When should I grant users Windows administrator rights?

Network security management is tricky enough without your users begging for rights that they don't need or that you don't want to give them. Find out when you should give (or not give) your users administrator rights with this advice from Windows security expert Kevin Beaver.

Question: Our access control group is asking for domain admin rights and I am not sure I want to give this to them. How can I determine whether or not to grant my group administrator rights?
- Posed by a SearchWindowsSecurity.com reader.

Kevin Beaver offered this response:

This is a common request/demand. Has your access control group given a good reason as to why they need such rights? If they can justify the business need, then I don't see why you couldn't reasonably create accounts for each user, enable logging, and let them do their thing. It sounds like the 'access control' group may have some justification for this anyway.

So, you need to determine what access is really needed, why it's needed, when it's needed, and so on. You do have a documented access policy that covers this, right? If not, now's the time to create one based on risks and business

    Requires Free Membership to View

Granting rights and permissions
Network Access Control Learning Guide

Network security FAQ: Managing user rights

need. A change management policy and procedures need to be in place as well to make sure everyone is on the same page regarding making system changes. Once these are established, then use Windows audit logging and the right tools from vendors such as Ecora and Configuresoft to make sure they're not abusing their rights and everything's being doing properly.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as (Auerbach). He's also the creator of the Security On Wheels providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

This was first published in June 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.