This blog post was originally posted at: http://blog.avecto.com/2013/05/migrating-put-admin-rights-in-the-past/
Do you give local administrative rights to all your users? Or maybe it’s just to the executives or laptop users? As companies now have under a year to move away from Windows XP, this is the perfect, once-in-a-decade opportunity to make your environment more secure, raise user productivity and make the lives of your support personnel easier.
It’s not easy to change user permission levels during the lifetime of an operating system but with the introduction of Windows 7 to users the changes can stay hidden behind bigger changes like a new logon screen.
I’ll start off with a short personal story: I was 16 years old when I first got Domain Admin rights to a company that had more than 30,000 workstations. I couldn’t have been more proud of my godly powers that most users did not have, so I was happy to blindly agree when users asked me to install the games on their computers that they couldn’t! “Sami, I heard you can install Solitaire on our NT4 – could you help me out after work?” they would whisper to me, “Yes” I would reply, “I sure can”.
It was only when I moved on to a new training and development role and a new company that I realized the extra work that my administrator rights had elicited. I was sitting at my new desk when a lady ran to me and started yelling: “Infrastructure department!? We have three new employees: install their laptops, make sure they have network connectivity, activate their user accounts and configure their email!” I thought for a moment and replied with a calm voice: “I can’t – I don’t have rights to do that”.
I could say that that moment changed my life: after years of being pestered to abuse my admin rights unnecessarily, I had just figured out that the less user rights I had the less work I had to do that was outside my area of responsibility. This was my first lesson: from then on, I’ve tried my best to only have the user rights I actually need to do my job – no more, no less.
As sure as I was that I didn’t want administrator rights at work, I was initially more relaxed about their use at home. However, not long after, another user installed a bunch of Outlook ‘Smileys’ on my home computer: I was so angry that people didn’t keep that stuff in their own profiles, I removed everyone’s admin rights from the machine. ‘Smileys’ were no more, but a much more significant side effect of this action took almost a year to figure out.
Prior to removing admin rights from the PC, I had been forced to reinstall my Windows (and that of most of my friends!) every 6 – 12 months because of the inevitable slow-down of the Operating System. What happened with this computer was significant: it was 5 years before I had to do a reinstall and, even then, this was due to a hard disk break, not because of the OS being slow! I’d learnt my second lesson about user privilege: it’s not only security that should prompt you to give up admin rights but also the cold-hard fact that Windows just stays cleaner and more operational that way.
Since then, one of my company’s specialties has been educating organizations on how to get rid of admin rights for end users. I show people the dangers of admin rights by demonstrating how to break into computers and how this can be prevented. To this day, with Anti-malware, Firewalls, AppLocker and BitLocker, the most important and first step for making environments more secure is getting rid of end user admin rights.
What’s the easiest way to rid your organization of admin rights when migrating to Windows 7? With Windows 7 and 8 the gap between standard users and administrators is even bigger because of the lack of “Power Users” group. UAC is designed to help, but it is unsuitable for use in an enterprise environment as it continues to place emphasis on the user to make decisions regarding the safety of applications and processes or facilitates a scenario where usability is impacted in an overly locked-down environment.
There’s an effective solution for everyone, but my preference is always to implement software which applies admin rights by process rather than by user or computer. When I get granular control of admin rights, I can remove them and keep them from coming back. I used to say it’s impossible to take admin rights away from two user groups: developers and kids – nowadays, with the right tools, even that is possible.
which software do you use or recommand to applies admin rights by process?ReplyDelete
I would like to ask your opinion of using UAC with Admin rights, where no credentials need to be entered, just click OK. And secondly what about having an alternate admin credentials that can be known to the non-admin logged in user, so they can enter those credentials when UAC prompts. This lets them get stuff done but keeps them aware, no? Going to research Avecto DefendPoint as well.ReplyDelete
You want to absolutely use UAC. Don't turn it off. The UAC that asks for just Yes or No is vulnerable to driver based attacks. Not that common but possible. You can see my security sessions at Ignite for more information. You could use that approach of two users if you 100% trust your users as nothing prevents them from logging on with the admin account interactively.ReplyDelete
Thanks, I must've not subscribed so didn't see the quick answer until now when I came back to check. Right now I'm thinking about the 2 users for myself, so I totally trust this user:). I watched your NIC conference video and have the Ignite ones in my Watch Later list. Thanks for all the info.Delete