Removing local administrator rights is a surefire way to improve Windows security, but the politics involved in revoking users' control over their desktops stops many administrators from taking advantage of the approach.
When users have local admin rights, they have the power to do almost anything they want to their workstations. They can download any application, use any program, and even ignore or undo anything IT administrators do to their devices. Many users -- especially the higher-ups -- don't want to feel handcuffed or slighted because they don't have complete control, so admins let users be the masters of their own devices.
But in many cases, the decision about whether to allow local administrator rights or not is based on emotion rather than facts, and admins cannot let such feelings determine how they manage security.
Why restrict local administrator rights?
Local admin rights give the user too much power. Endpoints are where many of the greatest risks to enterprise security lie, and giving users control over those endpoints only opens networks to more risk.
Malware is around every corner. Regular Web browsing and email phishing put Windows workstations at constant risk. If users have local admin rights, the risk is even greater because they can veto IT's security measures. A simple authenticated vulnerability scan can reveal just how many patches (both Microsoft and third-party) are missing from enterprise desktops where users have admin rights. The scan can also show the numerous configuration vulnerabilities that can put the Windows OS at risk.
Shops that don't give users local admin rights on their workstations have much better security than those that do. It may be somewhat painful at first to take admin rights away from users, but once IT administrators have worked through the issues and users get over the shock, workstations are far less vulnerable, and user-related mishaps and security breaches happen less frequently.
There are business reasons to argue for giving users local administrator rights on their workstations. Compatibility, lack of IT resources for troubleshooting issues, politics and bureaucracy all come to mind. But none of those reasons outweigh the security benefits shops can reap from removing local admin rights.
It's important for companies to do what's right for their business and weigh the associated risks. If IT shops plan well in advance and get the right people on staff, they can restrict local administrator rights without unfavorable consequences. It's possible to revoke local admin rights from just a portion of the user population, or put limits on users who work in higher-risk departments, such as customer service and sales. Rolling out those restrictions with system upgrades makes the transition easier for some users to swallow.
Regardless, IT administrators should not let rampant local administrator rights put their organization at risk, and they cannot give users all the power and then wonder why they still face Windows security issues in the enterprise.