13

I have a user who wants to be an administrator of his work PC, he's made some story up about how he can't work without it so I'm told to "fix it" (as if it is a fault he's logged on as a user!).

My IT co-workers and I don't log in as administrators due to viruses/malware getting a foothold and setting themselves up as servers to distribute an attack (yes this happened in the past).

What is the 'norm' for your network users and how do you handle requests for administrator access?

Thanks

EEAA
Phillipe B
    If you object to giving him admin rights, then it's your responsibility to ensure he has all of the granular permissions and access enabled in advance so that they do not encounter roadblocks in a piecemeal fashion. This is very difficult to anticipate in a Windows system, given the complexity of today's software. For example, they might see strange behavior in an application, and after a day of troubleshooting find out that the application was silently failing to read some registry setting to which the user did not have access. – AaronLS Apr 01 '10 at 22:03

7 Answers

12

We currently have three levels of support for the users:

  1. Full support. The users only have basic access and a standard set of applications
  2. Limited support. We do central patching of the OS and supply applications. The user has root access.
  3. No support. We supply the user with an internet connection. The user takes responsibility for the computer, including software and patching. We monitor the network for issues, and cut off the user if there is a problem.

This way the users can choose what they want and we minimize the impact, both for IT staff and for users. We have found that the users can be trusted to choose an appropriate level of support. I have a feeling that locking down users by default is very costly in terms of productivity.

pehrs
  • 1
    +1 I like this, and might try it at my work. – Nic Apr 01 '10 at 21:08
  • 4
    While this is an interesting approach and worth consideration, with malware-prone operating systems, this is very likely to enable the perpetuation of worm-like malware throughout your internal network. To eliminate this risk, options 2 and 3 could not include unrestricted internal access to the network. – Warner Apr 01 '10 at 21:09
  • 2
    I think this is an excellent approach. People with PCs on their desks are usually "knowledge workers" (KWs), and KWs are usually best left to make their own personal technology decisions. In the 80's, IT was still called "Data Processing", and they were only responsible for the big iron and dumb terminals. It was KWs bringing in their own PCs that forced Data Processing departments everywhere to focus on supporting PCs and move to a client-server model, and eventually rebrand themselves "IT". Let your KWs decide for themselves how much hand-holding they want from you. – Spiff Apr 01 '10 at 21:13
  • @Warner where I work, most people don't use malware-prone OSes, and they opt for #3, and are given unrestricted internal access to the network. People who want to use malware-prone OSes are forced toward #2 or #1, and are forced to only use registered static IP addresses for their malware-prone boxes so that IT can scan their ports or their network traffic for malware activity more easily, and track down the culprit user more easily. – Spiff Apr 01 '10 at 21:19
  • Conditions are key. You couldn't convince me that giving customer care unrestricted access to their Windows workstations on the internal network would be a good idea, while maintaining a reasonable end-user service level. It would introduce a severe security risk between an inability to maintain standards, updates, and the additional privileges allowing malware to run free without restrictions. I do like the idea of 3, as I focus my career on Internet technologies and high level solutions-- not intranet support type technologies. – Warner Apr 01 '10 at 21:21
  • It's novel to consider an intranet where the only internal IT service is the physical network connectivity. But again, that introduces potential risk to company data and decentralizes internal information sharing technologies. Probably not realistic in the big picture. It seems Google's SaaS stack is probably focused around this idea, however. – Warner Apr 01 '10 at 21:26
  • @warner I don't mind giving customer care root access on their systems, as long as they want it. They know it means less support, and in most cases do not want it, but we have a few people there who know technology. Our security model is based around the assumption that all workstations are more or less insecure anyway, and we try to minimize the damage that can be done from a workstation. We discourage users from storing data locally. – pehrs Apr 01 '10 at 21:52
  • I like this approach but I would only let management, developers, IT staff, and other savvy users make the choice. For a role where the employee is not necessarily security/malware knowledgeable I would default to #1, and enable granular access where necessary. – AaronLS Apr 01 '10 at 21:56
  • I just wanted to add that if you are giving up local admin rights on a domain then you're generally adding Domain Users to the local Administrators group. This means all users have full admin access to their machine as well as all PCs in the domain. Chances are if you're doing this then you're probably doing a lot of other things wrong. You probably spend most of the day fighting fires because of your shortsightedness. When you remove local admin rights then you must manage the PC and keep it up to date. Use GPSI as much as possible and leverage Group Policy. Fix it once, fix it for everyone. – kovert Feb 12 '12 at 18:07
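
An audit for the situation kovert's comment describes, where Domain Users or a similarly broad group sits in the local Administrators group. This is an added example, not code from any poster in this thread; the function name `Test-BroadAdminMember` and the choice of which well-known groups count as "broad" are assumptions made for illustration.

```powershell
# Added example: report who is in the local Administrators group and
# flag members that cover every (or nearly every) account.

# Well-known SIDs of groups that include essentially all users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Hypothetical helper: returns the name of the broad group a SID
# represents, or $null when the SID is not one of them.
function Test-BroadAdminMember {
    param([Parameter(Mandatory)][string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users always has the form <domain SID>-513.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    return $null
}

# S-1-5-32-544 is the built-in Administrators group; using the SID
# avoids depending on the localized group name.
$findings = foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Class    = $m.ObjectClass
        Source   = $m.PrincipalSource
        Broad    = Test-BroadAdminMember -Sid $m.SID.Value
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Broad }) {
    Write-Warning 'A broad group is a local administrator on this machine.'
}
```

It needs the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1, and it only reads group membership, so it can be run on each workstation to find where the grant exists before changing it.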
4

There can be business justification for an end-user to have higher privileges. Often, it will be dictated by your company culture.

The best IT policy is to default to least privileges necessary to perform a job function. If there is justification and there are not technical solutions for maintaining lesser privileges, there is then a business justification for the additional access.

Some technical companies choose to give all users local admin access. Others, only technical staff.

In my department: without justification, they don't get access. In regards to workstation local admin access: technical users usually get it. If they introduce risk to the company, it can be reassessed on an individual basis. The average non-technical employee does not. We've never had a malware incident of any significance but we run a tight ship in general.

I also answered a question earlier today, which is related to your question here. It covers some of the fundamental principles associated with access control policy and procedure.

Warner
4

My two cents:

1/ Admin rights are BAD. And malware is not the only reason why. Another, and often bigger issue, is that many users will add applications that you don't know how to support, or that get discontinued over time. Result? Three or four years like this, and you end up crying because for some reason a business-critical process is handled using an app that no-one knows, or that was developed by a friend-of-the-guy-who-left-the-company, or whatever. I have a customer for instance who developed a BIG -and indeed VERY USEFUL- app using Lotus 1-2-3. A very old version. That does not run on any later OS than... Windows 98. And the guy who did this left the company. See the issue?

2/ If SOMEONE should NOT have admin rights, it's the developers. Because if they are admins, they will not make ANY effort to write their software respecting coding guidelines. And they will end up writing apps that NEED admin rights to run. Which is bad.

I'm a system admin and I'm running WITHOUT admin rights (not even local admin of my computer). When I need them, I grab them, for the time of my admin task. That's my own life-saver. I can make mistakes... And mistakes with admin rights can be terrible.

3

No, No, No, No, No!

No computer with a user having admin rights should ever go on your network. Certainly no company owned computer should have user admin rights:

I don't hate users, but an IT dept just can't do its job effectively if they constantly have to fix self-inflicted computer problems.

Why on earth should users (developers, if you have them, excepted) need admin access?

To install applications?

We spend a great deal of time and effort testing applications for compatibility then we standardise on a particular version. We maintain licensing information, and agree to support whatever we install.

To run apps that require Admin access?

Hey, we are not running Windows 98 anymore. I can't recall a standard business app that requires admin rights. If one did we would not allow it in the first place.

Updates?

That's what WSUS/ASUS is for. Most users don't need the latest graphics card drivers - they are not gamers!

What if [insert reason here] had to run as admin?

Then they are totally segregated from the rest of the network, possibly if there were enough of them, in their own domain. Most importantly we manage their expectations - you break it you fix it - normal SLA resolution times don't apply.

There are lots of edge cases, but we aim to run our department so no user should ever need admin access or even request it. If your users have admin rights then you do not control your 'network', not a situation I would ever want to be in.

Jon Rhoades
  • 2
    Good point that the kind of user (and thus, the kind of organization) is a deciding factor. My experience is in doing administration for software development shops, but clearly requirements elsewhere can and do differ. – Charles Duffy Apr 02 '10 at 05:44
  • @Charles Duffy - I agree having developers changes everything, we only have the one and he is also a member of the IT team hence no issues there. – Jon Rhoades Apr 04 '10 at 08:44
2

Typically, where I've worked, software developers have had admin access and generally nobody else.

At one place I contracted, they had a good idea. In order to get admin access, I had to read and sign a form agreeing that, if I ever had to call IT about computer problems, or if somebody else noticed problems on my computer, IT would try to fix it for fifteen minutes and then wipe and re-image.

David Thornley
1

As you can see from the previous answers, there is no norm for this. There is however the Golden Rule of Least Privileges. That simply means your user should have the minimum access rights required to do their job. It's unfortunate that, especially in the Windows world, that does mean some users (e.g. programmers) require full admin rights.

I suggest you ask the user in question to document what it is he/she is unable to do as a user and see if the issue can be resolved with something less than full admin rights. If they are unable or unwilling to document the issues you may well be able to present a case to management that the claim is unfounded and therefore requires no change. Of course how well this goes down often depends on who sucks up to who in your particular organisation.

John Gardeniers
0

If someone really needs admin rights on their local machine I would be tempted to set up something like VirtualBox / VMware Player as their sandbox. Allow them to do anything they want within their sandbox, and on the Host OS they will be locked down like any other machine.

The specifics would depend a lot on the expectations for the particular system.

  • Is the user (and their managers) willing to make that user be responsible for backups?
  • Will the user be able to accept that if something can't be fixed quickly because he/she fudged it up that you will pop in a disk and immediately format it?
  • Are the user and manager ready to take responsibility for any legal issues resulting from unlicensed software, security breaches, damage to other systems on the network?
Zoredache
  • Assuming that the VM wasn't connected to the network, it would be easier to just unplug their network cable. Otherwise, all of the risks are still there. – Joe Internet Apr 02 '10 at 03:06