because they offer a “lifetime free plan, no strings attached”. The free plan supports up to 25 workstations and 10 servers, so we think it’s a great fit for IT managers at smaller companies. In January 2023, the paid Workstation Edition was estimated to cost less than $10/workstation/year. Ultimately, with hundreds of workstations across multiple clients, we found that it wasn’t a good fit for us.
Pros
- Free plan for up to 25 workstations and 10 servers
Cons
- No support for free plan
- Cost rises rapidly with more than 25 endpoints
ThreatLocker — Most customizable privileged access management
Website: https://threatlocker.com/
ThreatLocker is a zero-trust endpoint protection solution. Even though it’s not strictly a privileged access management tool, it does include elevation control so that users don’t need admin rights. Another popular feature of ThreatLocker is allowlisting, which permits only specifically approved applications to run.
We think ThreatLocker is a fantastic product and we’ve had great conversations with their CEO, Danny Jenkins, at IT networking events. It’s very customizable, there are a lot of add-ons for it, and you can really make things secure. However, one complaint we hear is that it can be complex to set up, especially if you’re using it on workstations. An MSP may need a full-time engineer or two to properly configure and maintain ThreatLocker. On the plus side, ThreatLocker support is known for being helpful and invested in making your use of their product as successful as possible.
Some MSPs use AutoElevate for workstations and ThreatLocker for servers. The combination gives them streamlined elevation control and easy configuration workstations while having greater control and tighter security on servers.
Pros
- Very customizable
- Allows a high degree of security with proper implementation
Cons
- Complex setup and management
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.
Take the IT Maturity Assessment
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.
Industries
Locations
Waynesboro, VA
Corporate HQ
215 Fifth St.
Waynesboro, VA 22980
Sales: 540-217-6261
Service: 540-885-3129
Accounting: 540-217-6260
Fax: 703-935-2665
Washington D.C.
1126 11th ST. NW
Suite 603
Washington, DC 20001-4366
Sales: 202-888-2770
Service: 866-692-9082
VA DCJS # 11-6604
Locations
Harrisonburg, VA
45 Newman Ave.
Harrisonburg, VA 22801
Sales: 540-569-3465
Service: 866-692-9082
Richmond, VA
3026A W. Cary St.
Richmond, VA 23221
Sales: 804-729-8835
Service: 866-692-9082