This may open up a massive debate (again), but as part of our ISO27001 compliance, we revoked all local admin rights and deployed MS's LAPS solution, which manages the passwords on a local admin account. This local admin account is used for any local admin duties. We have around twenty hardware/firmware and software engineers, and our CTO is telling me that revoking local admin rights has blocked work; his argument is that some tools now do not work as expected and the process of entering credentials (and an unmemorable password) is causing frustration.
I can tweak our current solution (LAPS) to alleviate the frustration somewhat and may even be able to resolve the blocked tools/software; however, I wonder if I need to look at this afresh.
What we are trying to achieve here is to protect our systems from malware, adware, viruses, bloatware etc. and therefore protect the integrity of our data.
We do have AV in place (ESET) and this does a good job of telling me about known viruses and PUA (potentially unwanted applications) - but it does not block malware, adware and bloatware. My suggestion was to invest in something like Malwarebytes Premium and additionally block known download sites that contain the above threats - this would be difficult as some of these are well-known first ports of call for downloads (CNET, Brothersoft, Soft32...).
I would like to know what others do in this situation: whether there are solutions I could deploy easily (LAPS was not easy to configure) or if there is something I am missing.