TechVirtuoso

Access Denied: Giving users local administrator permissions on their machine?

December 8th, 2009 at 9:56 AM  13 Comments Michael Stanclift

A recent email discussion over an education security listserv got me thinking about the topic of giving users administrator rights to their local machines. This is a common discussion that comes up about once every month or so, whenever someone new joins the group. The discussion usually starts by asking for methods of removing administrator access in environments where rights have already been given, and then nosedives into a long discussion about the ethical and practical reasoning behind it.

There seem to be two schools of thought about all of this.

  1. Lock the user out of everything that would prevent malware from being installed or the user installing software they’re not supposed to, at the expense of user frustration and IT time spent approving and installing software requested by users.
    Basically, the users are stupid and cannot be trusted. IT will have to monitor them.
  2. Give the user access to everything and let them install whatever they want, at the expense of user frustration and IT time spent removing software they’re not supposed to have and malware that has been installed as a result.
    Basically, trust the users and clean up after their messes when they don’t understand what they’re doing.

In an educational setting, specifically in higher education, you have a lot of competing interests. You’re a business, selling a product (education) and have to compete with other businesses (schools) to gain more customers (students) — therefore, security like what you’d have at any enterprise is necessary. However, you have a group of highly educated and oftentimes very ego-centric individuals called faculty who feel they have a right to gain access to anything and everything in order for them to independently do their job without interruption from IT, or having to ask them for assistance. I would imagine it’s something like working with engineers, but in this case 95% of the people have no idea how to use a computer. Last but not least, the university is an ISP, providing Internet access to students and employees on their personal machines. But that’s a topic for a future entry.

The idea that users need administrative access to their computer or that they somehow have a right to it is wrong in my opinion. When I go into my office, I have services provided to me by other departments on campus that I do not have full control over. If I need a light bulb replaced in my office, do I have a key to go do it myself or do I just call Physical Plant and have them come over? Sure, it’d be faster and probably easier for plant if I just went and took care of it myself. Just because you can give someone full access to a machine, and they’re used to it at home, doesn’t mean they should have that access at work.

I have full access to the thermostat at home (well, I take that back… my wife does… I’m just a user there too) but I can’t just go adjusting the HVAC system at work how I want.

We make as much of the software we’ve pre-approved as possible user-installable through Group Policy Software Deployment, and soon through System Center once we have that up and running. Our staff maintains a repository of approved software installs that require us to do it, so when the user cannot do it themselves it only takes us a few minutes. If a user walks up to our support center, we can usually get the software installed on their laptop right away. We’ve given our Help Desk very easy-to-use remote access software and can usually get stuff installed for them within 24 hours, if not as soon as they call in or email.

Does malware still get installed on systems where users lack administrative access? Yes. Which brings me to another point.

You also need to look at the amount of damage that can be done in the time period where a user with administrative access disables anti-virus to install something, or even where the AV client doesn’t detect it and the user isn’t aware enough to see what has happened. A few years ago, malware was about annoying the user or deleting files, but it has since changed to become a security breach where data can be stolen, often without the user even seeing they’ve been infected.

My wife works for a multinational accounting services firm, where she and her co-workers have access to information that would probably make any hacker wet their pants with excitement. Yet, they have administrative access to their company-issued laptops, since they spend most of their time outside of the corporate office. In one case, she told me, one of her co-workers went weeks with a system she knew was infected with porn pop-ups, yet was “too busy” to do anything about it, like take it into the office and let IT look at the system. Did she know better? Despite required company IT education and training, probably not. Did my wife? You betcha.

That infection may have been harmless, or just designed to generate traffic to your friendly neighborhood porn site, but would the next one be so lucky? Sure, you may put good AV on systems and monitor them daily, but they can’t catch everything. It seems like we should be fighting to do everything in our power to prevent this from happening, even if it means it’s more difficult for the user and IT. The risk of not doing so outweighs the ease of use.

Do your users have administrative rights? Why or why not?

  • Michael Stanclift

    Just for the record, most of our users are Power Users on their Windows XP systems. As we begin our migration to Windows 7, they’ll be knocked back down to regular users. Previously they were administrators up until about 2006.

  • Frank Owen

    When I started at my most recent position I was horrified that all users had local admin access.  I was told that certain programs required it to work properly.  I set out on a quest and found the settings needed to move the users back to regular users.

    We get maybe 3 virus infections a year at my site of over 700 desktops.  Another site with 900 computers (still all with Local Admin Access) gets on average 5 requests a week due to virus problems.

    IMO Users should never have local admin access to a work machine, period.

  • Dan

    I suspect that a lot of large companies are in the same boat – application compatibility under restricted user rights is flakey at best, and the time and effort required to remediate these problems just isn’t a priority – until quite recently. I’ve been faced with the same situation, and reducing rights on XP just isn’t an option, although I fully intend to do this as part of a Win7 deployment.

    The biggest problem we see is installation of unauthorised applications such as iTunes, P2P applications – and a variety of others that could potentially compromise security. To solve this, I developed a tool to monitor for blacklisted applications and automatically remove them if discovered – and at the same time notify our risk management team to follow up with the user directly. Repeat offenders are referred to HR. It’s working very nicely – since deploying it last week, it’s removed over 800 rogue apps :)

    Virus outbreaks haven’t been much of a problem though, and we’ve implemented disk encryption, host and network IDS and a USB lockdown to minimise the risk.

  • Frank Owen

    Dan, you mind sharing the tool? ;)

  • Rob Dewhirst

    It’s not this binary.  There are plenty of compromises between completely locked down and completely open.  For instance, users are given credentials to make system level changes, but are not allowed to use them for regular logins (it’s painfully obvious when they do).  If you have a problem with enforcement via technical means, make them sign an SLA – they may have admin credentials so long as they are responsible for costs of data loss and cleanup.
    I’ve found when users see a hard copy list of all the issues for which they could be potentially responsible, about 50% change their mind about admin credentials and the other 50% you never hear from again.
    You must have management support and technical means to keep the standard users’ frustrations to a minimum, but you need those things in a well-run shop anyway.

  • Dan

    Well, I’m thinking of releasing it. You can find more details here: http://dcunningham.net/2009/10/20/for-the-sysadmins-software-compliance-tool/

    Get in touch if you feel like testing it out.

  • Dan

    I’m afraid I have to disagree. We have plenty of in-your-face policies in place, including constant reminders of disciplinary action in the event of breaches. It hasn’t stopped people installing applications that they think may not cause harm (Firefox, for instance, means a new app to ensure is patched from vulnerabilities) and applications that blatantly may bring a firm into disrepute (i.e., bittorrent apps).

    The long and short of it is you can’t trust users to follow policies! At least in my experience :)

  • Michael Stanclift

    Dan, that tool looks fantastic. If you need additional testers I’d love to help.
