Something like 95 percent of all business computer users run as Administrator or root on their computer all the time. I applaud the businesses that have successfully removed elevated privileges from non-admin employees. Although it isn't easy to do, making this one security change can significantly reduce the risk of malicious exploitation.
Removing admin rights (for the purposes of this discussion, I'm going to ignore that rights, permissions, and privileges are different things) is difficult for several reasons. The most common issue is that end-users want to install and remove their own software and configure their own settings. Developers often need to debug programs and load and unload device drivers.
In thinking about this issue, I came up with seven common reasons why a user would need elevated privileges:
* Installing software
* Configuration changes
* Applications that require elevated rights to run correctly
* Debugging programs, loading drivers, and modifying the kernel
* User management
* Computer management
* Network management
I'm sure there are lots of other issues, which depend on whether users have only a one-time need for a particular procedure or a continuous one.
I then came up with many ways a company can either reduce the number of admin-level users or reduce the impact of running as a highly privileged account. Some options only apply to Windows, while others apply to any platform.
* Add user to an elevated group (Power Users, Network Configuration Operators, Sudoers, etc.)
* Remote support/assistance from IT
* In-person action by IT field support
* Create an Application Compatibility Database for the app
* Shim programs
* Custom scripting
* Packaged/managed installs
* Custom solution (service, Runas app, etc.)
* Third-party solutions
* Run in a virtual machine
* Manifest file
* Redevelop application
* New application
* Remove application
* Training (to give the users another way of doing something so it doesn't require admin assistance)
* Policy/business requirement redesign
* Terminal Services, Citrix
* Assign elevated permissions, privileges, or rights to the user
In the Windows world, Windows Vista adds two new options:
* Vista UAC (User Account Control)
* Vista File and Registry Virtualization
There is no single way to get rid of all admin or root users, but this list should give any administrator a solid checklist of alternatives to start with.