Today's enterprises rely on defense-in-depth mechanisms to protect endpoint computing devices from malware infection. Enterprises no longer rely only on traditional signature-based antivirus software, but have started to adopt technologies such as role-based network containerization, smart network-level detection, and machine learning-based malware behavior detection. Traditional antivirus software cannot detect zero-day attacks; distributing new malware signatures to every endpoint device may take days to weeks. Additionally, most advanced detection and prevention systems work well only while the endpoint device is on the enterprise premises.
Once malware gains access to an endpoint, it attempts to control the device and uses lateral movement mechanisms to spread to other endpoints and critical assets of the organization. Removing local administrator rights from the domain user accounts active on endpoints can limit an attacker's ability to move beyond the point of entry. Without administrator privileges, however, some legacy applications function incorrectly or not at all. In addition, on bring-your-own-device (BYOD) endpoints, employees expect to retain administrator privileges. It is thus desirable to remove the need for domain users to retain full administrator privileges on endpoints, while maintaining the functionality of legacy applications and meeting the expectations of users.
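The first step in the least-privilege approach described above is knowing which domain accounts currently hold local administrator rights on an endpoint. The following PowerShell script is an added example, not code from the original text or from any product it describes: it audits the local Administrators group, flags domain principals that are not on an allow list, and offers a rehearsable removal. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or PowerShell 7 on Windows), an elevated session, and an allow-list entry such as `CORP\Workstation Admins`, which is a placeholder name for this example.

```powershell
# Added example (not from the original text): audit the local Administrators
# group on a Windows endpoint and report which members are domain accounts.
# Assumes the Microsoft.PowerShell.LocalAccounts module and an elevated session.
# The allow list is an assumption; replace it with the accounts your
# organization intentionally keeps as local administrators.

function Get-DomainLocalAdmins {
    [CmdletBinding()]
    param(
        # Assumed exceptions, e.g. a workstation-administration group.
        [string[]]$AllowedPrincipals = @()
    )

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            SID             = $_.SID.Value
            Allowed         = $AllowedPrincipals -contains $_.Name
            # Domain users and groups not on the allow list are the candidates
            # for removal under a least-privilege policy.
            Finding         = ($_.PrincipalSource -eq 'ActiveDirectory') -and
                              ($AllowedPrincipals -notcontains $_.Name)
        }
    }
}

function Remove-UnexpectedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string[]]$AllowedPrincipals = @()
    )

    Get-DomainLocalAdmins -AllowedPrincipals $AllowedPrincipals |
        Where-Object { $_.Finding } |
        ForEach-Object {
            # ShouldProcess honours -WhatIf and -Confirm, so the removal can be
            # rehearsed before any membership change is made.
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove from local Administrators group')) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $_.SID
            }
        }
}

# Usage: report first, then rehearse the removal with -WhatIf before running it for real.
Get-DomainLocalAdmins -AllowedPrincipals 'CORP\Workstation Admins' | Format-Table -AutoSize
Remove-UnexpectedLocalAdmins -AllowedPrincipals 'CORP\Workstation Admins' -WhatIf
```

The audit output is the inventory a team needs before removing rights fleet-wide; it does not by itself solve the compatibility problem the text raises, since a legacy application that needs elevation will still fail once its user is removed, so each flagged account should be checked against the applications that user runs before the removal is executed without `-WhatIf`.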