Too many users needlessly given admin privileges

Many of the security issues that IT administrators have to deal with happen because someone else is empowering their users, often for no good reason.


For IT professionals, controlling a network is imperative when trying to keep it safe, but some administrators say sloppy coding and lazy product development practices make that job harder by forcing them to make security decisions.

What's the best path to take when deciding who gets administrator privileges and who doesn't?

"Some people, no matter what, they have to have administrator rights. Either they're running a program that is too hard to configure or they've just got it in their head that's what they need," said Andy Goodman, a small business systems expert based in the Winston-Salem, N.C., area. "Sometimes it comes down to more politics than technology."

"For many enterprises, the line-of-business staff is usually what gets locked down the most," said security consultant Steve Friedl, of Tustin, Calif. "They use a few line-of-business applications and they have no real reason to do more broad things that would require administrative privileges."

Know before saying no

When taking away privileges, he recommends doing some testing first. "Try it yourself with the line-of-business applications," he said. "Don't infringe on users without trying it yourself first. It's disruptive and it undermines your efforts. If people see it as a huge disruption, they're not going to see the benefit. They're just going to say no."

Helping users understand why they're not allowed to have these privileges is key to keeping them happy, and vendors need to do more to help administrators as well, experts say.

"We as consumers need to be educated more that it's not a good thing that we're able to download everything we want," said Fresno, Calif.-based IT consultant Susan Bradley. "We need to understand that we need to protect ourselves a little bit better. At the same time, the vendors need to step up to the plate. Intuit, in particular, and other vendors that do not support limited user rights are forcing me to make security decisions. They are the ones causing insecurity on the desktop, not me."

But not all applications will run if the user does not have administrative privileges, Bradley said.

"The ultimate goal is that every single application that we have installed in our systems will run in user modes," Bradley said. "The Microsoft applications do run in user mode. I cannot say that for the rest of my stupid line-of-business applications. To get certified for design for a Windows XP logo, you have to run as a user mode."

Other companies, she said, "are not even coding for the most secure platform out there. They're still coding in a Windows 98 world." For example, an accounting program that she uses with many of her clients requires users to have administrative privileges when it isn't necessary, she said.

Vendors can be culprits as well

Friedl said lazy product development is responsible for some privilege issues, and that vendors need to be made aware of the problems with their software.

"Look at how Microsoft is handling security," said Friedl. "Do you know how long it took them to wake up? They just didn't care. Now they do, so of course Microsoft is the big 500-pound gorilla. Where most of [the problems are created in situations] where developers run as admin so everything works, and then software goes out to the users and it doesn't. You don't know if your keys work [and] if all your doors are unlocked.

"When you take away administrative privilege, it increases help desk support a little bit but it really cuts down on crap," Friedl said. "Do your research to make sure that it's going to be smooth and be responsive. Make notes on the applications and complain to your vendors. … You've got to beat up on the vendors."
