Handling the dangers of network users with too many rights

Networking security expert Wes Noonan gives advice on how network administrators should handle situations where employees want too many network privileges.

Our company has 200+ workstations that are joined in a domain. With regards to privileges, I understand that employees are to be restricted to a USER TYPE ACCOUNT PRIVILEGE as part of a standard practice in a network environment. Unfortunately, some employees preferred the upper privileges. Due to this, I'm afraid that my network would be at risk.

In short, I would like to ask your recommendation as an expert with regards to this situation. I need to provide proof to my seniors and employees of best practices for network security. It would be a big help to bring an end to this "power hunger" of some employees.

Politics is probably the second most difficult thing to balance against security (the first being money). This is what I use as a measuring stick. If someone can't provide a valid *business* justification for the escalated privileges, I fight strongly against providing them. If a business application requires escalated privileges, I escalate the issue with that vendor to make it clear to them that requiring escalated privileges is against the corporate security policy, and that if they can't provide a workaround, we won't be buying or using their product. In today's environment, many software vendors have more restrictive access requirements that they can run under, but that they do not always make publicly known (you need to ask for them).

If all else fails though, I then work under the basic premise of the most restrictive rights possible. So before I make a user a local administrator, I will check and see if they can do what they need to do as a power user. Before I make a user a power user, I will check to see if I can grant specific rights to the user (or more practically to a group the user is a member of) or specific rights to the appropriate registry keys or files.

The bottom line here though is that you are 100% correct in how you are approaching this issue, and unfortunately this is one of the more unpleasant aspects of security administration. Your best weapon is the ability to demonstrate how the users can perform all of their required business responsibilities at the lower privilege level. Good luck!!
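The narrowest step in the answer, granting a group rights on specific files and registry keys instead of local administrator membership, can be done as follows. This is an added example, not part of the original answer; the group name, folder and registry key are hypothetical placeholders, and it assumes Windows PowerShell 5.1 or later run from an elevated session.

```powershell
# Added example: every name below is a hypothetical placeholder.
$Group  = 'CONTOSO\LegacyApp-Users'          # domain group the affected users belong to
$AppDir = 'C:\Program Files\LegacyApp\Data'  # folder the application needs to write to
$AppKey = 'HKLM:\SOFTWARE\LegacyApp'         # registry key the application needs to write to

# 1. Record who currently holds local administrator rights (evidence for the review).
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Grant the group Modify on the data folder only, inherited by its files and subfolders.
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$dirAcl = Get-Acl -Path $AppDir
$dirAcl.AddAccessRule($fsRule)
Set-Acl -Path $AppDir -AclObject $dirAcl

# 3. Grant the group read/write on the application's own registry key and its subkeys.
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Group, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
$keyAcl = Get-Acl -Path $AppKey
$keyAcl.AddAccessRule($regRule)
Set-Acl -Path $AppKey -AclObject $keyAcl

# 4. Show the resulting entries so the change can be attached to the request record.
(Get-Acl -Path $AppDir).Access | Where-Object { $_.IdentityReference.Value -eq $Group }
(Get-Acl -Path $AppKey).Access | Where-Object { $_.IdentityReference.Value -eq $Group }
```

Testing the application as a standard user who is a member of the group, before and after the grant, gives the demonstration the answer calls for.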

This was last published in April 2006
