Should Windows users have full administrative rights?

Giving Windows users full administrator privileges can help reduce your workload, but it also leaves your environment vulnerable.

It's a common dilemma many administrators deal with daily. Do you give your Windows users local administrator privileges...

and deal with the subsequent malware infections and system screw-ups? Or do you give them lower-level access to the point where they're not allowed to do anything and then bother you all the time?

In my experience, nearly all Windows environments I've seen are configured with the former. Administrators want their users to have the access and privileges they need because it reduces the number of help desk calls and lightens their own workload.

The principle of least privilege -- giving users minimal access to do their work -- looks good on paper, but it's difficult to implement in a typical Windows environment that doesn't have enough IT resources or budget to meet everyone's needs. Microsoft says that the solution is to upgrade to Windows 7 and implement User Account Control (UAC), so that users can maintain administrator-level access. Unfortunately, this also causes applications to run at a lower privilege level. I predict that the majority of users will be on Windows 7 in 10 years, but until then we'll have a combination of XP and other legacy versions of Windows to contend with. Simply put, this problem is not going away anytime soon.

According to BeyondTrust , 62% of all Windows XP vulnerabilities in 2009 could have been mitigated by limiting user privileges. I don't completely agree with that statistic given all the variables involved, but the numbers are interesting nonetheless. When it comes to deciding whether or not users should have administrator privileges, I've found that it's often a one-sided conversation between the Windows administrator and himself.

Often management, software developers, vendors, end users and other key players are not brought into the discussion. Unfortunately, security standards and policies are rarely adhered to -- frequently because they don't exist -- and there's not much real insight given during the discussion . A combination of politics, refusals to buy into security and decision makers who want to take the path of least resistance tend to get in the way of actually managing business risks.

Personally, I have mixed feelings regarding the scenario. On one hand, I'm for balancing security with usability. Give users what they need and get out of their way. It's one of the least-touted principles of information security, but one that can go a long way to making security work for you rather than against you.

On the other hand, I understand that users cannot be trusted. Be it malice or ignorance, the average user can and will get themselves, their computers and potentially your network in a bind.

I'm not positive there's a good answer to this. Sure, UAC in Windows 7 may seem fine on paper, but it's going to have compatibility issues and hacks that will cause headaches for many IT professionals. Anti-malware software can't always be trusted either. The only reasonable way to control this problem is to search for a third-party endpoint security solution. Just realize that no singular solution will be seamless or trouble free.

The best thing to do is to step back and take a look at the big picture and what you're trying to accomplish. Get input from others who have experience, research third-party vendors or try to find some workarounds with what Microsoft already gives you. Just don't ignore the problem, it will only become more complex.

ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at  kbeaver@principlelogic.com.
 

This was last published in June 2010

Dig Deeper on Windows Operating System Management

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

6 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

My local office is about to switch from a local domain where everyone is a local administrator to a corporate domain that does not allow users to have admin rights by default. This is going to make my job difficult because I have to install regularly, and need to use "Run as Administrator" on lots of my tools for them to be useful.

On the other hand I've also worked in tech support and seen the damage that can be caused by a user that has full control and minimal knowledge of their OS. So, I can definitely understand the desire to keep people from causing damage.
Cancel
Far, far too often I see the issue where people have administrative rights and do something disastrous to their system.  The first thing that comes out of the peoples mouths is I didn't do anything.  I had one person tell me that their keyboard had quit working and they did not know why.  I walked into their office and found that they had dumped a milkshake on the keyboard. They had cleaned the top of the desk up so it was not all over desk and they tried to hide it.  I just looked at them, and replaced the keyboard.  We by default did not allow users administrative rights and that was a major blessing.


Cancel
In my opinion NO. I have worked with enough users over the years to know better. I see them open suspicious e-mails, change setting, either WIndows or other apps, and then want it changed back and forget how they did it. That much power in those hands would make me lose sleep at night.

Cancel
I don't mind that the user has some base rights because that allows patches to download and install, but I do not want them to have full local rights to the machine because that is and will be disastrous because with out fail I have seen end users do something to the machine, and them blame everyone but themselves for the problem that they created.
Cancel
It has to be balanced between helping to ensure security protocols are being met and at the same time allowing people to do the work they need to do. In many cases, I find that I need to use Administrative privileges to run key utilities and applications. If those rights will be taken away from me, my work will become much less productive, and the amount of hand holding will subsequently increase. Spread across an organization, I can't imagine this going well.
Cancel

mostly the user always blaming if there something wrong in the machine especially in Microsoft office tools....so for me its better don't give a  full local rights to the machine


Cancel

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close