For IT professionals, controlling a network is imperative when trying to keep it safe, but some administrators...
say sloppy coding and lazy product development practices make that job harder
What's the best path to take when deciding who gets administrator privileges and who doesn't?
"Some people, no matter what, they have to have administrator rights. Either they're running a program that is too hard to configure or they've just got it in their head that's what they need," said Andy Goodman, a small business systems expert based in the Winston-Salem, N.C., area. "Sometimes it comes down to more politics than technology."
"For many enterprises, the line-of-business staff is usually what gets locked down the most," said security consultant Steve Friedl, of Tustin, Calif. "They use a few line-of-business applications and they have no real reason to do more broad things that would require administrative privileges."
Know before saying no
When taking away privileges, he recommends doing some testing first. "Try it yourself with the line-of-business applications," he said. "Don't infringe on users without trying it yourself first. It's disruptive and it undermines your efforts. If people see it as a huge disruption, they're not going to see the benefit. They're just going to say no."
Helping users understand why they're not allowed to have these privileges is key in keeping them happy, and vendors need to do more to help administrators as well, experts say.
"We as consumers need to be educated
But not all applications will run if the user does not have administrative privileges, Bradley said.
"The ultimate goal is that every single application that we have installed in our systems will run in user modes," Bradley said. "The Microsoft applications do run in user mode. I cannot say that for the rest of my stupid line-of-business applications. To get certified for design for a Windows XP logo, you have to run as a user mode."
Other companies, she said, "are not even coding for the most secure platform out there. They're still coding in a Windows 98 world." For example, an accounting program that she uses with many of her clients requires users to have administrative privileges when it isn't necessary, she said.
Vendors can be culprits as well
Friedl said lazy product development is responsible for some privilege issues, and that vendors need to be made aware of the problems with their software.
"Look at how Microsoft is handling security," said Friedl. "Do you know how long it took them to wake up? They just didn't care. Now they do, so of course Microsoft is the big 500-pound gorilla. Where most of [the problems are created in situations] where developers run as admin so everything works, and then software goes out to the users and it doesn't. You don't know if your keys work [and] if all your doors are unlocked.
"When you take away administrative privilege, it increases help desk support a little bit but it really cuts down on crap," Friedl said. "Do your research to make sure that it's going to be smooth and be responsive. Make notes on the applications and complain to your vendors. … You've got to beat up on the vendors."