Allowing your users administrative rights under their Windows desktop certainly makes their life easier, but it can cause significant headaches for your sysadmins — and it also opens up a wide variety of vulnerabilities.
A recent study from security vendor Avecto found that 94% of critical vulnerabilities announced by Microsoft could be mitigated by simply removing administrative rights. These vulnerabilities range from phishing attacks that can hijack the system via applications like Microsoft Word to packets that are specially crafted to hit Windows Server. In most cases, they can be leveraged to remotely execute code and take control of the PC, potentially accessing sensitive data and applications deeper within the network.
Many modern workplaces allow users more leeway over the configuration of their workstations, as computer-savvy employees are often more productive when they have applications set up the way they want. But with shutting down admin rights proving to be a relatively easy and strong method of eliminating vulnerabilities, should you risk enabling them?
The answer is probably not…with some caveats.
Outside of employee happiness and productivity, software and system updates also require administrative rights. Allowing users to update their OS and applications can help keep the overall workstation more secure, unless you have a method to easily push out updates system-wide.
If you don’t have enough IT staff to go around, it may be simplest to have local admin rights as well. This way, users are better able to troubleshoot and fix any problems on their own, in addition to performing desktop updates that your techs would otherwise have to do for them.
You truly need to trust your users for this approach to work — and they need to be very savvy and educated in regards to information security and best practices. It may be worth your while to restrict admin rights for the majority of your users, while creating a tier that has local admin rights for your developers or otherwise computer-savvy employees. These workers often need to research and install their own software tools and may not even know how they will use their system until a specific situation or problem arises. They are generally capable of performing due diligence and practicing smart security.
Sure, you can give your users admin access and allow unscanctioned software to be used, but ideally, all software management should be the purview of your IT department to make sure it works properly with your other applications and doesn’t cause security issues on its own. A user might think they are installing a productivity app only for it to launch malware that is free to access the system registry, modify or execute programs, download additional malware, or even move laterally through the network.
Without local administrator rights, the user account can not disable antivirus/antimalware tools or go around encryption or firewalls. With them, infiltrators or malware software can disable or avoid all of these safeguards. In the case of a zero-day threat, your admins will not have had a chance to update workstations, and local admin rights could be catastrophic should a zero-day vulnerability be used to take advantage of a user.
Organizations that must comply to regulatory or compliance standards may also put that compliance at risk if they enable local administrative rights.
You’ll have to weigh the potential costs of loss of productivity vs. the time spent by your IT administrators to decide if the additional risk of local administrative rights is worthwhile for your company. In general, best practice is to keep all users on a standard user account without administrative rights, applying even to IT workers, who log out and back in as an admin account to make changes.